Sec. 4. Strategy for Federal agency upgrade to post-quantum cryptography
/bill/119/s/3312/is/section-4
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Not later than 360 days after the date of the enactment of this Act, the Director of the Office of Science and Technology Policy, in coordination with the Director of the National Institute of Standards and Technology and in consultation with the Quantum Economic Development Consortium, shall develop a National Quantum Cybersecurity Upgrade Strategy that includes the following:

  A definition of a cryptographically relevant quantum computer.

  Recommended standards to apply to determine whether a quantum computer meets such definition, including—
    the characteristics of such computers; and
    the particular point at which such computers are capable of attacking real world systems that classical computers are unable to attack.

  Guidelines for assessing the urgency of upgrading to post-quantum cryptography for each Federal agency relative to—
    the critical functions of each agency; and
    the risk each agency faces should a cryptographically relevant quantum computer attack a system operated by the agency.

  Recommended performance measures for upgrading to post-quantum cryptography for the following tasks:
    Preparation for upgrading to post-quantum cryptography, including—
      the adoption of hardware integrating quantum-resistant cryptographic algorithms; and
      the deployment of software-only post-quantum cryptography overlays that meet or exceed security standards set forth in the Federal Information Processing Standards issued by the National Institute of Standards and Technology.
    Establishment of a baseline understanding of the data inventory, including through the use of automated tools to identify assets.
    Planning and execution of post-quantum cryptographic solutions, including ensuring that data at rest and in motion is subject to appropriate protections.
    Monitoring and evaluating the success of the upgrade and assessing the security of the system.

  A plan for implementing the above performance measures, including evaluating and monitoring entities that are at high risk of quantum attacks, including sector risk management agencies.
Not later than 360 days after the date of the enactment of this Act, the Director of the Office of Science and Technology Policy shall establish a pilot program to provide planning, technical, and any other support the Director considers appropriate to any covered entity that elects to participate in the program for the purpose of upgrading the systems of such covered entity to post-quantum cryptography.

The Director shall encourage any covered entity that is at high risk of quantum attack to participate in the pilot program established under paragraph (1).

Under the pilot program established under paragraph (1)—
  not later than 18 months after the date of the establishment of the program, not fewer than 1 high-impact system of any covered entity participating in the program shall be upgraded to post-quantum cryptography in accordance with the recommended performance measures described in subsection (a)(4); and
  upon completion of the initial upgrade under subparagraph (A), the head of the covered entity may upgrade—
    1 additional system in accordance with such performance measures; or
    2 or more systems in accordance with such performance measures if the head notifies the Director before initiating such upgrade.
For each covered entity participating in the program established under paragraph (1), the Director, in coordination with the head of such entity, shall submit to the appropriate congressional committees—
  an initial report not later than 180 days after the date on which the initial upgrade is completed under paragraph (3)(A); and
  an updated report annually until such date as the Director considers appropriate.

Each report submitted under subparagraph (A) shall describe—
  the actions of the head of the covered entity in carrying out the program; and
  any planning, technical, or other support that the Director provided to the head of the covered entity through the program.

In this subsection, the term covered entity means—
  a sector risk management agency;
  a Federal agency; or
  a mission partner of a Federal agency.

Not later than 360 days after the date of the enactment of this Act, the Director of the Office of Science and Technology Policy shall submit to the appropriate congressional committees a report that includes the National Quantum Cybersecurity Upgrade Strategy developed under subsection (a) and a description of the pilot program established pursuant to subsection (b)(1).