Is Your Organization Quantum-Ready?
Complete PQC readiness assessment in 10 minutes - get actionable recommendations
10-Minute PQC Readiness Assessment
Take this assessment to determine your organization's quantum readiness level
Section 1: Cryptographic Inventory (3 minutes)
Question 1.1: Do you know which systems use cryptography?
- A: Yes, complete inventory
- B: Partial inventory (major systems only)
- C: No inventory (don't know)
Question 1.2: Which algorithms are you using?
- A: Documented (RSA-2048, AES-256, etc.)
- B: Partially known (some systems documented)
- C: Unknown (no documentation)
Question 1.3: Where are encryption keys stored?
- A: Centralized key management (HSM, KMS)
- B: Distributed (application keystores)
- C: Unknown (keys scattered across systems)
Section 2: Data Retention (2 minutes)
Question 2.1: What's your longest data retention requirement?
- A: < 5 years
- B: 5-15 years
- C: 15+ years
Question 2.2: Do you have a data classification policy?
- A: Yes, enforced (public/internal/confidential/secret)
- B: Yes, but not enforced
- C: No policy
Question 2.3: Can you identify quantum-vulnerable data?
- A: Yes (long-lived confidential data identified)
- B: Partially (some data classified)
- C: No (cannot identify)
Section 3: Regulatory Compliance (2 minutes)
Question 3.1: Are you subject to federal PQC requirements?
- A: Yes (CNSA 2.0, GSA PQC, FedRAMP)
- B: Possibly (federal contracts, but not NSS)
- C: No (commercial only)
Question 3.2: Do you have industry-specific crypto requirements?
- A: Yes (PCI DSS, HIPAA, financial regulations)
- B: General security best practices
- C: No specific requirements
Question 3.3: Have you planned for PQC compliance?
- A: Yes, migration plan exists (timeline, budget)
- B: Aware, but no plan
- C: Not aware of requirements
Section 4: Technical Capability (3 minutes)
Question 4.1: Can you change cryptographic algorithms easily?
- A: Yes (config-driven, no code changes)
- B: Requires code changes (weeks/months)
- C: Don't know (never tried)
Question 4.2: Do you have crypto-agility?
- A: Yes (demonstrated with algorithm rotations)
- B: Limited (can rotate some systems)
- C: No (hardcoded algorithms)
Question 4.3: Can you test PQC in your environment?
- A: Yes (have test environment ready)
- B: Can set up (need time/resources)
- C: No (technical barriers)
Your Readiness Score
Count your answers:
Mostly A's: ✅ QUANTUM-READY (75-100% ready)
- You have good visibility and control
- Can deploy PQC in 1-3 months
- Low risk, proactive posture
Recommendation: Proceed with PQC deployment in 2026
Mostly B's: ⚠️ PARTIALLY READY (40-74% ready)
- Some visibility, gaps in control
- Need 3-6 months preparation before PQC deployment
- Medium risk, need planning
Recommendation:
1. Complete cryptographic inventory (Q1 2026)
2. Develop migration plan (Q2 2026)
3. Pilot PQC (Q3-Q4 2026)
4. Production rollout (2027)
Mostly C's: 🔴 NOT READY (0-39% ready)
- Limited visibility and control
- Need 6-12 months foundational work
- High risk if quantum arrives early
Recommendation:
1. Conduct cryptographic audit (hire consultant if needed)
2. Document current state (systems, algorithms, keys)
3. Develop business case for PQC (present to executives)
4. Budget for 2027-2028 migration
Readiness Maturity Model
Level 1: Unaware (0-25% ready)
Characteristics:
- ❌ No cryptographic inventory
- ❌ Unknown algorithms in use
- ❌ No PQC awareness
- ❌ No migration plan
Actions needed:
1. Educate stakeholders (quantum threat briefing)
2. Conduct cryptographic audit (inventory systems)
3. Assess regulatory requirements (CNSA 2.0, industry)
4. Develop business case (present to executives)
Timeline to readiness: 12-18 months
Level 2: Aware (26-50% ready)
Characteristics:
- ⚠️ Partial cryptographic inventory
- ⚠️ Some algorithm documentation
- ✅ PQC awareness (executives informed)
- ❌ No migration plan
Actions needed:
1. Complete inventory (all systems)
2. Classify data by retention (quantum vulnerability analysis)
3. Develop migration roadmap (timeline, budget, resources)
4. Select PQC vendor (evaluate AnkaSecure vs competitors)
Timeline to readiness: 6-12 months
Level 3: Planning (51-75% ready)
Characteristics:
- ✅ Complete cryptographic inventory
- ✅ Documented algorithms
- ✅ Migration plan exists
- ⚠️ Not yet tested PQC
Actions needed:
1. Pilot PQC deployment (1-2 applications)
2. Performance testing (measure impact)
3. Vendor selection (finalize contract)
4. Training (developers, operations team)
Timeline to readiness: 3-6 months
Level 4: Ready (76-100% ready)
Characteristics:
- ✅ Complete inventory
- ✅ PQC piloted successfully
- ✅ Migration plan approved and funded
- ✅ Vendor selected (or deployed)
Actions needed:
1. Execute migration (phased rollout)
2. Monitor and validate (continuous testing)
3. Achieve compliance (NIST, GSA, CNSA)
4. Continuous improvement (algorithm updates)
Timeline to production: 1-3 months
Cryptographic Inventory Template
Systems to Audit
Columns to complete:
| System | Algorithm | Key Location | Data Type | Retention | Quantum Risk |
|---|---|---|---|---|---|
| Database TDE | AES-256 | AWS KMS | Customer PII | 10 years | HIGH |
| S3 Encryption | RSA-4096 | AWS KMS | Financial records | 10 years | HIGH |
| VPN | RSA-2048 | Local keystore | Communications | N/A (ephemeral) | LOW |
| S/MIME Email | RSA-3072 | User certificates | Business email | 7 years | MEDIUM |
| Code Signing | ECDSA-P256 | CI/CD keystore | Software releases | Indefinite | HIGH |
Risk scoring:
- LOW: Retention < 5 years OR data not confidential
- MEDIUM: Retention 5-15 years AND moderate sensitivity
- HIGH: Retention > 15 years OR high sensitivity
- CRITICAL: Classified data OR nation-state targets
Recommended Actions by Risk
HIGH or CRITICAL risk systems:
- ✅ Migrate to PQC in 2026 (immediate priority)
- ✅ Use composite keys (defense-in-depth)
- ✅ Pilot first (validate performance)
MEDIUM risk systems:
- ⚠️ Plan migration for 2027-2028 (near-term)
- ✅ Monitor quantum progress (adjust timeline if needed)
- ✅ Budget allocation (secure funding)
LOW risk systems:
- ⚠️ Can wait until 2029-2030
- ✅ But plan anyway (avoid rush)
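The risk-scoring rubric and the per-risk migration windows above can be applied mechanically to the inventory rows. The following is an added example, not AnkaSecure code: the `sensitivity` and `classified` inputs are assumed (the template has no such columns), and checking the highest tier first is an assumption made to resolve rows that match more than one rule.

```python
import math

# Constructed sample: the page's five inventory rows. "sensitivity" and
# "classified" are assumed inputs; the page's template has no such columns.
INVENTORY = [
    # (system, retention cell, sensitivity, classified or nation-state target)
    ("Database TDE",  "10 years",        "high",     False),
    ("S3 Encryption", "10 years",        "high",     False),
    ("VPN",           "N/A (ephemeral)", "moderate", False),
    ("S/MIME Email",  "7 years",         "moderate", False),
    ("Code Signing",  "Indefinite",      "moderate", False),
]

# Migration windows from "Recommended Actions by Risk".
WINDOW = {"CRITICAL": "2026", "HIGH": "2026",
          "MEDIUM": "2027-2028", "LOW": "2029-2030"}
ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]


def retention_years(cell):
    """Turn a Retention cell into a number of years."""
    text = cell.strip().lower()
    if text.startswith("n/a"):
        return 0.0            # the page rates its ephemeral row LOW
    if text.startswith("indefinite"):
        return math.inf       # never expires, so always above 15 years
    return float(text.split()[0])


def quantum_risk(retention, sensitivity, classified=False):
    """Apply the page's rubric, checking the highest tier first (assumption)."""
    years = retention_years(retention)
    if classified:
        return "CRITICAL"
    if years > 15 or sensitivity == "high":
        return "HIGH"
    if 5 <= years <= 15 and sensitivity == "moderate":
        return "MEDIUM"
    return "LOW"              # retention < 5 years, or data not confidential


def migration_plan(inventory):
    """Return (system, risk, window) tuples, most urgent first."""
    rated = [(s, quantum_risk(r, sens, c)) for s, r, sens, c in inventory]
    rated.sort(key=lambda row: ORDER.index(row[1]))   # stable sort
    return [(s, risk, WINDOW[risk]) for s, risk in rated]


if __name__ == "__main__":
    for row in migration_plan(INVENTORY):
        print("%-14s %-8s migrate %s" % row)
```

With the assumed sensitivity values, the computed ratings match the Quantum Risk column in the template for all five rows.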
Cost-Benefit Analysis
Cost of PQC Migration
AnkaSecure approach (config-driven):
Migration cost: $30 (configuration only)
Performance impact: +15% latency (ML-KEM vs RSA)
Infrastructure cost: $0 (same servers)
Total: $30 one-time
Traditional approach (code rewrite):
Migration cost: $840,000 (200 apps × 70 hours × $60/hour)
Performance impact: Unknown (depends on implementation)
Infrastructure cost: Possible (if different libraries)
Total: $840,000+ one-time
ROI: $839,970 savings with AnkaSecure
Cost of NOT Migrating (If Quantum Arrives)
Scenario: Quantum computer breaks RSA in 2035, your data compromised
Direct costs:
- Regulatory fines: $50K-$5M (HIPAA, GDPR, PCI DSS breaches)
- Litigation: $1M-$100M (class-action lawsuits)
- Remediation: $500K-$10M (forensics, notification, monitoring)
Indirect costs:
- Reputation damage: 10-30% customer churn
- Stock price impact: 5-20% decline (for public companies)
- Lost business: $10M-$1B (customers leave due to breach)
Total potential cost: $10M-$1B+ (depends on data sensitivity and customer base)
Insurance: Cyber insurance may NOT cover quantum attacks (act of war exclusion, known risk)
Industry-Specific Readiness
Financial Services
Regulatory drivers:
- SEC: Transaction records (7-10 years)
- FINRA: Trading data (6 years)
- PCI DSS: Cardholder data (quantum resistance emerging)
Readiness score (average): 60% (aware, planning, not yet deployed)
Recommendation: Deploy in 2026 (ahead of industry, competitive advantage)
Healthcare
Regulatory drivers:
- HIPAA: Patient records (6-30 years)
- FDA 21 CFR Part 11: Clinical trials (50+ years)
- State laws: Medical records (varies by state)
Readiness score (average): 45% (aware, limited planning)
Recommendation: Deploy in 2026-2027 (30-year retention = high quantum risk)
Government/Defense
Regulatory drivers:
- CNSA 2.0: Classified data (mandatory by 2030)
- FISMA: Federal systems (quantum-resistant preferred)
- ICD 503: Intelligence community (Type 2 crypto)
Readiness score (average): 70% (high awareness, active planning)
Recommendation: Deploy in 2026 (4 years to deadline, avoid rush)
Technology/SaaS
Regulatory drivers:
- SOC 2: Encryption controls (quantum resistance emerging)
- Customer contracts: Data protection commitments
- Competitive pressure: Market differentiation
Readiness score (average): 35% (low awareness, reactive)
Recommendation: Deploy in 2027-2028 (customer demand will drive)
Last updated: 2026-01-07 | Assessment framework based on NIST guidance and industry best practices