### Step 11: Review key phase objectives - Evaluating the sensitivity of your organization’s information and determining its lifespan to identify the information that may be at risk (e.g. as part of ongoing risk assessment processes). - Educating yourself and your teams on the threats that quantum computing will pose to your existing uses of cryptography. - Asking your IM, IT and OT vendors and suppliers about their plans and timetables to implement quantum-resistant cryptography and crypto-agility, to understand any new hardware or software that will be needed. - Reviewing your IT lifecycle management plans and budgeting for potentially significant software and hardware updates. ![[Pasted image 20241216142649.png]] ### Step 12: Review the Quantum Risk Equation - the shelf-life time (measured in years) that your most important data must be protected; and - the migration time (also measured in years) that your organization will need to upgrade the systems that handle your longest shelf-life data, to be quantum-safe. ![[Pasted image 20241216142908.png]] ### Step 13: Decide how it impacts org risk posture ![[Pasted image 20241216142953.png]] ### Step 14: Evaluate shelf life time [Preparing for the quantum threat to cryptography](https://cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017) and [PQC Future State Technical Paper](https://www.fsisac.com/hubfs/Knowledge/PQC/FutureState.pdf) ### Step 15: Review Tech Lifecycle Management ### Steps 16: Estimate the migration timeline ### Step 17: Prioritise the system that need the most urgent attention Migration Time + Shelf-life Time > Threat Timeline ### Step 18: For each dataset, product / system flagged, determine: 1. whether to undergo risk mitigation 2. whether to start migration to PQC 3. to manage exceptionalities, by accepting the quantum risk and doing neither of the above.