Working Groups PQC PQC Maturity Model (PQCMM)Assessing a Product

Accredited Assessors

A directory of independent assessors accredited to perform Third-Party Assessments for the PQCMM.

Directory of Accredited Assessors

Third-party assessments for the PQCMM must be conducted by assessors who have been accredited by the PKI Consortium or a recognized equivalent body. Using an accredited assessor ensures that your product is evaluated consistently against the model’s criteria and that the resulting assessment report can be relied upon by procurement teams or used as a stepping stone toward PKIC Certification.

(This directory will be populated as the assessor accreditation program launches).

Becoming an Accredited Assessor

The PQCMM assessor accreditation programme is being built together with the community of organisations performing PQC and cryptographic assessments. The starting criteria below provide a baseline for the initial cohort and will be refined as the programme matures.

Starting Accreditation Criteria

Applicants for accreditation are expected to demonstrate:

Legal entity and standing. A registered legal entity with the capacity to contract directly with vendors and to issue signed assessment reports.
Cryptographic competence. Identifiable lead assessors with demonstrable PQC expertise — for example, contributions to PQC standards work, prior cryptographic audit engagements, or recognised certifications in cryptography or information security.
Methodology. A documented internal assessment methodology that follows the PQCMM level criteria and assessment guidance, identifies the tools used (e.g., SBOM/CBOM analysers, KAT validators, interoperability harnesses), and describes how findings are recorded and quality-reviewed.
Independence. A written independence policy meeting the requirements of the Third-Party Assessment page, including a published conflict-of-interest declaration process.
Sample report. A redacted sample PQCMM assessment report that the PKI Consortium can review for clarity, methodology adherence, and evidence handling. The sample may be a real prior assessment with vendor and product details anonymised.
Assessor declaration. A signed declaration accepting the PKI Consortium’s certification terms, the prior-engagement disclosure obligation, and the complaints, suspension, and revocation processes.
Maintenance. Commitment to maintain technical competence (training, monitoring of NIST/ETSI/ISO PQC publications) and to renew accreditation periodically.
Contribution to the PQCMM and the PKI Consortium. Accredited assessors are expected to contribute to the ongoing development of the model and the broader PKI Consortium community.
Contribution may take several forms, including but not limited to: participation in PQC working group discussions and review cycles; feedback on draft criteria, assessment guidance, and evidence requirements based on real assessment experience; authoring or reviewing PQCMM documentation or tooling; presenting findings or lessons learned at PKI Consortium events or publications; or membership in the PKI Consortium.
This criterion reflects the principle that the accreditation network should strengthen the model it applies, and that assessors who engage with the community are better placed to apply the model consistently and accurately.

The PKI Consortium reviews applications on a rolling basis. Accreditation may be granted, granted conditionally (with named follow-up requirements), or declined. Suspension or revocation of accreditation follows the same process as for certificates.

Interested in becoming an accredited assessor? The assessor program is currently in development. If your organization performs independent cryptographic assessments, audits, or structural reviews and wishes to be added to the registry, please contact us at contact at pkic dot org.