8. Knowledge on the PQC migration
1. Do your stakeholders understand the quantum threat timeline and why PQC migration must begin before cryptographically relevant quantum computers arrive?
2. Do you have an inventory of data types that are encrypted at rest (e.g., PII, PHI, financials, company IP)?
3. What data types are encrypted in transit?
4. Are there instances where you do not use end-to-end encryption for sensitive communication channels?
5. Does your organization have the knowledge to perform a cryptographic asset discovery and maintain an updated cryptographic bill of materials (CBOM)?
6. How is encryption handled across cloud, hybrid, and on-prem environments?
7. Do you perform static or dynamic analysis to detect weak cryptographic practices? Can you provide data for analysis?
8. Do you have a Software Bill of Materials (SBOM) you can share?
9. Are cryptographic functions implemented using vetted libraries (e.g., OpenSSL, Bouncy Castle, Libsodium, etc.)?
10. Does your organization track and understand the NIST PQC standards (ML-KEM, ML-DSA, SLH-DSA, FN-DSA) and EU recommendations?
11. Do your architects and engineers know the performance, interoperability, and implementation trade-offs of deploying PQC algorithms?
12. Do you use homomorphic encryption or confidential computing techniques? Examples of homomorphic encryption schemes are BFV (Brakerski-Vercauteren), BGV (Brakerski-Gentry-Vaikuntanathan), and CKKS (Chen-Kulkarni-Kulkarni-Sasaki). These schemes enable mathematical operations to be performed on encrypted data without decrypting it.
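Questions 5 and 7 ask whether an organization can discover its cryptographic assets and maintain a CBOM. The following added example (not part of this assessment, and not any vendor's tool) shows the core of such a discovery pass: it scans constructed grep-style findings for algorithm usage, tags each hit as quantum-vulnerable, PQC-standard or symmetric, and emits CBOM-style entries with a migration action. The file paths, code lines and the simplified status table are assumptions for illustration.

```python
import re

# Constructed sample findings in "path:line: code" form (as a grep over a code base would print).
SAMPLE_FINDINGS = [
    "auth/server.py:12: key = rsa.generate_private_key(public_exponent=65537, key_size=2048)",
    "deploy/tls.conf:3: ssl_ecdh_curve secp256r1;",
    "sign/sign.go:40: sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)",
    "kex/kem.py:7: ct, ss = ml_kem_768.encaps(pk)",
    "vault/config.yaml:2: cipher: AES-256-GCM",
]

LOC = re.compile(r"^([^:]+):(\d+):\s*(.*)$")

# Algorithm detectors; order is the order of checks, one CBOM entry per match.
ALGO_PATTERNS = [
    (re.compile(r"\brsa\b", re.I), "RSA"),
    (re.compile(r"\becdsa\b", re.I), "ECDSA"),
    (re.compile(r"ecdh|secp\d+r1|x25519", re.I), "ECDH"),
    (re.compile(r"\bml[_-]kem[_-]?\d*", re.I), "ML-KEM"),
    (re.compile(r"\bml[_-]dsa[_-]?\d*", re.I), "ML-DSA"),
    (re.compile(r"\baes-?(128|256)", re.I), "AES"),
]

# Simplified PQC status per algorithm (assumption): category, status, recommended action.
STATUS = {
    "RSA": ("asymmetric", "quantum-vulnerable", "replace with ML-KEM (key exchange) or ML-DSA/SLH-DSA (signatures)"),
    "ECDSA": ("asymmetric", "quantum-vulnerable", "replace with ML-DSA or SLH-DSA"),
    "ECDH": ("asymmetric", "quantum-vulnerable", "replace with ML-KEM, or hybrid ECDH+ML-KEM during transition"),
    "ML-KEM": ("asymmetric", "pqc-standard", "none"),
    "ML-DSA": ("asymmetric", "pqc-standard", "none"),
    "AES": ("symmetric", "quantum-resistant", "prefer 256-bit keys to offset Grover's speed-up"),
}

def discover(findings):
    """Turn grep-style findings into CBOM-style entries (list of dicts)."""
    entries = []
    for raw in findings:
        m = LOC.match(raw)
        if not m:
            continue  # skip lines that are not in path:line: code form
        path, lineno, code = m.groups()
        for pattern, algo in ALGO_PATTERNS:
            if pattern.search(code):
                category, status, action = STATUS[algo]
                entries.append({"location": f"{path}:{lineno}", "algorithm": algo,
                                "category": category, "pqc_status": status, "action": action})
    return entries

def migration_summary(entries):
    """Count CBOM entries per PQC status, the headline figure for a migration plan."""
    summary = {}
    for e in entries:
        summary[e["pqc_status"]] = summary.get(e["pqc_status"], 0) + 1
    return summary
```

Running `discover(SAMPLE_FINDINGS)` on the constructed input yields five entries, three of them quantum-vulnerable; a real CBOM would add key sizes, certificate lifetimes and the owning system to each entry.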