up:: The Mandates MOC

Quantum Computing Cybersecurity Preparedness Act (PL 117-260)

The Quantum Computing Cybersecurity Preparedness Act, enacted as Public Law 117-260, is the federal statute that put the migration of federal information technology to post-quantum cryptography into binding law rather than leaving it to executive policy alone. Introduced in the House as H.R. 7535 by Representative Ro Khanna and signed by President Biden on December 21, 2022, it directs the Office of Management and Budget to issue migration guidance, requires each executive agency to maintain a current inventory of the IT it runs that’s vulnerable to decryption by a quantum computer, requires agencies to plan migration once NIST publishes post-quantum standards, and requires OMB to report to Congress. It’s the statutory backbone underneath the executive mandate stack, and it expressly exempts national security systems.

The short version:

  • PL 117-260 is an Act of Congress, signed December 21, 2022, that makes the federal post-quantum inventory-and-migrate duty a matter of statute rather than revocable executive policy.
  • It directs OMB to issue post-quantum migration guidance within 180 days of enactment, and it’s the law that OMB M-23-02 operationalizes.
  • It requires each executive agency to establish and maintain a current inventory of IT that’s vulnerable to decryption by quantum computers.
  • It’s keyed to the NIST standards clock, since agencies must prioritize and plan migration within one year after NIST issues post-quantum cryptography standards, which happened in August 2024.
  • It names no algorithms and sets no completion date, so the technical content comes from the FIPS standards and NIST IR 8547, and national security systems are exempt under Section 5.

Think of it like the difference between a rule in an employee handbook and a clause written into a company’s bylaws. A handbook rule is real, but the next manager can rewrite it next quarter. A bylaw takes a formal vote to undo, so it survives a change of management. NSM-10 and OMB M-23-02 are the handbook, and they carry the operational detail. PL 117-260 wrote the inventory-and-migrate duty into the bylaws, so the obligation outlasts any single administration.

What is the Quantum Computing Cybersecurity Preparedness Act?

The Quantum Computing Cybersecurity Preparedness Act is a short federal statute, Public Law 117-260, whose stated purpose is to encourage the migration of Federal Government information technology systems to quantum-resistant cryptography. It began as H.R. 7535 in the 117th Congress, sponsored by Representative Ro Khanna of California, introduced April 18, 2022, with Representative Nancy Mace and Representative Gerald Connolly among the original cosponsors. The House passed it on July 12, 2022, the Senate passed it on December 8, 2022, and President Biden signed it on December 21, 2022. A Senate companion, S. 4592, was a separate vehicle led by Senator Maggie Hassan and Senator Rob Portman, and it wasn’t the enacting bill, so the law traces to the House measure.

Source: American Institute of Physics, “Quantum Computing Cybersecurity Preparedness Act,” FYI Federal Science Bill Tracker, aip.org; congress.gov, “H.R.7535, 117th Congress,” congress.gov.

A few facts about its standing are worth stating precisely, because they change how you cite it:

  1. It carries the force of law. This is an Act of Congress signed by the President, so its inventory-and-migrate obligation carries statutory durability across administrations, which is the property an executive memorandum lacks.
  2. It’s short and procedural. The operative statute runs a handful of sections. It directs OMB and agencies to act, and it doesn’t itself specify cryptographic algorithms, parameter sizes, or a completion year.
  3. The House bill is the law. Attribution is load-bearing here. H.R. 7535 was Representative Khanna’s; the Senate companion S. 4592 was Senator Hassan’s and Senator Portman’s. Senator Ben Ray Lujan wasn’t a sponsor of either bill, and the statute is sometimes misattributed to him.
  4. It structures into six sections. Short title, findings and sense of Congress, definitions, the inventory-and-migration mandate, the national-security-system exemption, and a budgetary-effects determination.

Source: govinfo.gov, “Public Law 117-260, Quantum Computing Cybersecurity Preparedness Act,” govinfo.gov; congress.gov, “S.4592, 117th Congress,” congress.gov.

