[Congressional Record Volume 168, Number 192 (Monday, December 12, 2022)]
[House]
[Pages H9659-H9661]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




            QUANTUM COMPUTING CYBERSECURITY PREPAREDNESS ACT

  Ms. NORTON. Madam Speaker, I move to suspend the rules and concur in 
the Senate amendment to the bill (H.R. 7535) to encourage the migration 
of Federal Government information technology systems to quantum-
resistant cryptography, and for other purposes.
  The Clerk read the title of the bill.
  The text of the Senate amendment is as follows:
  Senate amendment:

       Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Quantum Computing 
     Cybersecurity Preparedness Act''.

     SEC. 2. FINDINGS; SENSE OF CONGRESS.

       (a) Findings.--Congress finds the following:
       (1) Cryptography is essential for the national security of 
     the United States and the functioning of the economy of the 
     United States.
       (2) The most widespread encryption protocols today rely on 
     computational limits of classical computers to provide 
     cybersecurity.
       (3) Quantum computers might one day have the ability to 
     push computational boundaries, allowing us to solve problems 
     that have been intractable thus far, such as integer 
     factorization, which is important for encryption.
       (4) The rapid progress of quantum computing suggests the 
     potential for adversaries of the United States to steal 
     sensitive encrypted data today using classical computers, and 
     wait until sufficiently powerful quantum systems are 
     available to decrypt it.
       (b) Sense of Congress.--It is the sense of Congress that--
       (1) a strategy for the migration of information technology 
     of the Federal Government to post-quantum cryptography is 
     needed; and
       (2) the governmentwide and industrywide approach to post-
     quantum cryptography should prioritize developing 
     applications, hardware intellectual property, and software 
     that can be easily updated to support cryptographic agility.

     SEC. 3. DEFINITIONS.

       In this Act:
       (1) Agency .--The term ``agency''--
       (A) means any executive department, military department, 
     Government corporation, Government controlled corporation, or 
     other establishment in the executive branch of the Government 
     (including the Executive Office of the President), or any 
     independent regulatory agency; and
       (B) does not include--
       (i) the Government Accountability Office; or
       (ii) the governments of the District of Columbia and of the 
     territories and possessions of the United States, and their 
     various subdivisions.
       (2) Classical computer.--The term ``classical computer'' 
     means a device that accepts digital data and manipulates the 
     information based on a program or sequence of instructions 
     for how data is to be processed and encodes information in 
     binary bits that can either be 0s or 1s.
       (3) Director of cisa.--The term ``Director of CISA'' means 
     the Director of the Cybersecurity and Infrastructure Security 
     Agency.
       (4) Director of nist.--The term ``Director of NIST'' means 
     the Director of the National Institute of Standards and 
     Technology.
       (5) Director of omb.--The term ``Director of OMB'' means 
     the Director of the Office of Management and Budget.
       (6) Information technology.--The term ``information 
     technology'' has the meaning given the term in section 3502 
     of title 44, United States Code.
       (7) National security system.--The term ``national security 
     system'' has the meaning given the term in section 3552 of 
     title 44, United States Code.
       (8) Post-quantum cryptography.--The term ``post-quantum 
     cryptography'' means those cryptographic algorithms or 
     methods that are assessed not to be specifically vulnerable 
     to attack by either a quantum computer or classical computer.
       (9) Quantum computer.--The term ``quantum computer'' means 
     a computer that uses the collective properties of quantum 
     states, such as superposition, interference, and 
     entanglement, to perform calculations.

     SEC. 4. INVENTORY OF CRYPTOGRAPHIC SYSTEMS; MIGRATION TO 
                   POST-QUANTUM CRYPTOGRAPHY.

       (a) Inventory.--
       (1) Establishment.--Not later than 180 days after the date 
     of enactment of this Act, the Director of OMB, in 
     coordination with the National Cyber Director and in 
     consultation with the Director of CISA, shall issue guidance 
     on the migration of information technology to post-quantum 
     cryptography, which shall include at a minimum--
       (A) a requirement for each agency to establish and maintain 
     a current inventory of information technology in use by the 
     agency that is vulnerable to decryption by quantum computers, 
     prioritized using the criteria described in subparagraph (B);
       (B) criteria to allow agencies to prioritize their 
     inventory efforts; and
       (C) a description of the information required to be 
     reported pursuant to subsection (b).
       (2) Additional content in guidance.--In the guidance 
     established by paragraph (1), the Director of OMB shall 
     include, in addition to the requirements described in that 
     paragraph--
       (A) a description of information technology to be 
     prioritized for migration to post-quantum cryptography; and
       (B) a process for evaluating progress on migrating 
     information technology to post-quantum cryptography, which 
     shall be automated to the greatest extent practicable.
       (3) Periodic updates.--The Director of OMB shall update the 
     guidance required under paragraph (1) as the Director of OMB 
     determines necessary, in coordination with the National Cyber 
     Director and in consultation with the Director of CISA.
       (b) Agency Reports.--Not later than 1 year after the date 
     of enactment of this Act, and on an ongoing basis thereafter, 
     the head of each

