Key insight
Quantum readiness is a repeatable programme, not a one-off audit. The CISA/NSA/NIST guidance boils down to five phases: Govern → Discover → Assess risk → Plan → Execute & monitor. It’s a loop: new standards, threats, and newly-found systems feed back into discovery. Success looks like any mature security discipline — an owner, an inventory, a risk register, a plan, and continuous review.
Don’t boil the ocean — put someone in charge, find where crypto lives, rank what’s urgent, build a roadmap, migrate in waves, and keep watching.
Why you need a method
“Migrate to post-quantum cryptography” is overwhelming as a single instruction. Cryptography is buried in thousands of places — TLS configs, certificates, VPNs, code-signing pipelines, databases, firmware, third-party products, and partners you don’t control. Without a method you’ll either freeze or chase the loudest system instead of the riskiest. The joint CISA/NSA/NIST quantum-readiness guidance gives a shared shape, which we group into five phases.
The five phases
| Phase | Goal | Key output |
|---|---|---|
| 1 · Govern | Put someone senior in charge; secure sponsorship & budget; frame as multi-year programme | Named owner, charter, exec sponsor |
| 2 · Discover | Find where cryptography lives across systems, apps, data flows, suppliers | Cryptographic bill of materials (CBOM) |
| 3 · Assess risk | Prioritise using data classification & Mosca’s inequality | Ranked risk register |
| 4 · Plan | Sequence migrations, map dependencies, set vendor asks, fund & staff | Migration roadmap |
| 5 · Execute & monitor | Migrate in waves, test, then keep watching as standards evolve | Deployed PQC + continuous review |
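To make phase 3 concrete, here is an added worked example (not code from the CISA/NSA/NIST guidance or from this article series) that turns a small, constructed CBOM into a ranked risk register using Mosca's inequality: with X = years the protected data must stay secure, Y = years needed to migrate the system, and Z = years until a cryptographically relevant quantum computer, a system is exposed when X + Y > Z. The ten-year threat horizon, the system names, owners, shelf lives and migration estimates are all assumptions for illustration, as is the choice to rank by the margin Z - (X + Y).

```python
"""Rank a constructed CBOM into a risk register with Mosca's inequality."""
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm. Symmetric primitives are
# out of scope for this particular ranking.
SHOR_VULNERABLE_FAMILIES = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}

# Assumed planning parameter (a constructed value, not from the guidance):
# Z, years until a cryptographically relevant quantum computer.
THREAT_HORIZON_YEARS = 10


@dataclass(frozen=True)
class CbomEntry:
    """One row of a cryptographic bill of materials (fields are assumptions)."""
    system: str
    algorithm: str        # e.g. "RSA-2048"; the family is the part before the dash
    data_shelf_life: int  # X: years the protected data must remain secure
    migration_years: int  # Y: estimated years to migrate this system to PQC
    owner: str


def algorithm_family(algorithm: str) -> str:
    """Return the family token: "RSA" for "RSA-2048", "ECDH" for "ECDH"."""
    return algorithm.split("-")[0].upper()


def is_shor_vulnerable(algorithm: str) -> bool:
    """True when the algorithm's public-key family is broken by Shor's algorithm."""
    return algorithm_family(algorithm) in SHOR_VULNERABLE_FAMILIES


def mosca_margin(entry: CbomEntry, threat_horizon: int) -> int:
    """Z - (X + Y); negative means the data is exposed before migration completes."""
    return threat_horizon - (entry.data_shelf_life + entry.migration_years)


def rank_risk_register(cbom, threat_horizon):
    """Build a risk register from CBOM entries, most urgent first.

    Symmetric-only entries are skipped. Each remaining row carries the Mosca
    margin, an AT RISK / ON TRACK status and the accountable owner, so the
    output can seed the phase-3 risk register and the phase-4 migration waves.
    """
    register = []
    for entry in cbom:
        if not is_shor_vulnerable(entry.algorithm):
            continue
        margin = mosca_margin(entry, threat_horizon)
        register.append({
            "system": entry.system,
            "algorithm": entry.algorithm,
            "owner": entry.owner,
            "data_shelf_life": entry.data_shelf_life,
            "margin_years": margin,
            "status": "AT RISK" if margin < 0 else "ON TRACK",
        })
    # Most negative margin first; ties go to the longest-lived data.
    register.sort(key=lambda r: (r["margin_years"], -r["data_shelf_life"]))
    return register


# Constructed sample CBOM for the demonstration; every value is invented.
SAMPLE_CBOM = [
    CbomEntry("Archive backup key wrapping", "RSA-2048", 15, 3, "Storage team"),
    CbomEntry("Public website TLS", "ECDH", 1, 2, "Web platform"),
    CbomEntry("Code-signing PKI", "RSA-3072", 10, 5, "Release engineering"),
    CbomEntry("Site-to-site VPN", "DH", 3, 2, "Network team"),
    CbomEntry("Log integrity tags", "HMAC-SHA256", 7, 1, "SecOps"),
]


if __name__ == "__main__":
    for row in rank_risk_register(SAMPLE_CBOM, THREAT_HORIZON_YEARS):
        print(f"{row['status']:8} margin={row['margin_years']:+3d}y  "
              f"{row['system']} ({row['algorithm']}, owner: {row['owner']})")
```

Run as a script it prints the register most-urgent first: the long-lived archive data and the code-signing PKI come out AT RISK even though their migrations are not the largest engineering jobs, which is exactly the point of ranking by shelf life plus migration time rather than by how loud a system is.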
Why it’s a loop, not a line
Cryptography keeps evolving: new standards land, new threats emerge, and discovery always misses things the first time. The organisations that succeed treat quantum readiness as an ongoing discipline — phase 5 continually feeds newly-found systems and updated guidance back into phase 2. This is also why crypto-agility matters: you want to swap algorithms repeatedly, not once.
Who does what
| Role | Responsibility |
|---|---|
| Executive sponsor | Funds and mandates the programme; unblocks priorities |
| PQC programme lead | Owns the methodology end to end; reports progress |
| Security / crypto architects | Run discovery, design target state, choose parameters |
| App & platform owners | Migrate their systems; validate in test |
| Procurement / vendor management | Push suppliers for PQC roadmaps and CBOMs |
A kickoff checklist
- Name a programme owner and secure executive sponsorship.
- Write a one-page charter framing this as multi-year, not a one-off.
- Agree scope: which business units, systems, and suppliers are in.
- Stand up a risk register and a place to hold the CBOM.
- Add “PQC roadmap” as a standing question in vendor reviews.
- Book the discovery phase (the next article) as the first real deliverable.
Key terms
- Readiness methodology: the repeatable five-phase programme for reaching quantum safety.
- CBOM: Cryptographic Bill of Materials — the inventory of where crypto is used (Article 2).
- Risk register: a ranked list of cryptographic exposures with owners and deadlines.
- Executive sponsor: the senior leader who funds and mandates the programme.
- TLS (Transport Layer Security) / VPN (Virtual Private Network): two of the many protocols where cryptography hides and must be found in discovery.
- CISA / NSA / NIST: the US agencies — Cybersecurity and Infrastructure Security Agency, National Security Agency, National Institute of Standards and Technology — behind the joint quantum-readiness guidance.
- PQC (Post-Quantum Cryptography): the quantum-resistant algorithms the programme migrates to; a standing vendor question.
What to carry forward
- Five phases: Govern → Discover → Assess → Plan → Execute & monitor.
- It’s a loop — new standards and newly-found systems feed back into discovery.
- Governance first: no owner, no progress the moment budgets compete.
- The next four articles unpack the hard phases — discovery, agility, risk, and coverage — ending in a maturity model.
Next: Cryptographic Discovery & the CBOM — you can’t protect what you can’t see.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning the post-quantum readiness methodology. Quiz me one question
at a time, correcting me gently:
1. Why is quantum readiness a programme rather than a one-off audit?
2. Name the five phases in order and say what each produces.
3. Why is "govern" first, and what breaks if you skip it?
4. Explain why the methodology is a loop, not a line.
5. Which phase produces the CBOM, and which uses Mosca's inequality?
References & further reading
- CISA, NSA & NIST, Quantum-Readiness: Migration to Post-Quantum Cryptography (2023). cisa.gov
- NIST NCCoE, Migration to Post-Quantum Cryptography project. nccoe.nist.gov
- NIST, IR 8547: Transition to PQC Standards (draft). csrc.nist.gov/pubs/ir/8547
- World Economic Forum, Transitioning to a Quantum-Secure Economy. weforum.org