Getting Started with QRAMM

Quick Start Options

Choose the approach that best fits your organization's needs, resources, and timeline:

Recommended

Option 1: Immediate Assessment

5-10 minutes

Take the QRAMM Quick Assessment for an immediate organizational baseline. Complete 12 questions covering all four dimensions and receive prioritized recommendations.

Take Quick Assessment →

Option 2: Comprehensive Planning

2-4 weeks

Thorough preparation before formal assessment. Includes stakeholder engagement, resource planning, process design, and pilot assessment phases.

Option 3: Professional Facilitation

4-8 weeks

Expert-guided implementation with customization. Contact the QRAMM authors for strategic planning and technical implementation support.

Phase 1: Preparation and Planning

Step 1: Executive Engagement

Objective: Secure leadership commitment and establish governance foundation

Key Activities

Leadership Briefing (1-2 hours) - Present quantum threat overview, explain QRAMM value proposition, discuss resource requirements
Governance Structure - Identify executive sponsor, define roles and responsibilities, establish communication protocols

Deliverables

Executive briefing presentation
Formal project charter with leadership approval
Governance structure with defined roles
Communication plan for stakeholder engagement

Step 2: Stakeholder Identification

Objective: Identify and engage all relevant stakeholders for comprehensive assessment

Core Team (Required)

CISO - Security strategy
CTO - Technical architecture
CRO - Risk management
IT Operations Manager
Network Security Manager

Extended Team (Recommended)

CFO - Budget planning
CLO - Legal/compliance
Procurement Manager
Data Protection Officer
Application Development Manager

Specialized Expertise (As Needed)

Cryptography SME
Cloud Security Architect
OT/IoT Security Specialist
Compliance Manager

Step 3: Resource Planning

Objective: Ensure adequate resources for successful assessment and implementation

Time Investment

Core Team Members: 8-16 hours over 4-6 weeks
Extended Team Members: 4-8 hours over 2-3 weeks
Executive Sponsor: 2-4 hours for key decisions
Project Coordinator: 20-40 hours for planning

Technology Requirements

Access to QRAMM assessment tools
Centralized documentation repository
Communication and collaboration platforms
Analysis tools for data processing

Step 4: Scope Definition

Objective: Define clear boundaries and expectations for the assessment

Scope Considerations

Organizational Scope

Business units to include
Geographic locations
Subsidiary organizations
Partnership boundaries

Technical Scope

System categories
Network boundaries
Application portfolio
Data categories

Phase 2: Assessment Execution

Step 5: Data Collection and Evidence Gathering

Systematically collect information needed for accurate assessment including:

Documentary Evidence: Policies, architecture docs, inventories, risk assessments, vendor contracts, audit reports
Technical Assessment: Network scanning, configuration review, code analysis, certificate inventory
Stakeholder Interviews: Structured interviews, technical deep dives, process walkthroughs

Step 6: Assessment Question Completion

Systematically evaluate organizational capabilities using the QRAMM framework:

Read question and explanation to understand the capability being assessed
Review relevant evidence and documentation
Gather perspectives from subject matter experts
Choose response that best reflects current state
Record specific evidence supporting the score

Step 7: Results Analysis and Interpretation

Analyze assessment results to identify gaps and priorities:

Score Calculation: Practice scores, dimension scores, overall QRAMM score
Gap Analysis: Identify practices with lowest scores, stream imbalances, critical deficiencies
Trend Analysis: Recognize patterns, capability clusters, and risk hotspots

Phase 3: Improvement Planning

Step 8: Priority Setting and Roadmap Development

Create actionable improvement plan based on assessment results:

Prioritization Framework

High Risk: Critical systems with significant quantum vulnerability
Medium Risk: Important systems with moderate quantum exposure
Low Risk: Systems with limited quantum impact or longer timelines

Roadmap Phases

Short-Term (0-6 months): Quick wins, foundation building, immediate risk mitigation
Medium-Term (6-18 months): Systematic implementation, process optimization, technology deployment
Long-Term (18+ months): Advanced capabilities, innovation programs, industry leadership

Step 9: Resource Planning and Business Case

Secure necessary resources for improvement implementation:

Staffing: Dedicated resources, SMEs, project management, training
Technology: Assessment tools, security technologies, monitoring systems
External Services: Consulting, training, integration, ongoing support

Phase 4: Implementation and Monitoring

Step 10: Program Launch and Execution

Begin systematic implementation of quantum readiness improvements:

Program Kickoff: Stakeholder communication, team formation, charter development
Quick Win Implementation: Highest-priority, lowest-complexity improvements
Foundation Development: Policy framework, governance structure, training programs

Step 11: Progress Monitoring and Continuous Improvement

Track implementation progress and optimize improvement efforts:

KPIs: QRAMM score improvement, milestone achievement, risk reduction, capability development
Assessment Cycles: Quarterly reviews, annual reassessment, milestone evaluations
Optimization: Lessons learned, best practice adoption, process refinement

Implementation by Organization Type

Small to Medium Organizations

Simplified Approach: Start with Quick Assessment, focus on highest-impact improvements, leverage community resources, take a phased approach.

Large Enterprises

Comprehensive Approach: Full 120-question assessment, multi-site coordination, dedicated resources, advanced analytics, center of excellence.

Government Agencies

Compliance-Focused: Regulatory alignment, classification considerations, interagency coordination, security clearance requirements.

Critical Infrastructure

Risk-Focused: Safety-critical systems, operational continuity, supply chain security, OT/SCADA assessment, 24/7 operations.

Success Factors and Common Pitfalls

Critical Success Factors

Leadership Engagement: Strong executive sponsorship with clear accountability
Stakeholder Alignment: Cross-functional coordination with clear roles
Technical Expertise: Access to quantum security and cryptographic expertise
Systematic Approach: Evidence-based assessment with regular monitoring

Common Pitfalls to Avoid

Attempting to address everything simultaneously without prioritization
Underestimating complexity and resource requirements
Insufficient leadership engagement and accountability
Treating quantum readiness as one-time project rather than ongoing program
Overreliance on technical solutions without addressing governance

Professional Support Options

QRAMM Framework Authors

Emily (Stamm) Fane - Strategic Planning & Executive Engagement
LinkedIn Profile →

Abdel Sy Fane - Technical Implementation & Risk Assessment
LinkedIn Profile →

General Inquiries: qramm@csnp.org

Service Offerings

Assessment Facilitation: Expert-guided QRAMM assessment with validation and interpretation
Strategic Consulting: Quantum readiness strategy development and business case creation
Implementation Support: Roadmap development, technology evaluation, change management