Open resource
Post-quantum readiness assessment
A structured framework for evaluating your organization's exposure to quantum computing threats and readiness for post-quantum cryptography migration. Free, no email gate, no vendor lock-in.
What it is
The Post-Quantum Readiness Assessment (PQRA) is a self-assessment framework with 52 scored questions across 7 weighted domains. It evaluates your organization's cryptographic posture against quantum computing threats and produces an overall readiness score, risk category, and PQC Maturity Model (PQCMM) level.
The PDF guide explains each domain, why it matters, common gaps, and how to score your organization. The Excel workbook (11 sheets) automates weighted scoring and maps each question to compliance frameworks (NIST CSF 2.0, SP 800-53, ISO 27001, CNSA 2.0, DORA). It includes a CycloneDX CBOM template and generates a dashboard with radar chart and PQCMM maturity level. Use the results to identify your highest-priority migration gaps and build a phased PQC roadmap.
This is not a product demo or a lead magnet. The full methodology is here. Use it, adapt it, share it. The PQRA is a prioritization and planning tool, not a certification or formal audit.
Assessment framework
7 domains, weighted by impact
Cryptographic inventory
Identifies all cryptographic algorithms, protocols, keys, and certificates in use across the organization. A complete inventory is the prerequisite for any migration effort.
Migration readiness
Assesses the technical capability to transition from quantum-vulnerable algorithms to post-quantum alternatives. Covers crypto-agility, key management flexibility, PKI readiness, and testing infrastructure.
Data sensitivity and lifespan
Evaluates the sensitivity of data protected by current cryptographic mechanisms and its required confidentiality lifespan. Determines exposure to harvest-now, decrypt-later attacks.
Vendor and supply chain
Evaluates the organization's understanding of and influence over cryptographic dependencies in third-party software, hardware, and services.
Standards compliance
Measures alignment with published PQC standards and guidance from NIST, NSA (CNSA 2.0), NCSC, BSI, and ETSI.
Timeline and urgency
Assesses the organization's understanding of quantum computing threat timelines and how they relate to its specific risk horizon.
Governance and policy
Evaluates governance structures, policies, and resource allocation supporting PQC migration.
Scoring model
Each domain is scored 1 to 5, from "no awareness or preparation" to "fully documented and actively managed." The overall score is a weighted average across all 7 domains, producing one of four risk categories:
| Score range | Risk category | Interpretation |
|---|---|---|
| 1.0 – 2.0 | Critical | Immediate action required. Significant unaddressed quantum risk exposure. |
| 2.1 – 3.0 | High | Significant gaps. Prioritize remediation within 6–12 months. |
| 3.1 – 4.0 | Moderate | Progress made. Targeted improvements needed in specific domains. |
| 4.1 – 5.0 | Low | Well-prepared. Maintain current practices and monitor standards updates. |
The Excel workbook calculates weighted scores automatically, generates a radar chart showing domain-level strengths and gaps, and maps your overall score to a PQCMM maturity level.
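The scoring model above, worked through in Python as an added example (not the PQRA workbook's own logic). The domain weights, the one-decimal rounding and the gap-ranking heuristic are assumptions, since the page does not state them. The sample answers are constructed to give a raw average of 2.05, which falls between the "Critical" and "High" bands until it is rounded.

```python
from decimal import Decimal, ROUND_HALF_UP

# ASSUMPTION: placeholder weights in percent. The page says the domains are
# weighted but does not list the values; take the real ones from the workbook.
WEIGHTS = {
    "Cryptographic inventory": 20, "Migration readiness": 20,
    "Data sensitivity and lifespan": 15, "Vendor and supply chain": 15,
    "Standards compliance": 10, "Timeline and urgency": 10,
    "Governance and policy": 10,
}

# Upper bound of each band, from the page's score-range table.
BANDS = [(Decimal("2.0"), "Critical"), (Decimal("3.0"), "High"),
         (Decimal("4.0"), "Moderate"), (Decimal("5.0"), "Low")]

def overall_score(scores, weights=WEIGHTS):
    """Weighted average of the 1-5 domain scores, rounded to one decimal."""
    if set(scores) != set(weights):
        raise ValueError("scores must cover exactly the weighted domains")
    if any(not 1 <= s <= 5 for s in scores.values()):
        raise ValueError("each domain score must be between 1 and 5")
    # Decimal arithmetic avoids float error deciding a band boundary.
    raw = sum(Decimal(str(scores[d])) * w for d, w in weights.items())
    raw /= sum(weights.values())
    # ASSUMPTION: the bands are stated to one decimal, so round half-up first.
    return raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)

def risk_category(score):
    """Map a rounded overall score to the page's four risk categories."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError("score above 5.0")

def priority_gaps(scores, weights=WEIGHTS):
    """ASSUMPTION (not from the page): rank by weight x distance from 5."""
    return sorted(weights, key=lambda d: -weights[d] * (5 - scores[d]))

# Constructed sample answers, not real assessment data.
SAMPLE = {
    "Cryptographic inventory": 2, "Migration readiness": 2,
    "Data sensitivity and lifespan": 3, "Vendor and supply chain": 2,
    "Standards compliance": 2, "Timeline and urgency": 2,
    "Governance and policy": 1,
}

if __name__ == "__main__":
    s = overall_score(SAMPLE)
    print(s, risk_category(s), priority_gaps(SAMPLE)[:3])
```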
Grounded in published guidance
Standards alignment
Question design and scoring draw from:
- NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA)
- NSA CNSA 2.0 draft guidance: ML-KEM-1024 for key establishment, ML-DSA-87 for digital signatures, LMS/XMSS for software and firmware signing
- NCSC UK: Timelines for migration to post-quantum cryptography
- NIST SP 1800-38B (Preliminary Draft): Quantum Readiness: Cryptographic Discovery
- NIST IR 8547 (Initial Public Draft): Transition to Post-Quantum Cryptography Standards
- CycloneDX CBOM Specification v1.6
- CISA Post-Quantum Cryptography Initiative
- IETF RFC 9370: Multiple Key Exchanges in IKEv2
Compliance mapping
Each question in the Excel workbook is mapped to controls and requirements from these compliance frameworks:
- NIST Cybersecurity Framework (CSF) 2.0
- NIST SP 800-53 Rev. 5
- ISO/IEC 27001:2022
- NSA CNSA 2.0
- DORA (Digital Operational Resilience Act)