[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 7535 Engrossed Amendment Senate (EAS)]

<DOC>
  
  
  
  
  
  
  
  
  
  

                  In the Senate of the United States,

                                                      December 8, 2022.
    Resolved, That the bill from the House of Representatives (H.R. 
7535) entitled ``An Act to encourage the migration of Federal 
Government information technology systems to quantum-resistant 
cryptography, and for other purposes.'', do pass with the following

                               AMENDMENT:

             Strike all after the enacting clause and insert the 
      following:

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Quantum Computing Cybersecurity 
Preparedness Act''.

SEC. 2. FINDINGS; SENSE OF CONGRESS.

    (a) Findings.--Congress finds the following:
            (1) Cryptography is essential for the national security of 
        the United States and the functioning of the economy of the 
        United States.
            (2) The most widespread encryption protocols today rely on 
        computational limits of classical computers to provide 
        cybersecurity.
            (3) Quantum computers might one day have the ability to 
        push computational boundaries, allowing us to solve problems 
        that have been intractable thus far, such as integer 
        factorization, which is important for encryption.
            (4) The rapid progress of quantum computing suggests the 
        potential for adversaries of the United States to steal 
        sensitive encrypted data today using classical computers, and 
        wait until sufficiently powerful quantum systems are available 
        to decrypt it.
    (b) Sense of Congress.--It is the sense of Congress that--
            (1) a strategy for the migration of information technology 
        of the Federal Government to post-quantum cryptography is 
        needed; and
            (2) the governmentwide and industrywide approach to post-
        quantum cryptography should prioritize developing applications, 
        hardware intellectual property, and software that can be easily 
        updated to support cryptographic agility.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Agency .--The term ``agency''--
                    (A) means any executive department, military 
                department, Government corporation, Government 
                controlled corporation, or other establishment in the 
                executive branch of the Government (including the 
                Executive Office of the President), or any independent 
                regulatory agency; and
                    (B) does not include--
                            (i) the Government Accountability Office; 
                        or
                            (ii) the governments of the District of 
                        Columbia and of the territories and possessions 
                        of the United States, and their various 
                        subdivisions.
            (2) Classical computer.--The term ``classical computer'' 
        means a device that accepts digital data and manipulates the 
        information based on a program or sequence of instructions for 
        how data is to be processed and encodes information in binary 
        bits that can either be 0s or 1s.
            (3) Director of cisa.--The term ``Director of CISA'' means 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency.
            (4) Director of nist.--The term ``Director of NIST'' means 
        the Director of the National Institute of Standards and 
        Technology.
            (5) Director of omb.--The term ``Director of OMB'' means 
        the Director of the Office of Management and Budget.
            (6) Information technology.--The term ``information 
        technology'' has the meaning given the term in section 3502 of 
        title 44, United States Code.
            (7) National security system.--The term ``national security 
        system'' has the meaning given the term in section 3552 of 
        title 44, United States Code.
            (8) Post-quantum cryptography.--The term ``post-quantum 
        cryptography'' means those cryptographic algorithms or methods 
        that are assessed not to be specifically vulnerable to attack 
        by either a quantum computer or classical computer.
            (9) Quantum computer.--The term ``quantum computer'' means 
        a computer that uses the collective properties of quantum 
        states, such as superposition, interference, and entanglement, 
        to perform calculations.

SEC. 4. INVENTORY OF CRYPTOGRAPHIC SYSTEMS; MIGRATION TO POST-QUANTUM 
              CRYPTOGRAPHY.

