Three sets of assessment questions are provided below, to assist in determining a 3rd Party’s maturity in cryptography and posture with respect to Post-Quantum cryptography migration. Each set of questions is designed for a different time period associated with the following stages of the Post-Quantum Cryptography migration: ### A. Pre-Standardization (Today) The following questions are for the period of time before quantum-safe algorithms and PQC standards are finalized, and before government agencies decide on the set of standardized quantum-safe algorithms they will recommend be used. This period is best characterized with planning for PQC migration. ![[Pasted image 20241130184111.png]] ### B. Post-Standardization (Starting 2025 or 2026) In the face of shifting market demands, technological advances, and customer expectations, industry standards may be revised and enhanced. The questions proposed in this section will concentrate on the early stages of established standards. These questions are for the period after quantum-safe algorithms and PQC standards have been fully defined. This period is best characterized as the time for organizations to start migrating their IM, IT and OT products and systems to PQC, and to complete their migration as soon as practical. ![[Pasted image 20241130184212.png]] ### C. Post-Quantum (Starting 2030 or later) Whereas the focus of the questions up to this point has been on the risk posed by third parties, depending on their quantum posture. The questions in this section, however, can also be seen as guidance for third parties, which will need to be quantum-ready for their own purposes (notably business continuity) even if the haven't been pressed to do so by their customers or partners. These questions are for the period of time after a quantum computer has successfully proven classical cryptography to be vulnerable. This period is best characterized with realized risk to classical cryptography. ![[Pasted image 20241130184303.png]]![[Pasted image 20241130184317.png]]