The bill amends the National Quantum Initiative Act to push the National Institute of Standards and Technology (NIST) to promote adoption of post‑quantum cryptography (PQC) across the economy and to provide technical help and grants to entities at high risk of quantum attacks. It adds statutory definitions (including a specific definition of “post‑quantum cryptography”), requires NIST to disseminate guidance and, where practicable, provide technical assistance, and authorizes a grant program—subject to appropriations and issuance of NIST standards—to cover reasonable costs of migration and remediation.
Separately, the bill amends the Cyber Security Research and Development Act to explicitly include post‑quantum cryptography in the National Science Foundation’s cryptography research authority. For compliance officers, CIOs, and risk managers, the act signals federal prioritization of PQC uptake, creates a potential source of grant funding, and heightens the practical importance of aligning enterprise crypto roadmaps with forthcoming NIST guidance and standards.
At a Glance
What It Does
The bill directs NIST to promote voluntary adoption of post‑quantum cryptography through publicly available guidance, targeted technical assistance to high‑risk entities (for example, critical infrastructure and digital infrastructure providers), and other activities the Director deems necessary. It also permits NIST to establish a grants program—after NIST issues PQC standards and subject to appropriations—to help cover reasonable costs of adopting PQC and fixing quantum‑related vulnerabilities.
Who It Affects
Operators of critical infrastructure and digital infrastructure providers, federal sector risk management agencies and sector‑specific agencies, cybersecurity vendors and consultants, and recipients of NSF research funding in cryptography. NIST and CISA will be central implementation partners.
Why It Matters
By elevating PQC into statutory programmatic activity and grant eligibility, the bill shifts PQC from a purely standards exercise toward operational deployment support. That creates a new federal lever to accelerate enterprise cryptographic migration and expands NSF’s explicit mandate to fund PQC research.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill makes three concrete legal changes. First, it inserts new definitions into the National Quantum Initiative Act—most notably a definition of “post‑quantum cryptography” and a cross‑reference to existing definitions of critical infrastructure and sector risk management agencies.
Those definitions set the scope for who the statute intends to assist and what technologies count as PQC for program purposes.
Second, the bill adds a new subsection directing NIST, working with DHS and relevant sector risk management agencies, to promote voluntary adoption of PQC standards. NIST must publish guidance and resources to help organizations plan and execute migrations and is authorized, where practicable, to provide technical assistance to entities judged to be at high risk from quantum cryptoanalysis.
The language leaves the adoption voluntary rather than mandatory but pairs guidance with targeted assistance to accelerate uptake in priority sectors.Third, the bill authorizes a discretionary grant program to help high‑risk entities pay for migration and remediation costs. That program can only be created after NIST issues PQC standards and will be subject to congressional appropriations.
The Director of NIST sets eligibility rules, disclosure and application requirements, grant amounts and durations, and may periodically update guidance. The statute requires consultation with CISA, sector agencies, and private sector representatives when designing and sharing program materials.Finally, the bill amends the Cyber Security Research and Development Act to ensure NSF’s authorized cryptography research explicitly includes post‑quantum cryptography.
That change signals federal research funding alignment with the deployment focus of the NIST provisions and aims to sustain the domestic cryptography research base that underpins secure migration.
The Five Things You Need to Know
The bill defines “post‑quantum cryptography” as cryptographic algorithms or methods assessed not to be specifically vulnerable to attack by either a quantum computer or a classical computer.
NIST may only establish the grant program after it has issued post‑quantum cryptography standards and only if Congress provides appropriations for the program.
Grants may be used to cover “reasonable costs” of adoption and remediation, up to a maximum amount the NIST Director will set through program guidance.
The statute requires NIST to consult with the Cybersecurity and Infrastructure Security Agency (CISA), sector‑specific agencies and risk management agencies, and private‑sector representatives when developing grant guidance and sharing program information.
The Cyber Security Research and Development Act is amended to explicitly allow the National Science Foundation to fund post‑quantum cryptography research under its existing cryptography research authority.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Adds PQC and infrastructure definitions
This provision inserts a statutory definition of “post‑quantum cryptography” and references the existing statutory definition of “critical infrastructure” and of “sector risk management agency.” Practically, the definitions tell agencies which entities are intended beneficiaries of the program and what algorithms the statute contemplates. The PQC definition is operationally significant because it frames the legal baseline for which algorithms NIST will treat as meeting the statute’s purpose; the statutory phrasing—‘assessed not to be specifically vulnerable’—creates room for NIST’s technical assessment process to determine coverage.
