Quantum Readiness Assessment: How to Evaluate Your Organization's PQC Preparedness

A comprehensive guide to assessing your quantum readiness, understanding maturity levels, and building a roadmap for post-quantum cryptography migration.

The transition to post-quantum cryptography represents one of the most significant cryptographic migrations in history. With NIST finalizing the first PQC standards in 2024 and regulatory timelines accelerating, organizations need a clear understanding of their current readiness state and a roadmap for improvement.

A quantum readiness assessment provides this clarity. It systematically evaluates your organization's preparedness across multiple dimensions, identifies gaps and risks, and prioritizes actions for effective migration planning.

This guide explains what a quantum readiness assessment involves, how to conduct one, and how frameworks like QRAMM can help structure your evaluation.

What Is a Quantum Readiness Assessment?

A quantum readiness assessment is a systematic evaluation of an organization's ability to transition to quantum-resistant cryptography. It examines current cryptographic practices, identifies vulnerabilities, assesses organizational capabilities, and provides recommendations for achieving quantum readiness.

A comprehensive assessment answers critical questions:

  • What cryptographic algorithms and implementations are currently in use?
  • Which systems and data are most vulnerable to quantum threats?
  • What governance structures exist for cryptographic decisions?
  • How agile are our systems for cryptographic changes?
  • What are our vendor and supply chain exposures?
  • What resources and timeline are needed for migration?

Why Conduct a Quantum Readiness Assessment?

Visibility

Understand your current cryptographic landscape and quantum exposure

Prioritization

Focus resources on highest-risk areas first

Planning

Develop realistic migration timelines and budgets

Compliance

Prepare for emerging regulatory requirements

Stakeholder Alignment

Build shared understanding across teams

Competitive Advantage

Stay ahead of industry requirements

QRAMM Assessment Dimensions

The QRAMM (Quantum Readiness and Maturity Model) framework structures assessment across four interconnected dimensions:

Governance & Strategy

Leadership engagement, policies, risk frameworks, strategic planning, budget allocation, and organizational accountability for quantum readiness.

Technical Capabilities

Cryptographic inventory, crypto-agility, algorithm support, key management, testing capabilities, and implementation readiness.

Operations

Monitoring, incident response, training programs, documentation, change management, and ongoing cryptographic hygiene.

Supply Chain

Vendor assessment, third-party risk, procurement requirements, contractual provisions, and ecosystem dependencies.

Maturity Levels

QRAMM uses a five-level maturity model to characterize an organization's quantum readiness:

  • Level 1: Basic (ad hoc processes)
  • Level 2: Developing (emerging structure)
  • Level 3: Established (formal programs)
  • Level 4: Advanced (measured processes)
  • Level 5: Optimizing (continuous improvement)

Level 1: Basic

No formal quantum readiness program. Cryptographic practices are ad hoc, inventory is incomplete or nonexistent, and there is minimal awareness of quantum threats.

Level 2: Developing

Basic awareness of quantum threats exists. Initial inventory efforts underway. Some documentation of cryptographic assets. No formal governance structure.

Level 3: Established

Formal quantum readiness program established. Complete cryptographic inventory. Documented policies and procedures. Migration planning initiated.

Level 4: Advanced

Quantitative measures of readiness tracked. Crypto-agility implemented across most systems. Active migration underway. Supply chain requirements in place.

Level 5: Optimizing

Continuous improvement processes. Full crypto-agility across all systems. Automated monitoring and response. Industry leadership position.

Assessment Process

1. Scoping & Planning

Define assessment boundaries, identify stakeholders, gather documentation, and establish timeline. Determine which systems, business units, and third parties are in scope.

2. Discovery & Inventory

Identify and catalog all cryptographic assets: algorithms in use, key management systems, certificates, protocols, libraries, and dependencies. Both automated scanning and manual review are typically required.

3. Risk Assessment

Evaluate exposure to quantum threats, considering data sensitivity, retention periods, harvest-now-decrypt-later risk, and regulatory requirements. Prioritize by risk level.

4. Capability Evaluation

Assess organizational capabilities across QRAMM dimensions. Conduct interviews, review documentation, and evaluate technical controls. Score against maturity model.

5. Gap Analysis

Compare current state to target state. Identify gaps in governance, technical capabilities, operations, and supply chain. Quantify effort to close each gap.

6. Roadmap Development

Create prioritized action plan with recommendations, timelines, and resource requirements. Align with organizational constraints and risk tolerance.

7. Reporting & Presentation

Document findings and present to stakeholders. Provide executive summary, detailed technical findings, and actionable recommendations.
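As an added worked example (not part of QRAMM or this page), the inventory and risk-assessment steps above reduced to a small triage script: it classifies constructed inventory records by quantum exposure and flags harvest-now-decrypt-later risk by checking whether the data's secrecy lifetime plus the migration time outlasts an assumed horizon to a cryptographically relevant quantum computer. The algorithm sets, the horizon and migration values, and the sample systems are all assumptions.

```python
from dataclasses import dataclass

# Assumed planning values (constructed for this example): years until a
# cryptographically relevant quantum computer (CRQC) and migration duration.
YEARS_TO_CRQC = 10
MIGRATION_YEARS = 3

SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}   # public-key, broken by Shor
GROVER_WEAKENED = {"AES-128", "3DES", "SHA-1"}         # reduced margin, not broken
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}                   # FIPS 203/204/205

@dataclass
class Asset:
    system: str
    algorithm: str
    confidentiality: bool    # protects data secrecy (vs. signatures only)
    retention_years: int     # how long the protected data must stay secret

def classify(asset):
    """Quantum exposure class for one inventory record."""
    if asset.algorithm in PQC:
        return "pqc"
    if asset.algorithm in SHOR_BROKEN:
        return "vulnerable"
    if asset.algorithm in GROVER_WEAKENED:
        return "weakened"
    return "unknown"   # unrecognised algorithm: needs manual review

def hndl_exposed(asset):
    """Harvest-now-decrypt-later: ciphertext recorded today becomes readable
    once a CRQC exists, so secrecy that must last beyond that horizon (plus
    the time the migration itself takes) is already at risk."""
    return (classify(asset) == "vulnerable" and asset.confidentiality
            and asset.retention_years + MIGRATION_YEARS > YEARS_TO_CRQC)

def priority(asset):
    """1 = HNDL (act now), 2 = vulnerable, 3 = weakened, 4 = review, 5 = PQC."""
    if hndl_exposed(asset):
        return 1
    return {"vulnerable": 2, "weakened": 3, "unknown": 4}.get(classify(asset), 5)

def triage(inventory):
    """Return (priority, system, algorithm) tuples, highest risk first."""
    return sorted((priority(a), a.system, a.algorithm) for a in inventory)

# Constructed sample inventory; these are not real systems.
SAMPLE = [
    Asset("hr-records-db", "RSA", True, 25),      # long retention: HNDL exposed
    Asset("code-signing", "ECDSA", False, 1),     # signatures only: no HNDL
    Asset("session-tls", "ECDH", True, 1),        # secrecy needed only briefly
    Asset("backup-archive", "AES-128", True, 30),
    Asset("new-vpn", "ML-KEM", True, 10),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```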

Key Assessment Areas

Governance & Strategy

Areas Evaluated

  • Executive sponsorship and leadership engagement
  • Quantum risk in enterprise risk framework
  • Cryptographic policies and standards
  • Budget allocation for quantum readiness
  • Roles and responsibilities defined
  • Strategic planning and roadmap existence
  • Board/executive reporting on quantum risk

Technical Capabilities

Areas Evaluated

  • Completeness of cryptographic inventory
  • Crypto-agility of critical systems
  • Post-quantum algorithm support
  • Hybrid cryptography capabilities
  • Key management infrastructure
  • Certificate management automation
  • Testing and validation capabilities
  • Development standards for new systems

Operations

Areas Evaluated

  • Cryptographic monitoring and alerting
  • Incident response for crypto failures
  • Staff training and awareness programs
  • Documentation and runbooks
  • Change management procedures
  • Key rotation and lifecycle management
  • Compliance monitoring and reporting

Supply Chain

Areas Evaluated

  • Vendor PQC roadmap assessment
  • Third-party cryptographic dependencies
  • Procurement requirements for quantum
  • Contractual provisions for PQC migration
  • SaaS and cloud provider readiness
  • Hardware security module capabilities
  • Open-source library dependencies

Assessment Timeline

Typical Duration by Organization Size

  • 2-4 weeks: Small organizations (<500 employees, limited IT complexity)
  • 1-3 months: Mid-size enterprises (500-5,000 employees, moderate complexity)
  • 3-6 months: Large organizations (>5,000 employees, complex IT environments)
  • 6-12 months: Highly complex environments (global, heavily regulated, legacy systems)

Factors affecting duration include IT environment complexity, number of applications in scope, availability of documentation, stakeholder availability, and depth of analysis required.

Assessment Deliverables

Maturity Scorecard

Scores across all QRAMM dimensions with visualizations showing current state vs. target state

Cryptographic Inventory

Comprehensive catalog of algorithms, protocols, certificates, and libraries in use

Risk-Prioritized Gap Analysis

Identified gaps ranked by risk level with effort estimates to remediate

Migration Roadmap

Prioritized recommendations with timeline, dependencies, and resource requirements

Resource & Budget Estimates

High-level estimates for personnel, tools, and vendor costs for migration

Executive Summary

Board-ready summary of findings, risks, and recommended actions

Getting Started with QRAMM

The QRAMM Assessment Toolkit provides a structured approach to conducting your own quantum readiness assessment:

  • Self-Assessment Questionnaire: Guided questions across all four dimensions
  • Scoring Framework: Consistent evaluation criteria for each practice area
  • Maturity Visualization: Spider charts and heatmaps to communicate findings
  • Gap Identification: Systematic approach to finding improvement opportunities
  • Action Planning: Templates for prioritizing and tracking remediation

Start Your Assessment Today

Download the QRAMM Assessment Toolkit to begin evaluating your organization's quantum readiness. The toolkit includes step-by-step guidance, assessment templates, and scoring frameworks to structure your evaluation.

Best Practices

For Effective Assessments

  1. Secure Executive Sponsorship: Ensure leadership support before starting
  2. Engage Cross-Functional Teams: Include security, IT, development, compliance, and business stakeholders
  3. Be Honest: Accurate assessment requires acknowledging gaps
  4. Document Everything: Create audit trail of findings and decisions
  5. Prioritize Ruthlessly: Focus on high-risk areas first
  6. Plan for Iteration: Quantum readiness is a journey, not a destination
  7. Communicate Clearly: Tailor messages to different audiences

Common Pitfalls to Avoid

  • Underestimating inventory effort (it always takes longer than expected)
  • Ignoring supply chain dependencies
  • Treating assessment as one-time activity rather than ongoing program
  • Failing to engage business stakeholders
  • Overcomplicating the initial assessment

Frequently Asked Questions

What is a quantum readiness assessment?

A quantum readiness assessment is a systematic evaluation of an organization's preparedness to transition to post-quantum cryptography. It examines cryptographic inventory, risk exposure, governance structures, technical capabilities, and migration planning to identify gaps and prioritize actions.

Why should my organization conduct a quantum readiness assessment?

Organizations should assess quantum readiness because: 1) Harvest now, decrypt later attacks make data vulnerable today, 2) Cryptographic migration takes years, 3) Regulations are mandating PQC adoption, and 4) Understanding current state is essential for effective planning and resource allocation.

What does the QRAMM framework assess?

QRAMM (Quantum Readiness and Maturity Model) assesses four dimensions: Governance & Strategy (leadership, policies, planning), Technical Capabilities (crypto-agility, inventory, implementation), Operations (monitoring, response, training), and Supply Chain (vendor management, third-party risk, procurement).

How long does a quantum readiness assessment take?

The duration depends on organizational size and complexity. Initial assessments typically take 2-4 weeks for small organizations, 1-3 months for mid-size enterprises, and 3-6 months for large organizations or those with complex IT environments.

What are the key deliverables from a quantum readiness assessment?

Key deliverables include: maturity scores across assessment dimensions, cryptographic asset inventory, risk-prioritized gap analysis, migration roadmap with recommendations, resource requirements and timeline estimates, and executive summary for leadership.