The six sections, as enacted:

SectionHeadingWhat it does
Sec. 1Short TitleCites the Act as the “Quantum Computing Cybersecurity Preparedness Act”
Sec. 2Findings; Sense of CongressStates the quantum threat to public-key cryptography and the case for migration
Sec. 3DefinitionsDefines “post-quantum cryptography” and “national security system” (by reference to 44 U.S.C. 3552)
Sec. 4Inventory of Cryptographic Systems; Migration to Post-Quantum CryptographyThe core mandate, OMB guidance, agency inventory, prioritized migration planning, and reports to Congress
Sec. 5Exemption of National Security Systems”This Act shall not apply to any national security system”
Sec. 6Determination of Budgetary EffectsRoutine budgetary-scoring provision

Source: govinfo.gov, Public Law 117-260, govinfo.gov.

Who does PL 117-260 apply to?

PL 117-260 binds federal executive agencies and the information technology they run, and it tasks OMB as the government-wide coordinator. The scope has clean edges, and they matter:

Who you areDoes the statute bind you?How
Federal executive agencyDirectlyAgency inventory and migration-planning duties attach to each agency, through OMB-issued guidance
Federal civilian agencyDirectlyThe same civilian space that OMB M-23-02 implements operationally
National security systemExemptSection 5 exempts NSS outright; those run under NSM-10 and NSA CNSA 2.0
Federal contractorIndirectlyA contractor running IT on an agency’s behalf inherits the duty through the agency relationship and its contract terms, not from the statute’s own text
Commercial organizationNot directlyNo private-sector obligation; its value is as a durability marker that the federal transition is now law

Source: govinfo.gov, Public Law 117-260, Sections 4 and 5, govinfo.gov.

The national-security-system exemption is the edge that trips people up. Section 5 states plainly that “This Act shall not apply to any national security system,” using the definition at 44 U.S.C. 3552. An organization that operates both civilian and national-security systems can’t point to this statute for the national-security side, which follows NSA CNSA 2.0 on a separate and generally more aggressive schedule.

What does the Act require?

Section 4 carries the whole operative payload, and it’s procedural. It directs OMB to issue guidance and directs agencies to inventory and plan, and it leaves the cryptographic specifics to the standards it points at. The obligations, in order:

  1. OMB migration guidance. Not later than 180 days after enactment, the Director of OMB must issue guidance on the migration of information technology to post-quantum cryptography. That guidance includes a requirement that each agency maintain an inventory of quantum-vulnerable IT, criteria for prioritizing which systems migrate first, and a description of how agencies report their inventories.
  2. Agency cryptographic inventory. Each agency must “establish and maintain a current inventory of information technology in use by the agency that is vulnerable to decryption by quantum computers,” prioritized using the criteria in the OMB guidance. The word “current” carries weight, since a one-time snapshot doesn’t satisfy a duty to maintain a live inventory.
  3. Prioritized migration planning. Not later than one year after the Director of NIST issues post-quantum cryptography standards, OMB must require agencies to prioritize their IT for migration and to develop a plan to migrate that IT to post-quantum cryptography, with the inventory as the input.
  4. Reports to Congress. OMB must report to the Senate Homeland Security and Governmental Affairs Committee and the House Oversight Committee. A first report is due not later than 15 months after enactment, and a report is due not later than one year after OMB issues its guidance and annually after that, continuing until five years after NIST issues its standards. The reports cover the government-wide migration strategy, the funding it requires, the status of NIST’s standards work, and agency progress on adoption.

Source: govinfo.gov, Public Law 117-260, Section 4, govinfo.gov.

What counts as post-quantum cryptography under the statute?

The Act defines the term by its goal rather than by naming primitives. In Section 3, “post-quantum cryptography” means “cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by either a quantum computer or classical computer.” That framing is deliberate, because the statute was written before NIST finalized its standards, and a goal-based definition lets the law point at whatever NIST eventually standardized without having to be amended. The concrete algorithms arrived later as ML-KEM for key establishment and ML-DSA and SLH-DSA for signatures, and the deprecation schedule for the classical algorithms they replace lives in NIST IR 8547.

