A practical inventory method for organizations that need to understand cryptographic dependencies before migration pressure increases.
Problem
Post-quantum readiness begins with knowing where cryptography is used, which data must remain confidential over time, and which vendors own key dependencies.
NIST released its first finalized post-quantum encryption standards in 2024, but organizational migration will be staged. Inventory comes before replacement.
Inventory scope
Cyberpert recommends inventorying certificates, TLS endpoints, VPNs, code-signing, S/MIME, SSH, embedded systems, IoT/OT devices, backups, data archives, APIs, supplier products, and long-lived sensitive datasets.
The inventory should capture algorithm, key length, protocol, owner, vendor dependency, data sensitivity, replacement difficulty, and whether confidentiality must survive for many years.
Prioritization
Prioritize long-lived sensitive data, externally exposed cryptographic services, vendor products with unclear roadmaps, regulated environments, critical infrastructure dependencies, and systems with slow replacement cycles.
This is also a supplier-governance problem. Organizations need to ask vendors when standards will be supported, how migration will be tested, and what dependencies may block transition.
Result
The public result is a first-step exposure inventory that informs migration planning without pretending the entire organization must change at once.
The practical output is a roadmap: know what exists, classify what matters, identify vendor dependencies, test migration paths, and schedule replacements by risk.
Why inventory comes before migration
NIST's finalized post-quantum cryptography standards make migration planning more concrete, but most organizations still lack a usable inventory of cryptographic dependencies. NATO-aligned and public-sector environments must care early because long-lived secrets, classified information, infrastructure certificates, and supplier products can have long replacement cycles.
The first useful output is not immediate replacement everywhere. It is an exposure inventory that identifies where cryptography is used, which data needs long-term confidentiality, which protocols and products are affected, and which vendors control migration timelines.
Practical inventory method
Cyberpert maps certificates, TLS endpoints, VPNs, code signing, document signing, backup encryption, hardware security modules, identity infrastructure, embedded systems, OT gateways, supplier products, and custom applications.
Each dependency receives an owner, algorithm family, renewal cycle, data sensitivity, vendor roadmap status, operational constraint, and recommended migration window. This turns post-quantum planning from a theoretical concern into a governable roadmap.
