H.R. 4942 directs the Subcommittee on the Economic and Security Implications of Quantum Information Science to prepare reports that address cybersecurity and national security risks posed by certain quantum computers. The initial report must be completed within one year of enactment and will evaluate the United States’ capabilities relative to other countries, and the progress toward adopting post-quantum cryptography and other security measures.
It also requires identifying sectors most vulnerable to quantum-enabled threats and developing a mitigation plan that includes interagency collaboration, information sharing, and public-private partnerships. The plan will establish guidelines for determining whether a quantum computer is cryptographically relevant and will outline a timetable and policy recommendations for implementation, submitted to Congress in either classified or unclassified form as appropriate.
The act also mandates annual progress reports for four subsequent years, focusing on adoption of the identified measures.
At a Glance
What It Does
The Subcommittee must complete an initial assessment within one year, identify vulnerable sectors, and draft a mitigation plan that includes interagency collaboration, private-public partnerships, and deployment guidance. It also mandates guidelines to classify cryptographically-relevant quantum computers and a comprehensive congressional report.
Who It Affects
Federal agencies coordinating quantum-security efforts and private-sector entities developing or adopting quantum-resistant technologies; critical infrastructure operators and cybersecurity professionals who implement post-quantum measures.
Why It Matters
This creates a formal, traceable path for preparing for quantum threats, aligning federal action with industry readiness, and establishing a timetable for broader adoption of quantum-resistant cryptography.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill creates a formal reporting process to map the nation’s readiness for quantum threats. It tasks a dedicated subcommittee with producing an initial assessment within one year after enactment that benchmarks the United States against other nations in developing cryptographically relevant quantum computers and in adopting security measures such as post-quantum cryptography.
It then requires identifying which sectors of the economy are most exposed to quantum-based risks so policymakers can target defenses where they matter most.
Next, the bill requires a mitigation plan built around practical steps: promoting collaboration across federal agencies, enabling information sharing between government and the private sector, and fostering partnerships that spur adoption of quantum-resilient practices. It also directs the creation of guidelines that help determine what counts as a cryptographically relevant quantum computer, ensuring officials and businesses can apply consistent risk standards.
Finally, the plan must include recommendations on how to implement these measures, including a timetable and policy changes, with a congressional report submitted in appropriate form.Beyond the initial report, the act mandates annual progress reviews for four years to track how private sector and public sector entities are adopting the identified measures. These requirements are designed to establish accountability, drive adoption of post-quantum cryptography, and deliver a sustained, evidence-based roadmap for quantum-security readiness.
The Five Things You Need to Know
The bill requires an initial assessment within one year of enactment of U.S. capabilities and progress toward post-quantum cryptography.
It identifies the sectors most vulnerable to quantum-related risks.
It mandates a mitigation plan with interagency collaboration, information sharing, and public-private partnerships.
It requires guidelines to determine whether a quantum computer is cryptographically relevant.
It mandates a comprehensive congressional report and four subsequent annual progress reports.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Initial report requirements
This subsection directs the Subcommittee to conduct a comprehensive initial assessment within one year of enactment. It must evaluate U.S. capabilities relative to other countries in developing cryptographically relevant quantum computers and the progress toward implementing post-quantum cryptography, and it must identify the sectors most vulnerable to quantum risks. The outcome is a plan detailing mitigation steps and the mechanisms for interagency collaboration and private-public partnerships.
Subsequent reports
This subsection requires the Subcommittee to submit a follow-up report not later than one year after the initial report, and then annually for four years. These reports track progress by private sector and public sector entities toward adopting the measures described in Section 2(a). They may be classified or unclassified as appropriate.
Definitions
This subsection provides definitional anchors for terms used in the section, including what constitutes a cryptographically relevant quantum computer, post-quantum cryptography, and related concepts, leveraging definitions from the National Quantum Initiative Act and the Quantum Computing Cybersecurity Preparedness Act.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal interagency teams coordinating quantum-security efforts will gain a structured, ongoing mandate and clearer reporting lines.
- Private-sector cryptography vendors and security solution providers will have a defined pathway and timelines for delivering quantum-resistant technologies.
- Critical infrastructure operators (e.g., financial services, energy, telecommunications) will receive guidance and recommended practices to modernize security posture.
- National security analysts and researchers will obtain a framework for monitoring global progress and prioritizing risk mitigations.
Who Bears the Cost
- Private-sector entities must invest in adopting post-quantum cryptography and related security measures to meet the plan’s requirements.
- Federal agencies will incur costs to coordinate cross-agency activities and to prepare and respond to periodic reports.
- Small businesses and vendors may bear compliance costs linked to pilots, information-sharing practices, and implementing new cryptographic standards.
Key Issues
The Core Tension
The central dilemma is balancing rapid, protective action against quantum threats with the cost, complexity, and potential regulatory burden of implementing broad cryptographic changes across many sectors, while ensuring consistent, timely government guidance without stifling innovation.
The bill establishes a structured, government-led process to diagnose and mitigate quantum-related cybersecurity and national-security risks, but it raises questions about cost, timing, and implementation risk. Requiring significant collaboration and information sharing between private entities and the federal government could raise concerns about data governance, privacy, and competitive sensitivity.
The reliance on upcoming guidelines for cryptographically relevant quantum computers also invites debate over threshold definitions and the pace of standardization, particularly given the evolving landscape of post-quantum cryptography. Finally, the classified/unclassified distinction for reports balances national-security considerations with transparency and oversight, but it may complicate how findings are used by the private sector and non-federal stakeholders.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.