PQC Vendor Questionnaire: What Companies Should Ask

As organizations begin preparing the transition to post-quantum cryptography (PQC), one challenge is becoming increasingly clear: your security posture is only as strong as your vendors, suppliers, and service providers.

Even companies making strong internal progress toward PQC adoption can remain exposed through third-party software, SaaS platforms, APIs, cloud providers, PKI vendors, managed services, and hardware dependencies that are not quantum-ready.

That’s why vendor due diligence is becoming a critical component of any post-quantum readiness strategy.

A well-designed PQC vendor questionnaire helps organizations:

• Identify cryptographic risk across the supply chain
• Evaluate vendor maturity and roadmap alignment
• Reduce interoperability surprises during migration
• Prioritize remediation efforts based on business risk
• Establish contractual accountability for quantum readiness

At SafeLogic, we recommend that organizations align vendor assessments with a broader cryptographic modernization strategy, such as the Cryptographic Maturity Action Plan (CMAP), while incorporating operational controls, such as those outlined in our Continuous PQC Remediation Checklist.

The goal is not simply to ask whether a vendor “supports PQC.” The goal is to determine whether they are operationally prepared for continuous cryptographic evolution.

Why Traditional Vendor Security Questionnaires Fall Short

Most vendor security assessments today focus on:

• Encryption at rest
• TLS usage
• Compliance certifications
• Key management practices
• Vulnerability management

Those are important — but they don’t answer critical post-quantum questions like:

• Can the vendor support hybrid cryptography?
• Are cryptographic algorithms agile and replaceable?
• Does their PKI infrastructure support quantum-safe migration?
• Are they dependent on deprecated or hardcoded cryptographic libraries?
• Can they transition without major re-architecture?

Post-quantum migration is fundamentally different from past cryptographic upgrades because it affects:

• Protocols
• Certificates
• Identity systems
• Signing infrastructure
• Embedded devices
• Interoperability between organizations
• Long-lived encrypted data

This means organizations need deeper visibility into vendor cryptographic maturity.

What a PQC Vendor Questionnaire Should Include

The most effective questionnaires assess both technical readiness and operational governance.

Below are the key categories organizations should include.

1. Cryptographic Inventory & Discovery

The first step is determining whether vendors actually understand where cryptography exists in their environment.

Ask vendors:

• Have you completed a cryptographic inventory?
• Do you maintain a software bill of materials (SBOM) that includes cryptographic dependencies (cryptographic bill of materials (CBOM)?
• Can you identify where public-key cryptography is used across your products and services?
• Do you track embedded or hardcoded cryptographic implementations?
• Can you identify systems using RSA, ECC, or legacy algorithms?

If vendors cannot identify where cryptography exists, they are unlikely to execute a successful PQC transition.

2. Cryptographic Agility

One of the most important indicators of PQC readiness is cryptographic agility.

Organizations should determine whether vendors can change algorithms without requiring complete redesigns.

Ask:

• Is your architecture cryptographically agile?
• Can algorithms be updated through policy rather than code rewrites?
• Do you support hybrid cryptographic modes?
• Are cryptographic libraries centrally managed?
• How do you test interoperability when introducing new algorithms?

Vendors that lack cryptographic agility may create long-term operational risk during migration.

3. PQC Roadmap & Standards Alignment

A vendor’s roadmap matters as much as current capability.

Ask:

• What is your timeline for PQC support?
• Which NIST PQC algorithms do you plan to support?
• Are you implementing hybrid cryptographic modes?
• How are you tracking emerging standards from NIST, CNSA 2.0, ETSI, and IETF?
• Have you identified products or services that may not support PQC migration?

Organizations should also ask whether PQC efforts are tied to executive governance or treated as isolated technical initiatives.

A mature vendor should have:

• A documented transition strategy
• Defined milestones
• Risk prioritization
• Ongoing reassessment processes

4. TLS, Protocol & Transport Readiness

Network protocols are among the most immediate challenges for PQC migration.

Organizations should ask vendors:

• Do your TLS implementations support hybrid key exchange?
• Are internal service-to-service communications being evaluated for PQC migration?
• Have you identified legacy protocol dependencies?
• How are interoperability issues being tested?
• Do you support crypto-agile APIs and gateways?

Many organizations underestimate how difficult protocol interoperability becomes when multiple vendors migrate at different speeds.

5. PKI, Identity & Certificate Management

PQC migration will significantly impact PKI infrastructure and certificate lifecycles.

Ask:

• Does your PKI roadmap include support for PQC or hybrid certificates?
• Are certificate authorities and trust anchors being evaluated for quantum-safe migration?
• Have you assessed performance impacts associated with larger certificate sizes?
• Do authentication systems support PQC migration planning?
• How will code-signing infrastructure transition to quantum-safe algorithms?

This area is especially important because certificate ecosystems often involve numerous external dependencies.

6. Third-Party Dependency Management

Vendors themselves rely on upstream vendors.

That means organizations should evaluate not only direct providers, but also the providers behind them.

Ask:

• How do you assess your own suppliers for PQC readiness?
• Do your contracts include cryptographic agility requirements?
• How are interoperability constraints tracked?
• What contingency plans exist for non-PQC-ready dependencies?
• Are SBOMs and CBOMs reviewed for PQC-compatible cryptographic libraries?

In practice, third-party dependencies may become one of the biggest blockers to enterprise-wide quantum readiness.

7. Governance, Exceptions & Risk Acceptance

Post-quantum readiness is not a one-time project.

Organizations should determine whether vendors have sustainable governance models.

• Who owns PQC readiness internally?
• Are cryptographic exceptions formally documented?
• Are remediation timelines tracked?
• How frequently are cryptographic risks reassessed?
• Is PQC readiness integrated into procurement and change management processes?

The strongest vendors treat PQC as an ongoing operational discipline rather than a future compliance event.

8. Verification & Continuous Assurance

Finally, organizations should determine whether vendors continuously validate their cryptographic posture.

Ask:

• Do you continuously scan for deprecated algorithms?
• Are cryptographic controls monitored through automated pipelines?
• How do you detect drift from approved cryptographic standards?
• Are remediation findings integrated into ongoing risk management?
• How often are PQC readiness assessments repeated?

A vendor may claim PQC readiness today, but without continuous assurance processes, that posture can quickly erode.

Share this infographic

PQC Readiness Is a Supply Chain Problem

One of the biggest misconceptions about post-quantum migration is that it is purely an internal modernization effort.

It is not.

PQC readiness is an ecosystem challenge involving:

• Software suppliers
• Cloud providers
• Hardware vendors
• PKI providers
• Managed services
• External APIs
• Industry interoperability standards

Organizations that begin vendor assessments early will be far better positioned to avoid operational bottlenecks and last-minute migration risks.

Final Thoughts

The transition to post-quantum cryptography will not happen overnight, and organizations cannot afford to wait for complete standards maturity before engaging vendors.

A strong PQC vendor questionnaire should evaluate:

• Cryptographic visibility
• Algorithm agility
• Hybrid deployment readiness
• PKI modernization
• Third-party dependency management
• Governance maturity
• Continuous verification capabilities

Most importantly, organizations should view PQC readiness as a continuous remediation process — not a one-time migration event.

Long-term success depends on integrating quantum readiness into normal business operations, procurement processes, governance models, and ongoing security assurance activities.