View all text of Subchapter II [§ 1521 - § 1526]
§ 1526. Inventory of cryptographic systems; migration to post-quantum cryptography
(a) Inventory
(1) Establishment
Not later than 180 days after December 21, 2022, the Director of OMB, in coordination with the National Cyber Director and in consultation with the Director of CISA, shall issue guidance on the migration of information technology to post-quantum cryptography, which shall include at a minimum—
(A) a requirement for each agency to establish and maintain a current inventory of information technology in use by the agency that is vulnerable to decryption by quantum computers, prioritized using the criteria described in subparagraph (B);
(B) criteria to allow agencies to prioritize their inventory efforts; and
(C) a description of the information required to be reported pursuant to subsection (b).
(2) Additional span in guidance
In the guidance established by paragraph (1), the Director of OMB shall include, in addition to the requirements described in that paragraph—
(A) a description of information technology to be prioritized for migration to post-quantum cryptography; and
(B) a process for evaluating progress on migrating information technology to post-quantum cryptography, which shall be automated to the greatest extent practicable.
(3) Periodic updates
(b) Agency reports
Not later than 1 year after December 21, 2022, and on an ongoing basis thereafter, the head of each agency shall provide to the Director of OMB, the Director of CISA, and the National Cyber Director—
(1) the inventory described in subsection (a)(1); and
(2) any other information required to be reported under subsection (a)(1)(C).
(c) Migration and assessment
Not later than 1 year after the date on which the Director of NIST has issued post-quantum cryptography standards, the Director of OMB shall issue guidance requiring each agency to—
(1) prioritize information technology described under subsection (a)(2)(A) for migration to post-quantum cryptography; and
(2) develop a plan to migrate information technology of the agency to post-quantum cryptography consistent with the prioritization under paragraph (1).
(d) Interoperability
(e) Office of Management and Budget reports
(1) Report on post-quantum cryptography
Not later than 15 months after December 21, 2022, the Director of OMB, in coordination with the National Cyber Director and in consultation with the Director of CISA, shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a report on the following:
(A) A strategy to address the risk posed by the vulnerabilities of information technology of agencies to weakened encryption due to the potential and possible capability of a quantum computer to breach that encryption.
(B) An estimate of the amount of funding needed by agencies to secure the information technology described in subsection (a)(1)(A) from the risk posed by an adversary of the United States using a quantum computer to breach the encryption of the information technology.
(C) A description of Federal civilian executive branch coordination efforts led by the National Institute of Standards and Technology, including timelines, to develop standards for post-quantum cryptography, including any Federal Information Processing Standards developed under chapter 35 of title 44, as well as standards developed through voluntary, consensus standards bodies such as the International Organization for Standardization.
(2) Report on migration to post-quantum cryptography in information technology
(Pub. L. 117–260, § 4, Dec. 21, 2022, 136 Stat. 2390.)