In the final days of 2022, President Biden signed into law the “Quantum Computing Cybersecurity Preparedness Act”. The Act recognizes that current encryption protocols used by the federal government might one day be vulnerable to compromise as a result of quantum computing, which could allow adversaries of the United States to steal sensitive encrypted data. To address these concerns, the Act will require an inventory and prioritization of vulnerable information technology in use by federal agencies; a plan to migrate existing information technology systems; and reports to Congress on the progress of the migration and funding required.
Inventory and Prioritization. Within six months, the Act requires the Director of the Office of Management and Budget (“OMB”), together with the National Cyber Director and Director of the Cybersecurity and Infrastructure Security Agency (“CISA”), to issue guidance for agencies to inventory and develop a plan to prioritize information systems for migration to post-quantum cryptography:
- Inventory of Vulnerable Systems Guidance: The Act will require that the guidance that a requirement for agencies to establish and maintain a current inventory of information technology in use by the agency that is vulnerable to decryption by quantum computers.
- Priority Systems for Migration Guidance: This guidance must also include a description of information technology that should be prioritized for migration to post-quantum cryptography and a process for evaluating progress on the migration of those systems. The Act defines post-quantum cryptography as “those cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by either a quantum computer or classical computer.”
Migration of Agency Information Technology Systems. Not later than one year after the Director of the National Institute of Standards and Technology (“NIST”) has issued guidance on post-quantum cryptography standards, the Director of the OMB must issue additional guidance requiring each agency to (1) prioritize information technology systems for migration and (2) develop a plan for migration. The Director of OMB is required by the Act to ensure that prioritization is assessed and coordinated for interoperability.
Reports to Congress. No later than 15 months after enactment of this Act, the Director of OMB must submit a report to Congress on a strategy to address risk posed by vulnerabilities of information technology systems; an estimate of the amount of funding needed by agencies to secure vulnerable information technology; and a description of efforts to develop standards for post-quantum cryptography by NIST.
We will continue to monitor these and other quantum computing related developments.