The Quantum Readiness and Innovation Act of 2025 directs the Director of the National Institute of Standards and Technology (NIST), with help from the Office of Science and Technology Policy (OSTP), to develop guidance for upgrading information systems to post-quantum cryptography. The guidance must be tailored for critical infrastructure sectors and disseminated to relevant private-sector entities.
The bill also requires a National Quantum Cybersecurity Upgrade Strategy within 360 days and creates a voluntary pilot program to spur upgrades among high-risk entities, with periodic reporting to Congress.
At a Glance
What It Does
Not later than 180 days after enactment, NIST must establish guidance for upgrading systems to post-quantum cryptography, including standards and selection criteria for procuring and deploying PQC solutions—tailored for critical infrastructure.
Who It Affects
Federal agencies, sector risk management agencies, and private entities operating high‑impact or critical infrastructure systems that will adopt PQC solutions; standards bodies and system integrators supporting those upgrades.
Why It Matters
Sets a coordinated, measurable path to defend against quantum-enabled threats, defines procurement expectations, and builds industry readiness through a federal strategy and a voluntary pilot.
What This Bill Actually Does
The bill creates a two-pronged, government-led path to moving U.S. information systems to post-quantum cryptography. First, it requires NIST to draft practical guidance on how to upgrade systems, including the standards to use and how to choose and deploy quantum-resistant technologies.
This guidance must be published and shared with private-sector entities, and NIST can do this via Special Publications. The guidance is explicitly tailored for critical infrastructure sectors, acknowledging that some sectors are more exposed to risk if cryptography is compromised.
Second, the bill directs the OSTP and NIST to develop a National Quantum Cybersecurity Upgrade Strategy within a year, defining what counts as a cryptographically relevant quantum computer and how federal agencies should assess urgency. It also sets performance measures for upgrades and requires a voluntary pilot program to help high-risk entities plan and execute PQC upgrades, with reporting to Congress on progress.
The approach emphasizes collaboration with industry groups like the Quantum Economic Development Consortium to align technical work with practical deployment.
The Five Things You Need to Know
NIST must publish PQC upgrade guidance within 180 days.
Guidance must include procurement standards and deployment criteria.
OSTP/NIST must deliver a National Quantum Cybersecurity Upgrade Strategy within 360 days.
A voluntary pilot program for high-risk entities is established to upgrade at least one high‑impact system within 18 months of program start.
Pilot participants must report back to Congress with timelines, actions, and support received.
Section-by-Section Breakdown
Definitions
This section defines key terms used throughout the bill, including “appropriate congressional committees,” “classical computer” and “quantum computer,” “critical infrastructure sectors,” “high-impact system,” “post-quantum cryptography,” and “sector risk management agency.” The definitions anchor what counts as a covered entity, the scope of the upgrade effort, and the types of cryptographic standards referenced (e.g., FIPS and related standards, zero-trust architecture references).
Guidance on Upgrading to Post-Quantum Cryptography
Section 3 requires the NIST Director, within 180 days of enactment, to establish guidance for upgrading information systems to post-quantum cryptography, with a focus on critical infrastructure. The guidance must include standards and selection criteria to guide procurement and deployment of PQC solutions, and it may be disseminated via Special Publications. The section also calls for coordination with industry representatives (e.g., QEDC) to assist in assessments of adoption and to provide technical support, test beds, and interoperability frameworks as requested.
Dissemination and Coordination of Guidance
This subsection details how the guidance will be shared with the private sector and how industry-led assessments will be supported. It envisions collaboration between NIST, the QEDC, and participating entities, including the provision of test environments and interoperability frameworks to facilitate real-world evaluation of PQC deployments.
National Quantum Cybersecurity Upgrade Strategy
Section 4 tasks OSTP and NIST, in coordination with QEDC, with developing a nationwide strategy within 360 days. The strategy must define a cryptographically relevant quantum computer, set criteria for when upgrades are urgent, and establish performance measures for steps like data protection (at rest and in motion) and hardware/software upgrades to PQC. It also requires a plan to monitor and evaluate upgrade progress and security.
Pilot Program for Covered Entities
A voluntary pilot program is created to assist high-risk entities in upgrading to PQC. Covered entities include sector risk management agencies, federal agencies, or mission partners. Not later than 18 months after the program begins, at least one high-impact system must be upgraded under the program, with potential expansion to additional systems once approved by the head of the entity and the program administrator. The pilot includes reporting requirements to Congress.
Congressional Reporting
For each participating entity, the Director must submit an initial report within 180 days after the first upgrade and annual updates thereafter. Reports describe actions taken, technical and planning support provided, and progress toward broader adoption.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal agency CIOs and IT security teams who will gain structured guidance and standardized upgrade pathways.
- Owners and operators of critical infrastructure sectors (e.g., energy, finance, healthcare) who will receive tailored PQC upgrade guidance.
- Sector risk management agencies (e.g., CISA) and their partners collaborating on risk-based upgrades.
- NIST, OSTP, and QEDC members coordinating standards, pilot programs, and assessments.
- PQC solution vendors and system integrators that will align products with defined standards and processes.
Who Bears the Cost
- Agency IT budgets and compliance teams will incur upgrade costs and ongoing maintenance.
- High-impact systems and their operators face implementation costs, testing, and potential operational risk during migration.
- Vendors and consultants delivering PQC solutions will bear sales, integration, and support costs.
- Staff training, process changes, and potential temporary service interruptions during upgrades.
- Public sector overhead for pilot reporting and program administration.
Key Issues
The Core Tension
The central dilemma is whether to accelerate broad, mandatory modernization of federal and critical infrastructure systems now or to pursue a measured, voluntary pilot-driven path that could delay widespread adoption. This tension pits the need for rapid risk reduction against the costs, complexity, and operational risk of upgrading diverse systems with emerging standards and evolving quantum threats.
The bill creates a coordinated, government-wide pathway to post-quantum readiness, but real-world success depends on cross‑agency alignment, timely production of standards, and sufficient funding. A key challenge is translating high-level guidance into concrete procurement and deployment actions across diverse sectors with varying risk profiles.
The reliance on a pilot program for voluntary participation raises questions about coverage and impact, and the plan hinges on evolving definitions (such as what constitutes a cryptographically relevant quantum computer) and how quickly federal agencies will evaluate urgency. The approach also presumes the existence of interoperable standards and effective industry collaboration, which will require ongoing governance and funding beyond initial enactment.