- QCecuring Editorial Team
- 05 Jul, 2025
PQC Migration Cannot Start Without Inventory
NIST finalized its first post-quantum cryptography standards in 2024. The NSA’s CNSA 2.0 timeline sets migration deadlines starting in 2025. The message from standards bodies and government agencies is unambiguous: the transition from classical to quantum-resistant cryptography must begin now.
Yet most organizations cannot take the first step. They do not know where RSA, ECC, and Diffie-Hellman are deployed across their infrastructure. They cannot quantify their quantum exposure. They cannot build a migration plan because they do not have the inventory that planning depends on.
This is the fundamental problem that a Cryptographic Bill of Materials solves. A CBOM provides a complete, structured inventory of every cryptographic asset in the environment — algorithms, keys, certificates, protocols, and libraries — classified by quantum vulnerability and mapped to deployment context. It is the foundation that every subsequent migration activity builds on.
Why Inventory Comes First
Post-quantum migration is often framed as an algorithm replacement problem: swap RSA for ML-KEM, swap ECDSA for ML-DSA, update cipher suites, reissue certificates. At the algorithm level, this is correct. But at the enterprise level, the challenge is not knowing which algorithms to use — it is knowing where the old algorithms are deployed.
Consider the scope. A typical enterprise uses quantum-vulnerable cryptography in:
- TLS connections — web servers, API gateways, load balancers, database connections, message brokers
- Certificate chains — root CAs, intermediate CAs, end-entity certificates with RSA or ECDSA signatures
- SSH sessions — key exchange using ECDH, authentication using RSA or ECDSA keys
- Code signing — software signatures using RSA or ECDSA
- Encryption at rest — RSA-wrapped data encryption keys in cloud KMS, database TDE
- VPN tunnels — IKEv2 with RSA or ECDH key exchange
- Email security — S/MIME certificates, DKIM signing keys
- Application code — hardcoded algorithm selections in business logic
Each of these categories spans multiple teams, environments, and technology stacks. No single person or team has visibility into all of them. Without a systematic inventory, migration planning devolves into a series of ad-hoc discovery efforts — each team scanning its own systems, each audit uncovering previously unknown deployments.
A CBOM eliminates this fragmentation. It scans across all infrastructure categories, catalogs every cryptographic asset, and produces a unified inventory that migration planners can work from. For a detailed look at what CBOM scanning covers, see our guide on post-quantum risk assessment with CBOM.
From Inventory to Risk-Based Prioritization
A complete cryptographic inventory is necessary but not sufficient for migration planning. An enterprise with 50,000 quantum-vulnerable deployments cannot migrate them all at once. Prioritization is essential, and it requires combining cryptographic risk with business context.
CBOM enables risk-based prioritization by providing three data dimensions:
Quantum vulnerability classification. Each asset is classified as quantum-vulnerable (RSA, ECC, DH — broken by Shor’s algorithm), quantum-reduced (AES-128 — weakened by Grover’s algorithm), or quantum-safe (AES-256, ML-KEM, ML-DSA). This classification is automatic, based on the algorithm properties discovered during scanning.
Data sensitivity context. The deployment context recorded in the CBOM — which service, which environment, what data it protects — enables mapping to data classification. Quantum-vulnerable algorithms protecting long-lived sensitive data (financial records, health data, government communications) are higher priority than those protecting ephemeral or public data.
Regulatory deadline mapping. CBOM compliance mapping identifies which assets fall under which regulatory timelines. A quantum-vulnerable algorithm in a CNSA 2.0-scoped system has a hard deadline. The same algorithm in an unregulated internal tool has more flexibility.
These three dimensions produce a prioritized migration backlog: a ranked list of quantum-vulnerable deployments ordered by combined risk, with clear rationale for the sequencing.
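As an added illustration (not code from the page or from QCecuring's products), the three dimensions above can be combined into a scoring function that yields the ranked backlog; the asset records, sensitivity levels, deadline years and weights are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

def classify(algorithm: str) -> str:
    """Quantum classification by algorithm family, using the three classes the text defines."""
    name = algorithm.upper()
    if name.startswith(("ML-KEM", "ML-DSA", "AES-256")):
        return "quantum-safe"
    if name.startswith("AES-128"):
        return "quantum-reduced"        # Grover's algorithm: security margin reduced
    if name.startswith(("RSA", "ECDSA", "ECDH", "DH", "DSA")):
        return "quantum-vulnerable"     # Shor's algorithm: broken outright
    return "unknown"                    # kept in the backlog for manual review

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "long-lived-sensitive": 3}

@dataclass
class Asset:                            # minimal CBOM record (constructed shape)
    asset_id: str                       # e.g. "tls:payments-api"
    algorithm: str
    data_class: str                     # key of SENSITIVITY, from data classification mapping
    deadline_year: Optional[int]        # regulatory deadline from compliance mapping, None if unregulated

def risk_score(asset: Asset, now_year: int = 2025) -> int:
    """Combined risk: vulnerability class + data sensitivity + regulatory deadline pressure (weights are assumptions)."""
    cls = classify(asset.algorithm)
    if cls == "quantum-safe":
        return 0
    base = 10 if cls == "quantum-vulnerable" else 3
    # A deadline within five years adds pressure; unregulated assets add none.
    pressure = 0 if asset.deadline_year is None else max(0, 5 - (asset.deadline_year - now_year))
    return base + 2 * SENSITIVITY[asset.data_class] + pressure

def migration_backlog(assets, now_year=2025):
    """Rank every non-safe asset by descending risk; quantum-safe assets are left out."""
    scored = sorted(((risk_score(a, now_year), a) for a in assets), key=lambda t: -t[0])
    return [(a.asset_id, classify(a.algorithm), s) for s, a in scored if s > 0]

INVENTORY = [  # constructed CBOM records, one per deployment context
    Asset("tls:payments-api", "RSA-2048", "confidential", 2030),
    Asset("kms:hr-dek-wrap", "RSA-3072", "long-lived-sensitive", None),
    Asset("vpn:gov-liaison", "ECDH-P384", "long-lived-sensitive", 2027),
    Asset("cdn:marketing-site", "ECDSA-P256", "public", None),
    Asset("disk:backup-archive", "AES-128-GCM", "long-lived-sensitive", None),
    Asset("tls:new-gateway", "ML-KEM-768", "confidential", 2030),
]
```

Calling `migration_backlog(INVENTORY)` puts the regulated, long-lived-sensitive ECDH tunnel first and the AES-128 archive last, with the ML-KEM gateway omitted entirely.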
The Migration Lifecycle
With a prioritized backlog in hand, PQC migration follows a structured lifecycle that CBOM supports at every stage.
Assessment Phase
The CBOM baseline establishes the starting point. It quantifies the total quantum-vulnerable surface area, identifies the highest-risk deployments, and maps the dependency relationships between cryptographic assets. This assessment answers the executive question: “how big is this problem, and where do we start?”
Planning Phase
Migration planners use CBOM data to sequence work. They group related assets (all certificates in a single CA chain, all TLS endpoints behind a shared load balancer) into migration units that can be transitioned together. They identify dependencies — a certificate chain must be migrated root-first, for example — and build timelines that account for testing, rollback, and change management.
Execution Phase
During migration, teams replace quantum-vulnerable algorithms with quantum-resistant alternatives. For TLS, this means updating cipher suites to include ML-KEM key exchange. For certificates, it means reissuing with ML-DSA signatures. For application code, it means updating cryptographic library calls to use post-quantum algorithms.
Each migration action updates the CBOM. The quantum-vulnerable asset is marked as migrated, and the replacement asset is added to the inventory. This creates an audit trail of migration activity.
Verification Phase
After each migration wave, the CBOM is regenerated through fresh scanning. The new CBOM is compared against the previous version to verify that targeted assets were successfully migrated and that no regressions occurred — no new quantum-vulnerable deployments introduced, no configuration changes that reverted migrated systems to classical algorithms.
Monitoring Phase
PQC migration is not a one-time project. New services are deployed, new code is written, and new infrastructure is provisioned continuously. Without ongoing monitoring, quantum-vulnerable algorithms creep back into the environment. Continuous CBOM generation detects these regressions and alerts security teams before they become compliance gaps.
Measuring Migration Progress
CBOM provides the metrics that PQC migration programs need for governance and executive reporting:
- Quantum-vulnerable percentage: the fraction of total cryptographic assets classified as quantum-vulnerable, tracked over time
- Migration velocity: the number of assets migrated per reporting period
- Regression rate: the number of new quantum-vulnerable deployments introduced between CBOM snapshots
- Compliance coverage: the percentage of regulated assets that meet applicable quantum-resistance requirements
- Time to complete: projected completion date based on current velocity and remaining backlog
These metrics transform PQC migration from an abstract security initiative into a measurable program with clear progress indicators and accountability.
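The verification-phase comparison described earlier and the metrics listed above can be driven from the same snapshot diff. The following is an added example, not code from the page or any vendor tool: two constructed CBOM snapshots are compared, each record carrying the class the scanner assigned and a constructed "regulated" flag standing in for the compliance mapping.

```python
BASELINE = {  # constructed snapshot taken before migration wave 1
    "tls:payments-api":     {"alg": "RSA-2048",    "class": "quantum-vulnerable", "regulated": True},
    "cert:intermediate-ca": {"alg": "ECDSA-P256",  "class": "quantum-vulnerable", "regulated": False},
    "kms:hr-dek-wrap":      {"alg": "RSA-3072",    "class": "quantum-vulnerable", "regulated": True},
    "tls:intranet-wiki":    {"alg": "ECDH-P256",   "class": "quantum-vulnerable", "regulated": False},
    "vpn:site-to-site":     {"alg": "ML-KEM-768",  "class": "quantum-safe",       "regulated": True},
    "disk:backup-archive":  {"alg": "AES-256-GCM", "class": "quantum-safe",       "regulated": False},
}
AFTER_WAVE_1 = dict(BASELINE)  # constructed snapshot from a fresh scan after wave 1
AFTER_WAVE_1.update({
    "tls:payments-api":      {"alg": "ML-KEM-768", "class": "quantum-safe",       "regulated": True},
    "cert:intermediate-ca":  {"alg": "ML-DSA-65",  "class": "quantum-safe",       "regulated": False},
    "vpn:site-to-site":      {"alg": "ECDH-P384",  "class": "quantum-vulnerable", "regulated": True},   # config reverted
    "tls:new-reporting-svc": {"alg": "RSA-2048",   "class": "quantum-vulnerable", "regulated": False},  # new deployment
})

def vulnerable(rec):
    return rec["class"] == "quantum-vulnerable"

def compare_snapshots(before, after):
    """Split the new snapshot into migrated, regressed and still-vulnerable asset ids."""
    migrated, regressions, remaining = [], [], []
    for aid, rec in after.items():
        was_vuln = aid in before and vulnerable(before[aid])
        if was_vuln and not vulnerable(rec):
            migrated.append(aid)
        elif vulnerable(rec) and not was_vuln:
            regressions.append(aid)      # new vulnerable deployment or reverted configuration
        elif vulnerable(rec):
            remaining.append(aid)        # untouched backlog
    return sorted(migrated), sorted(regressions), sorted(remaining)

def progress_metrics(before, after):
    """Governance metrics for one reporting period (before -> after)."""
    migrated, regressions, remaining = compare_snapshots(before, after)
    now_vulnerable = len(regressions) + len(remaining)
    regulated = [r for r in after.values() if r["regulated"]]
    velocity = len(migrated)             # assets migrated this period
    return {
        "quantum_vulnerable_pct": round(100 * now_vulnerable / len(after), 1),
        "migration_velocity": velocity,
        "regression_rate": len(regressions),
        "compliance_coverage_pct": round(100 * sum(not vulnerable(r) for r in regulated) / len(regulated), 1),
        # reporting periods still needed at the current velocity; None when nothing was migrated
        "periods_to_complete": -(-now_vulnerable // velocity) if velocity else None,
    }
```

The reverted VPN tunnel and the new reporting service both surface as regressions, so the vulnerable percentage barely moves even though two assets were migrated.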
Starting the Foundation Today
The organizations best positioned for PQC migration are those building cryptographic visibility now — before deadlines arrive and before the migration backlog grows larger.
QCecuring’s Certificate Lifecycle Management platform provides the starting point: automated discovery and inventory of certificates and keys across on-premises and cloud infrastructure. This visibility into the certificate layer — where many of the highest-priority quantum-vulnerable assets reside — is the first building block of a complete cryptographic inventory.
QCecuring is developing CBOM as its next planned offering, extending discovery beyond certificates and keys to cover the full cryptographic asset landscape. The planned capability will provide automated scanning, quantum vulnerability classification, compliance mapping, and migration progress tracking in a single platform.
The PQC migration timeline is fixed. The question is whether organizations will meet it with a structured plan built on complete inventory, or scramble with incomplete information under deadline pressure. CBOM provides the foundation for the first approach. Learn more about what CBOM inventories and how it works.