Key insight

“Are we ready?” is too vague. A 0–5 maturity model turns it into an honest score and a next move: 0 unaware → 1 aware → 2 inventoried (CBOM) → 3 planned (roadmap) → 4 migrating (hybrid, highest-risk first) → 5 crypto-agile & continuous. Score honestly, accept that different parts of a big org sit at different levels, and focus on the single next move that climbs one rung — don’t leap from 1 to 5.

In one sentence

Turn a vague sense of readiness into a number, then climb one deliberate rung at a time.

The six levels

Level 0: Unaware

The threat isn’t known, or is dismissed as science fiction. No one owns it.

Signal: blank looks if you ask around.
Next move: brief leadership, name an owner.

Level 1: Aware

Someone understands the threat and has raised it, but nothing systematic has happened.

Signal: a champion, but no data.
Next move: start discovery.

Level 2: Inventoried

You hold a living CBOM — you can answer “what crypto do we use?”

Signal: an inventory that stays current.
Next move: assess & prioritise by risk.

Tie-breaker: “living” means refreshed on deploy or on a schedule, with a last-verified date on each entry — a spreadsheet last touched a year ago is Level 1, not Level 2.

Level 3: Planned

Data classified by shelf life, risk scored, and a migration roadmap with owners and dates exists.

Signal: an approved, resourced plan.
Next move: execute the first wave.

Tie-breaker: “resourced” means named owners and committed budget/headcount. An approved-but-unfunded plan is still short of Level 3 — it’s a slide, not a programme.

Level 4: Migrating

Actively replacing vulnerable crypto, often via hybrid modes, highest-risk systems first.

Signal: production systems running PQC.
Next move: keep going & bake in agility.

Level 5: Crypto-agile & continuous

Algorithms swap by configuration, inventory self-updates, and you continuously monitor for new guidance and threats. Migration is a normal capability, not a project.

Signal: changing an algorithm is routine.
Next move: sustain & monitor.

The ladder at a glance

[Figure: Maturity ladder 0 to 5. A rising staircase from Level 0 (Unaware) through Aware, Inventoried, Planned and Migrating to Level 5 (Crypto-agile and continuous).]
Climb one rung at a time — don’t leap from 1 to 5.

How to use it

Score yourself honestly. In a large organisation different divisions may sit at different levels — that’s normal; score them separately. Then pick the single next move that lifts you one rung, and do it. The ladder rewards deliberate, steady climbing over heroic leaps.

The next move is the one on your current rung. Each level above lists a concrete Next move; that is your instruction. At Level 1 with no data, the move is to run discovery (stand up a CBOM); at Level 2, classify by shelf life and risk-score it; at Level 3, fund and start wave 1 on your highest-risk systems. Don’t skip: a plan (3) without an inventory (2) is built on guesswork.
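A self-assessment scorer that encodes the ladder above, including the two tie-breakers (a stale CBOM drops you to Level 1; an approved-but-unfunded plan holds you at Level 2) and the rule that every rung requires all lower rungs. It is an added example, not part of the original lesson; the Evidence fields, the 365-day staleness window and the TODAY date are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2025, 6, 1)  # constructed "as of" date used when scoring below
# Next move per rung, taken from the level cards above.
NEXT_MOVE = {
    0: "brief leadership, name an owner",
    1: "start discovery (stand up a CBOM)",
    2: "assess & prioritise by risk",
    3: "execute the first wave",
    4: "keep going & bake in agility",
    5: "sustain & monitor",
}

@dataclass
class Evidence:  # assumed evidence fields for one division
    owner_named: bool = False                  # Level 1: someone owns the threat
    cbom_last_verified: Optional[date] = None  # newest last-verified date in the CBOM
    plan_approved: bool = False                # Level 3: roadmap approved
    plan_funded: bool = False                  # ...with named owners and committed budget
    pqc_in_production: bool = False            # Level 4: production systems running PQC
    swap_by_config: bool = False               # Level 5: changing an algorithm is routine
    continuous_monitoring: bool = False        # Level 5: ongoing watch for guidance/threats

def assess(ev: Evidence, today: date = TODAY, max_age_days: int = 365) -> int:
    """Highest rung whose criteria, and every lower rung's, are all met."""
    if not ev.owner_named:
        return 0
    # Tie-breaker: the CBOM only counts if it is living (verified recently).
    if ev.cbom_last_verified is None or \
            today - ev.cbom_last_verified > timedelta(days=max_age_days):
        return 1
    # Tie-breaker: approved-but-unfunded is a slide, not a programme.
    if not (ev.plan_approved and ev.plan_funded):
        return 2
    if not ev.pqc_in_production:
        return 3
    if not (ev.swap_by_config and ev.continuous_monitoring):
        return 4
    return 5

def score_divisions(divisions: dict, today: date = TODAY) -> dict:
    """Score each division separately: {name: (level, next move)}."""
    result = {}
    for name, ev in divisions.items():
        level = assess(ev, today)
        result[name] = (level, NEXT_MOVE[level])
    return result
```

Divisions are deliberately not averaged: each gets its own level and its own one-rung next move, as the text recommends.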

Maturity model: A numbered ladder that turns a vague capability into a scored, improvable level.
CBOM: Cryptographic Bill of Materials — the inventory that defines Level 2.
Hybrid mode: Running classical + PQC together; a hallmark of Level 4 migration.
Continuous monitoring: Ongoing watch for new guidance/threats; part of Level 5.
PQC (Post-Quantum Cryptography): The quantum-resistant algorithms whose presence in production marks Level 4.


Understand it in your own words

Paste into any AI assistant to check yourself:

I'm learning a 0-5 post-quantum maturity model. Quiz me one question at a
time, correcting me gently:

1. Name all six levels from 0 to 5 in order.
2. What defines Level 2, and what artefact proves it?
3. What's the difference between Level 3 (planned) and Level 4 (migrating)?
4. Why is Level 5 described as a "capability, not a project"?
5. Why should you climb one rung at a time instead of leaping to 5?
