Assessment

QUANTUM READINESS ASSESSMENT

Know your quantum risk before you build your migration plan. Petronella Technology Group conducts a structured five-phase assessment that identifies every vulnerable system and prioritizes your migration path.

CMMC-AB RPO #1449|BBB A+ Since 2003|Founded 2002|NIST FIPS 203/204/205 Aligned|NSA CNSA 2.0
Process

What Is the Five-Phase Quantum Readiness Assessment?

A structured five-phase engagement: cryptographic discovery, quantum-vulnerability classification against NIST FIPS 203/204/205/206, data sensitivity and lifetime analysis, gap analysis against the NIST Post-Quantum Cryptography standards, and a prioritized migration roadmap you can budget and schedule.

01. Cryptographic discovery across all systems
02. Vulnerability classification by algorithm
03. Data sensitivity and lifetime analysis
04. Gap analysis against PQC standards
05. Prioritized migration roadmap

Who Needs This

Who Needs a Quantum Readiness Assessment?

Any organization with encrypted data that must stay confidential for five or more years. That includes defense contractors under CMMC, healthcare providers handling protected health information, financial institutions, state and local government, and critical infrastructure operators.

Defense Contractors | Healthcare Organizations | Financial Services | Government Agencies | Critical Infrastructure | Any Organization with Long-Lived Data

Why Assess Now

Why Does Quantum Risk Assessment Matter in 2026?

NIST finalized FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024. NSA CNSA 2.0 sets a 2035 deadline for National Security Systems. Harvest-now-decrypt-later attacks already target long-lived encrypted data. A 2026 start gives organizations three planning cycles to migrate thoughtfully.

Most cryptographic systems in production today use algorithms that will be broken by a sufficiently capable quantum computer. RSA, ECDSA, ECDH, and Diffie-Hellman all fall to Shor's algorithm. AES-128 loses roughly half its effective security against Grover's algorithm, which is why the National Security Agency now recommends AES-256. SHA-256 remains viable with adjusted output sizes. Every organization that stores encrypted data, issues digital certificates, or operates a public key infrastructure is affected.

The National Institute of Standards and Technology (NIST) finalized three post-quantum cryptography standards in August 2024 after nearly a decade of public review. FIPS 203 standardized ML-KEM, the lattice-based key encapsulation mechanism originally submitted as CRYSTALS-Kyber. FIPS 204 standardized ML-DSA, the lattice-based digital signature algorithm originally submitted as CRYSTALS-Dilithium. FIPS 205 standardized SLH-DSA, a stateless hash-based signature scheme originally submitted as SPHINCS+. A fourth algorithm, FN-DSA (originally Falcon), is expected to be finalized as FIPS 206. These four standards define the migration path for every public-sector system and are already influencing requirements across regulated industries.

The threat window is not theoretical. The Department of Homeland Security and NIST have repeatedly warned about harvest-now-decrypt-later attacks, where adversaries capture encrypted traffic today and hold it until quantum computers capable of breaking RSA and ECC become available. If your data has a confidentiality lifetime measured in years or decades, such as trade secrets, patient records, classified material, or long-term contracts, that data is already exposed in practice. You do not get to decide the timeline of the threat. You only decide how ready you are when it arrives.

Our assessment builds the foundation you need to plan, budget, and execute. We do not sell panic and we do not sell hype. We document what you actually run, we rank it by risk, and we hand you a roadmap that finance, engineering, and compliance can all sign.

Methodology

How Does the Quantum Readiness Assessment Work?

Five phases run over 4 to 8 weeks: cryptographic discovery, vulnerability classification, data sensitivity and lifetime analysis, gap analysis against NIST FIPS 203/204/205 and NSA CNSA 2.0, and a prioritized migration roadmap with budget ranges for each phase.

Phase 1: Cryptographic Discovery

We inventory every place cryptography lives in your environment. That includes TLS configurations on every public and internal endpoint, certificate authorities and the certificates they have issued, SSH server and client configurations, VPN tunnels using IPsec or WireGuard, code signing keys, document signing keys, database encryption keys, object storage encryption, hardware security modules, payment processing paths, and any bespoke application-layer encryption. We use a combination of network scanning, certificate transparency log review, configuration file parsing, and guided interviews with engineering leads. The output is a living inventory that separates algorithm, key length, key management method, and data lifetime for every distinct cryptographic instance.

Phase 2: Vulnerability Classification

Each discovered cryptographic instance gets classified against the quantum threat model. Algorithms used for key exchange and digital signatures (RSA, ECDSA, ECDH, DH) are flagged as quantum-vulnerable because Shor's algorithm breaks them efficiently. Symmetric algorithms like AES-128 are flagged as partially exposed under Grover's algorithm and we recommend migration to AES-256 where performance allows. Hash functions are evaluated against the specific way they are used. We also flag configuration choices that compound quantum risk, such as long-lived static DH parameters, pinned certificates with decade-plus validity, or RSA-2048 trust anchors that cannot be rotated without major vendor changes.

Phase 3: Data Sensitivity and Lifetime Analysis

Risk is not just algorithm choice. It is algorithm choice multiplied by what the data is worth and how long it stays sensitive. We work with legal, compliance, and business owners to assign each protected data class a confidentiality lifetime. Controlled Unclassified Information under CMMC has different requirements than HIPAA protected health information, and both differ from trade secrets or intellectual property. We rank every cryptographic instance by the combined exposure of the algorithm weakness and the data lifetime so that migration priorities match business impact, not just technical severity.
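The Phase 2 classification rules and the Phase 3 ranking rule can be expressed as a small scoring script. The code below is an added example, not Petronella's assessment tooling: it flags Shor-broken public-key algorithms, halves the effective bit strength of symmetric and hash primitives for Grover, multiplies the algorithm weakness by the data lifetime, and marks harvest-now-decrypt-later exposure where the lifetime outruns an assumed ten-year horizon. The inventory rows, the severity weights and the horizon are constructed assumptions.

```python
"""Rank a cryptographic inventory by quantum exposure (added example)."""
from dataclasses import dataclass

# Public-key algorithms broken outright by Shor's algorithm.
SHOR_BROKEN = {"RSA", "DSA", "ECDSA", "ECDH", "DH"}
# Symmetric ciphers and hashes: Grover's quadratic speedup roughly halves
# the effective security level, so AES-128 drops to about 64 bits.
GROVER_HALVED = {"AES", "CHACHA20", "SHA2", "SHA3"}
# Assumed weights for combining status with data lifetime (not from the page).
SEVERITY = {"quantum-vulnerable": 3, "partially-exposed": 2,
            "review-manually": 1, "acceptable": 0}


@dataclass
class CryptoInstance:
    name: str            # where the primitive is used
    algorithm: str       # algorithm family recorded in the inventory
    bits: int            # key length, or hash output size for hashes
    lifetime_years: int  # how long the protection must hold


def classify(inst):
    """Phase 2: return (status, effective post-quantum bits) for one row."""
    alg = inst.algorithm.upper()
    if alg in SHOR_BROKEN:
        return "quantum-vulnerable", 0
    if alg in GROVER_HALVED:
        effective = inst.bits // 2
        status = "partially-exposed" if effective < 128 else "acceptable"
        return status, effective
    return "review-manually", inst.bits  # bespoke or unknown primitive


def exposure(inst, horizon_years=10):
    """Phase 3: algorithm weakness multiplied by data lifetime."""
    status, effective = classify(inst)
    # Harvest-now-decrypt-later: weak crypto protecting data that must stay
    # secret past the assumed CRQC horizon is treated as exposed today.
    hndl = status != "acceptable" and inst.lifetime_years > horizon_years
    score = SEVERITY[status] * inst.lifetime_years * (2 if hndl else 1)
    return {"name": inst.name, "status": status, "effective_bits": effective,
            "hndl_exposed": hndl, "score": score}


def rank(inventory, horizon_years=10):
    """Highest exposure first; ties keep inventory order."""
    rows = [exposure(i, horizon_years) for i in inventory]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    CryptoInstance("public TLS key exchange", "ECDH", 256, 7),
    CryptoInstance("patient records archive key wrap", "RSA", 2048, 25),
    CryptoInstance("backup tape encryption", "AES", 128, 15),
    CryptoInstance("release code signing", "ECDSA", 256, 3),
    CryptoInstance("object storage encryption", "AES", 256, 30),
    CryptoInstance("document integrity hash", "SHA2", 256, 30),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_INVENTORY):
        print(f"{r['score']:4d} {r['status']:<19} hndl={r['hndl_exposed']!s:<5} {r['name']}")
```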

Phase 4: Gap Analysis Against PQC Standards

With a classified inventory in hand, we run a gap analysis against NIST FIPS 203, 204, and 205. We identify which systems can accept a drop-in swap to ML-KEM or ML-DSA, which need hybrid deployments combining classical and post-quantum algorithms during transition, and which require vendor intervention because the underlying product has not yet shipped PQC support. We also map obligations under NSA CNSA 2.0, NIST SP 800-131A, and any sector-specific guidance such as payment card industry or federal cloud requirements. The gap analysis is what turns a general awareness of quantum risk into a list of specific work items your team can estimate and schedule.

Phase 5: Prioritized Migration Roadmap

The final deliverable is a multi-year migration roadmap with concrete phases, ownership, budget ranges, and sequencing logic. We recommend quick wins first, typically TLS and certificate authority modernization where hybrid key exchange is already supported, followed by code signing and document signing, then application-layer encryption, and finally bulk data re-encryption where the scale is large. We document dependencies on vendor roadmaps, hardware refresh cycles, and compliance deadlines. The roadmap becomes a living document that your program office can use to track progress quarter over quarter.

What You Get

Assessment Deliverables

Cryptographic Asset Inventory

A complete spreadsheet and searchable database of every discovered cryptographic instance. Covers algorithm, parameters, key length, protocol context, data classification, expected rotation, and owner. This artifact alone often pays for the engagement because most organizations have never had an accurate picture of their own crypto posture.

Vulnerability and Risk Report

A narrative report written for a mixed technical and executive audience. Explains the quantum threat in plain language, summarizes your exposure by business unit, and calls out the three to five findings that need executive attention. Includes references to NIST, NSA, and CISA guidance so that your auditors can see the underlying basis for every recommendation.

Migration Roadmap and Budget Model

A phased roadmap with budget envelopes for each phase. The budget model separates labor, hardware refresh, vendor subscription changes, and contingency. We calibrate the estimate to your internal cost structure so that finance can plan without surprises.

Executive Briefing

A live executive briefing with your leadership team at the close of the engagement. We walk through the findings, answer questions, and hand off the artifacts to the team that will own the migration. Every report we produce comes with a follow-up call at the 90-day mark to check on adoption.

Risk Model

The Quantum Threat Model in Plain Language

Peter Shor published his factoring algorithm in 1994. Running on a sufficiently large error-corrected quantum computer, Shor's algorithm factors large integers and solves the discrete logarithm problem in polynomial time. Everything your PKI trusts depends on those two problems being hard. RSA signatures, RSA key transport, Diffie-Hellman over finite fields, elliptic curve Diffie-Hellman, and ECDSA signatures all fail under Shor. We do not know exactly when a quantum computer large enough to run Shor at useful scale will exist, and responsible researchers give ranges rather than dates. What we do know is that the planning horizon for a major enterprise cryptography migration is measured in years, and the cost of waiting until a working attack is public is far higher than the cost of moving now.

Lov Grover's 1996 algorithm is a smaller but still meaningful threat. Grover provides a quadratic speedup on unstructured search, which means symmetric keys effectively lose half their bit security against a quantum attacker. AES-128 becomes roughly 64-bit secure under Grover, which is why NSA CNSA 2.0 requires AES-256. The practical impact for most organizations is that any AES-128 deployments should be scheduled for migration to AES-256, that SHA-256 remains acceptable for most purposes but SHA-384 or SHA-512 becomes the conservative choice for long-lived signatures, and that key derivation chains using 128-bit security levels should be revisited.

Harvest-now-decrypt-later is the scenario that drives urgency. An adversary captures encrypted traffic or encrypted archives today, stores them cheaply, and decrypts them once quantum capability is available. The public was reminded of this when the National Academies report on quantum computing and the CISA Post-Quantum Cryptography Initiative both explicitly called out the threat. If your data has a confidentiality lifetime longer than the expected horizon to a cryptographically relevant quantum computer, that data is already compromised from an operational security perspective. The only defense is to migrate the cryptography now and rotate the data keys.

References

Authoritative References We Cite

NIST Post-Quantum Cryptography Project

The authoritative source for PQC standardization progress, rationale for algorithm choice, and transition guidance. Every assessment we deliver cites the current state of FIPS 203, 204, 205, and 206 along with NIST SP 800-131A and NIST IR 8547.

NSA Commercial National Security Algorithm Suite 2.0

The NSA CNSA 2.0 announcement sets the 2035 transition deadline for National Security Systems and is the strongest near-term driver of PQC adoption for defense contractors and federal agencies. We reference CNSA 2.0 in every assessment for CMMC or federal clients.

CISA Post-Quantum Cryptography Initiative

CISA publishes planning guidance tailored to critical infrastructure sectors. For utility, transportation, water, and energy clients we integrate CISA sector-specific recommendations into the final roadmap.

White House National Security Memorandum 10

NSM-10 directed federal agencies to inventory cryptographic systems and plan migration. Even for non-federal clients, NSM-10 is useful as a template for the inventory format that regulators are likely to expect.

Timing

Why Starting in 2026 Is the Right Window

The NSA Commercial National Security Algorithm Suite 2.0 sets a transition deadline of 2035 for National Security Systems. Most sectors will see compliance requirements tighten well before that date. CISA has been publishing preparatory guidance for critical infrastructure since 2022, NIST IR 8547 outlines the transition from classical to post-quantum standards, and the White House issued National Security Memorandum 10 in 2022 directing federal agencies to begin the migration.

For most private sector organizations, the practical window to complete a thoughtful migration runs from now through roughly 2030. Starting the inventory phase in 2026 gives you three planning cycles to resolve vendor dependencies, complete one hardware refresh cycle with PQC-capable gear, and train staff on the new primitives before regulatory pressure forces a rushed cutover. Organizations that wait until 2029 or 2030 to start are going to pay a premium for emergency services and will have fewer vendor options.

We work primarily with defense contractors under CMMC scope, healthcare providers governed by HIPAA, financial institutions, and state and local government. Each sector has its own timeline pressure. The CMMC compliance pipeline is the most predictable because CNSA 2.0 mandates are explicit. HIPAA and payment card requirements are less explicit but are tightening as examiners and insurers begin asking about quantum readiness. In every case the answer is the same: inventory first, then you know what you are dealing with.

Outcomes

What Our Clients Do With the Assessment

Once the assessment is complete, clients generally take one of three paths. Some hand off the roadmap to their internal security engineering team and run the migration in-house, using our findings as the charter for a multi-year program. Some engage us for the next phase, which typically means post-quantum cryptography migration implementation against specific subsystems, or crypto agility consulting to design the abstraction layers that will make future algorithm swaps painless. Some combine the assessment with a broader cybersecurity program review to make sure their overall security posture aligns with the quantum-era roadmap.

For regulated clients, the assessment also doubles as compliance evidence. Auditors reviewing your cybersecurity program will ask about quantum readiness within the next two assessment cycles. Having a dated, signed cryptographic inventory and a board-approved migration roadmap is the simplest way to answer that question with confidence. We format our deliverables so they drop directly into your existing governance documentation.

If you want a walkthrough before committing, we offer a free fifteen-minute quantum risk consultation with our team. We will review your sector, talk through the likely scope, and give you an honest answer about whether an assessment makes sense this year or if there are higher-leverage cybersecurity investments to make first. Call 919-348-4912 or reach us through the contact form.

Sector Detail

How the Assessment Adapts by Sector

We have run quantum readiness assessments across defense, healthcare, financial services, and state and local government. The methodology stays constant but the emphasis shifts. Defense contractors under the Cybersecurity Maturity Model Certification framework get a heavier focus on how NSA CNSA 2.0 affects their Controlled Unclassified Information handling, how the Defense Industrial Base Cybersecurity Strategy frames quantum risk, and how the contract flowdown language from prime contractors is likely to evolve. Healthcare clients get deeper analysis of electronic protected health information storage lifetimes, the implications of long-retention imaging data, and how the Office for Civil Rights is likely to interpret encryption requirements as standards shift. Financial services clients get particular attention on interbank messaging, PKI for payment cards, long-term archival of customer records, and the forward-looking guidance from the Federal Financial Institutions Examination Council and the Payment Card Industry Security Standards Council. For government clients we map findings to the White House National Security Memorandum 10 inventory format so that the output can be reused for federal reporting.

Every sector has legacy systems that cannot be upgraded on a normal cadence. Healthcare has medical devices with firmware that vendors may not patch for years. Financial services has mainframe and HSM dependencies that move slowly. Defense has programs of record with multi-decade lifetimes. We call these out early in the inventory so that roadmap decisions account for them, and we include vendor engagement strategies in the final deliverable so that your procurement team has a template for asking vendors about their post-quantum cryptography roadmap.

Organizations with overlapping frameworks, such as a defense contractor that also handles HIPAA data through a subsidiary, get a combined findings report that respects the strictest applicable control. We do not treat each framework as a separate exercise. We map once and report the projection into each framework the client cares about.

Team

Who You Work With

Petronella Technology Group was founded in 2002 and has been serving regulated clients in the Raleigh and Research Triangle area for more than two decades. Our team holds CMMC Registered Practitioner credentials across the board, and Craig Petronella personally holds CMMC-RP, Certified Forensic Examiner (DFE 604180), CCNA, and CWNE credentials. We have been a Better Business Bureau A+ accredited business since 2003 and are a CMMC-AB Registered Provider Organization under RPO-1449. We hold a Private Protective Services Board accreditation in North Carolina, which is relevant for clients in the financial or legal sectors who require cleared practitioners for incident response or digital-forensics-adjacent work.

Quantum readiness assessments are led by senior consultants with applied cryptography experience, not by junior analysts running scripts. We pair a lead consultant with an engineering associate for larger environments, and we maintain the same team for the full duration of the engagement. You will not be handed off between account managers, and the person who signs the final report is the same person who interviewed your engineering leads on day one.

FAQ

Frequently Asked Questions

How long does the assessment take?

A typical quantum readiness assessment takes 4 to 8 weeks depending on the size of your environment and the number of systems to inventory. Smaller organizations with a single data center and a handful of public endpoints usually complete in 4 to 5 weeks. Larger enterprises with multiple business units, several clouds, and hundreds of services take the full 8 weeks and sometimes longer. We scope the timeline during a discovery call before you commit.

What do we get at the end?

You receive a complete cryptographic inventory, a vulnerability classification report aligned with NIST and NSA guidance, a risk-prioritized migration roadmap with budget ranges, and an executive summary written for the board. We also schedule a follow-up session 90 days after delivery to check on adoption and adjust the roadmap if business priorities have shifted.

Do we need to stop using our current encryption?

No. The assessment identifies what to migrate and when. You continue using existing encryption while building a phased migration plan. Hybrid approaches, where classical and post-quantum algorithms run side by side during transition, allow a gradual move without breaking compatibility with vendors and partners who have not yet adopted post-quantum cryptography.

Which NIST standards does the assessment cover?

We align findings and recommendations with FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), the draft FIPS 206 (FN-DSA), NIST Special Publication 800-131A for transition guidance, NIST IR 8547 for transition planning, and NSA Commercial National Security Algorithm Suite 2.0. If you have sector-specific guidance, such as CMMC, HIPAA, PCI DSS, or FedRAMP, we map findings against those as well.

Is quantum key distribution part of this assessment?

Quantum key distribution (QKD) is a separate class of technology that uses physical properties of photons rather than mathematics to distribute keys. For most enterprises, post-quantum cryptography is a better fit than QKD because it runs on existing networks and hardware. We note QKD as an option in the final roadmap for clients that have very specific high-assurance use cases, but we do not sell QKD hardware and we do not recommend it as a general-purpose replacement for classical key exchange.

Can you work under NDA or security clearance?

Yes. We regularly operate under mutual NDA for commercial work. Our team includes CMMC Registered Practitioners and we are a CMMC-AB Registered Provider Organization (RPO-1449), which is relevant for defense contractor engagements. If your environment requires cleared personnel, we scope that separately.

Get Started

Assess Your Quantum Risk

Start with a quantum readiness assessment to understand your exposure and build a migration roadmap.