Codify — Article

Senate bill directs strategy and pilot for federal migration to post‑quantum cryptography

Mandates a Subcommittee-led National Quantum Cybersecurity Migration Strategy, a cross-agency pilot, and cost and progress reporting to guide federal transition to post‑quantum crypto.

The Brief

This bill tasks the Subcommittee on the Economic and Security Implications of Quantum Information Science with producing a National Quantum Cybersecurity Migration Strategy and related deliverables to guide federal agencies toward post‑quantum cryptography (PQC). The Subcommittee must work with NIST and consult the Quantum Economic Development Consortium, set standards for identifying when quantum computers become a practical cryptographic threat, and create performance measures across four migration stages.

The legislation also imposes a narrowly scoped pilot requirement—each sector risk management agency must upgrade at least one high‑impact federal system to PQC by January 1, 2027—directs the Office of Electronic Government to survey migration costs, and requires an OMB/Subcommittee report to Congress plus annual GAO assessments. The bill frames a coordinated federal response to quantum risk without authorizing appropriations, shifting the immediate work onto agencies and standards bodies to define thresholds, measures, and budgets.

At a Glance

What It Does

The bill requires the Subcommittee to deliver, within 180 days, a strategy that defines a “cryptographically relevant quantum computer,” recommends standards to identify such systems, and prescribes four stage‑based performance measures (preparation, inventory baseline, planning/execution, and monitoring). It establishes a cross‑agency pilot obliging each sector risk management agency to upgrade at least one high‑impact system to PQC by a fixed date.

Who It Affects

Directly affected actors include federal agencies that operate high‑impact information systems, sector risk management agencies responsible for critical infrastructure sectors, NIST (for standards and testing alignment), and vendors who provide cryptographic libraries and hardware. The Office of Electronic Government and OMB are charged with cost verification and budgetary advising, while GAO will perform annual progress assessments.

Why It Matters

By forcing early definition and metrics, the bill aims to convert abstract quantum risk into actionable agency tasks and a testbed migration. For compliance officers and IT leaders, it creates a common performance framework to plan inventory, remediation, and procurement decisions; for security vendors, it signals a federal market push toward PQC—absent dedicated funding.


What This Bill Actually Does

The bill creates a tightly scoped federal project: define the quantum threat, set measurable migration steps, run limited pilots, and then report progress and costs to Congress. It places the Subcommittee at the center of the work, instructing it to coordinate with NIST and consult the Quantum Economic Development Consortium to produce practical standards rather than theoretical guidance.

The resulting strategy must state when a quantum computer becomes a real-world cryptanalytic threat and lay out how agencies should recognize that threshold.

Instead of ordering wholesale agency migrations, the statute breaks the work into stages—getting ready, cataloging data and systems, planning and implementing PQC solutions (covering both data at rest and data in motion), and then monitoring effectiveness—and requires performance measures tied to those stages. The bill also creates a near-term, mandatory pilot: each sector risk management agency must move at least one system classified as high‑impact to PQC by January 1, 2027.

The Office of Electronic Government must then collect, vet, and synthesize agencies’ cost estimates for migration and advise on incentives for private‑sector uptake.

Accountability is built through reporting: OMB and the Subcommittee deliver a joint report to Congress within a year summarizing assessments, pilot outcomes, and cost surveys, and the Government Accountability Office provides an annual, performance‑measure‑based assessment thereafter. The statute uses existing definitions—FIPS 199 for high‑impact systems and the Critical Infrastructures Protection Act definition for critical infrastructure—so agencies will map the new PQC tasks onto preexisting risk categorizations.

The act is procedural and diagnostic: it prescribes who must do what and when, but does not appropriate funds or mandate full agency migration timetables beyond the pilot.

The Five Things You Need to Know

1. The Subcommittee must produce the National Quantum Cybersecurity Migration Strategy within 180 days of enactment and must coordinate with NIST and consult the Quantum Economic Development Consortium.

2. The strategy must include a formal definition of a “cryptographically relevant quantum computer” and recommended standards to determine when a quantum computer can practically break classical cryptography.

3. Migration performance measures must cover four discrete stages—preparation, establishing a data inventory baseline, planning/execution (ensuring protections for data at rest and in motion), and monitoring/evaluation.

4. The bill establishes a post‑quantum pilot requiring each sector risk management agency to upgrade at least one federal high‑impact system to post‑quantum cryptography by January 1, 2027.

5. OMB and the Subcommittee must jointly report to Congress within one year on assessments, pilot results, and cost surveys, and the Comptroller General must publish annual agency progress reports using the bill’s performance measures.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 2

Definitions and reference standards

This section adopts working definitions that tie into existing federal standards: it borrows the meaning of cryptography from relevant NIST publications, defines classical and quantum computers in operational terms, and uses FIPS 199 and the Critical Infrastructures Protection Act to classify high‑impact systems and critical infrastructure. The practical effect is to force agencies to apply these established taxonomies when they inventory systems and assess risk, reducing semantic ambiguity but also anchoring the strategy to current federal categorizations.

