HOW CAN BUSINESSES RESPOND TO THE QUANTUM THREAT TO CRYPTOGRAPHY?

Posted on 17-Apr-2020

Page 1

HOW CAN BUSINESSES RESPOND TO THE QUANTUM THREAT TO CRYPTOGRAPHY?

Page 2

ASSESSMENT

PREPARATION

ORDERLY MIGRATION

EMERGENCY MIGRATION

MITIGATION

BQ

AQ

Page 3

ASSESSMENT

Page 4

ASSESSMENT: RISK

Page 5

Risk Questions

MAGNITUDE: What risks will information disclosure create? (Monetary loss, Compliance, Legal, Reputation)

SCOPE: Do you issue keys or certificates to third parties? Under what CPSs or SLAs?

DURATION: Can you quantify damage due to degradation or interruption of each service that uses crypto?

RESPONSE: Is there a plan to protect encrypted assets in case of a crypto failure?

DURATION: How long must confidentiality be maintained for each asset class?

Page 6

ASSESSMENT: DATA

Page 7

Data Questions

TYPE: What classes of data do I encrypt? (PII, Trade Secret, Custodial Secret, Govt Classified…)

RETENTION: Is encrypted data deleted according to a regular schedule?

DISCLOSURE IMPACT: What are the consequences of disclosure of each data class?

EXPOSURE: Is encrypted data normally exposed to potential attackers? (e.g. in transit or in a public cloud)

PROTECTION DURATION: How long must confidentiality be maintained for each data class?

Page 8

ASSESSMENT: KEYS

Page 9

Key Questions

TYPE: What are the strength, algorithm binding, and usage (sign vs encrypt, application, etc…) of each key?

LIFETIME: What are the issuance and expiration dates for each key?

MANAGEMENT: Are all keys inventoried and locatable? Are keys easy to revoke and reissue?

STRENGTH: What is the effective strength of each key, vs. classical and quantum attack?
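The Data and Key questions above (protection duration, exposure, key type, lifetime, strength against classical and quantum attack) can be answered mechanically once an inventory exists. The script below is an added example, not material from the slide deck: it takes constructed inventory records (a real export would come from the organisation's key and certificate management systems), rates each key's classical strength with the comparable-strength table from NIST SP 800-57 Part 1, applies the usual rule of thumb for quantum strength (Shor removes the security of RSA/EC/DSA/DH entirely, Grover roughly halves a symmetric key's effective bits), and ranks keys by how urgently they need migration. The "horizon" rule for signing keys and the ranking order are assumptions made for this example, not the deck's method.

```python
"""Key-inventory triage for the quantum threat.

Added example (not part of the slide deck). Constructed records stand in for
a real key/certificate inventory export. Classical strength uses the
comparable-strength table in NIST SP 800-57 Part 1; the quantum column
applies the usual rules of thumb: Shor's algorithm removes the security of
RSA/EC/DSA/DH keys entirely, Grover's search roughly halves the effective
bits of a symmetric key.
"""
from dataclasses import dataclass
from datetime import date

SHOR_VULNERABLE = {"RSA", "EC", "DSA", "DH"}


@dataclass
class KeyRecord:
    key_id: str
    algorithm: str          # "RSA", "EC", "DSA", "DH" or "AES"
    key_bits: int
    usage: str              # "sign" or "encrypt"
    application: str
    issued: date
    expires: date
    protection_years: int   # how long the protected data must stay confidential
    exposed: bool           # ciphertext routinely reachable by outsiders (in transit, public cloud)


def classical_bits(algorithm: str, key_bits: int) -> int:
    """Comparable classical security strength (SP 800-57 Part 1, Table 2)."""
    if algorithm in ("RSA", "DSA", "DH"):
        table = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
    elif algorithm == "EC":
        table = [(512, 256), (384, 192), (256, 128), (224, 112), (160, 80)]
    elif algorithm == "AES":
        return key_bits            # symmetric: nominal size is the strength
    else:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    for min_size, bits in table:   # first row the key size reaches
        if key_bits >= min_size:
            return bits
    return 0                       # smaller than any tabulated size


def quantum_bits(algorithm: str, key_bits: int) -> int:
    """Effective strength against a large quantum computer (rule of thumb)."""
    if algorithm in SHOR_VULNERABLE:
        return 0                   # Shor: factoring / discrete log become easy
    return classical_bits(algorithm, key_bits) // 2   # Grover halves symmetric strength


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:             # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def assess(rec: KeyRecord, today: date) -> dict:
    """Answer the TYPE / LIFETIME / STRENGTH questions for one key."""
    if rec.usage == "encrypt":
        # Ciphertext captured today must stay secret until the protection period
        # ends, whether or not the key itself expires earlier.
        horizon = add_years(today, rec.protection_years)
    else:
        # Simplification assumed here: a signature only has to resist forgery
        # while the key is still trusted, so its horizon is the expiry date.
        horizon = rec.expires
    strength = classical_bits(rec.algorithm, rec.key_bits)
    return {
        "key_id": rec.key_id,
        "application": rec.application,
        "classical_bits": strength,
        "quantum_bits": quantum_bits(rec.algorithm, rec.key_bits),
        "shor_vulnerable": rec.algorithm in SHOR_VULNERABLE,
        "weak_today": strength < 112,   # below the SP 800-57 minimum for new use
        "expired": rec.expires < today,
        "exposed": rec.exposed,
        "horizon": horizon,
    }


def triage(inventory, today: date) -> list:
    """Most urgent first: Shor-vulnerable, then exposed ciphertext, then longest horizon."""
    rows = [assess(r, today) for r in inventory]
    return sorted(rows, key=lambda a: (not a["shor_vulnerable"],
                                       not a["exposed"],
                                       -a["horizon"].toordinal()))


# Constructed sample inventory; the deck's posting date is used as "today".
TODAY = date(2020, 4, 17)
SAMPLE_INVENTORY = [
    KeyRecord("tls-edge-rsa", "RSA", 2048, "encrypt", "customer portal TLS",
              date(2019, 1, 1), date(2025, 1, 1), protection_years=10, exposed=True),
    KeyRecord("code-sign-01", "RSA", 3072, "sign", "release signing",
              date(2019, 6, 30), date(2027, 6, 30), protection_years=0, exposed=False),
    KeyRecord("backup-archive-aes", "AES", 256, "encrypt", "offsite backup (public cloud)",
              date(2018, 3, 1), date(2030, 3, 1), protection_years=25, exposed=True),
    KeyRecord("vpn-ec-p256", "EC", 256, "encrypt", "site-to-site VPN",
              date(2019, 12, 31), date(2024, 12, 31), protection_years=5, exposed=True),
    KeyRecord("legacy-rsa1024", "RSA", 1024, "sign", "internal SSO",
              date(2016, 1, 1), date(2021, 1, 1), protection_years=0, exposed=False),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY, TODAY):
        print(f'{a["key_id"]:20} classical={a["classical_bits"]:3} quantum={a["quantum_bits"]:3} '
              f'horizon={a["horizon"]} exposed={a["exposed"]} weak_today={a["weak_today"]}')
```

Run as a script it prints the ranked inventory. The ordering puts an RSA key protecting ten years of externally visible traffic ahead of a longer-lived AES-256 archive key, because Shor's algorithm breaks the former outright while Grover only halves the latter to a still-comfortable 128 bits; that is the distinction the STRENGTH question is asking an organisation to make.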

Page 10

ASSESSMENT: INFRASTRUCTURE & SUPPLIERS

Page 11

Infrastructure Questions

CRYPTO SOFTWARE INVENTORY: What crypto libraries are in use? What protocol libraries are in use?

KEY INVENTORY: What keys are in use, by what applications?

ADMIN INVENTORY: Who is authorized to manage which keys and which crypto modules and devices?

CERTIFICATE INVENTORY: What certificates are issued to the organization? Who issued them? What attributes does each certificate have?

CRYPTO HARDWARE INVENTORY: What crypto hardware is in use?

APPLICATION INVENTORY: Which applications use which libraries, which keys, and which protocols?

Page 12

Supplier Questions

CAs: Do my CA agreements hold the CA to an SLA for timely reissuance? Do I have a backup CA under contract? Are my CAs obligated and prepared to revoke certificates en masse in case of an algorithm breach?

CODE SIGNATURES: Can and will my application vendors re-sign applications in a timely way?

SLAs (CA): Do my revocation and reissuance requests get priority vs. other firms in emergencies?

SLAs (Data Custodian): What obligations do custodians of my data have in case of algorithm breach?

MY CSRs: Have I retained my CSRs so I can request reissuance of certs with the correct attributes?

SLAs (Software Vendor): Are my vendors obligated to timely upgrades to fix crypto breaches?

Page 13

PREPARATION

Page 14

PREPARATION: ORDERLY MIGRATION

Page 15

Orderly Transition Planning

SUPPLIER READINESS PLANS: Do your suppliers have quantum readiness plans? Do your contracts require them?

STANDARDS PARTICIPATION: Are you participating in standards groups preparing for PQC?

PRODUCT TESTING: Are you testing and certifying PQC algorithms and PQC-enabled products in advance?

HYBRID CRYPTO: Are you investigating or implementing hybrid classical/PQC modes of operation?

CRYPTO AGILITY: Will your infrastructure support rapid replacement of crypto algorithms and protocols?

REGULATORY ENGAGEMENT: Are you engaging with regulators on use of PQC?

Page 16

PREPARATION: EMERGENCY MIGRATION

Page 17

Disorderly Transition Planning

EXERCISES: Are you planning and executing tabletop and simulation exercises for crypto algorithm failure response?

SUPPLIER AGREEMENTS: Are you updating your supplier and partner agreements to cover algorithm failure?

SAVED CSRs: Are you retaining your Certificate Signing Requests to support emergency cert reissuance?

CA AGREEMENTS: Are you updating your CA agreements to cover algorithm failure?

EMERGENCY SOFTWARE DISTRIBUTION: Are you making arrangements to securely receive and deploy patches and updated software versions while network protocol and code signing cryptography is insecure?

E-RISK COVERAGE: Are you investigating Cyber Insurance for cryptographic algorithm failures?

Page 18

MIGRATION

Page 19

Migration

RESPONSIBILITY: What executive is responsible for Quantum Safety?

PROJECT MANAGEMENT: Is there a detailed plan for Quantum Safety? What is its priority?

BUDGET: Is there a budget for Quantum Safety projects?

METRICS AND TRACKING: Are there metrics for Quantum Safety? To whom are they reported?

Page 20

MITIGATION

Page 21

Mitigation

STAKEHOLDER ENGAGEMENT: Are Legal, Compliance, and Corporate Communications involved in planning?

EXERCISES: Are you planning and executing tabletop and simulation exercises for crypto algorithm failure response?

BUDGET: Is there a budget for mitigation of crypto algorithm failures?

PLAYBOOKS: Have exercises been used to create playbooks for mitigation?

Page 22

QUESTIONS