Post-Quantum Readiness
Vendor PQC Questionnaire: Questions to Ask Your Software, Cloud, and Infrastructure Suppliers
Use this structured vendor PQC questionnaire to assess supplier quantum readiness. Covers crypto agility, NIST PQC algorithm support, CBOM, migration roadmaps, and compliance.
Vendor PQC Questionnaire: Questions to Ask Your Software, Cloud, and Infrastructure Suppliers Your PQC readiness is only as strong as your vendors' cryptographic posture. Every SaaS platform, cloud provider, payment processor, and managed service that terminates TLS on your behalf or processes your encrypted data introduces a cryptographic dependency you may not control. This structured questionnaire helps security, compliance, and vendor management teams assess whether suppliers are preparing for post quantum cryptography — or whether they represent a hidden quantum risk. Section 1: PQC Roadmap and Strategy 1. Does your organization have a published post quantum cryptography migration roadmap? If yes, please provide a link or document. If no, when do you expect to publish one? 2. Which NIST PQC algorithms do you plan to support? Specifically: ML KEM (FIPS 203) for key encapsulation, ML DSA (FIPS 204) for digital signatures, SLH DSA (FIPS 205) for stateless hash based signatures. 3. What is your target timeline for PQC algorithm support in production? Please provide estimated quarters/years for: internal testing, customer facing beta/preview, general availability. 4. Which cryptographic functions in your platform are in scope for PQC migration? TLS termination, digital signatures, data encryption at rest, key exchange, certificate issuance, code signing — please be specific. Section 2: Hybrid and Transition Support 5. Will you support hybrid key exchange during the transition period? (e.g., ECDHE + ML KEM in TLS 1.3). If yes, what is the timeline? 6. Will you support hybrid certificates during the transition? (e.g., RSA 2048 + ML DSA in X.509). If yes, what is the timeline? 7. How will you manage backward compatibility during the transition? How will customers using legacy clients that do not support PQC algorithms continue to connect? 8. Will algorithm selection be customer configurable? Can customers choose which PQC algorithms to enable, or will you manage the transition transparently? Section 3: Cryptographic Bill of Materials (CBOM) 9. Can you provide a Cryptographic Bill of Materials (CBOM) for your platform? Ideally in CycloneDX 1.6 format. If not currently, when do you expect to support CBOM generation? 10. What does your CBOM include? Algorithms, key sizes, certificate authorities, protocol configurations, library dependencies — please be specific. 11. How often is your CBOM updated? On each release? On certificate rotation? On customer request? 12. Will you provide CBOMs to customers for compliance and audit purposes? Under what terms or conditions? Section 4: Compliance and Regulatory Alignment 13. Which regulatory frameworks do you track for PQC requirements? NSM 10, OMB M 23 02, CNSA 2.0, DORA, PCI DSS 4.0, HIPAA, CMMC 2.0 — please list all applicable. 14. Do you provide compliance documentation that maps your cryptographic posture to specific regulatory requirements? If yes, what format and frequency? 15. Are you tracking the EU PQC transition timeline? (Member states to begin by December 2026). How does your roadmap align? 16. For US federal customers: do you support CNSA 2.0 algorithm requirements? If not, what is your timeline for CNSA 2.0 compliance? Section 5: Testing and Migration Support 17. Do you offer a test or sandbox environment with PQC algorithms enabled? Can customers validate their integrations before production migration? 18. How will you notify customers of cryptographic configuration changes? Advance not