Section 3(a)

Subcommittee to develop the National Quantum Cybersecurity Migration Strategy

The Subcommittee must deliver a strategy within 180 days that does more than describe the threat: it must supply an actionable definition of when quantum capability becomes cryptographically relevant, recommend standards and characteristics to test against that definition, and assess urgency of migration for each agency based on critical functions and quantum attack risk. This places the burden on the Subcommittee to translate quantum research milestones into thresholds agencies can use in procurement and risk management decisions.

Section 3(b)

Post‑quantum pilot program and deadline

Within the same 180‑day window the Subcommittee must stand up a pilot program forcing each sector risk management agency to upgrade at least one high‑impact system to PQC by January 1, 2027. That creates an operational test across critical sectors intended to surface integration, compatibility, and procurement challenges quickly, but it also generates immediate compliance pressure on agencies that may lack budgets or staff to meet the timeline.

Section 3(c)

Office of Electronic Government cost survey and guidance

The Administrator of the Office of Electronic Government must survey agency heads for migration cost estimates—personnel, equipment, and time—and must verify those estimates’ realism. The office must also identify funding needs and advise on encouraging private‑sector adoption. Practically, this makes the OEG the fiscal reality‑checker: agencies will need to produce defensible budgets, and the OEG’s findings will shape any future appropriation requests or procurement guidance.

Section 3(d)–(e)

Reporting, oversight, and annual GAO assessment

OMB and the Subcommittee must jointly report to Congress within one year on assessments, pilot outcomes, and cost data; separately, the Comptroller General must begin annual progress assessments using the bill’s four‑stage performance framework. Those reporting lines create recurring oversight and a standard metric set for comparing agency readiness, which will be useful for committees, appropriators, and agency CIOs seeking to justify budgets or prioritize system workstreams.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Federal agencies that operate high‑impact systems — receive a federal performance framework and pilot experience to prioritize resource allocation and procurement for PQC.
  • NIST and standards bodies — gain a clear federal mandate to supply testable standards and definitional thresholds, reinforcing their role as technical arbiters.
  • Critical infrastructure operators and sector risk management agencies — benefit from early federal guidance and a pilot that surfaces integration issues before large‑scale rollout.
  • Security vendors and PQC solution providers — get a near‑term federal market signal and pilot opportunities to demonstrate products and interoperability.
  • Congress and oversight entities — obtain standardized reporting and annual GAO assessments to monitor migration progress and budget requests.

Who Bears the Cost

  • Federal agencies (CIOs and IT departments) — must inventory systems, plan migrations, and implement PQC controls without new appropriations specified in the bill.
  • Sector risk management agencies — face the statutory obligation to upgrade a high‑impact system by a fixed date, which may require reallocation of existing resources.
  • Office of Electronic Government and OMB — incur additional verification and advisory workloads to vet agency cost estimates and identify funding needs.
  • Vendors and integrators — will need to invest in PQC development, testing, and backward‑compatibility work to meet federal standards and pilot requirements.
  • Taxpayers — potential indirect costs if Congress ultimately funds broad migration after agencies identify significant budget shortfalls.

Key Issues

The Core Tension

The central dilemma is urgency versus practicality: policymakers want to act swiftly to mitigate potential quantum compromises, but moving too fast imposes real operational and fiscal costs—and without clear funding or an unambiguous technical threshold, the federal government risks either overreacting with costly, fragmented upgrades or underreacting and leaving sensitive systems vulnerable.

The bill is primarily diagnostic and procedural: it mandates definitions, standards, pilots, cost surveys, and reporting, but it does not appropriate funds or create enforceable, agency‑wide migration deadlines beyond the single‑system pilot. That design raises a practical implementation question—agencies may identify urgent needs and costs but lack the appropriations or procurement flexibility to act, turning the statute into a roadmap without the fuel to execute large‑scale migration.

Another unresolved challenge is the specification of a “cryptographically relevant quantum computer.” Translating quantum research benchmarks into a legally and operationally useful threshold is both technically fraught and politically sensitive: set the bar too low and the government triggers costly migrations prematurely; set it too high and agencies leave systems exposed. Additionally, the pilot deadline and the requirement that each sector risk management agency migrate one high‑impact system risk uneven outcomes: agencies with mature IT and procurement pipelines can comply, while smaller or underfunded agencies may struggle, producing non‑comparable pilot results.

Finally, the bill’s reliance on existing definitions (FIPS 199, critical infrastructure statutes) helps standardize assessments but may also constrain flexibility—some systems with long‑lived confidentiality requirements might not neatly fit into current categories, yet still merit accelerated migration. The absence of procurement guidance for backwards compatibility and interoperability across vendor implementations creates additional operational risk for agencies attempting to protect both data at rest and data in motion during a multi‑year transition.
