
Enterprise & Government

A formal adoption playbook for enterprises and governments using the PQC Maturity Model as a supply-chain control.

Treat the Model as a Control

Enterprises and governments should use the PQCMM as a formal supply-chain control. This does not mean every supplier must be certified on day one. It means every in-scope product has a record, a required level, an assurance method, an evidence status, and an owner.

Continuous Prioritization

The ultimate end state is a supply chain running entirely at Level 5 (Optimized). Achieving this requires formally integrated controls, continuous monitoring, and clear executive reporting across the procurement lifecycle.

  • Assign formal ownership: Distribute accountability across procurement, security architecture, vendor risk, legal, audit, and the relevant business owners.
  • Integrate into existing templates: Add PQCMM requirements to standard request-for-proposal (RFP), contract renewal, and architecture-review templates. Survey the entire existing supply base.
  • Define formal gates: Establish pass/fail gates based on product categories. Require third-party assessment or PKIC Certification for critical suppliers.
  • Prioritize and chase: Run structured campaigns targeting your top-tier vendors—especially those providing identity, cloud architecture, hardware security, and long-term data storage.
  • Enforce HNDL protection: Zero tolerance for Level 0 in systems transmitting or storing long-lived, highly classified, or regulated data. Exposure to Harvest Now, Decrypt Later (HNDL) attacks must trigger immediate escalation and remediation planning.
  • Build the inventory: Maintain a comprehensive supplier inventory integrated with your Governance, Risk, and Compliance (GRC) tooling, tracking the progress of every supplier toward Level 5.

Buy, Evaluate, Contract, Monitor

Step     | Practical action
Buy      | Define required level and assurance method by risk tier before tender publication
Evaluate | Use pass/fail gates for report, scope, level, assurance, and evidence
Contract | Include milestone, audit, reassessment, notification, and remedy clauses
Monitor  | Report maturity, assurance, exceptions, and overdue remediation to governance bodies

Minimum Policy

Use quarterly reporting for High-tier suppliers, formal exception governance, contractual milestones, and executive metrics showing maturity by risk tier.