[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4592 Introduced in Senate (IS)]

117th CONGRESS
  2d Session
                                S. 4592

To encourage the migration of Federal Government information technology 
   systems to quantum-resistant cryptography, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 21, 2022

Ms. Hassan (for herself and Mr. Portman) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
To encourage the migration of Federal Government information technology 
   systems to quantum-resistant cryptography, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Quantum Computing Cybersecurity 
Preparedness Act''.

SEC. 2. FINDINGS; SENSE OF CONGRESS.

    (a) Findings.--Congress finds the following:
            (1) Cryptography is essential for the national security of 
        the United States and the functioning of the economy of the 
        United States.
            (2) The most widespread encryption protocols today rely on 
        computational limits of classical computers to provide 
        cybersecurity.
            (3) Quantum computers might one day have the ability to 
        push computational boundaries, allowing us to solve problems 
        that have been intractable thus far, such as integer 
        factorization, which is important for encryption.
            (4) The rapid progress of quantum computing suggests the 
        potential for adversaries of the United States to steal 
        sensitive encrypted data today using classical computers, and 
        wait until sufficiently powerful quantum systems are available 
        to decrypt it.
    (b) Sense of Congress.--It is the sense of Congress that--
            (1) a strategy for the migration of information technology 
        systems of the Federal Government to post-quantum cryptography 
        is needed; and
            (2) the governmentwide and industrywide approach to post-
        quantum cryptography should prioritize developing applications, 
        hardware intellectual property, and software that can be easily 
        updated to support cryptographic agility.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Classical computer.--The term ``classical computer'' 
        means a device that accepts digital data and manipulates the 
        information based on a program or sequence of instructions for 
        how data is to be processed and encodes information in binary 
        bits that can either be 0s or 1s.
            (2) Director of CISA.--The term ``Director of CISA'' means 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency.
            (3) Director of NIST.--The term ``Director of NIST'' means 
        the Director of the National Institute of Standards and 
        Technology.
            (4) Director of OMB.--The term ``Director of OMB'' means 
        the Director of the Office of Management and Budget.
            (5) Executive agency.--The term ``executive agency'' has 
        the meaning given the term ``Executive agency'' in section 105 
        of title 5, United States Code.
            (6) Information technology.--The term ``information 
        technology'' has the meaning given the term in section 3502 of 
        title 44, United States Code.
            (7) Post-quantum cryptography.--The term ``post-quantum 
        cryptography'' means a cryptographic system that--
                    (A) is secure against decryption attempts using a 
                quantum computer or classical computer; and
                    (B) can interoperate with existing communications 
                protocols and networks.
            (8) Quantum computer.--The term ``quantum computer'' means 
        a computer that uses the collective properties of quantum 
        states to perform calculations.

SEC. 4. INVENTORY OF CRYPTOGRAPHIC SYSTEMS; MIGRATION TO POST-QUANTUM 
              CRYPTOGRAPHY.

    (a) Inventory.--
            (1) Establishment.--Not later than 180 days after the date 
        of enactment of this Act, the Director of OMB shall establish, 
        by rule or binding guidance, a requirement for each executive 
        agency to establish and maintain an inventory of each 
        cryptographic system in use by the agency.
            (2) Additional content in rule or binding guidance.--In the 
        rule or binding guidance established by paragraph (1), the 
        Director of OMB shall include, in addition to the requirement 
        described under that paragraph--
                    (A) a description of information technology to be 
                prioritized for migration to post-quantum cryptography;
                    (B) a description of the information required to be 
                reported pursuant to subsection (b); and
                    (C) a process for evaluating progress on migrating 
                information technology to post-quantum cryptography, 
                which shall be automated to the greatest extent 
                practicable.
            (3) Periodic updates.--The Director of OMB shall update the 
        rule or binding guidance established by paragraph (1) as the 
        Director determines necessary.
    (b) Agency Reports.--Not later than 1 year after the date of 
enactment of this Act, and on an ongoing basis thereafter, the head of 
each executive agency shall provide to the Director of OMB, the 
Director of CISA, and the National Cyber Director an inventory of all 
information technology in use by the executive agency that is 
vulnerable to decryption by quantum computers, prioritized pursuant to 
the guidance issued under subsection (a)(2).
    (c) Migration and Assessment.--
            (1) Migration to post-quantum cryptography.--Not later than 
        1 year after the date on which the Director of NIST has issued 
        post-quantum cryptography standards, the Director of OMB shall 
        issue guidance requiring each executive agency to develop a 
        plan to migrate information technology of the agency to post-
        quantum cryptography.
            (2) Designation of systems for migration.--Not later than 
        90 days after the date on which the guidance required by 
        paragraph (1) has been issued, the Director of OMB shall issue 
        guidance for agencies to--
                    (A) designate information technology to be migrated 
                to post-quantum cryptography; and
                    (B) prioritize information technology designated 
                under subparagraph (A), on the basis of the amount of 
                risk posed by decryption by quantum computers to that 
                technology, for migration to post-quantum cryptography.
    (d) Interoperability.--The Director of OMB shall ensure that the 
designations and prioritizations made under subsection (c)(2) are 
assessed and coordinated to ensure interoperability.
    (e) Report on Post-Quantum Cryptography.--Not later than 15 months 
after the date of enactment of this Act, the Director of OMB shall 
submit to Congress a report on the following:
            (1) A strategy to address the risk posed by the 
        vulnerabilities of information technology systems of executive 
        agencies to weakened encryption due to the potential and 
        possible capability of a quantum computer to breach that 
        encryption.
            (2) The amount of funding needed by executive agencies to 
        secure the information technology systems described in 
        paragraph (1) from the risk posed by an adversary of the United 
        States using a quantum computer to breach the encryption of 
        information technology systems.
            (3) A description of Federal civilian executive branch 
        coordination efforts led by the National Institute of Standards 
        and Technology, including timelines, to develop standards for 
        post-quantum cryptography, including any Federal Information 
        Processing Standards developed under chapter 35 of title 44, 
        United States Code, as well as standards developed through 
        voluntary, consensus standards bodies such as the International 
        Organization for Standardization.
    (f) Report on Migration to Post-Quantum Cryptography in Information 
Technology Systems.--Not later than 1 year after the date on which the 
Director of OMB issues guidance under subsection (c)(2), and annually 
thereafter until the date that is 5 years after the date on which post-
quantum cryptographic standards are issued, the Director of OMB shall 
submit to Congress, with the report submitted pursuant to section 
3553(c) of title 44, United States Code, a report on the progress of 
executive agencies in adopting post-quantum cryptography standards.

SEC. 5. DETERMINATION OF BUDGETARY EFFECTS.

    The budgetary effects of this Act, for the purpose of complying 
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by 
reference to the latest statement titled ``Budgetary Effects of PAYGO 
Legislation'' for this Act, submitted for printing in the Congressional 
Record by the Chairman of the House Budget Committee, provided that 
such statement has been submitted prior to the vote on passage.