Source: govinfo.gov, Public Law 117-260, Section 3, govinfo.gov.

What is the PL 117-260 timeline?

The statute sets two clocks. One runs from enactment, and one runs from the publication of NIST’s post-quantum standards. Here’s the schedule, with the calendar dates the day-counts resolve to:

MilestoneTriggerResponsible body
Enacted as Public Law 117-260December 21, 2022President signs H.R. 7535
OMB issues migration guidanceWithin 180 days (by roughly June 19, 2023)Director of OMB
Agency cryptographic inventoryOngoing, kept currentEach executive agency
First report to CongressWithin 15 months (by roughly March 21, 2024)Director of OMB
Prioritized migration planningWithin 1 year after NIST issues PQC standardsOMB requires it of agencies
Recurring reports to CongressAnnually, from 1 year after OMB guidance until 5 years after NIST standardsDirector of OMB

Source: govinfo.gov, Public Law 117-260, Section 4, govinfo.gov.

The NIST clock actually started on August 13, 2024, when NIST published the first three finished standards, FIPS 203, FIPS 204, and FIPS 205. That publication is what set the one-year window for the agency prioritization-and-planning requirement in motion.

Source: NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov.

One thing about the timeline catches people. The statute itself sets no 2035 completion date, and no dated cutoff for any specific algorithm. The well-known 2035 target is a policy goal from NSM-10, phrased as mitigating as much of the quantum risk as is feasible by 2035, and the algorithm-by-algorithm deprecation years sit in NIST IR 8547. The Act supplies the legal duty to inventory and plan, and the other instruments supply the dates for specific algorithms.

How does the Act relate to NSM-10 and the other mandates?

PL 117-260 is one layer in a stack of four instruments at four different authority levels, and it helps to see where the statute sits:

  1. NSM-10 is the presidential policy. National Security Memorandum 10, issued May 4, 2022, set the 2035 mitigation goal and directed OMB to establish the inventory requirements. The Act, enacted about seven months later, codifies that inventory-and-migrate obligation in law, so NSM-10 sets the policy and the Act sets a statutory floor beneath it.
  2. OMB M-23-02 is the operational instrument. Issued November 18, 2022, it carries the actual nine-element inventory schema, the submission mechanics, and the annual deadlines. It predates the statute by about a month, issued under NSM-10 authority, and in practice the OMB guidance the statute requires is satisfied and extended through the M-23-02 line of direction.
  3. NSA CNSA 2.0 governs the systems the Act exempts. National security systems follow CNSA 2.0 on their own, generally faster track. An agency straddling both worlds runs two compliance lanes at once.
  4. NIST IR 8547 and the FIPS standards supply the algorithms. The statute names none. ML-KEM, ML-DSA, and SLH-DSA carry the cryptographic content, and IR 8547 carries the deprecation clock. The Act’s one-year planning window is keyed to their August 2024 publication.

The surrounding legal chassis is FISMA, the Federal Information Security Modernization Act, since the statute’s national-security-system carve-out uses the FISMA definition at 44 U.S.C. 3552 and the inventory duty sits alongside FISMA’s existing security-management obligations.

Source: govinfo.gov, Public Law 117-260, Sections 3 through 5, govinfo.gov; NSM-10, May 4, 2022, bidenwhitehouse.archives.gov.

Why does a law matter more than an executive memo?

A statute changes what happens when the administration changes, and that’s the real work PL 117-260 does. A presidential memorandum or an OMB memo is a genuine instruction, and it’s also revocable by the next occupant of the office with a stroke of a pen. An Act of Congress takes another Act of Congress to undo. By writing the inventory-and-migrate duty into law seven months after NSM-10 set it as policy, Congress made the federal post-quantum transition durable in a way that policy alone is not, so a program manager planning a multi-year migration can treat the obligation as fixed rather than as this administration’s preference.

