Quantum Readiness and Innovation Act of 2025
- Bill Number
- S. 3312
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 1
- Policy Area
- Science, Technology, Communications
- Status
- Introduced
- Latest Action
- 2025-12-02: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- Last Updated
- 2026-01-06T18:57:35Z
AI-Generated Summary
Purpose
The Quantum Readiness and Innovation Act of 2025 aims to prepare U.S. information systems for emerging threats from quantum computers by requiring the development of guidance and strategies to transition to post-quantum cryptography. Post-quantum cryptography refers to encryption methods designed to resist attacks from both quantum computers (which use quantum bits for faster computations) and traditional classical computers. The act focuses on protecting sensitive federal systems and critical infrastructure, such as energy, transportation, and finance sectors, from potential future quantum-based cyber threats.
Key Provisions
- Definitions (Section 2): Establishes clear terms, including:
- "Appropriate congressional committees" (Senate Commerce, Science, and Transportation Committee; House Energy and Commerce Committee).
- "Classical computer" and "quantum computer" (referencing existing law on quantum computing cybersecurity).
- "Critical infrastructure sectors" (key areas like water, healthcare, and communications, as defined in a 2024 national security memo).
- "High-impact system" (federal systems with sensitive data where a breach would cause severe harm, per federal security standards).
- "Post-quantum cryptography" (secure algorithms not vulnerable to quantum attacks, including specific NIST standards like lattice-based signatures and key encapsulation, plus zero-trust architecture for enhanced security).
- "Sector risk management agency" (federal agencies overseeing specific critical infrastructure sectors).
- Guidance on Upgrading to Post-Quantum Cryptography (Section 3):
- Within 180 days of enactment, the Director of the National Institute of Standards and Technology (NIST), in consultation with the Office of Science and Technology Policy (OSTP), must create guidance for upgrading systems to post-quantum cryptography, with tailored advice for critical infrastructure.
- The guidance includes standards and criteria for buying and deploying commercial solutions.
- NIST must share this guidance with private sector entities, possibly via special publications.
- NIST will collaborate with industry groups, like the Quantum Economic Development Consortium, on voluntary assessments of adoption, providing technical support, test environments, and coordination as needed.
- Strategy for Federal Agency Upgrades (Section 4):
- Within 360 days of enactment, OSTP, coordinating with NIST and consulting the Quantum Economic Development Consortium, must develop a National Quantum Cybersecurity Upgrade Strategy covering:
- Definition of a "cryptographically relevant quantum computer" (one capable of breaking current encryption).
- Standards to identify such computers, including their capabilities and threat thresholds.
- Guidelines for agencies to assess upgrade urgency based on their critical functions and quantum risks.
- Performance measures for tasks like preparing hardware/software, inventorying data (using automated tools), planning upgrades to protect data at rest (stored) and in motion (transmitted), and monitoring success.
- An implementation plan focusing on high-risk entities, including sector risk management agencies.
- OSTP must launch a voluntary pilot program within 360 days to help "covered entities" (sector risk management agencies, federal agencies, or their mission partners) upgrade systems, prioritizing high-risk ones.
- Requirements: Within 18 months of program start, at least one high-impact system per participant must be upgraded; additional systems can follow with notification.
- Reports: Initial report 180 days after first upgrade, plus annual updates to congressional committees, detailing actions and support provided.
- OSTP must submit the full strategy and pilot program description to congressional committees within 360 days.
Significant Changes to Existing Law
This act builds on prior laws like the Quantum Computing Cybersecurity Preparedness Act (2022) and incorporates existing NIST standards (e.g., Federal Information Processing Standards or FIPS for cryptography). It introduces new mandates not previously required, such as:
- Specific timelines for NIST guidance (180 days) and OSTP strategy/pilot (360 days).
- A national strategy defining quantum threats and performance metrics for upgrades.
- A pilot program for practical implementation, including reporting requirements.
No direct amendments to existing statutes are made; instead, it creates fresh requirements to address evolving quantum risks, referencing but not altering standards like FIPS 199 (security categorization) or NIST Special Publication 800-207 (zero-trust architecture).
Potential Impacts
- On Government Agencies: Federal agencies, especially those managing high-impact systems or critical infrastructure, will face new planning and upgrade obligations, potentially increasing costs for technology procurement and training but enhancing cybersecurity resilience against future quantum attacks. The pilot program could accelerate adoption through shared resources.
- On Citizens: Indirect benefits include stronger protection of personal data in government and critical systems (e.g., financial records, health information), reducing risks of large-scale breaches from advanced computing threats.
- On International Relations: The act could position the U.S. as a leader in global quantum cybersecurity standards, influencing allies and international bodies, but it focuses domestically without direct foreign policy elements. It may encourage private sector exports of U.S. post-quantum technologies.
Main Stakeholders Affected
- Federal Agencies and Officials: NIST (leads guidance development), OSTP (oversees strategy and pilot), and sector risk management agencies (e.g., Department of Homeland Security for overall coordination, or Energy for power grids) must implement upgrades and report progress.
- Private Sector: Critical infrastructure owners/operators (e.g., utilities, banks) and tech companies benefit from guidance and assessments; the Quantum Economic Development Consortium facilitates industry input.
- Congressional Committees: Senate Commerce, Science, and Transportation; House Energy and Commerce—receive reports and oversee implementation.
- Broader Public: Citizens relying on secure systems, though impacts are mostly indirect through improved national security.
Notable Legal, Constitutional, or Political Implications
- Legal Implications: The act enforces cybersecurity through administrative guidance and voluntary pilots, avoiding mandates that could face legal challenges. It aligns with existing federal authority under laws like the Homeland Security Act, emphasizing standards over regulation. Compliance with NIST standards ensures interoperability without creating new liabilities, but agencies may need to update procurement rules.
- Constitutional Implications: No apparent conflicts; it supports the government's role in national security (Article I, Section 8) and commerce regulation, without infringing on individual rights. Data inventory requirements could raise minor privacy concerns under the Fourth Amendment, but they focus on federal systems and use established standards.
- Political Implications: Bipartisan sponsorship (Senators Peters and Blackburn) suggests broad support for tech innovation and security. It promotes public-private collaboration, potentially fostering economic growth in quantum tech, but could spark debates on funding priorities amid budget constraints. The 2025 introduction reflects urgency in addressing quantum advancements, possibly influencing future appropriations for NIST and OSTP.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (1)
Recent Actions
- 2025-12-02: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- 2025-12-02: Introduced in Senate
Bill Versions
- Quantum Readiness and Innovation Act of 2025 — issued 2025-12-02 — PDF (11 pages)