    (a) Inventory.--
            (1) Establishment.--Not later than 180 days after the date 
        of enactment of this Act, the Director of OMB, in coordination 
        with the National Cyber Director and in consultation with the 
        Director of CISA, shall issue guidance on the migration of 
        information technology to post-quantum cryptography, which 
        shall include at a minimum--
                    (A) a requirement for each agency to establish and 
                maintain a current inventory of information technology 
                in use by the agency that is vulnerable to decryption 
                by quantum computers, prioritized using the criteria 
                described in subparagraph (B);
                    (B) criteria to allow agencies to prioritize their 
                inventory efforts; and
                    (C) a description of the information required to be 
                reported pursuant to subsection (b).
            (2) Additional content in guidance.--In the guidance 
        established by paragraph (1), the Director of OMB shall 
        include, in addition to the requirements described in that 
        paragraph--
                    (A) a description of information technology to be 
                prioritized for migration to post-quantum cryptography; 
                and
                    (B) a process for evaluating progress on migrating 
                information technology to post-quantum cryptography, 
                which shall be automated to the greatest extent 
                practicable.
            (3) Periodic updates.--The Director of OMB shall update the 
        guidance required under paragraph (1) as the Director of OMB 
        determines necessary, in coordination with the National Cyber 
        Director and in consultation with the Director of CISA.
    (b) Agency Reports.--Not later than 1 year after the date of 
enactment of this Act, and on an ongoing basis thereafter, the head of 
each agency shall provide to the Director of OMB, the Director of CISA, 
and the National Cyber Director--
            (1) the inventory described in subsection (a)(1); and
            (2) any other information required to be reported under 
        subsection (a)(1)(C).
    (c) Migration and Assessment.--Not later than 1 year after the date 
on which the Director of NIST has issued post-quantum cryptography 
standards, the Director of OMB shall issue guidance requiring each 
agency to--
            (1) prioritize information technology described under 
        subsection (a)(2)(A) for migration to post-quantum 
        cryptography; and
            (2) develop a plan to migrate information technology of the 
        agency to post-quantum cryptography consistent with the 
        prioritization under paragraph (1).
    (d) Interoperability.--The Director of OMB shall ensure that the 
prioritizations made under subsection (c)(1) are assessed and 
coordinated to ensure interoperability.
    (e) Office of Management and Budget Reports.--
            (1) Report on post-quantum cryptography.--Not later than 15 
        months after the date of enactment of this Act, the Director of 
        OMB, in coordination with the National Cyber Director and in 
        consultation with the Director of CISA, shall submit to the 
        Committee on Homeland Security and Governmental Affairs of the 
        Senate and the Committee on Oversight and Reform of the House 
        of Representatives a report on the following:
                    (A) A strategy to address the risk posed by the 
                vulnerabilities of information technology of agencies 
                to weakened encryption due to the potential and 
                possible capability of a quantum computer to breach 
                that encryption.
                    (B) An estimate of the amount of funding needed by 
                agencies to secure the information technology described 
                in subsection (a)(1)(A) from the risk posed by an 
                adversary of the United States using a quantum computer 
                to breach the encryption of the information technology.
                    (C) A description of Federal civilian executive 
                branch coordination efforts led by the National 
                Institute of Standards and Technology, including 
                timelines, to develop standards for post-quantum 
                cryptography, including any Federal Information 
                Processing Standards developed under chapter 35 of 
                title 44, United States Code, as well as standards 
                developed through voluntary, consensus standards bodies 
                such as the International Organization for 
                Standardization.
            (2) Report on migration to post-quantum cryptography in 
        information technology.--Not later than 1 year after the date 
        on which the Director of OMB issues guidance under subsection 
        (c)(2), and thereafter until the date that is 5 years after the 
        date on which post-quantum cryptographic standards are issued, 
        the Director of OMB, in coordination with the National Cyber 
        Director and in consultation with the Director of CISA, shall 
        submit to the Committee on Homeland Security and Governmental 
        Affairs of the Senate and the Committee on Oversight and Reform 
        of the House of Representatives, with the report submitted 
        pursuant to section 3553(c) of title 44, United States Code, a 
        report on the progress of agencies in adopting post-quantum 
        cryptography standards.

SEC. 5. EXEMPTION OF NATIONAL SECURITY SYSTEMS.

    This Act shall not apply to any national security system.

SEC. 6. DETERMINATION OF BUDGETARY EFFECTS.

    The budgetary effects of this Act, for the purpose of complying 
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by 
reference to the latest statement titled ``Budgetary Effects of PAYGO 
Legislation'' for this Act, submitted for printing in the Congressional 
Record by the Chairman of the House Budget Committee, provided that 
such statement has been submitted prior to the vote on passage.

            Attest:

                                                             Secretary.
117th CONGRESS

  2d Session

                               H.R. 7535

_______________________________________________________________________

                               AMENDMENT