Engaging and Managing Vendors for Quantum Readiness

Understanding the Quantum Threat and Why It Matters

The advent of large-scale quantum computing poses a serious risk to today’s cryptography. A cryptographically relevant quantum computer running Shor’s algorithm would break the public-key algorithms (RSA, finite-field Diffie-Hellman, and elliptic-curve schemes such as ECDSA and ECDH) that currently secure everything from banking transactions to software updates; symmetric ciphers and hash functions are only weakened by Grover’s algorithm, so larger keys and digests (AES-256, SHA-384) keep them safe. While experts debate when this “Q-Day” will arrive, attackers aren’t waiting: they can record encrypted traffic now and decrypt it later once quantum capabilities exist. This “harvest now, decrypt later” threat means sensitive data (financial records, personal information, intellectual property) stolen today could be exposed in the future if cryptography is not upgraded before that data loses its sensitivity. For organizations across industries, quantum threat readiness is therefore a pressing risk management issue, not just a theoretical technology problem.

Critically, being “quantum-ready” is not only about internal systems – it extends to third-party vendors and suppliers. Modern enterprises rely on a host of vendor products and cloud services that embed cryptography. If those vendors aren’t prepared for the quantum transition, your organization inherits that vulnerability.

Regulators and governments are increasingly sounding the alarm. For example, the UK’s National Cyber Security Centre (NCSC) has published migration timelines that ask organizations, and by extension their suppliers, to complete discovery and planning by 2028, to migrate high-priority systems by 2031, and to finish the transition by 2035. In the U.S., NIST’s draft transition roadmap (IR 8547) proposes deprecating quantum-vulnerable public-key algorithms such as RSA and ECC by 2030 and disallowing them by 2035, and the NSA’s CNSA 2.0 requires new national security system acquisitions to be quantum-resistant from January 1, 2027, with existing equipment phased out on a per-category schedule running from 2030 to 2033 and the full transition complete by 2035.

The message is clear: organizations must engage their vendors now on quantum readiness, or risk being caught unprepared as the quantum threat and compliance requirements grow.

Why Engage Vendors Early on Quantum Readiness?

Third-party risk is a huge part of the quantum security challenge. Even if your own IT team is crypto-savvy and planning a migration to post-quantum cryptography (PQC), any weak links in your supply chain could undermine those efforts. Vendors provide critical software, cloud platforms, fintech solutions, IoT devices, and more – and these often rely on vulnerable cryptographic algorithms under the hood. If a key vendor lags in upgrading their encryption, it could expose your data or systems to quantum-enabled attacks. Engaging vendors early allows you to:

  • Gauge their awareness and preparedness: Some vendors (especially larger ones) may already have quantum-safe transition plans, while others (smaller suppliers or niche providers) might not even be aware of the issue. Early conversations will reveal who has a roadmap and who needs education or pressure to act.
  • Influence their roadmap: As a customer, you have leverage. By inquiring about and prioritizing quantum-safe features, you signal to vendors that demand exists. Vendors are more likely to invest in post-quantum upgrades if major clients (like your organization) are asking for it. This is especially true in sectors like finance, where client expectations for security are high.
  • Avoid future compatibility or contract surprises: Waiting until regulations or an actual quantum break forces a sudden change could be chaotic. By engaging now, you can ensure your vendors’ timelines align with yours – avoiding a scenario where, for example, your systems are ready for PQC but a critical vendor’s product isn’t (or vice versa). Early engagement means coordinating plans to maintain business continuity through the transition.
  • Demonstrate proactive risk management: From a governance and compliance perspective, bringing vendors into your quantum risk planning shows due diligence. Cybersecurity frameworks (and examiners in regulated industries) increasingly expect organizations to address quantum risk in third-party management. In fact, financial regulators note that embedding PQC readiness into vendor oversight is part of showing prudent risk management.

In short, engaging vendors now on quantum readiness gives you a head start on mitigation, aligns your supply chain with emerging standards, and ultimately protects your organization’s data and operations in the long run.

Strategies for Engaging Vendors on Quantum Readiness

Engaging vendors for quantum preparedness is as much a procurement and vendor management task as it is a technical one. Below are several strategies that Chief Information Security Officers (CISOs) and procurement leaders can use to start the conversation and keep it going:

Ask for the Vendor’s Quantum Roadmap

A great initial step is to simply ask each key vendor what their plan is for post-quantum cryptography. You should expect your vendors – whether it’s a core banking software provider or a cloud service – to share a quantum-safe migration roadmap with timelines for upgrades.

If a vendor cannot show that it is planning for the transition (for example, by explaining which products will be upgraded to PQC and when), treat that as a red flag. Many leading vendors are already preparing pilot implementations; some offer test builds of their products using the NIST-standardized algorithms (ML-KEM for key establishment, ML-DSA or SLH-DSA for signatures), often in hybrid mode alongside classical algorithms, so customers can evaluate the performance and interoperability impact of larger keys, signatures and handshake messages.

Open up a dialogue: How will the vendor address the quantum threat? What milestones do they have on their roadmap, for example hybrid key exchange in TLS (X25519 combined with ML-KEM-768), ML-DSA or composite certificates, PQC-signed software updates, or PQC cipher suites and APIs in their software? Engaging at this level ensures the vendor’s timeline will meet your security needs.

Use a PQC Readiness Questionnaire

To make vendor outreach systematic, consider developing a post-quantum readiness questionnaire as part of your vendor risk assessments. This can be a structured set of questions that your suppliers must answer about their cryptography and plans. For example, you might ask about:

  • Current cryptographic inventory: Which encryption, key-establishment and signature algorithms are used in the vendor’s product or service today, at what key sizes, and for what purpose (data at rest, data in transit, code signing, authentication)? This is essentially a Cryptographic Bill of Materials (CBOM) for their product, and a machine-readable format such as CycloneDX makes it easier to compare answers across vendors. The inventory identifies where quantum-vulnerable algorithms are in use and which of those protect long-lived data, the first targets for migration.
  • Roadmap and strategy for PQC: Does the vendor have a documented plan to transition those algorithms to post-quantum alternatives? Have they allocated budget and personnel to this effort?
  • Standards and compliance tracking: How is the vendor monitoring developments in standards (e.g. NIST PQC standards) and regulations? Are they committed to aligning with recognized standards such as NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for post-quantum algorithms, and to adopting further standards (such as FN-DSA and HQC) as NIST finalizes them? If your industry has guidance (like banking regulators or GDPR expectations), can the vendor demonstrate awareness and compliance?
  • Cryptographic agility: What is the vendor’s capability for crypto-agility, i.e., the ability to swap out cryptographic algorithms with minimal disruption? Have they designed their systems to be modular in terms of crypto, so that new algorithms (like PQC) can be adopted through updates rather than re-architecture? A strong indicator of readiness is if the vendor’s product already supports pluggable cryptography or can run in “hybrid” modes (classic + post-quantum) during the transition, so that a session stays protected as long as either component holds. Ask also how algorithm choices are configured and logged: agility you cannot switch on, or verify, in production does not reduce risk.
  • Third-party and supply chain readiness: If the vendor in turn relies on third-party components or open-source libraries for crypto, have they assessed those dependencies for quantum risk? (For instance, a software vendor might depend on OpenSSL or a hardware security module. OpenSSL 3.5 ships ML-KEM, ML-DSA and SLH-DSA, but the vendor’s product only benefits once it is built against that version and configured to use them; and an HSM needs firmware that can generate and protect PQC keys before PQC certificates or code signing can move into it.)
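
As an added illustration (not code from the original article), the script below scores a vendor-supplied CBOM the way the questionnaire above asks for, resolving a certificate to the algorithms behind it and treating anything it cannot classify as an open item rather than as safe. It assumes the vendor returns a CycloneDX 1.6 document with cryptographic-asset components; the field names (cryptoProperties, algorithmProperties, certificateProperties) follow that schema as I understand it, and the sample document is constructed, so check both against the schema version your vendor actually uses.

```python
"""Score a vendor-supplied Cryptographic Bill of Materials (CBOM) for quantum exposure.

Added example, not from the original article. The CBOM is constructed inline and
uses field names from the CycloneDX 1.6 cryptographic-asset schema as I understand
it (assumption: verify against the schema version the vendor ships).
"""
import json
from collections import Counter

# Asymmetric families whose hardness (factoring, discrete log) Shor's algorithm breaks.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "EDDSA",
               "ED25519", "ED448", "X25519", "X448"}
# Families standardized in FIPS 203 (ML-KEM), 204 (ML-DSA) and 205 (SLH-DSA).
PQC_FAMILIES = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Hybrid TLS named groups (classical curve + ML-KEM); acceptable during the transition.
HYBRID_GROUPS = {"X25519MLKEM768", "SECP256R1MLKEM768", "SECP384R1MLKEM1024"}
ASYMMETRIC = {"pke", "signature", "key-agree", "kem"}
SYMMETRIC = {"block-cipher", "stream-cipher", "ae", "mac", "hash", "xof", "kdf", "drbg"}
SEVERITY = {"safe": 0, "hybrid": 1, "review": 2, "vulnerable": 3}


def classify_algorithm(name, props):
    """Return (status, reason) for one algorithm asset; unknown never means safe."""
    upper = name.upper()
    primitive = props.get("primitive", "")
    params = props.get("parameterSetIdentifier", "")
    if upper in HYBRID_GROUPS:
        return "hybrid", "classical + ML-KEM key agreement, acceptable during transition"
    if upper.startswith(PQC_FAMILIES):
        return "safe", "NIST post-quantum standard (FIPS 203/204/205)"
    if upper in SHOR_BROKEN:
        return "vulnerable", f"{primitive or 'asymmetric'} primitive broken by Shor's algorithm"
    if primitive in SYMMETRIC:
        bits = int(params) if params.isdigit() else None
        if bits is not None and bits < 256:
            return "review", f"{bits}-bit symmetric; Grover halves effective strength, prefer 256-bit"
        return "safe", "symmetric primitive; only Grover-type speedups apply"
    if primitive in ASYMMETRIC:
        return "review", "asymmetric algorithm of unknown family; ask the vendor what it is"
    return "review", "could not classify; treat as an open item"


def classify_certificate(cert_props, by_ref):
    """A certificate is only as strong as its signature and subject-key algorithms."""
    parts = []
    for label in ("signatureAlgorithmRef", "subjectPublicKeyRef"):
        ref = cert_props.get(label)
        comp = by_ref.get(ref)
        if comp is None:
            parts.append(("review", f"{label} {ref!r} missing from BOM"))
            continue
        alg_props = comp.get("cryptoProperties", {}).get("algorithmProperties", {})
        status, reason = classify_algorithm(comp["name"], alg_props)
        parts.append((status, f"{comp['name']}: {reason}"))
    worst = max(parts, key=lambda p: SEVERITY[p[0]])[0]
    return worst, "; ".join(r for _, r in parts)


def evaluate_cbom(cbom_json):
    """Classify every cryptographic asset and roll up a readiness verdict."""
    bom = json.loads(cbom_json)
    assets = [c for c in bom.get("components", []) if c.get("type") == "cryptographic-asset"]
    by_ref = {c["bom-ref"]: c for c in assets if "bom-ref" in c}
    findings = []
    for comp in assets:
        cp = comp.get("cryptoProperties", {})
        kind = cp.get("assetType")
        if kind == "algorithm":
            status, reason = classify_algorithm(comp["name"], cp.get("algorithmProperties", {}))
        elif kind == "certificate":
            status, reason = classify_certificate(cp.get("certificateProperties", {}), by_ref)
        else:
            status, reason = "review", f"asset type {kind!r} not assessed"
        findings.append({"name": comp["name"], "assetType": kind, "status": status, "reason": reason})
    counts = Counter(f["status"] for f in findings)
    for s in SEVERITY:
        counts.setdefault(s, 0)
    if counts["vulnerable"] == 0:
        verdict = "quantum-safe" if counts["review"] == 0 else "quantum-safe with open review items"
    elif counts["safe"] + counts["hybrid"] > 0:
        verdict = "in transition"
    else:
        verdict = "not started"
    return {"verdict": verdict, "counts": dict(counts), "findings": findings}


def _asset(ref, name, kind, props):
    return {"type": "cryptographic-asset", "bom-ref": ref, "name": name,
            "cryptoProperties": {"assetType": kind, f"{kind}Properties": props}}


# Constructed CBOM fragment, as a vendor might return it with the readiness questionnaire.
SAMPLE_CBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    _asset("alg:rsa", "RSA", "algorithm", {"primitive": "signature", "parameterSetIdentifier": "2048"}),
    _asset("alg:ecdsa", "ECDSA", "algorithm", {"primitive": "signature", "parameterSetIdentifier": "P-256"}),
    _asset("alg:mlkem768", "ML-KEM-768", "algorithm", {"primitive": "kem", "parameterSetIdentifier": "768"}),
    _asset("alg:hybrid", "X25519MLKEM768", "algorithm", {"primitive": "key-agree"}),
    _asset("alg:aes128", "AES", "algorithm", {"primitive": "ae", "parameterSetIdentifier": "128"}),
    _asset("alg:sha256", "SHA-256", "algorithm", {"primitive": "hash", "parameterSetIdentifier": "256"}),
    _asset("cert:api", "CN=vendor-api.example", "certificate",
           {"signatureAlgorithmRef": "alg:rsa", "subjectPublicKeyRef": "alg:ecdsa"}),
]})

if __name__ == "__main__":
    report = evaluate_cbom(SAMPLE_CBOM)
    print("verdict:", report["verdict"], report["counts"])
    for f in report["findings"]:
        print(f"  [{f['status']:<10}] {f['name']}: {f['reason']}")
```

Two design choices matter here. First, the certificate is not scored on its own fields but on the algorithm components it references, so an ML-KEM-capable vendor whose TLS certificates are still RSA-signed is correctly reported as “in transition”, not “quantum-safe”. Second, anything the script cannot place in a known family lands in “review”: a questionnaire answer that names an algorithm you do not recognize is a question for the vendor, not a pass.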

Such a questionnaire can be sent to existing vendors as part of regular vendor governance (e.g. annual reviews or risk re-assessments).

For new vendors, include it in your onboarding due diligence. In fact, cryptographic capabilities should be explicitly addressed during vendor selection and in contracts for new suppliers – this ensures you only engage vendors who take security future-proofing seriously. By asking detailed questions, you not only gather useful information, but also signal to vendors that quantum readiness is a requirement, not a nice-to-have.

Differentiate by Vendor Type and Risk

Tailor your engagement approach based on the type of vendor and the sensitivity of their service. For example, a distinction can be made between general vendors and crypto-focused vendors:

  • General IT or Cloud Vendors: These are vendors whose products use cryptography under the hood but aren’t primarily cryptographic services (think of an HR software platform or a cloud database service). For these, at minimum ensure they acknowledge the quantum threat and have a timeline to upgrade their underlying cryptography. They should commit to maintaining your security and compliance without service interruption as they migrate their systems to PQC. If a general vendor has no plan at all, you may need to escalate the concern or even consider alternate suppliers in the long term.
  • Security/Cryptography Vendors: These provide security-sensitive tools (like VPNs, HSMs, PKI platforms, encryption libraries, etc.). You will need more detailed engagement here. Expect them to offer hands-on guidance and technical details for migration. For instance, a crypto vendor should provide documentation on how you can re-encrypt stored data with new algorithms, or how to rotate keys and certificates to PQC equivalents. Don’t hesitate to bring in your technical experts to meetings with such vendors – ask the tough questions about performance, compatibility, and interoperability in a post-quantum scenario. Since these vendors are directly responsible for cryptographic functions, their readiness is crucial for your overall quantum security posture.
  • High-Risk vs Low-Risk Vendors: Also consider the impact of each vendor on your critical data/processes. A fintech partner handling payment data or a core banking software will have a high confidentiality requirement – engage these vendors first and more deeply. In contrast, a vendor providing, say, facility management software might pose less crypto risk. Scale your questions and contractual demands to the risk profile: high-risk vendors might be asked for in-depth plans and more frequent updates, whereas lower-risk ones at least need to attest they will follow industry best practices as PQC standards roll out.

Collaborate and Share Timelines

Engagement is a two-way street. Be prepared to share some information about your own organization’s quantum readiness plans with vendors.

For example, if your internal goal is to have all critical data re-encrypted with quantum-safe algorithms by 2028, let your vendors know that. This helps align their timelines with yours. Vendors can better support you if they understand how you use their products and what transition period you are targeting. Setting expectations early – “We aim to test PQC solutions in 2025 and go live by 2027 for these systems” – gives your vendors a clear signal that they need to be ready on their side to support those targets.

Collaborative planning can also uncover edge cases or integration issues ahead of time (e.g. if you plan to use one vendor’s quantum-safe VPN with another vendor’s hardware, both need to ensure compatibility). The goal is to avoid any nasty surprises where a vendor’s delay or lack of support becomes a roadblock to your mission-critical security upgrade.

Leverage Industry Forums and Vendor User Groups

It may also help to raise the topic in industry consortia, user groups, or procurement forums. Chances are, if you are asking Vendor X about quantum readiness, other customers are too. Joining forces with other clients can increase pressure on vendors to prioritize these features. Some industries (like financial services) have working groups on post-quantum transition where vendors and customers discuss standards and timelines openly. By participating, you can stay informed of which vendors are ahead and which are lagging, and collectively push for solutions (for example, coordinated timelines for upgrading payment networks or security protocols that many institutions share).


In all these engagement efforts, the tone is important: make it an “open and transparent dialogue”. The aim is to partner with vendors on solving this challenge, not to catch them off guard. Many vendors will welcome the conversation if approached collaboratively, since it helps them understand customer priorities. For those who are less informed, your engagement might be the wake-up call that spurs their own internal investment in quantum-safe R&D. By engaging early and often, you turn vendor management into a proactive defense against quantum threats.

Updating Procurement Processes: RFPs and Contract Clauses for Quantum Safety

Engagement strategies must eventually be cemented into procurement requirements and vendor contracts. This ensures that quantum readiness isn’t just talked about, but formally built into how you select and manage suppliers. Here’s how to incorporate quantum-safe requirements in your RFPs and contracts:

Bake PQC into RFPs

When issuing Requests for Proposal (RFPs) or evaluating new suppliers, include specific language and questions about quantum-safe capabilities. Make it clear that quantum readiness is a selection criterion. Some practical RFP inclusions could be:

  • Vendor Questionnaire in the RFP: As mentioned, attach your PQC readiness questionnaire to the RFP and require bidders to fill it out. Ask them to detail their cryptographic practices and migration plans. For example, “Describe your organization’s roadmap for transitioning to NIST-standardized post-quantum cryptography. Include expected timelines for product updates and any completed testing of post-quantum algorithms.”
  • Compliance with Standards: State that preference will be given to vendors who align with recognized standards (the NIST PQC algorithms) and relevant regulations. For instance, “The solution must support, or be upgradeable to, cryptographic algorithms approved by NIST for post-quantum security (e.g., FIPS 203/204/205) and further NIST post-quantum standards as they are published.” FIPS 203, 204 and 205 were finalized in August 2024, but the set of standards is still growing (FN-DSA and HQC are in the pipeline), so the requirement also signals that the vendor’s design must be crypto-agile and ready for new algorithms.
  • Crypto-Agility Requirement: Include a requirement such as “The proposed system should be crypto-agile: able to accommodate cryptographic algorithm changes (e.g., swapping out RSA/ECC for quantum-resistant algorithms) with minimal impact on system functionality.” This encourages vendors to design modular, flexible cryptography into their product (if not already present). It also weeds out solutions that are rigid or would require a complete overhaul to upgrade cryptography.
  • Experience and Testing: You might ask if the vendor has already tested their product with any quantum-safe cryptography or participated in any interoperability pilots. For example, “Provide any examples of quantum-resistant cryptography (such as hybrid TLS key exchange or PQC prototypes) that have been implemented or tested in your product.” This can highlight vendors who are ahead of the curve.

By making such points part of your RFP scoring, you send a message that quantum readiness is non-negotiable. Vendors vying for your business will know they need to come prepared on this topic. In regulated industries like finance or healthcare, you can also tie this to compliance – e.g., referencing that regulators expect strong crypto controls over the lifespan of the contract, which includes planning for the quantum era.

Key Contract Clauses for Quantum Risk Mitigation

Once you’ve selected a vendor, the contract is where you formalize their obligations regarding quantum-safe security. Here are important clauses or requirements to consider embedding:

  • Vendor Quantum Readiness Plan: Require the vendor to provide and maintain a quantum migration plan. For example: “Vendor shall provide a written Post-Quantum Cryptography Transition Plan within X months of contract signing, detailing how and when the vendor will replace or upgrade any cryptographic algorithms in the provided product/service that are vulnerable to quantum attacks.” This plan should be updated periodically as standards evolve. (Notably, some financial institutions are already doing this – for instance, Citi has notified suppliers that they must present their quantum readiness plan aligned with NIST’s guidance as part of doing business.)
  • Support for NIST-Approved Algorithms: Include a clause that, “The vendor agrees to implement cryptographic algorithms and protocols that are approved by recognized authorities (e.g., NIST) as quantum-resistant, according to the timelines recommended by such authorities.” NIST’s draft transition roadmap (IR 8547) proposes deprecating quantum-vulnerable public-key algorithms at 112-bit security strength (e.g. RSA-2048, ECDSA P-256) after 2030 and disallowing all quantum-vulnerable public-key algorithms after 2035. Your contract could require that the vendor’s product will support the standardized PQC algorithms by a certain date or within a certain timeframe after NIST publishes each standard. This aligns the vendor with the same clock you are on for crypto upgrades.
  • Cryptographic Agility and Upgrade Commitment: Specify that the vendor must design or modify their solution for crypto-agility, and “implement any necessary cryptographic upgrades or patches to respond to new cryptographic vulnerabilities (including those potentially introduced by quantum computing) within a reasonable timeframe.” Essentially, this is holding the vendor to prompt updates. You might even tie it to maintenance/SLA: failure to upgrade insecure algorithms could be treated as a breach of security requirements.
  • Audit and Verification Rights: To ensure the vendor follows through, include rights for audit or attestation of crypto controls. For example, “The client reserves the right to request an independent security assessment or certification report demonstrating the product’s cryptographic modules comply with FIPS 140-3 and have been updated to include post-quantum algorithms, once available.” You can require the vendor to share evidence of progress – e.g., achieving FIPS 140-3 validation for their crypto modules with PQC support by a certain date, or providing test results from pilot implementations.
  • Monitoring and Reporting: Build in ongoing reporting: “Vendor will report annually on its progress toward quantum-safe cryptography, including any relevant roadmap updates, test results, and anticipated dates for product updates.” This keeps the issue on the table throughout the life of the contract. As the customer, you should monitor these milestones – perhaps via quarterly business reviews or security review meetings – just as you would track uptime or other SLA metrics.
  • Termination/Remediation Clauses: In critical cases, consider language that gives you options if the vendor falls behind. For instance, “If the vendor fails to achieve a mutually agreed quantum-safe readiness milestone (e.g., not supporting any approved PQC algorithm by 20XX), the client may request a remediation plan, and if not remedied, has the right to terminate the contract without penalty.” While you hope to never invoke it, having this clause underscores the seriousness of the requirement. It also protects you if a vendor simply refuses to adapt – you don’t want to be locked into a long contract with a vendor who might expose you to quantum risk.

Of course, the exact wording and enforceability of these clauses should be vetted by your legal counsel. But the overarching goal is to make quantum safety an explicit contractual obligation. This way, vendor management has teeth: you’re not just trusting promises, you have it in writing that the vendor must take action to stay cryptographically secure over time.

Examples from Industry

To illustrate the momentum, it’s worth noting how some organizations are already implementing such procurement requirements. We mentioned Citi’s supplier notice; likewise, governments are including PQC in procurement language. The U.S. federal government, for example, has policies pushing agencies (and by extension their contractors) to inventory and upgrade cryptography, and even mandates that government RFPs will soon require “PQC-capable” systems as a default.

The trend is clear: whether in government or private sector, requests for quantum safety will increasingly be standard in RFPs. By updating your procurement templates now, you stay ahead of that curve.

Ongoing Vendor Management and Collaboration

Securing a contract with quantum-ready clauses is a critical step, but managing vendor compliance is an ongoing effort. Once the contract is in place, CISOs and procurement must work together to ensure vendors live up to their commitments:

Regular Status Updates

Treat quantum readiness as a standing agenda item in vendor meetings. For key suppliers, you might have them provide updates every 6 or 12 months on how their PQC implementation is progressing. This could be part of a security review or a broader vendor performance review. The idea is to maintain visibility. If a vendor promised a new quantum-safe feature by Q4, follow up on it.

Maintaining a simple tracker of vendor quantum readiness milestones can be helpful. This also creates accountability on the vendor’s side – they know you will be checking in.

Joint Testing and Pilots

Whenever feasible, engage in pilot testing with your vendors. For instance, if a vendor releases a beta feature that enables a post-quantum cipher in their software, try it out in a test environment. Joint pilot projects can uncover issues early and build confidence that the vendor’s solution works in practice. It also signals to the vendor that your organization is serious about adopting the updates (which may motivate them to prioritize it).

In some cases, you might even collaborate with a vendor on interoperability tests – for example, testing a post-quantum VPN client from Vendor A connecting to a PQC-enabled firewall from Vendor B, if both are in your ecosystem. Such collaboration, possibly alongside industry groups, helps everyone reach solutions faster.
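A pilot is only evidence if you check what was actually negotiated, not what the vendor’s release notes promise. The script below, an added example and not code from the article or any vendor, reads a saved handshake transcript and separates the two questions a pilot should answer: whether the key exchange was a hybrid ML-KEM group (which is what closes the harvest-now-decrypt-later gap) and whether peer authentication was post-quantum (which can lag without exposing recorded traffic). The transcripts are constructed to resemble `openssl s_client` output; the line labels are an assumption and differ across OpenSSL versions and other tools, so adjust the patterns to whatever your pilot records.

```python
"""Accept pilot-test evidence only if a hybrid post-quantum key exchange really happened.

Added example, not from the original article. The transcripts are constructed to
resemble `openssl s_client` output (assumption: line labels vary between OpenSSL
versions and other tools; adjust PATTERNS to match what your pilot records).
"""
import re

# TLS 1.3 hybrid named groups that pair a classical curve with ML-KEM.
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "SECP256R1MLKEM768", "SECP384R1MLKEM1024"}
# Post-quantum signature families (FIPS 204, FIPS 205) for the authentication side.
PQ_SIGNATURE_FAMILIES = ("ML-DSA", "SLH-DSA")

PATTERNS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "group": re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.M),
    "peer_sig": re.compile(r"^Peer signature type:\s*(\S+)", re.M),
}


def assess_handshake(transcript):
    """Split the verdict: key exchange (blocking) versus authentication (tracked)."""
    fields = {}
    for key, pattern in PATTERNS.items():
        match = pattern.search(transcript)
        fields[key] = match.group(1) if match else None

    blocking, notes = [], []
    group = fields["group"]
    if fields["protocol"] != "TLSv1.3":
        blocking.append(f"protocol {fields['protocol']}; hybrid groups exist only in TLS 1.3")
    if group is None:
        blocking.append("no negotiated group in transcript; key exchange unverified")
    elif group.upper() not in PQ_HYBRID_GROUPS:
        blocking.append(f"key exchange {group} is classical only; recorded traffic stays decryptable later")
    kex_pq = not blocking

    sig = fields["peer_sig"]
    auth_pq = sig is not None and sig.upper().startswith(PQ_SIGNATURE_FAMILIES)
    if not auth_pq:
        # Classical authentication is tolerable for now: forging it needs a quantum
        # computer at attack time, unlike recorded traffic. Keep it on the roadmap.
        notes.append(f"peer authentication {sig} is classical; acceptable today, track on vendor roadmap")
    return {"fields": fields, "kex_pq": kex_pq, "auth_pq": auth_pq, "blocking": blocking, "notes": notes}


# Constructed transcript: hybrid key exchange negotiated, certificate still RSA-signed.
PILOT_OK = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = vendor-api.example
   i:CN = Vendor Issuing CA
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Peer signature type: RSA-PSS
Peer signing digest: SHA256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

# Constructed transcript: the vendor's "PQC-ready" build fell back to plain X25519.
PILOT_FALLBACK = PILOT_OK.replace("X25519MLKEM768", "X25519")

if __name__ == "__main__":
    for label, text in (("pilot-ok", PILOT_OK), ("pilot-fallback", PILOT_FALLBACK)):
        result = assess_handshake(text)
        print(f"{label}: kex_pq={result['kex_pq']} auth_pq={result['auth_pq']}")
        for line in result["blocking"] + result["notes"]:
            print("   ", line)
```

The fallback case is the one to watch for in pilots: a server that advertises ML-KEM but whose client, load balancer or TLS library does not speak the same group silently negotiates a classical curve, and the connection “works” while leaving recorded traffic exposed. Recording the negotiated group for every pilot connection, not just a spot check, is what turns the test into acceptance evidence for the contract milestones described earlier.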

Vendor Education and Support

Not all suppliers will have cryptographic experts on staff, especially smaller ones. Part of managing vendors is sometimes helping them help you. You may choose to share resources (like NIST guidelines, or your own internal cryptography policies) with less mature vendors to get them up to speed. If you have a close partnership, consider hosting a briefing for key vendors about your security expectations in the quantum era.

The more they understand your perspective – for example, why you care about “harvest-now, decrypt-later” risks and long-term data confidentiality – the more likely they are to prioritize accordingly.

Incentives and Partnerships

When possible, use positive incentives in addition to contract terms. For example, you could make continued or expanded business somewhat contingent on meeting security milestones (“we’re more likely to renew with vendors that demonstrate strong quantum readiness”).

Some organizations even establish preferred vendor programs for security, where those who excel in areas like PQC get recognition or priority. While this may not apply in every context, it underscores that vendors stand to gain a competitive edge by being quantum-ready. Share that insight with them – it might encourage laggards to pick up the pace, knowing that their quantum-safe offerings could be a market differentiator.


Finally, keep in mind that quantum risk management is an evolving journey for everyone. New standards will emerge, and timelines might shift if, say, breakthroughs in quantum computing happen sooner (or later) than expected. Thus, maintaining an adaptable stance with vendors is key. The contract clauses and initial plans are not “set-and-forget” – they should be revisited as the landscape changes. If NIST or other standard bodies issue updates (for example, a new algorithm or a change in recommended deprecation dates), you may need to update your vendor requirements accordingly.

A good vendor relationship in this context is one where both sides can discuss and adjust to these changes constructively.

Conclusion

In summary, preparing for post-quantum security is not just an IT upgrade – it’s a supply chain initiative. Engaging and managing vendors for quantum readiness ensures that your organization’s security posture remains strong end-to-end, even as cryptography undergoes its biggest transformation in decades.

By starting the conversation now, embedding requirements into RFPs and contracts, and collaborating with vendors throughout the transition, you greatly reduce the risk that a third-party weakness could jeopardize your data in the future.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.