Directs NIST to promote voluntary PQC adoption and provide assistance
This new subsection instructs the NIST Director, in consultation with DHS and sector risk management agencies, to promote voluntary adoption of PQC standards. The mechanics include publishing guidance and resources and, where practicable, providing technical assistance to high‑risk entities (the bill points explicitly at critical infrastructure and digital infrastructure providers). Because the provision emphasizes voluntary adoption, the primary tools are guidance, assistance and soft law rather than regulatory mandates, which affects both the speed of migration and the legal exposure of private entities.
Authorizes a discretionary, post‑standards grant program to offset migration costs
This paragraph authorizes NIST to create a grant program to identify and provide technical assistance to high‑risk entities, covering reasonable adoption and remediation costs up to amounts the NIST Director will establish. Creation of the program is conditional on two things: (1) NIST must have issued PQC standards, and (2) Congress must appropriate funds. The Director may write and update guidance on eligibility, disclosure, award size and duration, and must consult with CISA, sector agencies and private‑sector representatives when shaping the program—an effort designed to balance technical rigor, sector priorities, and program transparency.
Explicitly brings PQC into NSF cryptography research authority
This is a single‑line insertion that adds “including post‑quantum cryptography” to the list of topics NSF may fund under its cryptography research authority. The practical effect is to remove any ambiguity about NSF’s statutory power to support PQC research and to align federal research funding with the deployment and standards activities NIST is charged with in the rest of the bill.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Operators of critical infrastructure (electric utilities, water systems, pipelines): they gain prioritized technical assistance and potential grant dollars to offset costs of migrating to PQC.
- Digital infrastructure providers (cloud providers, large ISPs, DNS/PKI operators): they receive guidance, potential technical support, and eligibility for grants that lower the expense of upgrading widely used cryptographic systems.
- University and private researchers in cryptography: the explicit NSF language strengthens eligibility for PQC research funding and signals federal prioritization of relevant research agendas.
- Small and medium‑sized organizations in priority sectors: if designated as high risk, they can access grants to defray migration costs that might otherwise be unaffordable.
- Cybersecurity vendors and integrators: increased demand for PQC implementation services and tools comes from a coordinated federal push and grant‑supported uptake.
Who Bears the Cost
- NIST and CISA (administrative burden): agencies must develop guidance, technical assistance programs and grant management processes without an explicit appropriation tied to the statute.
- Federal budget (Congressional appropriations): meaningful grant support depends on future appropriations; Congress bears the fiscal choice to fund rollout assistance.
- Private infrastructure owners (implementation costs): organizations will still face substantial engineering, testing and operational costs for PQC migration that grants may only partially cover.
- Sector‑specific agencies and risk management agencies: they must participate in consultations and may be asked to prioritize and coordinate outreach to their sectors.
- Grant applicants and recipients (compliance and disclosure requirements): entities seeking grant funds will need to meet NIST’s eligibility and application disclosure rules, increasing administrative overhead.
Key Issues
The Core Tension
The central dilemma is urgency versus flexibility: protecting systems against an existential cryptographic risk calls for fast, uniform action, but the bill relies on voluntary guidance, targeted assistance and discretionary grants—tools that preserve flexibility and avoid heavy regulatory costs but may be too slow or fragmented to ensure timely, interoperable migration.
The bill balances an urgent technical threat—future quantum attacks—against a cautious, voluntary implementation model. That choice shifts the policy challenge from legal compulsion to practical incentives: how to make voluntary guidance and a discretionary grant program fast and large enough to drive widespread, interoperable migration across diverse operators and legacy systems.
The grant program’s conditionality—only after NIST issues standards and subject to appropriations—creates a sequencing risk: delays in standards publication or funding could leave high‑risk systems exposed while vendors and users wait for clearer federal direction or financial help.
Another implementation question is definitional precision. The statutory definition of PQC—algorithms “assessed not to be specifically vulnerable” to quantum or classical attacks—leaves technical assessment criteria to NIST.
That delegation is appropriate, but it concentrates authority in NIST to draw bright lines that will have real procurement and interoperability consequences. The statute also leans on consultations with CISA, sector agencies, and private representatives; effective outreach will be essential to prevent uneven uptake across sectors and supply chains.
Finally, because the statute relies on voluntary adoption, companies that cannot or will not upgrade rapidly could become weak links, creating systemic interoperability and risk‑allocation issues across interconnected platforms.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.