
Crypto Agility & Post-Quantum Cryptography (PQC) Migration Framework

Level 1 — Initial / Ad Hoc

  • Current state: No crypto inventory; crypto usage unknown or undocumented.
  • Focus: Awareness and foundational understanding.
  • Key actions:
    • Conduct awareness sessions for leadership and key teams on quantum risks.
    • Perform a high-level risk assessment to identify business-critical data and processes at risk, paying particular attention to data whose confidentiality must outlast the arrival of a cryptographically relevant quantum computer: traffic and stored ciphertext captured today can be decrypted later ("harvest now, decrypt later"), so that exposure exists before any migration begins.
    • Begin documenting known cryptographic uses in key systems.

Level 2 — Managed / Partial Inventory

  • Current state: Partial crypto inventories; siloed awareness; limited visibility across enterprise.
  • Focus: Building basic inventories and governance.
  • Key actions:
    • Develop an inventory program to identify cryptographic assets (keys, certificates, algorithms, libraries and protocol configurations) using automated discovery tools where possible; manual surveys alone miss crypto embedded in vendor software, firmware and internal tooling.
    • Establish roles and responsibilities for crypto asset management.
    • Map some crypto assets to business units or systems.
    • Develop basic crypto governance policies.
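The inventory step above is usually started by scanning configuration and source files for algorithm identifiers and tagging each hit with its quantum status. The following is an added example, not code from the original page: a small regex-based scanner over constructed sample files (an nginx TLS config, an sshd_config, a Java signer and a PQC pilot manifest), with a rule table that is an assumption you would extend for your own estate. A production inventory tool would also parse certificates, keystores and network captures, which this example does not attempt.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Each rule: (regex, algorithm family, quantum status). Constructed for this example;
# extend it with the algorithm names that appear in your own code and configs.
RULES = [
    (r"\bRSA\b", "asymmetric", "quantum-vulnerable"),
    (r"\b(?:ECDSA|ECDHE?|X25519|curve25519|Ed25519|secp\d+[rk]1|P-(?:256|384|521))\b",
     "asymmetric", "quantum-vulnerable"),
    (r"\b(?:DHE?|diffie-hellman)\b", "asymmetric", "quantum-vulnerable"),
    (r"\bSHA\d+with(?:RSA|ECDSA|DSA)\b", "asymmetric", "quantum-vulnerable"),  # Java JCA names
    (r"\b(?:ML-KEM|Kyber|ML-DSA|Dilithium|SLH-DSA)(?:-\d+)?\b", "asymmetric", "post-quantum"),
    (r"\bAES[-_]?(?:128|192|256)\b", "symmetric", "quantum-resistant"),
    (r"\b(?:MD5|SHA-?1)\b", "hash", "classically-weak"),
    (r"\bSHA-?(?:2|256|384|512|3)\b", "hash", "quantum-resistant"),
]
COMPILED = [(re.compile(rx, re.IGNORECASE), fam, status) for rx, fam, status in RULES]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    algorithm: str   # normalised (upper-cased) identifier as found in the file
    family: str
    status: str


def scan_file(path, lines):
    """Return one Finding per distinct algorithm identifier per line."""
    seen, findings = set(), []
    for lineno, text in enumerate(lines, start=1):
        for rx, family, status in COMPILED:
            for match in rx.finditer(text):
                alg = match.group(0).upper()
                if (lineno, alg) in seen:
                    continue
                seen.add((lineno, alg))
                findings.append(Finding(path, lineno, alg, family, status))
    return findings


def scan_files(files):
    """files: mapping of path -> list of lines. Returns the combined inventory."""
    out = []
    for path, lines in files.items():
        out.extend(scan_file(path, lines))
    return out


def summarise(findings):
    """Counts per quantum status, the first KPI a Level 2 programme can report."""
    return Counter(f.status for f in findings)


# Constructed sample files standing in for a real filesystem walk.
SAMPLE_FILES = {
    "nginx.conf": [
        "ssl_protocols TLSv1.2 TLSv1.3;",
        "ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;",
        "ssl_ecdh_curve X25519:secp384r1;",
    ],
    "sshd_config": [
        "HostKeyAlgorithms ssh-ed25519,rsa-sha2-512",
        "KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256",
    ],
    "Signer.java": [
        'KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");',
        "kpg.initialize(2048);",
        'Signature sig = Signature.getInstance("SHA256withRSA");',
    ],
    "pqc-pilot.yaml": ["kem: ML-KEM-768", "sig: ML-DSA-65", "aead: AES-256-GCM"],
}

if __name__ == "__main__":
    inventory = scan_files(SAMPLE_FILES)
    for f in inventory:
        print(f"{f.path}:{f.line}  {f.algorithm:16} {f.family:11} {f.status}")
    print(dict(summarise(inventory)))
```

Every "quantum-vulnerable" row is a migration work item; the "post-quantum" rows show where pilots already exist, and the per-file grouping is what lets you map assets to owning systems in the next step.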

Level 3 — Defined / Enterprise Mapping & Prioritisation

  • Current state: Crypto inventory mapped to enterprise architecture; prioritisation based on business impact.
  • Focus: Enterprise-wide visibility and risk prioritisation.
  • Key actions:
    • Integrate crypto asset inventories into Enterprise Architecture (EA) frameworks.
    • Classify cryptographic assets by data sensitivity, confidentiality lifespan (how long the data must stay secret, or how long a signature must remain trustworthy) and regulatory impact.
    • Prioritise migration on the highest-risk assets: those for which the confidentiality lifespan plus the time needed to migrate exceeds the estimated time until a cryptographically relevant quantum computer exists (Mosca's inequality, x + y > z), weighted by sensitivity.
    • Update governance policies with PQC considerations.
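The classification and prioritisation steps above reduce to a small calculation per asset. The following is an added example, not code from the original page: it applies Mosca's inequality (x = confidentiality lifespan, y = migration time, z = years until a cryptographically relevant quantum computer) to a constructed set of assets, tiers them, and sorts the tiers by sensitivity. The asset list, the 2-year buffer and the tier names are assumptions for illustration; the z estimate is an input your risk function must own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoAsset:
    name: str
    sensitivity: int          # 1 = public ... 4 = regulated / restricted
    shelf_life_years: float   # x: years the data must stay secret (or a signature stay trustworthy)
    migration_years: float    # y: years needed to migrate this system to PQC
    quantum_vulnerable: bool  # True for RSA / ECC / finite-field DH; False for symmetric or PQC


def mosca_margin(asset, crqc_years):
    """z - (x + y). Negative means x + y > z: the asset cannot be migrated before
    data protected with it today becomes exposed."""
    return crqc_years - (asset.shelf_life_years + asset.migration_years)


def tier(margin, buffer_years=2.0):
    """Tier names are an assumption of this example; map them to your risk register."""
    if margin < 0:
        return "critical"
    if margin < buffer_years:
        return "high"
    return "planned"


def prioritise(assets, crqc_years, buffer_years=2.0):
    """Rank quantum-vulnerable assets: tier first, then sensitivity, then smallest margin."""
    rows = []
    for a in assets:
        if not a.quantum_vulnerable:
            continue  # symmetric and PQC assets are tracked but not migration work items
        margin = mosca_margin(a, crqc_years)
        rows.append({
            "asset": a.name,
            "tier": tier(margin, buffer_years),
            "margin_years": margin,
            "sensitivity": a.sensitivity,
            # Data recorded today outlives the CRQC estimate even with zero migration time:
            # the harvest-now-decrypt-later case, which no future migration can undo.
            "hndl_exposed": a.shelf_life_years > crqc_years,
        })
    order = {"critical": 0, "high": 1, "planned": 2}
    rows.sort(key=lambda r: (order[r["tier"]], -r["sensitivity"], r["margin_years"]))
    return rows


# Constructed sample assets; numbers are illustrative only.
SAMPLE_ASSETS = [
    CryptoAsset("HR records archive (RSA-2048 key wrapping)", 4, 25, 3, True),
    CryptoAsset("Field-device firmware signing (ECDSA P-256)", 4, 10, 6, True),
    CryptoAsset("Board email (S/MIME, RSA)", 4, 10, 1, True),
    CryptoAsset("Customer portal TLS (ECDHE)", 3, 1, 2, True),
    CryptoAsset("Internal wiki TLS", 1, 3, 6, True),
    CryptoAsset("Token vault (AES-256)", 4, 25, 0, False),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_ASSETS, crqc_years=10):
        print(f"{row['tier']:8} sens={row['sensitivity']} margin={row['margin_years']:+.0f}y "
              f"hndl={row['hndl_exposed']}  {row['asset']}")
```

Note that the firmware-signing system ranks above the customer portal even though the portal handles more live traffic: a device that must verify signatures for ten years after a six-year rollout is already past the point where a classical-only root can be trusted, while a TLS session key protects one short conversation and can be migrated quickly.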

Level 4 — Quantitatively Managed / Crypto Agility & PQC Pilots

  • Current state: Architected for crypto agility; hybrid classical + PQC algorithms tested; pilot migrations underway.
  • Focus: Technical readiness and validation.
  • Key actions:
    • Design and deploy crypto-agile abstraction layers: APIs that select algorithms by negotiated identifier from a registry and policy, rather than hard-coding a primitive, so an algorithm can be swapped or a hybrid suite added without changing callers.
    • Run pilot PQC migrations in non-production environments.
    • Test performance, interoperability and operational impact of PQC algorithms; larger keys, ciphertexts and signatures (ML-KEM-768 public keys and ciphertexts are roughly 1 KB each, ML-DSA-65 signatures over 3 KB) affect handshake latency, packet fragmentation, certificate chain sizes and HSM support.
    • Incorporate crypto agility into incident response and vulnerability management.
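The agility layer and hybrid suites described above have a concrete shape: a registry of KEM implementations keyed by identifier, suites expressed as lists of identifiers, a policy that is data rather than code, and a combiner that derives one shared secret from every component. The following is an added example, not code from the original page. Its `StandInKem` is an insecure hash-based placeholder so the block runs offline with only the standard library; in a pilot you would bind the "x25519" and "ml-kem-768" names to real implementations. The suite names, the message layout and the policy set are assumptions of this example, and the combiner follows the general approach of the IETF hybrid TLS design (concatenated secrets fed through a KDF bound to the transcript) without claiming to match any specific draft byte for byte.

```python
import hashlib
import hmac
import os


class StandInKem:
    """INSECURE placeholder KEM (HMAC only) so the example runs offline.
    It has the right interface (keygen / encaps / decaps) and nothing else."""
    def __init__(self, name, ss_len=32):
        self.name, self.ss_len = name, ss_len

    def _pk(self, sk):
        return hashlib.sha256(self.name.encode() + sk).digest()

    def keygen(self):
        sk = os.urandom(32)
        return self._pk(sk), sk

    def encaps(self, pk):
        ct = os.urandom(32)
        return ct, hmac.new(pk, ct, hashlib.sha256).digest()[: self.ss_len]

    def decaps(self, sk, ct):
        return hmac.new(self._pk(sk), ct, hashlib.sha256).digest()[: self.ss_len]


# Registry: callers name algorithms by identifier and never import an implementation.
ALGORITHMS = {name: StandInKem(name) for name in ("x25519", "ml-kem-768", "rsa-2048-kem")}

# Suites are tuples of algorithm identifiers; a hybrid suite lists more than one.
SUITES = {
    "legacy-rsa": ("rsa-2048-kem",),
    "classical-x25519": ("x25519",),
    "hybrid-x25519-mlkem768": ("x25519", "ml-kem-768"),
    "pqc-mlkem768": ("ml-kem-768",),
}
# Policy is data: retiring legacy-rsa was a config change, not a code change.
ALLOWED_SUITES = frozenset({"classical-x25519", "hybrid-x25519-mlkem768", "pqc-mlkem768"})


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF extract-then-expand (RFC 5869) with SHA-256, written out since hashlib lacks it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def combine(suite, cts, sss):
    """Hybrid combiner: concatenate component secrets, bind to suite id and ciphertexts.
    If any one component is secure, the output is; a tampered ciphertext changes it."""
    salt = hashlib.sha256(suite.encode()).digest()
    return hkdf_sha256(b"".join(sss), salt, b"hybrid-kem|" + b"|".join(cts))


def check_suite(suite, allowed=ALLOWED_SUITES):
    if suite not in SUITES:
        raise ValueError(f"unknown suite {suite!r}")
    if suite not in allowed:
        raise ValueError(f"suite {suite!r} not permitted by policy")
    return SUITES[suite]


def keygen(suite, allowed=ALLOWED_SUITES):
    pks, sks = {}, {}
    for alg in check_suite(suite, allowed):
        pks[alg], sks[alg] = ALGORITHMS[alg].keygen()
    return pks, sks


def encapsulate(suite, pks, allowed=ALLOWED_SUITES):
    """Sender side: one ciphertext per component, one combined shared secret.
    The message carries the suite id so the receiver can pick implementations."""
    algs = check_suite(suite, allowed)
    cts, sss = [], []
    for alg in algs:
        ct, ss = ALGORITHMS[alg].encaps(pks[alg])
        cts.append(ct)
        sss.append(ss)
    return {"suite": suite, "ct": dict(zip(algs, cts))}, combine(suite, cts, sss)


def decapsulate(message, sks, allowed=ALLOWED_SUITES):
    """Receiver side: policy check first, then per-component decaps, then combine."""
    algs = check_suite(message["suite"], allowed)
    cts = [message["ct"][alg] for alg in algs]
    sss = [ALGORITHMS[alg].decaps(sks[alg], ct) for alg, ct in zip(algs, cts)]
    return combine(message["suite"], cts, sss)


def roundtrip(suite, allowed=ALLOWED_SUITES):
    """Same caller code for classical, hybrid and PQC-only suites."""
    pks, sks = keygen(suite, allowed)
    message, ss_sender = encapsulate(suite, pks, allowed)
    return ss_sender == decapsulate(message, sks, allowed)


if __name__ == "__main__":
    for suite in ALLOWED_SUITES:
        print(suite, "ok" if roundtrip(suite) else "MISMATCH")
```

The part worth copying into a pilot is the shape, not the toy primitives: the caller of `roundtrip` never changes when a suite is added or withdrawn, a peer that still offers `legacy-rsa` is refused at `check_suite` before any key material is touched, and the combiner's transcript binding means a downgrade that strips the PQC ciphertext cannot yield the same secret.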

Level 5 — Optimizing / Continuous Crypto Governance & PQC Readiness

  • Current state: Continuous monitoring, governance, and rapid algorithm swap capabilities; PQC migration planned & managed.
  • Focus: Operational excellence and future-proofing.
  • Key actions:
    • Implement continuous crypto asset discovery & lifecycle management tools.
    • Maintain crypto agility playbooks and update regularly based on evolving standards (NIST, ETSI, NCSC).
    • Establish crypto risk metrics and KPIs reported to leadership.
    • Engage with industry & regulators on PQC standards and threat intelligence sharing.
    • Plan and execute large-scale migration now that the core PQC standards are finalised (NIST published FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA in August 2024), tracking follow-on standards, protocol profiles and vendor support as they mature.

Summary:
This structured, maturity-based framework guides organisations from “crypto unknown” to “quantum-ready” with clear phases, actions, and focus areas — ensuring crypto agility is embedded in enterprise architecture, governance, and technical operations.

