HR-3259-119
Ordered to be Reported by the Yeas and Nays: 35 - 0.
Sponsored by Haley Stevens (D-MI)
What it does
This bill would amend two existing federal laws — the National Quantum Initiative Act and the Cyber Security Research and Development Act — to accelerate the adoption of post-quantum cryptography (encryption methods resistant to both quantum and classical computer attacks). It would direct NIST to promote voluntary adoption of these standards, provide technical assistance to high-risk entities such as critical infrastructure operators, and authorize a grant program to help those entities upgrade their encryption. It would also expand the National Science Foundation's cybersecurity research mandate to explicitly include post-quantum cryptography.
Who benefits
Critical infrastructure operators (energy grids, water systems, financial networks) that would receive technical assistance and potential grant funding. Digital infrastructure providers at high risk of quantum-enabled cyberattacks. Small and mid-sized organizations that lack resources to independently upgrade encryption. U.S. cryptography researchers and academic institutions that would gain expanded NSF funding eligibility. Broadly, any individual or organization whose sensitive data is stored or transmitted digitally and could be vulnerable to future quantum decryption attacks — including financial account holders, healthcare patients, and government service users.
Who is hurt
Cybersecurity vendors and consultants offering proprietary quantum-security solutions may face reduced demand if free government guidance and grants displace private-sector services. Organizations that receive grants may face compliance and reporting burdens. Taxpayers would bear the cost of any appropriations made under the grant program. Foreign competitors in quantum computing and cryptography research — particularly China — may face a more resilient U.S. digital infrastructure, which could be viewed as a competitive disadvantage for them.
Supporters argue
Supporters argue that quantum computers capable of breaking current encryption standards could emerge within the next decade, and that adversaries may already be harvesting encrypted data today to decrypt later — a strategy known as "harvest now, decrypt later." They contend that NIST has already finalized its first post-quantum cryptography standards (published August 2024), making this bill a timely mechanism to drive adoption across the economy. They point to the federal government's own 2022 National Security Memorandum directing agencies to migrate to post-quantum cryptography as evidence that the threat is real and the transition is urgent.
Opponents argue
Opponents argue that the bill's voluntary framework and grant program may be insufficient to drive meaningful adoption among the most vulnerable entities, particularly those in fragmented sectors like healthcare or small utilities that lack technical capacity to act even with guidance. They contend that by limiting the program to voluntary participation and tying it to appropriations availability, Congress may be creating the appearance of action without the binding requirements needed to secure critical infrastructure before quantum threats materialize. Critics may also argue that grant eligibility criteria are left largely to NIST's discretion, raising concerns about accountability and equitable distribution of funds.
Constitutional context
Congress has broad authority to regulate cybersecurity standards for commercial entities under the Commerce Clause (Art. I, §8, cl. 3), and to fund research through the spending power. Because the bill's adoption framework is voluntary and grant-based rather than compulsory, it does not raise significant Fourth Amendment or First Amendment concerns identified in Riley v. California (2014) or Moody v. NetChoice (2024). Post-Loper Bright (2024), NIST's discretionary authority to set grant eligibility criteria and develop guidance could face heightened judicial scrutiny if challenged, as courts will independently assess whether the statutory delegation is sufficiently clear.
Checks and balances
The Executive Branch (NIST and DHS/CISA) gains new authority to set standards, distribute grants, and provide technical assistance; Congress retains control through the appropriations process, and any NIST rulemaking or guidance would be subject to independent judicial review under the post-Loper Bright standard.
Historical precedent
The Cybersecurity Enhancement Act of 2014 similarly directed NIST to develop voluntary cybersecurity standards and provide technical assistance to critical infrastructure, establishing the framework that became the NIST Cybersecurity Framework widely adopted across industries.