Working Groups

PQC
Post-Quantum Cryptography Working Group

Preparing the PKI ecosystem for the quantum computing era through collaborative research, …

CM
Cryptographic Module Working Group

A central forum for addressing cryptographic module (CM) and hardware security module …

PKIMM
PKI Maturity Model Working Group

Building a globally recognized PKI maturity model for evaluating, planning, and comparing …

TCWG
Training and Certification Working Group

Advancing PKI knowledge and skills through structured training paths, certification …

CA
CA Working Group

A working group for discussions and information sharing among publicly trusted Certificate …

View all Working Groups →

Members

The PKI Consortium brings together leading organizations committed to trustworthy digital identities and secure communication.

341 Members 38 Independent
Browse all members →

Quick links

🤝
Join the PKI Consortium
Become part of our global network
📋
Application Process
Learn how membership works
📄
Bylaws & Governance
How decisions are made
Edit on GitHub

Working Groups PQCPQC Maturity Model (PQCMM)Adopting the ModelPlaybooks

Large Organizations

A practical adoption playbook for large organizations integrating the PQC Maturity Model into procurement, vendor-risk, and architecture-review processes.

Integrate with Existing Processes

Large organizations normally already have procurement, vendor-risk, security architecture, and legal processes. Add PQCMM requirements to those processes instead of creating a separate programme.

Continuous Prioritization

The long-term objective is for all in-scope suppliers to achieve Level 5 (Optimized). Moving a massive supply chain is a continuous process, so prioritize your efforts based on risk and data lifespan.

  • Baseline the entire supply chain: Add mandatory assessment intake questions to all supplier questionnaires and renewal templates. Ask everyone, but focus your manual follow-ups on the High-tier suppliers.
  • Assign risk tiers: Categorize every supplier as Low, Moderate, or High using the Supplier Risk Tiers definition — by impact of compromise and exposure of the integration, not by product category. The products most likely to land in the High tier in a large organization include cloud infrastructure, identity providers, virtual private networks, hardware security modules, payment platforms, and core software-as-a-service — confirm rather than assume.
  • Run targeted campaigns: Actively chase assessment reports from your Tier 1 and Tier 2 suppliers first.
  • Set procurement floors: Require assessment reports for all new high-risk procurements. Define minimum acceptable levels for new contracts.
  • Address HNDL exposure: Products protecting long-lived sensitive data (e.g., health records, financial history, state secrets) must not remain at Level 0. Escalate these immediately to mitigate Harvest Now, Decrypt Later (HNDL) risk.
  • Track progress: Add the PQCMM level, assurance method, report date, and evidence status to your central vendor-risk records to monitor the journey to Level 5.

Buy, Evaluate, Contract, Monitor

StepPractical action
BuyAdd level and assurance requirements to procurement templates
EvaluateUse mandatory gates before scoring vendor responses
ContractInclude reassessment triggers and roadmap milestones for suppliers below target
MonitorTrack exceptions and supplier progress in vendor-risk tooling

Minimum Policy

Require self-assessment for all in-scope suppliers, third-party assessment for High-tier suppliers, and contract milestones for suppliers below the required level.