Is Your Organization Quantum-Ready?
Complete PQC readiness assessment in 10 minutes - get actionable recommendations
10-Minute PQC Readiness Assessment
Take this assessment to determine your organization's quantum readiness level
Section 1: Cryptographic Inventory (3 minutes)
Question 1.1: Do you know which systems use cryptography?
- A: Yes, complete inventory
- B: Partial inventory (major systems only)
- C: No inventory (don't know)

Question 1.2: Which algorithms are you using?
- A: Documented (RSA-2048, AES-256, etc.)
- B: Partially known (some systems documented)
- C: Unknown (no documentation)

Question 1.3: Where are encryption keys stored?
- A: Centralized key management (HSM, KMS)
- B: Distributed (application keystores)
- C: Unknown (keys scattered across systems)
Section 2: Data Retention (2 minutes)
Question 2.1: What's your longest data retention requirement?
- A: < 5 years
- B: 5-15 years
- C: 15+ years

Question 2.2: Do you have a data classification policy?
- A: Yes, enforced (public/internal/confidential/secret)
- B: Yes, but not enforced
- C: No policy

Question 2.3: Can you identify quantum-vulnerable data?
- A: Yes (long-lived confidential data identified)
- B: Partially (some data classified)
- C: No (cannot identify)
Section 3: Regulatory Compliance (2 minutes)
Question 3.1: Are you subject to federal PQC requirements?
- A: Yes (CNSA 2.0, GSA PQC, FedRAMP)
- B: Possibly (federal contracts, but not NSS)
- C: No (commercial only)

Question 3.2: Do you have industry-specific crypto requirements?
- A: Yes (PCI DSS, HIPAA, financial regulations)
- B: General security best practices
- C: No specific requirements

Question 3.3: Have you planned for PQC compliance?
- A: Yes, migration plan exists (timeline, budget)
- B: Aware, but no plan
- C: Not aware of requirements
Section 4: Technical Capability (3 minutes)
Question 4.1: Can you change cryptographic algorithms easily?
- A: Yes (config-driven, no code changes)
- B: Requires code changes (weeks/months)
- C: Don't know (never tried)

Question 4.2: Do you have crypto-agility?
- A: Yes (demonstrated with algorithm rotations)
- B: Limited (can rotate some systems)
- C: No (hardcoded algorithms)

Question 4.3: Can you test PQC in your environment?
- A: Yes (have test environment ready)
- B: Can set up (need time/resources)
- C: No (technical barriers)
Your Readiness Score
Count your answers:
Mostly A's: ✅ QUANTUM-READY (75-100% ready)
- You have good visibility and control
- Can deploy PQC in 1-3 months
- Low risk, proactive posture

Recommendation: Proceed with PQC deployment in 2026 - Start with pilot

Mostly B's: ⚠️ PARTIALLY READY (40-74% ready)
- Some visibility, gaps in control
- Need 3-6 months preparation before PQC deployment
- Medium risk, need planning

Recommendation:
1. Complete cryptographic inventory (Q1 2026)
2. Develop migration plan (Q2 2026)
3. Pilot PQC (Q3-Q4 2026)
4. Production rollout (2027)

Mostly C's: 🔴 NOT READY (0-39% ready)
- Limited visibility and control
- Need 6-12 months foundational work
- High risk if quantum arrives early

Recommendation:
1. Conduct cryptographic audit (hire consultant if needed)
2. Document current state (systems, algorithms, keys)
3. Develop business case for PQC (present to executives)
4. Budget for 2027-2028 migration
Readiness Maturity Model
Level 1: Unaware (0-25% ready)
Characteristics:
- ❌ No cryptographic inventory
- ❌ Unknown algorithms in use
- ❌ No PQC awareness
- ❌ No migration plan

Actions needed:
1. Educate stakeholders (quantum threat briefing)
2. Conduct cryptographic audit (inventory systems)
3. Assess regulatory requirements (CNSA 2.0, industry)
4. Develop business case (present to executives)
Timeline to readiness: 12-18 months
Level 2: Aware (26-50% ready)
Characteristics:
- ⚠️ Partial cryptographic inventory
- ⚠️ Some algorithm documentation
- ✅ PQC awareness (executives informed)
- ❌ No migration plan

Actions needed:
1. Complete inventory (all systems)
2. Classify data by retention (quantum vulnerability analysis)
3. Develop migration roadmap (timeline, budget, resources)
4. Select PQC vendor (evaluate AnkaSecure vs competitors)
Timeline to readiness: 6-12 months
Level 3: Planning (51-75% ready)
Characteristics:
- ✅ Complete cryptographic inventory
- ✅ Documented algorithms
- ✅ Migration plan exists
- ⚠️ Not yet tested PQC

Actions needed:
1. Pilot PQC deployment (1-2 applications)
2. Performance testing (measure impact)
3. Vendor selection (finalize contract)
4. Training (developers, operations team)
Timeline to readiness: 3-6 months
Level 4: Ready (76-100% ready)
Characteristics:
- ✅ Complete inventory
- ✅ PQC piloted successfully
- ✅ Migration plan approved and funded
- ✅ Vendor selected (or deployed)

Actions needed:
1. Execute migration (phased rollout)
2. Monitor and validate (continuous testing)
3. Achieve compliance (NIST, GSA, CNSA)
4. Continuous improvement (algorithm updates)
Timeline to production: 1-3 months
Cryptographic Inventory Template
Systems to Audit
Download inventory template: 📥 Cryptographic Inventory Spreadsheet
Columns to complete:
| System | Algorithm | Key Location | Data Type | Retention | Quantum Risk |
|---|---|---|---|---|---|
| Database TDE | AES-256 | AWS KMS | Customer PII | 10 years | HIGH |
| S3 Encryption | RSA-4096 | AWS KMS | Financial records | 10 years | HIGH |
| VPN | RSA-2048 | Local keystore | Communications | N/A (ephemeral) | LOW |
| S/MIME Email | RSA-3072 | User certificates | Business email | 7 years | MEDIUM |
| Code Signing | ECDSA-P256 | CI/CD keystore | Software releases | Indefinite | HIGH |

Risk scoring:
- LOW: Retention < 5 years OR data not confidential
- MEDIUM: Retention 5-15 years AND moderate sensitivity
- HIGH: Retention > 15 years OR high sensitivity
- CRITICAL: Classified data OR nation-state targets
Recommended Actions by Risk
HIGH or CRITICAL risk systems:
- ✅ Migrate to PQC in 2026 (immediate priority)
- ✅ Use composite keys (defense-in-depth)
- ✅ Pilot first (validate performance)

MEDIUM risk systems:
- ⚠️ Plan migration for 2027-2028 (near-term)
- ✅ Monitor quantum progress (adjust timeline if needed)
- ✅ Budget allocation (secure funding)

LOW risk systems:
- ⚠️ Can wait until 2029-2030
- ✅ But plan anyway (avoid rush)
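
The risk-scoring rules and migration windows above, applied to the inventory rows as an added example (not part of the original page or of any vendor tooling). The sensitivity labels, the `Row` fields, treating "N/A (ephemeral)" as 0 years, and the most-severe-rule-first precedence are assumptions; the page's rules overlap and do not say which one wins.

```python
from dataclasses import dataclass
from typing import Optional

# Sensitivity labels are an assumption; the page's table has no such column.
SENSITIVITY = ("public", "moderate", "high", "classified")
ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
# Migration windows from the page's "Recommended Actions by Risk".
WINDOW = {"CRITICAL": "2026", "HIGH": "2026",
          "MEDIUM": "2027-2028", "LOW": "2029-2030"}

@dataclass
class Row:
    system: str
    algorithm: str
    retention_years: Optional[float]  # None means indefinite retention
    sensitivity: str
    nation_state_target: bool = False

def quantum_risk(row: Row) -> str:
    if row.sensitivity not in SENSITIVITY:
        raise ValueError(f"unknown sensitivity: {row.sensitivity!r}")
    years = float("inf") if row.retention_years is None else row.retention_years
    # Most severe rule first, so overlapping rules resolve to the higher tier
    # (e.g. 2-year retention but high sensitivity scores HIGH, not LOW).
    if row.sensitivity == "classified" or row.nation_state_target:
        return "CRITICAL"
    if years > 15 or row.sensitivity == "high":
        return "HIGH"
    if 5 <= years <= 15 and row.sensitivity == "moderate":
        return "MEDIUM"
    return "LOW"  # retention < 5 years, or data not confidential

# Constructed input: systems, algorithms and retention come from the page's
# table; the sensitivity values are assumed for illustration.
INVENTORY = [
    Row("Database TDE", "AES-256", 10, "high"),
    Row("S3 Encryption", "RSA-4096", 10, "high"),
    Row("VPN", "RSA-2048", 0, "moderate"),  # "N/A (ephemeral)" taken as 0
    Row("S/MIME Email", "RSA-3072", 7, "moderate"),
    Row("Code Signing", "ECDSA-P256", None, "moderate"),
]

def migration_plan(rows):
    """Return (system, risk, migration window) tuples, most urgent first."""
    scored = [(r.system, quantum_risk(r)) for r in rows]
    scored.sort(key=lambda t: ORDER.index(t[1]))
    return [(name, risk, WINDOW[risk]) for name, risk in scored]

if __name__ == "__main__":
    for system, risk, window in migration_plan(INVENTORY):
        print(f"{system:15} {risk:9} migrate {window}")
```

These rules score on retention and sensitivity only, so the algorithm column is carried along for the report but does not change the result.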
Cost-Benefit Analysis
Cost of PQC Migration
AnkaSecure approach (config-driven):
Migration cost: $30 (configuration only)
Performance impact: +15% latency (ML-KEM vs RSA)
Infrastructure cost: $0 (same servers)
Total: $30 one-time
Traditional approach (code rewrite):
Migration cost: $840,000 (200 apps × 70 hours × $60/hour)
Performance impact: Unknown (depends on implementation)
Infrastructure cost: Possible (if different libraries)
Total: $840,000+ one-time
ROI: $839,970 savings with AnkaSecure
Cost of NOT Migrating (If Quantum Arrives)
Scenario: Quantum computer breaks RSA in 2035, your data compromised
Direct costs:
- Regulatory fines: $50K-$5M (HIPAA, GDPR, PCI DSS breaches)
- Litigation: $1M-$100M (class-action lawsuits)
- Remediation: $500K-$10M (forensics, notification, monitoring)

Indirect costs:
- Reputation damage: 10-30% customer churn
- Stock price impact: 5-20% decline (for public companies)
- Lost business: $10M-$1B (customers leave due to breach)
Total potential cost: $10M-$1B+ (depends on data sensitivity and customer base)
Insurance: Cyber insurance may NOT cover quantum attacks (act of war exclusion, known risk)
Industry-Specific Readiness
Financial Services
Regulatory drivers:
- SEC: Transaction records (7-10 years)
- FINRA: Trading data (6 years)
- PCI DSS: Cardholder data (quantum resistance emerging)
Readiness score (average): 60% (aware, planning, not yet deployed)
Recommendation: Deploy in 2026 (ahead of industry, competitive advantage)
Healthcare
Regulatory drivers:
- HIPAA: Patient records (6-30 years)
- FDA 21 CFR Part 11: Clinical trials (50+ years)
- State laws: Medical records (varies by state)
Readiness score (average): 45% (aware, limited planning)
Recommendation: Deploy in 2026-2027 (30-year retention = high quantum risk)
Government/Defense
Regulatory drivers:
- CNSA 2.0: Classified data (mandatory by 2030)
- FISMA: Federal systems (quantum-resistant preferred)
- ICD 503: Intelligence community (Type 2 crypto)
Readiness score (average): 70% (high awareness, active planning)
Recommendation: Deploy in 2026 (4 years to deadline, avoid rush)
Technology/SaaS
Regulatory drivers:
- SOC 2: Encryption controls (quantum resistance emerging)
- Customer contracts: Data protection commitments
- Competitive pressure: Market differentiation
Readiness score (average): 35% (low awareness, reactive)
Recommendation: Deploy in 2027-2028 (customer demand will drive)
What's Next?
Improve your readiness:
- 🔍 Complete assessment (get your score)
- 📥 Download action plan (based on your score)
- 📊 ROI calculator (migration cost vs quantum breach cost)
- 📧 Request readiness audit (we'll assess your environment)

Start your PQC journey:
- Quantum threat timeline - When will quantum arrive?
- Migration strategy - How to migrate
- Compliance overview - What standards apply
Last updated: 2026-01-07 | Assessment framework based on NIST guidance and industry best practices