[[Page H9660]]

     agency shall provide to the Director of OMB, the Director of 
     CISA, and the National Cyber Director--
       (1) the inventory described in subsection (a)(1); and
       (2) any other information required to be reported under 
     subsection (a)(1)(C).
       (c) Migration and Assessment.--Not later than 1 year after 
     the date on which the Director of NIST has issued post-
     quantum cryptography standards, the Director of OMB shall 
     issue guidance requiring each agency to--
       (1) prioritize information technology described under 
     subsection (a)(2)(A) for migration to post-quantum 
     cryptography; and
       (2) develop a plan to migrate information technology of the 
     agency to post-quantum cryptography consistent with the 
     prioritization under paragraph (1).
       (d) Interoperability.--The Director of OMB shall ensure 
     that the prioritizations made under subsection (c)(1) are 
     assessed and coordinated to ensure interoperability.
       (e) Office of Management and Budget Reports.--
       (1) Report on post-quantum cryptography.--Not later than 15 
     months after the date of enactment of this Act, the Director 
     of OMB, in coordination with the National Cyber Director and 
     in consultation with the Director of CISA, shall submit to 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate and the Committee on Oversight and Reform of 
     the House of Representatives a report on the following:
       (A) A strategy to address the risk posed by the 
     vulnerabilities of information technology of agencies to 
     weakened encryption due to the potential and possible 
     capability of a quantum computer to breach that encryption.
       (B) An estimate of the amount of funding needed by agencies 
     to secure the information technology described in subsection 
     (a)(1)(A) from the risk posed by an adversary of the United 
     States using a quantum computer to breach the encryption of 
     the information technology.
       (C) A description of Federal civilian executive branch 
     coordination efforts led by the National Institute of 
     Standards and Technology, including timelines, to develop 
     standards for post-quantum cryptography, including any 
     Federal Information Processing Standards developed under 
     chapter 35 of title 44, United States Code, as well as 
     standards developed through voluntary, consensus standards 
     bodies such as the International Organization for 
     Standardization.
       (2) Report on migration to post-quantum cryptography in 
     information technology.--Not later than 1 year after the date 
     on which the Director of OMB issues guidance under subsection 
     (c)(2), and thereafter until the date that is 5 years after 
     the date on which post-quantum cryptographic standards are 
     issued, the Director of OMB, in coordination with the 
     National Cyber Director and in consultation with the Director 
     of CISA, shall submit to the Committee on Homeland Security 
     and Governmental Affairs of the Senate and the Committee on 
     Oversight and Reform of the House of Representatives, with 
     the report submitted pursuant to section 3553(c) of title 44, 
     United States Code, a report on the progress of agencies in 
     adopting post-quantum cryptography standards.

     SEC. 5. EXEMPTION OF NATIONAL SECURITY SYSTEMS.

       This Act shall not apply to any national security system.

     SEC. 6. DETERMINATION OF BUDGETARY EFFECTS.

       The budgetary effects of this Act, for the purpose of 
     complying with the Statutory Pay-As-You-Go Act of 2010, shall 
     be determined by reference to the latest statement titled 
     ``Budgetary Effects of PAYGO Legislation'' for this Act, 
     submitted for printing in the Congressional Record by the 
     Chairman of the House Budget Committee, provided that such 
     statement has been submitted prior to the vote on passage.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
the District of Columbia (Ms. Norton) and the gentlewoman from New 
Mexico (Ms. Herrell) each will control 20 minutes.
  The Chair recognizes the gentlewoman from the District of Columbia 
(Ms. Norton).


