Sponsors (2)
The bill standardizes definitions and mandates a fast, accountable federal transition to post-quantum cryptography—improving security coordination and readiness—at the cost of substantial near-term implementation expenses, potential administrative rigidity, and capacity strains for agencies and private-sector partners.
Federal agencies, critical infrastructure operators, and affected private-sector organizations get harmonized, NIST-aligned technical definitions for cryptography and quantum computing, giving implementers a common standard and accelerating coordinated post-quantum upgrades.
Federal agencies (and taxpayers who rely on them) will follow a coordinated, time-bound transition plan to post-quantum cryptography with regular reporting to Congress, improving oversight and reducing the risk of large-scale cryptographic failures.
Utilities, financial firms, and other critical-service providers will be identified and monitored as high-risk entities, which improves protection of essential services and reduces the chance of outages or breaches that affect the public.
Federal agencies, private-sector entities, and taxpayers will likely face substantial implementation and migration costs (including for updates to systems, contracts, and policies), with small businesses and critical-service providers particularly exposed.
The bill's rapid, centralized timeline (e.g., 180-day requirements) may strain agency capacity and lead to rushed or incomplete planning and implementation, increasing operational risk during complex migrations.
Locking statutory references to specific NIST/FIPS versions 'as in effect the day before enactment' could create rigidity that forces future legislative or rulemaking to keep pace with evolving standards, causing confusion and administrative burden.
Based on analysis of 3 sections of legislative text.
Requires a federal strategy, standards, pilot, cost survey, and reporting to migrate federal high-impact systems and critical infrastructure to post-quantum cryptography.
Introduced July 30, 2025 by Gary C. Peters · Last progress July 30, 2025
Creates a required federal plan and pilot to move federal high-impact information systems and critical infrastructure toward cryptography that resists attacks by quantum computers. It directs a federal subcommittee, working with NIST and industry consortia, to define key terms, identify what counts as a "cryptographically relevant" quantum computer, set standards and performance measures, and deliver a migration strategy within 180 days. The law also requires a post-quantum pilot (each sector risk management agency must upgrade at least one high-impact system to post-quantum cryptography by Jan 1, 2027), a government-wide cost survey of migration, joint reporting to Congress within a year, and annual GAO assessments of agency progress against the strategy's performance measures.