The durability point is also why the Act is useful as a plain answer to a common question. When someone asks whether federal post-quantum migration is discretionary, the cleanest response is a statute citation. It’s law, Public Law 117-260, signed December 21, 2022, with a statutory obligation to inventory quantum-vulnerable IT and plan its migration. That framing outranks “it’s current policy,” and it holds regardless of which party controls the executive branch. The reach beyond the federal government follows the same pattern every mandate follows, since sector regulators and large federal-adjacent buyers tend to treat a durable federal statute as the template their own eventual requirements converge toward.

Source: govinfo.gov, Public Law 117-260, govinfo.gov.

Common misconceptions

  1. “The Act tells agencies which algorithms to deploy.” It names none. Section 3 defines post-quantum cryptography by its goal, and the specific algorithms come from the FIPS standards and the deprecation schedule from NIST IR 8547.
  2. “The Act sets a 2035 deadline.” It sets no completion date at all. The 2035 target is a policy goal from NSM-10, and the dated algorithm cutoffs live in NIST IR 8547.
  3. “It’s the same thing as NSM-10 and OMB M-23-02.” They’re three distinct instruments at three authority levels. The statute is durable across administrations, and the two memoranda are revocable executive instruments that carry the operational detail.
  4. “Senator Lujan sponsored it.” The House bill, H.R. 7535, was Representative Ro Khanna’s, and the Senate companion, S. 4592, was Senator Hassan’s and Senator Portman’s. Senator Ben Ray Lujan sponsored neither.
  5. “It covers national security systems.” Section 5 exempts them outright. Those systems run under NSA CNSA 2.0 and NSM-10 instead.
  6. “An asset inventory satisfies the statutory inventory.” The Act asks specifically for an inventory of IT that’s vulnerable to decryption by quantum computers, which is an algorithm-aware inventory, and the operational nine-element detail comes from OMB M-23-02.

Questions people ask

Does PL 117-260 apply to my organization? Directly, only if you’re a federal executive agency, or a contractor operating IT on such an agency’s behalf. National security systems are exempt. If you’re a commercial organization, it reaches you only indirectly, as the durable federal template that regulators and federal-adjacent buyers tend to follow.

Is it a law or guidance? It’s a law, an Act of Congress, Public Law 117-260, signed December 21, 2022. That’s exactly what distinguishes it from NSM-10 (a presidential memorandum) and OMB M-23-02 (an OMB memorandum), both of which are revocable executive instruments.

What’s the actual first deadline in the statute? OMB’s migration guidance was due within 180 days of enactment, which falls around June 19, 2023, and OMB’s first report to Congress was due within 15 months, around March 21, 2024.

Which NIST standards started the migration-planning clock? The one-year planning window is keyed to NIST issuing post-quantum standards, which happened on August 13, 2024 with FIPS 203, FIPS 204, and FIPS 205.

Who sponsored it, and how did it pass? Representative Ro Khanna introduced H.R. 7535 in the House on April 18, 2022, with Representative Mace and Representative Connolly among the cosponsors. The House passed it in July 2022, the Senate in December 2022, and it was signed December 21, 2022, with broad bipartisan support.

Does it name a completion date for the migration? No. The statute creates the duty to inventory and plan, and it leaves the completion horizon to NSM-10’s 2035 goal and the dated algorithm cutoffs in NIST IR 8547.

How does the Act connect to the cryptographic inventory work? Its central agency requirement is to establish and maintain a current inventory of quantum-vulnerable IT, which is the same discovery-and-inventory foundation captured as a CBOM, and the operational schema for that inventory comes from OMB M-23-02.

Why does a statute matter if the executive branch already ordered the same thing? Because a statute survives a change of administration. NSM-10 set the policy, and the Act made the same obligation durable by writing it into law, which is why the federal transition can be planned as a fixed multi-year program rather than as one administration’s initiative.


Everything here is the map, given freely. When your team needs this statute and the mandate stack around it turned into a migration plan sequenced against your own systems, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.