                             general leave

  Ms. NORTON. Madam Speaker, I ask unanimous consent that all Members 
have 5 legislative days in which to revise and extend their remarks and 
include extraneous material on the measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from the District of Columbia?
  There was no objection.
  Ms. NORTON. Madam Speaker, I yield myself such time as I may consume.
  Madam Speaker, I strongly support the Quantum Computing Cybersecurity 
Preparedness Act.
  Last year, Congressman Khanna came to me about a grave national 
security threat looming on the horizon.
  Today, the processes we use to encrypt data are very reliable and can 
keep sensitive data secure during storage or transmission. But 
tomorrow, that may no longer be the case.
  Researchers around the world are making rapid advances toward quantum 
computing, which is the application of quantum physics to allow 
computers to perform calculations many magnitudes faster and more 
powerfully than they do today.
  While quantum computers have the potential to provide considerable 
benefits to society, it is also increasingly likely that they could 
allow our adversaries to break the best encryption we are capable of 
today.
  Capabilities of this magnitude are likely still a decade or more in 
the future, but China and other adversaries are expected to begin 
stealing sensitive encrypted data much sooner to unlock it when they 
have the capacity to do so.
  It is essential that the Federal Government prepare for this 
inevitability now, while we still have time to protect data that is 
critical to our national and economic security. The process of 
migrating all Federal IT systems to quantum-resistant cryptography will 
be complex and costly, but we need to start laying the groundwork for 
this today.
  I applaud Mr. Khanna, as well as Ms. Mace, Mr. Connolly, and Senator 
Hassan, for introducing the Senate companion, all of them for putting 
forth a thoughtful, bipartisan bill to establish that very process.
  This bill would require the Office of Management and Budget to 
quickly issue guidance requiring Federal agencies to create and 
maintain inventories of all cryptographic systems currently in use, as 
well as all Federal IT systems that could be vulnerable to future 
quantum computers.
  Within a year, OMB would be required to submit to Congress a strategy 
for addressing the risk posed by quantum computing, allowing time for 
assessment of this strategy before the National Institute of Standards 
and Technology is expected to issue its standards for how to deal with 
quantum computing in 2024.
  The OMB would then be required to issue guidance requiring agencies 
to develop a plan to migrate their IT systems to quantum-resistant 
cryptography using those standards and to consult with the Chief 
Information Officers Council to prioritize agency IT systems for 
migration based on risk.
  The bill before us today provides more concrete direction to support 
this vision, and I urge my colleagues to support it.
  Madam Speaker, I reserve the balance of my time.
  Ms. HERRELL. Madam Speaker, I yield myself such time as I may 
consume.
  Madam Speaker, as we wind down the 117th Congress, I am glad to be 
here supporting final passage of the Quantum Computer Cybersecurity 
Preparedness Act, a bipartisan bill the House sent to the Senate just 
this past July.
  After the Senate made technical, perfecting edits, we are here today 
to consider sending H.R. 7535 to the President.
  As an emerging technology, quantum computing holds great promise and 
potential peril for our Nation.
  While the technology continues to rapidly develop with potential to 
improve computing capabilities for American research in the economy, 
there is a clear risk that foreign adversaries, like China, will be 
using this technology for malicious purposes.
  One such risk is that our foreign adversaries may use the first 
quantum computers to unlock data that has already been stolen from U.S. 
Federal agencies.
  Current data encryption methods are nearly impossible to decrypt with 
today's computing capabilities.
  However, mature quantum computing systems could unlock our most 
sensitive information. This is a clear national security threat.
  The Quantum Computing Cybersecurity Preparedness Act will require a 
government-wide strategy to better secure valuable government data.
  While the Federal Government already has initiatives underway to 
address these emerging threats--such as a recent Presidential national 
security directive--H.R. 7535 makes this a clear congressional 
priority.
  Advancing a strategic approach to evaluating quantum computing risks 
to Federal IT and network cybersecurity is important given the 
significant potential risk to our public-sector data.
  Madam Speaker, I thank my House Oversight Committee colleagues, 
Representatives Ro Khanna and Nancy

[[Page H9661]]

Mace, for their work on this important bill.
  Madam Speaker, I encourage my colleagues to support this bill, and I 
reserve the balance of my time.

                              {time}  1445

  Ms. NORTON. Madam Speaker, I reserve the balance of my time.
  Ms. HERRELL. Madam Speaker, I yield 3 minutes to the gentlewoman from 
South Carolina (Ms. Mace).
  Ms. MACE. Madam Speaker, I rise today in support of the Quantum 
Computing Cybersecurity Preparedness Act.
  I first thank Congressman Ro Khanna and Ranking Member Comer for 
their assistance in helping craft this important legislation. There is 
no doubt Congressman Khanna has been a leader in this Congress on 
cybersecurity measures, coming from a cyber and technology background 
to Congress. Being able to serve with him and put this bill together, 
which is heading to, it looks like, the desk of the President to be 
signed into law, is no small feat.
  Cybersecurity is national security, and today, we are going to vote 
on this bill and send it to the President of the United States to be 
signed into law.
  H.R. 7535 will help future-proof the security of sensitive data and 
information which Federal agencies use in support of their missions.
  Quantum computing might sound like something far and away and very 
far off in the future, but we face the threat of real adversaries 
stealing very sensitive, encrypted information from the Federal 
Government with the hope of unlocking it in the future. That threat is 
here, and that threat is real today.
  In 2020, there were 11 Federal agencies that were hacked by agents of 
Russia and China, so there is no time like the present to put 
legislation like this through.
  We need to strengthen and protect our Nation's systems and keep our 
data secure. Now, we will have the opportunity to see the progress that 
we are making in the Federal Government through this annual report 
through OMB.
  Transitioning to post-quantum cryptography is a necessary step to 
ensure Federal agencies' sensitive information remains secure from 
prying eyes.
  The future of quantum computing brings with it both significant 
opportunities and significant risks, but I am very optimistic about the 
power of quantum computing and the technology advances that we are 
making on this frontier.
  Madam Speaker, I encourage all of my colleagues to vote for this 
measure today, and I look forward to its passage and being signed into 
law.
  Ms. NORTON. Madam Speaker, I reserve the balance of my time.
  Ms. HERRELL. Madam Speaker, I encourage my colleagues to support this 
bipartisan bill that addresses an emerging national security issue, and 
I yield back the balance of my time.
  Ms. NORTON. Madam Speaker, I urge concurrence in the Senate amendment 
to H.R. 7535, and I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from the District of Columbia (Ms. Norton) that the House 
suspend the rules and concur in the Senate amendment to the bill, H.R. 
7535.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. ROSENDALE. Madam Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further 
proceedings on this motion will be postponed.

                          ____________________