Getting Started With Quantum Readiness and PQC Migration
This page collects the PostQuantum.com articles you need to kick off and run a quantum‑readiness program, end‑to‑end. It’s organized along the lifecycle most teams follow: executive briefings & budget justification, cryptographic discovery/inventory, CBOM (Cryptographic Bill of Materials) creation, risk scoring & prioritization, road‑mapping and governance, pilots and migration patterns (hybrid/PQC/crypto‑agility), and operations (monitoring, vendor due diligence, training).
Notes & caveats. Real programs are messy: phases overlap and organizations differ. I’ve tagged each article to the dominant phase for clarity, but expect cross‑links. This is an opinionated, practitioner’s curation, not a standard, and it’s under development. No warranties; I aim to keep it current as guidance and tooling evolve. Feedback and corrections are welcome.
Start here: the blueprint (read first)
Quantum‑Readiness / PQC Full Program Description (Telecom Example) – A reusable, end‑to‑end program blueprint with phases, workstreams, 10‑year timeline and ballpark effort/costing. Use it to seed your PMO plan and RAID log.
Phase 0 – Executive mandate & budget
Set the business case, deadlines, and secure funding.
Forget Q‑Day Predictions — Regulators, Insurers, Investors, Clients Are Your New Quantum Clock – Executive narrative that reframes urgency around 2030–2035 mandates and stakeholder pressure. Good for board packs.
Securing Quantum Readiness Budget Now – A structured budget case linking HNDL risk, compliance, insurance, and quick wins.
How CISOs Can Use Quantum Readiness to Secure Bigger Budgets – Turns PQC into funding for discovery, crypto‑debt cleanup, and vendor hardening, with immediate benefits as well.
What is the Quantum Threat? A Guide for C‑Suite Executives and Boards – Plain‑English board primer with the questions directors should ask.
Phase 1 – Discovery & inventory (assets + crypto)
Get visibility fast; combine top‑down scoping with bottom‑up technical discovery.
How to Perform a Comprehensive Quantum Readiness Cryptographic Inventory – Step‑by‑step discovery across code, network, PKI/HSM, cloud, and devices.
Cryptographic Inventory Vendors and Methodologies – Landscape and selection guidance for automating inventory (static, runtime, passive, config).
Dos & Don’ts of Crypto Inventories for Quantum Readiness – Why manual‑only fails; what to automate first.
Risk‑Driven Strategies When Full Crypto Inventory Isn’t Feasible – Pragmatic triage: prioritize high‑risk systems and long‑lived data now.
The Challenge of IT and OT Asset Discovery – Useful to set expectations with leadership on why “find everything” is hard: even finding the assets, before digging into the cryptography, is very hard.
Upgrading OT Systems to Post‑Quantum Cryptography (PQC): Challenges and Strategies – Operational Technology (OT) systems have a specific set of challenges; this article offers some ideas on how to tackle them.
Quantum Era Demands Changes to ALL Enterprise Systems – Sets expectation that the quantum readiness program touches identity, storage, AI stacks, and more.
Phase 2 – CBOM & documentation
Create durable, queryable documentation of cryptography and sensitive data.
Cryptographic Bill of Materials (CBOM) Deep‑Dive – What to capture, how to generate, tools/standards, and CI/CD integration.
Bills of Materials for Quantum Readiness: SBOM, CBOM, and Beyond – Synthesizes SBOM/CBOM/DataBOM/HBOM into one governance fabric.
Phase 3 – Risk scoring & prioritization
Translate visibility into a defensible, sequenced plan.
Quantum Readiness Assessment (QRA) – Structure, benefits, and how a QRA feeds your roadmap, governance, and audit readiness.
Phase 4 – Roadmap & governance
Stand up program mechanics and a realistic glidepath.
Planning the First Year of a Quantum Readiness Program – A pragmatic 12‑month plan (Phase 0–4) with early pilots and PKI/HSM steps.
Quantum Readiness / PQC Migration Is The Largest, Most Complex IT/OT Overhaul Ever – So Why Wait? – Sets stakeholder expectations and counters “one‑click update” myths.
Phase 5 – Pilots & migration patterns (hybrid/PQC/crypto‑agility)
Prove feasibility, then scale with crypto‑agility.
Hybrid Cryptography for the Post‑Quantum Era – Where to use hybrid now (TLS, SSH, IPsec), how to handle certificates/PKI, and what to pilot.
Introduction to Crypto‑Agility – Org/policy patterns to make future migrations faster and safer.
Marin’s Law on Crypto‑Agility – A simple principle and leading indicators you can measure in OKRs.
Mitigating Quantum Threats Beyond PQC – Complementary tactics (encapsulation, isolation, QKD where warranted, attack‑surface reduction).
Evaluating Tokenization in the Context of Quantum Readiness – Reduce PQC blast‑radius by tokenizing long‑lived secrets.
Phase 6 – Infrastructure & performance
Modernize PKI/HSM, harden networks, and test end‑to‑end impacts.
Infrastructure Challenges of “Dropping In” PQC – Handshake size, middleboxes, memory/CPU, cert chains; what breaks and how to fix it.
PQC and Network Connectivity: Challenges and Impacts – Network‑type‑by‑network‑type effects (WAN, mobile, LPWAN, satellite) and mitigations.
Post‑Quantum Cryptography Challenges – Summary of performance, standards, implementation, and cost headwinds to plan around.
Phase 7 – Vendor & supply chain
Make third parties part of your plan, not a blocker.
Engaging and Managing Vendors for Quantum Readiness – Questionnaires, RFP clauses, and cadence to align supplier roadmaps to yours.
Appendix – Sector & system deep‑dives (great for stakeholder education)
Use these to explain complexity to non‑crypto stakeholders.
Telecom’s Quantum‑Safe Imperative – Sector‑specific constraints (lawful intercept, roaming, supply chain).
Cryptography in a Modern 5G Call – A step‑through of how much crypto hides in a single call flow.
Cryptographic Stack in Modern Interbank Payment Systems – Why inventories and CBOM matter in financial rails.