A preview
A few representative items per phase
Here is a sample of the checks in each phase. The full checklist expands these into detailed, tickable items with owners and acceptance criteria - it is yours to download below.
01 · Discover
Cover all four surfaces
Confirm discovery reaches the network and TLS layer, your certificates and keys, your applications and APIs and your data and cloud KMS - then export the inventory as a Cryptographic Bill of Materials (CBOM).
02 · Assess
Tag long-lived secrets
Flag data and keys whose confidentiality must outlast the arrival of a cryptographically relevant quantum computer and attach the relevant framework mapping to each finding.
03 · Plan
Sequence by regime and risk
Group findings by PQC regime and exposure, classify each as a key-encapsulation or a signature swap and agree the order of work with the owning teams.
04 · Migrate
Adopt the NIST algorithms
Move key encapsulation to ML-KEM and signatures to ML-DSA or SLH-DSA, favouring crypto-agility so future swaps are a registry change, not a re-engineering project.
05 · Monitor
Set a re-scan cadence
Decide how often the estate is re-scanned and route new or regressed findings - scored and framework-mapped - to the team that owns remediation, on every scan.
Across every phase
Keep an owner and a date
Every item carries an owner, a target date and an acceptance criterion - so the programme stays accountable from the first scan to ongoing monitoring.
ML-KEM
ML-DSA
SLH-DSA
NIST CSF
ISO 27001
FedRAMP
CMMC
Essential Eight (ASD)
NACSA