Post-Quantum Readiness
PQC Readiness Checklist: A Practical Guide for Security and IT Teams
Download this practical PQC readiness checklist for security and IT teams. Covers crypto asset discovery, TLS certificate inventory, vendor assessment, and migration planning.
PQC Readiness Checklist: A Practical Guide for Security and IT Teams Post quantum cryptography readiness can feel overwhelming. NIST standards, regulatory timelines, vendor dependencies, algorithm migration — where do you actually start? This checklist breaks PQC readiness into concrete, sequential steps that security and IT teams can execute without a dedicated PQC program. Each section includes the action, the owner, and the expected output. Phase 1: Cryptographic Discovery [ ] Identify all public facing domains — List every domain your organization owns or operates. Include marketing sites, customer portals, API endpoints, and subdomains. [ ] Run external TLS certificate inventory — For each domain, record every TLS certificate: issuer, algorithm (RSA, ECC), key size, signature algorithm, expiry date, and SAN entries. [ ] Map DNS records — Document A, AAAA, MX, CNAME, and TXT records for each domain. Note any unexpected or forgotten entries. [ ] Review HTTP security headers — Check for HSTS, CSP, X Frame Options, X Content Type Options, Referrer Policy, and Permissions Policy presence. [ ] Classify by quantum risk — Assign Critical/High/Medium/Low risk tiers based on data sensitivity, algorithm type, and key size. Expected output : A spreadsheet or dashboard listing every public facing TLS endpoint, its cryptographic configuration, and its risk classification. Phase 2: Internal Crypto Inventory [ ] Inventory application level cryptography — For critical applications, document which crypto libraries are used, which algorithms are called, and where keys are generated or stored. [ ] Map internal PKI — Document all internal certificate authorities, certificate templates, issuance policies, and renewal processes. [ ] Inventory cloud KMS keys — List all keys in AWS KMS, Azure Key Vault, GCP Cloud KMS, and any managed HSM services. Record algorithm, key purpose, and rotation policy. [ ] Check database encryption — Verify encryption at rest configuration for production databases. Record which keys protect which data stores. [ ] Document SSH host keys — For critical servers, record SSH key algorithms and key sizes in use. Expected output : An internal crypto register covering applications, infrastructure, cloud, and data stores. Phase 3: Vendor Crypto Assessment [ ] List all vendors with cryptographic dependencies — SaaS platforms, API providers, payment processors, cloud services, managed security providers. [ ] Send PQC readiness questionnaire — Ask each vendor about their PQC roadmap, NIST algorithm support, hybrid certificate plans, CBOM availability, and migration timelines. [ ] Classify vendor risk — Critical vendors (direct access to regulated data, no PQC roadmap) vs Low (no access to sensitive data, PQC roadmap published). [ ] Document vendor gaps — For vendors without PQC roadmaps, note the gap and begin architectural mitigation planning. Expected output : A vendor crypto risk register with questionnaire responses and risk classifications. Phase 4: Migration Planning [ ] Build dependency map — For each cryptographic asset, identify shared libraries, shared certificates, and vendor dependencies. [ ] Prioritize migration order — Critical assets first, grouped by dependency to minimize rework. [ ] Estimate effort and resources — For each migration group, estimate timeline, required skills, and tooling needs. [ ] Identify quick wins — Certificate reissuance with larger key sizes, algorithm policy updates, decommissioning of expired/unus