In December, we covered the run-up to the signing into law of the Quantum Cybersecurity Preparedness Act. The actual signing was in late December and was included in the OODA Loop News Brief on December 28th. Following are details from the news item with coverage of the signing into law of the seminal legislation, characterized as the “The Greatest Cryptographic Migration in History.”
President Biden Signs Quantum Cybersecurity Preparedness Act into Law
“U.S. President Joe Biden has signed the Quantum Computing Cybersecurity Preparedness Act into law [on December 21, 2022].
The law is designed to secure the federal government systems and data against the threat of quantum-enabled data breaches, ahead of ‘Q Day’ – the point at which quantum computers are able to break existing cryptographic algorithms. Experts believe quantum computing will advance to this stage in the next five to 10 years, potentially leaving all digital information vulnerable to cyber-threat actors under current encryption protocols. The bi-partisan Act, which was co-sponsored by Senators Rob Portman (R-OH) and Maggie Hassan (D-NH), sets out a number of obligations on federal agencies to prepare their migration to quantum-secure cryptography.
This includes a requirement for each agency to establish and maintain a current inventory of information technology in use that is vulnerable to decryption by quantum computers. They must also create a process for evaluating progress on migrating IT systems to post-quantum cryptography. These requirements must be completed within six months of the law being enacted.
Additionally, within one year of the National Institute of Standards and Technology (NIST) issuing post-quantum cryptography standards, the Office of Management and Budget (OMB) will publish guidance requiring federal agencies to prioritize IT systems for migration to post-quantum cryptography. The agencies will then have to develop a plan for the migration. In July 2022, NIST selected four encryption algorithms to become part of its post-quantum cryptographic standard, which should be finalized in around 18 months.
The provisions apply to all federal agencies except national security systems, which are exempt.
The OMB has another important role under the Act. Within 15 months of the law coming into effect, it must create a strategy to manage the risk posed by quantum encryption, along with a report on the funding that executive agencies need to protect themselves.
The body will also be obliged to send an annual report to Congress that includes a strategy on how to address post-quantum cryptography risks, the funding that might be necessary and an analysis on whole-of-government coordination and migration to post-quantum cryptography standards and information technology.
Commenting, co-sponsor of the Act Senator Hassan said: ‘To strengthen our national security, it is essential that we address potential vulnerabilities in our cybersecurity systems, including new threats presented by quantum computing.’
‘This law will help ensure that our federal government is ready to defend our country against data breaches that could be exploited by quantum computing. I was glad to work with members of both parties to get this law across the finish line, and I will continue working to strengthen our county’s cyber defenses.’
A reminder about the upcoming event for OODA Network Members: