Two New York lawmakers want Congress to take a hard, structured look at where the United States actually stands in quantum computing — and what it would take to keep an edge. On June 15, 2026, Rep. Mike Lawler, joined by Rep. Pat Ryan, introduced the National Security Commission Quantum Computing Act of 2026 (H.R. 9318), a bill that aims to create an independent federal commission charged with reviewing the entire arc of quantum computing through a national-security lens, from competitiveness and research investment to workforce, foreign rivalry and battlefield applications.
For security and cryptography teams, the most important thing to understand up front is what this bill is not a migration mandate. Neither will the bill, if successfully enacted, lead to post-quantum deadlines, algorithm selection, or audit requirements. Unlike the operational thread of quantum legislation moving through Congress — the post-quantum cryptography provisions folded into the National Quantum Initiative Reauthorization Act (H.R. 8462), or the agency-readiness reporting in the Quantum Encryption Readiness and Resilience Act — this measure is a strategic-assessment vehicle. Its product is analysis and recommendations, delivered to the President and Congress. Its influence, if it has any, will be felt indirectly: in the mandates, appropriations, and procurement rules that its findings may eventually shape.
The timing reflects a shift in how Washington frames the quantum threat as the technical case has hardened over the past year. Several 2025–26 results sharply lowered the estimated resources needed to break RSA-2048 with Shor’s algorithm, moving the question of a cryptographically relevant quantum computer from if toward when. At the same time, the “harvest now, decrypt later” problem means the exposure is already live: adversaries can capture encrypted traffic today and decrypt it once the hardware matures, which puts any data that must stay confidential into the 2030s at risk regardless of when a working machine actually appears.
Federal policy has responded mostly through the operational channel — NIST’s standardized PQC algorithms, the NSA’s CNSA 2.0 timelines for national-security systems, and agency migration planning. What has been missing is a single body tasked with stepping back and asking the strategic questions: Is the cumulative federal effort actually sufficient? Where are the gaps? How does the U.S. position compare with China’s, and what happens to deterrence and escalation if a rival reaches cryptographic relevance first? A commission is Congress’s familiar tool for exactly that kind of cross-cutting question.
The model has a track record. The bill follows the template of the National Security Commission on Artificial Intelligence, whose recommendations shaped years of AI policy and spending, and the more recent National Security Commission on Emerging Biotechnology. Both turned a fast-moving technology with diffuse stakeholders into a concentrated set of recommendations lawmakers could act on. A quantum equivalent would aim to do the same before the window to influence the migration era closes.
How the Commission Would be Built
The bill’s structure tells you who it expects to be in the room. The commission would be established as an independent body in the executive branch, with 11 members and a notably defense-weighted appointment scheme. The Secretary of Defense would name three members; the chair and ranking member of the Senate Armed Services Committee would name two each; and the chair and ranking member of the House Armed Services Committee would name two each. Members would have to be appointed within 90 days of enactment — and, pointedly, if an appointing authority misses that deadline, the seat simply disappears and the commission shrinks. The panel would elect its own chair and vice chair, and members would be deemed federal employees for the life of the commission.
That design is worth pausing on. There is no statutory seat reserved for NIST, CISA, the Department of Energy’s national labs, the National Science Foundation, or the commercial quantum industry — the institutions that have carried most of the civilian and standards work. Appropriations come from the Defense Department (up to $10 million authorized from fiscal 2027 funds, available until expended), and oversight runs through the Armed Services committees. The framing is deliberate: this is a defense-and-deterrence assessment first, an industrial-policy or cryptographic-migration assessment second. Security professionals reading the eventual reports should expect them to speak the language of strategic competition more than the language of TLS handshakes and key sizes.
What the Commission Would Study
The mandate is broad. The bill directs the panel to review advances in quantum computing and the methods needed to advance U.S. development to meet national-security needs, including economic risk. The enumerated scope spans U.S. competitiveness across national and economic security, public-private partnerships and investment; ways to maintain a technological advantage; international cooperation and competition, including foreign investment in quantum information science; incentives for basic and advanced research, including high-performance computing; and workforce and education incentives, with explicit attention to STEM talent.
Two items stand out as distinctive. First, the bill asks the commission to examine the risks of military employment of quantum computing — by both the United States and foreign states — specifically under the international law of armed conflict, international humanitarian law, and escalation dynamics. Second, it directs attention to the ethical considerations of how quantum will be used in future applications. Most quantum-security legislation stops at cryptography and supply chains; this bill reaches into how a cryptographic breakthrough could destabilize deterrence, and into the norms that should govern the technology. For an audience that usually thinks about quantum risk in terms of broken signatures and exposed data, that is a notably wider aperture, and it is where the commission’s output could prove most original.
Output would come quickly by Washington standards. An initial report to the President and Congress — findings plus recommendations for executive and legislative action, including how to better organize the federal government for quantum — would be due within 180 days of enactment. A comprehensive report would follow within one year, with annual updates after that. The commission would terminate on Oct. 1, 2030.
That sunset is the tightest constraint in the bill. Because the panel was introduced in mid-2026 and would still need to clear both chambers, the practical runway between a hypothetical enactment and the 2030 termination is short — potentially only two to three years of working life once members are seated. That compresses how much a quantum commission could realistically accomplish, and it raises the stakes on the initial report, which may end up being the document that actually moves policy before the clock runs out.
What Happens Next
The bill is at the very start of the process and faces real hurdles. On introduction it was referred not only to the House Armed Services Committee but also to Education and Workforce, Foreign Affairs, Science, Space, and Technology, and Energy and Commerce — a five-committee referral that mirrors how widely quantum touches federal jurisdiction, and that multiplies the points where the measure could stall. To become law it would need to pass the House and Senate in identical form and be signed by the President. The likelier path, as with many defense-adjacent measures, is absorption: Congress could fold some or all of the commission into the annual defense authorization or a broader technology package rather than advance it as a standalone bill.
It also lands in a crowded field. The National Quantum Initiative Reauthorization Act is moving through both chambers and already carries PQC-migration support for state and local governments and quantum-risk reporting requirements. Separate measures address post-quantum cybersecurity standards and DoD quantum coordination. The Lawler–Ryan bill is best read as the strategic-assessment piece of that larger 2026 legislative wave rather than a self-contained program.
In introducing the measure, Lawler argued that a dedicated commission would help ensure the country has “a comprehensive strategy to maintain America’s technological edge,” while Ryan, drawing on his Armed Services Committee work, tied it to how quickly “technological superiority can determine the outcome of a conflict.” The bipartisan, cross-aisle framing — a Republican and a Democrat from neighboring New York districts — is itself a signal that quantum competitiveness is being treated as a consensus national-security concern rather than a partisan one.
This legislation will not change a single security team’s near-term roadmap. It creates no obligations, sets no deadlines, and selects no algorithms; the work of cryptographic inventory, hybrid deployment, and crypto-agility continues on its own track regardless of whether the commission is ever seated. What the bill would change is the strategic conversation — producing an authoritative, defense-framed assessment of where the U.S. stands, where it is exposed, and what Washington should do about it.
The practical takeaway is to watch the outputs, not the obligations. If this commission — or its equivalent inside a defense package — is established, its initial 180-day report is the document worth reading closely. Commission recommendations are how broad mandates and budgets get born, and the post-quantum requirements that eventually reach the commercial world will likely trace part of their lineage to assessments like this one. For now, the right posture is the same as it has been: keep migrating, keep building agility into new systems, and treat the legislative signal as confirmation that quantum security has moved from the lab bench to the center of strategic planning in Washington.
