On Dec. 21, the US government's plan for transitioning to post-quantum cryptography became law, committing the Office of Management and Budget (OMB) to scope out compliance with the recent NIST guidelines.
US President Joe Biden signed into law HR 7535, the Quantum Computing Cybersecurity Preparedness Act, which has two main components. First, the OMB is required to "prioritize" the switchover to PQC within a year of NIST issuing its new guidelines. That means that by July 5, 2023, OMB should begin moving toward implementing the NIST-approved cryptographic algorithms to protect systems in the executive branch.
The second component of the new law gives the OMB one year from the signing of the bill — so, by Dec. 21, 2023 — to send Congress a report outlining its strategy, asking for funds for the transition to quantum-safe systems, and detailing its efforts to coordinate with international standards organizations and other consortia.
The OMB issued a memorandum on Nov. 18 for agencies to run an audit of systems vulnerable to cryptanalytically relevant quantum computers (CRQCs) by May 4, 2023, which should help the agency reach its deadlines. That memo comports with Biden's national security memorandum from the year before that "directs specific actions for agencies to take as the United States begins the multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography."
Quantum computers will need to become more powerful in order to break current cryptography, but it's not just power that makes CRQCs a threat. Shor's algorithm, which is specific to quantum computing, creates a shortcut that makes decrypting most existing encryption much easier.
The new law also gives the OMB six months from its signing to work with the National Cyber Director and the director of the Cybersecurity and Infrastructure Security Agency (CISA) to "issue guidance on the migration of information technology to post-quantum cryptography."
The OMB may be working on that with acting cyber director Kemba Eneas Walden, however, since the current director, Chris Inglis, announced on Wednesday that he will be stepping down within the next two months.