Key insight
“Are we ready?” is too vague. A 0–5 maturity model turns it into an honest score and a next move: 0 unaware → 1 aware → 2 inventoried (CBOM) → 3 planned (roadmap) → 4 migrating (hybrid, highest-risk first) → 5 crypto-agile & continuous. Score honestly, accept that different parts of a big org sit at different levels, and focus on the single next move that climbs one rung — don’t leap from 1 to 5.
Turn a vague sense of readiness into a number, then climb one deliberate rung at a time.
The six levels
Level 0: Unaware
The threat isn’t known, or is dismissed as science fiction. No one owns it.
Signal: blank looks if you ask around. Next move: brief leadership, name an owner.
Level 1: Aware
Someone understands the threat and has raised it, but nothing systematic has happened.
Signal: a champion, but no data. Next move: start discovery.
Level 2: Inventoried
You hold a living CBOM — you can answer “what crypto do we use?”
Signal: an inventory that stays current. Next move: assess & prioritise by risk.
Tie-breaker: “living” means refreshed on deploy or on a schedule, with a last-verified date on each entry — a spreadsheet last touched a year ago is Level 1, not Level 2.
Level 3: Planned
Data is classified by shelf life, risk is scored, and a migration roadmap with owners and dates exists.
Signal: an approved, resourced plan. Next move: execute the first wave.
Tie-breaker: “resourced” means named owners and committed budget/headcount. An approved-but-unfunded plan is still short of Level 3 — it’s a slide, not a programme.
Level 4: Migrating
Actively replacing vulnerable crypto, often via hybrid modes, highest-risk systems first.
Signal: production systems running PQC. Next move: keep going & bake in agility.
Level 5: Crypto-agile & continuous
Algorithms swap by configuration, the inventory self-updates, and you continuously monitor for new guidance and threats. Migration is a normal capability, not a project.
Signal: changing an algorithm is routine. Next move: sustain & monitor.
The ladder at a glance

| Level | Name | Signal | Next move |
|---|---|---|---|
| 0 | Unaware | blank looks if you ask around | brief leadership, name an owner |
| 1 | Aware | a champion, but no data | start discovery |
| 2 | Inventoried | an inventory that stays current | assess & prioritise by risk |
| 3 | Planned | an approved, resourced plan | execute the first wave |
| 4 | Migrating | production systems running PQC | keep going & bake in agility |
| 5 | Crypto-agile & continuous | changing an algorithm is routine | sustain & monitor |
How to use it
Score yourself honestly. In a large organisation different divisions may sit at different levels — that’s normal; score them separately. Then pick the single next move that lifts you one rung, and do it. The ladder rewards deliberate, steady climbing over heroic leaps.
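The scoring rules above, including the two tie-breakers (a CBOM only counts as "living" if every entry was verified inside the refresh window; a plan only counts as "resourced" if it has named owners and committed funding) and the rule that divisions are scored separately, as an added example that is not part of the original page. The `Evidence` fields, the 90-day window and the sample dates are my own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Hypothetical evidence record for one division; the field names are mine, not the page's.
@dataclass
class Evidence:
    owner_named: bool = False                  # Level 1: someone owns the problem
    cbom_last_verified: list = field(default_factory=list)  # last-verified date per CBOM entry
    plan_owners: bool = False                  # Level 3: named owners on the roadmap
    plan_funded: bool = False                  # Level 3: committed budget/headcount
    prod_pqc_systems: int = 0                  # Level 4: production systems running PQC
    algo_swap_by_config: bool = False          # Level 5: algorithms change by configuration
    inventory_self_updating: bool = False      # Level 5: CBOM refreshes itself
    continuous_monitoring: bool = False        # Level 5: watch for new guidance and threats
NEXT_MOVE = {0: "brief leadership, name an owner", 1: "start discovery",
             2: "assess & prioritise by risk", 3: "execute the first wave",
             4: "keep going & bake in agility", 5: "sustain & monitor"}

def cbom_is_living(dates, today, max_age_days=90):
    # Level 2 tie-breaker: every entry has a last-verified date inside the refresh window.
    if not dates:
        return False
    return all(d >= today - timedelta(days=max_age_days) for d in dates)

def assess(ev, today, max_age_days=90):
    # Walk the rungs in order; the first unmet prerequisite caps the level.
    rungs = [
        ev.owner_named,
        cbom_is_living(ev.cbom_last_verified, today, max_age_days),
        ev.plan_owners and ev.plan_funded,      # approved but unfunded stays at Level 2
        ev.prod_pqc_systems > 0,
        ev.algo_swap_by_config and ev.inventory_self_updating and ev.continuous_monitoring,
    ]
    level = 0
    for passed in rungs:
        if not passed:
            break
        level += 1
    return level, NEXT_MOVE[level]

def assess_org(divisions, today, max_age_days=90):
    # Score divisions separately; never average them into one organisation-wide number.
    return {name: assess(ev, today, max_age_days) for name, ev in divisions.items()}

# Constructed sample: TODAY, the dates and the 90-day window are illustrative assumptions.
TODAY = date(2025, 1, 15)
SAMPLE = {
    "payments": Evidence(owner_named=True, plan_owners=True, plan_funded=False,
                         cbom_last_verified=[date(2024, 12, 20), date(2025, 1, 3)]),
    "hr": Evidence(owner_named=True, cbom_last_verified=[date(2024, 1, 10)]),  # year-old spreadsheet
}
```

Running `assess_org(SAMPLE, TODAY)` scores payments at Level 2 (the plan is approved but unfunded) and HR at Level 1 (the inventory is stale), each with its own next move.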
- Maturity model: a numbered ladder that turns a vague capability into a scored, improvable level.
- CBOM: Cryptographic Bill of Materials — the inventory that defines Level 2.
- Hybrid mode: running classical + PQC together; a hallmark of Level 4 migration.
- Continuous monitoring: ongoing watch for new guidance/threats; part of Level 5.
- PQC (Post-Quantum Cryptography): the quantum-resistant algorithms whose presence in production marks Level 4.
What to carry forward
- Six rungs: 0 unaware, 1 aware, 2 inventoried, 3 planned, 4 migrating, 5 crypto-agile & continuous.
- Each level has a signal (how you know) and a next move (how you climb).
- Different parts of an org can sit at different levels — score separately.
- Climb one rung at a time; Level 5 makes migration a normal capability, not a project.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning a 0-5 post-quantum maturity model. Quiz me one question at a time, correcting me gently:
1. Name all six levels from 0 to 5 in order.
2. What defines Level 2, and what artefact proves it?
3. What's the difference between Level 3 (planned) and Level 4 (migrating)?
4. Why is Level 5 described as a "capability, not a project"?
5. Why should you climb one rung at a time instead of leaping to 5?