Industry News

Quantum Cybersecurity Migration Act: U.S. Senate Ramps Up Push for Post-Quantum Readiness

On July 31, 2025, U.S. Senators Gary Peters (D-Mich.) and Marsha Blackburn (R-Tenn.) introduced the National Quantum Cybersecurity Migration Strategy Act, a bipartisan bill to ensure the federal government prepares for encryption-breaking quantum computers. The legislation directs a White House office to develop a comprehensive national strategy for post-quantum cybersecurity, and it mandates that federal agencies kick off pilot programs deploying quantum-safe encryption. The goal is to get ahead of “rapidly advancing quantum computers” that could one day bypass modern encryption and leave sensitive data exposed. Peters emphasized that it’s “critical that the federal government be prepared for any threat posed by quantum computing,” noting his bill would help “protect Americans’ personal data” by ensuring a proactive migration strategy. Blackburn added that the act “would ensure the federal government creates a road map to protect sensitive data and national security from emerging data security threats fueled by quantum computing”.

This proposed law builds on earlier U.S. initiatives – one law focused on boosting U.S. quantum R&D, and another (the 2022 Quantum Computing Cybersecurity Preparedness Act) directing agencies to begin adopting post-quantum cryptography in IT systems. Now, the Quantum Cybersecurity Migration Act seeks to accelerate and coordinate these efforts. In particular, the bill would:

  • Develop a National Quantum Security Strategy: Charge the White House (via the ESIX committee) with drafting a government-wide roadmap for migrating to quantum-resistant encryption.
  • Assess and Measure Agency Readiness: Require an evaluation of each federal agency’s need to transition to post-quantum cryptography, along with metrics to track progress in that migration. This ensures accountability in upgrading legacy encryption across the government.
  • Launch Post-Quantum Pilot Projects: Establish pilot programs that mandate tangible action. For example, each Sector Risk Management Agency – the lead federal agencies overseeing the 16 critical infrastructure sectors – would have to upgrade at least one high-impact system to post-quantum cryptography by early 2027. This creates real deadlines to start swapping out vulnerable encryption in vital systems (energy, finance, defense, etc.) within the next two years.

The impetus for this legislation is the looming threat of cryptographically adept quantum computers – and the knowledge that adversaries might steal encrypted data now to decrypt later once those quantum capabilities arrive.

Another driving factor is international competition. U.S. officials and experts have voiced concern about falling behind China and other rivals in the quantum computing race. Quantum industry leaders at a May congressional hearing likewise pressed Congress to expand support for quantum security initiatives, highlighting that American leadership in this domain is a national security imperative. By directing a coordinated strategy and concrete deadlines, the Senate’s quantum cybersecurity bill aims to ensure the U.S. public sector moves out of first gear and keeps pace with both the threat and what other governments are doing. (Notably, Canada just launched a federal roadmap for post-quantum cryptography in June 2025, and the EU unveiled a plan to transition Europe’s digital infrastructure to PQC by 2030. The global momentum toward quantum readiness is building.)

My Take

It’s heartening to see bipartisan attention on quantum cybersecurity at the highest levels. For years, those of us in the tech security community have been beating the drum about the quantum threat, and now Washington is listening. This Senate bill is a welcome and necessary push. In fact, it directly answers recent calls by experts and watchdogs for stronger leadership on this issue – for example, a June 2025 U.S. Government Accountability Office report urged “strong federal leadership, workforce development, [and] investment in post-quantum readiness” as keys to preparing for quantum risks. I wholeheartedly agree, and it’s validating to see lawmakers taking this seriously. A comprehensive national strategy and mandated action timeline are exactly what’s needed to jump-start quantum readiness across federal agencies. The urgency behind this initiative is fully justified: as I often say, the quantum threat isn’t some distant meteor we can watch from afar – it’s more like a storm forming on the horizon, and we ignore the warnings at our peril. Every expert testimony and report lately (from the GAO to industry panels) has repeated the same refrain: start preparing now. This legislation embraces that mantra, demanding proactive steps rather than complacency.

Frankly, a policy-driven nudge is crucial because the broader industry still hasn’t woken up to the scope of the quantum risk. Government mandates can set an example and create ripple effects. Left to their own devices, many organizations would likely procrastinate on upgrading cryptography until quantum computers are actually cracking passwords – which by then could be too late. The sobering reality is that awareness and preparedness in the private sector remain very low. A recent global poll found that while 62% of tech professionals worry about quantum breaking encryption, only 5% say their company treats it as a high-priority concern, and a mere 5% have a quantum security roadmap in place. Incredibly, 40% of respondents aren’t even aware of any quantum readiness plans at their organization, and 41% say there are no plans at all yet. Even with NIST having selected new quantum-resistant encryption standards last year, nearly half of professionals surveyed had never heard of these standards! These numbers are alarming – they paint a picture of an industry largely in denial or asleep at the wheel. This is why gentle recommendations alone won’t cut it; we need mandates, funding, and yes, legislation to jolt organizations into action. Federal agencies moving forward under a law like this can lead by example and also pressure vendors and critical infrastructure operators to follow suit. It creates an incentive for the market to start baking in post-quantum cryptography knowing that government contracts and regulations will increasingly require it.

Another point I strongly agree with is the bill’s insistence on starting now and not waiting for the mythical day when a quantum computer is in hand. We don’t know if “Q-Day” (when a quantum computer can break RSA/ECC) is 5 years away or 15 – predictions vary widely – but acting as if it could be sooner than expected is just smart risk management. Every expert who actually studies this threat will tell you that the safe assumption is sooner, not later, especially given the “harvest now, decrypt later” threat to today’s data. The cost of over-preparing early (by upgrading crypto in advance) is far lower than the cost of reacting too late after a catastrophic breach of our classical encryption. In that sense, I applaud the bill’s requirement that critical infrastructure pilots be completed by 2027 – it sets a tangible short-term deadline. Government timelines can often span decades; here, the message is that within the next ~24 months, we need to see real quantum-resistant systems in the wild. That is the kind of urgency that’s been missing and now feels much more real.

In the end, preparing for the quantum era is a massive challenge – arguably one of the biggest cybersecurity upheavals in decades – but seeing lawmakers, government agencies, and industry starting to align on this gives me optimism. Legislation like the Quantum Cybersecurity Migration Act is a critical piece of the puzzle. It creates accountability and urgency from the top down. Coupled with continued innovation from the tech community (e.g. developing efficient post-quantum algorithms and tools) and awareness efforts, this top-level push can help ensure that when the day comes that quantum code-breakers arrive, our secrets will stay secret. I often say “crypto-agility” – the ability to rapidly switch out algorithms – is the new must-have capability. This bill essentially forces crypto-agility onto the federal agenda, and by extension, will encourage others to get on board.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.
Share via
Copy link
Powered by Social Snap