
Small Organizations

A lightweight adoption playbook for small organizations using the PQC Maturity Model without building a large governance programme.

Keep It Lightweight

Small organizations should not wait until they have a mature cryptography programme. Use the PQCMM to ask suppliers for the right evidence and keep a simple record of the answers.

Continuous Prioritization

The long-term goal is for your entire supply chain to reach Level 5 (Optimized). The intermediate levels serve as milestones to measure progress. Because reviewing every vendor takes time, use a continuous, prioritized approach:

  • Send the survey to everyone: Make the assessment report a mandatory request for all new purchases and renewals.
  • Chase the critical few: Identify the 10–25 suppliers that matter most and actively chase their assessment reports. Prioritize: identity providers, cloud infrastructure, virtual private networks (VPN), hardware security modules (HSM), certificate authorities, signing services, backup providers, email, payment gateways, and your most critical software-as-a-service (SaaS) providers.
  • Set a procurement floor: Require Level 2 or a credible Level 2 roadmap for new production systems that use cryptography.
  • Mitigate HNDL risk: Escalate Level 0 suppliers immediately if they protect long-lived, regulated, or business-critical data. These systems expose you to Harvest Now, Decrypt Later (HNDL) attacks, where adversaries intercept and store encrypted data today to decrypt it when quantum computers become available.
  • Record and track: Document the current level, assurance method, report date, evidence status, and next review date in your supplier inventory.

Buy, Evaluate, Contract, Monitor

| Step | Practical action |
|---|---|
| Buy | Include a one-line requirement for a PQCMM assessment report in new purchases |
| Evaluate | Check product, version, claimed level, assurance method, and evidence status |
| Contract | Add a renewal or milestone date if the supplier is below the target level |
| Monitor | Review critical suppliers annually or at renewal |

Minimum Policy

Self-assessment is usually acceptable for baseline visibility. Require third-party assessment only for suppliers that are business-critical, protect long-lived data, or provide trust infrastructure.