Choose the Right Starting Point
Every organization can use the PQC Maturity Model (PQCMM), but not every organization needs the same operating model. The right approach depends on supplier risk tier, data lifetime, procurement formality, and available security expertise.

| Organization or use case | Start here |
|---|---|
| Limited procurement or security staff | Small Organizations |
| Established procurement and vendor-risk functions | Large Organizations |
| Formal governance, audit, or public-sector procurement | Enterprises and Governments |
| Regulated, critical infrastructure, public trust, or high-assurance use | Regulated and Critical Infrastructure |

Common Pattern
All playbooks use the same simple pattern:
- Buy — set a minimum level and assurance method before purchase or renewal.
- Evaluate — require an assessment or certification report and check mandatory gates.
- Contract — record commitments, reassessment triggers, evidence handling, and milestones.
- Monitor — keep a supplier inventory and reassess after major changes or renewal.
This keeps adoption simple while still supporting stronger controls where risk requires them.

Starting Thresholds
Use these as examples, then adapt them to your risk appetite and regulatory context.

| Product or service | Typical starting requirement |
|---|---|
| Low-risk business software with short-lived data | Level 1 or roadmap to Level 2 |
| Standard production service using cryptography | Level 2 with evidence |
| Identity, certificate, signing, key-management, or security infrastructure | Level 3 or higher; independent assessment preferred |
| Hardware security module, trust-service infrastructure, code signing, firmware signing, or critical data protection | Level 4 or higher; independent assessment expected |
| Government high assurance, public trust, or strategic critical infrastructure | Certification or highest-assurance route where required |