On December 21, 2022, President Joe Biden officially signed H.R.7535, known as the Quantum Computing Cybersecurity Preparedness Act, into law. This legislation urges federal agencies to upgrade their technologies to defend against potential quantum computing threats. The act is a crucial step in the United States’ strategy to enhance its cybersecurity infrastructure in anticipation of advancements in quantum computing, which poses a serious risk to current cryptographic standards.
The law mandates that federal agencies begin transitioning their systems to post-quantum cryptography, which is designed to be secure against both quantum computers and traditional computational threats. This move is part of a broader effort outlined in several key initiatives throughout the past just over a year aimed at bolstering the nation’s quantum resilience:
- State Department Initiatives: Early in the year, on January 19, the State Department released a memorandum demanding that agencies identify and rectify any encryption protocols not aligned with NSA-approved Quantum Resistant Algorithms within six months.
- National Security Memorandum: On May 4, the administration issued National Security Memorandum 10 (NSM-10), promoting leadership in quantum computing while addressing vulnerabilities in cryptographic systems.
- OMB Memorandum: In November, Office of Management and Budget Director Shalanda D. Young issued a directive outlining steps for federal agencies to transition to Post-Quantum Cybersecurity (PQC), including creating a prioritized inventory of cryptographic systems.
- DHS Memorandum on Preparing for Post-Quantum Cryptography: In September 2021 the US Department of Homeland Security issued a memorandum “Preparing for Post-Quantum Security” providing guidance to Component Heads to begin preparing for a transition from current cryptography standards to post-quantum encryption now.
Under the new law, federal agencies have six months to develop and implement a strategy for migrating to quantum-resistant cryptographic technologies. They are also required to maintain an inventory of current IT systems that are susceptible to quantum decryption. This law not only sets the groundwork for substantial cybersecurity reforms but also includes provisions for funding the transition to safeguard the nation’s critical digital infrastructure.
