What Is a Cryptographic Inventory and Why You Need One Before 2027
You can't migrate what you can't find. A cryptographic inventory is the essential first step toward post-quantum readiness — and the window to start is closing.
Most organizations have no idea how many cryptographic assets they're running. Certificates, keys, TLS configurations, VPN tunnels, code-signing workflows, API integrations, hardware security modules — cryptography is embedded in nearly every layer of enterprise infrastructure. And the vast majority of it is invisible to the people responsible for securing it.
A cryptographic inventory is a comprehensive catalog of every cryptographic asset, algorithm, protocol, and dependency in your environment. It's the foundation of any post-quantum migration — and without one, you're planning a journey without a map.
NIST finalized its post-quantum cryptographic standards (FIPS 203, 204, and 205) and federal agencies are already under mandate to begin transition planning. While there's no single "deadline" for the private sector, the convergence of several factors makes 2027 a practical inflection point:
| Timeline | Event | Impact |
|---|---|---|
| 2024 | NIST finalizes FIPS 203/204/205 | Standards are no longer draft — migration targets are concrete |
| 2025–2026 | Federal mandate for transition plans | Agencies and contractors must demonstrate readiness |
| 2026–2027 | Vendor ecosystem begins PQC rollout | Libraries, cloud providers, and platforms ship PQC support |
| 2030+ | Deprecation of vulnerable algorithms begins | RSA, ECDSA, ECDH phased out of compliance frameworks |
Organizations that start their cryptographic inventory now have three to four years to execute a controlled, phased migration. Those that wait will face compressed timelines, emergency patching, and the risk of non-compliance with frameworks that will increasingly require quantum-resistant cryptography.
A cryptographic inventory isn't just a list of certificates. It maps every touchpoint where your organization uses cryptography:
- TLS certificates and configurations, VPN tunnels (IPsec, WireGuard), SSH keys and host configurations, wireless authentication (802.1X)
- API authentication tokens, OAuth/SAML integrations, code-signing certificates, database encryption (TDE, column-level), file/disk encryption
- Hardware security modules (HSMs), key management systems (KMS), PKI infrastructure and certificate authorities, cloud provider encryption (AWS KMS, Azure Key Vault)
- Third-party libraries (OpenSSL, BouncyCastle), vendor integrations and partner connections, firmware with embedded cryptographic functions, legacy systems with hardcoded algorithms
For each asset, the inventory captures the algorithm in use (RSA-2048, ECDSA P-256, AES-128, etc.), the key length, the protocol version, the certificate expiration, and — critically — whether the asset is quantum-vulnerable.
Not every algorithm is equally threatened by quantum computing. Your inventory should classify each asset by its quantum vulnerability:
| Algorithm | Type | Quantum Risk | PQC Replacement |
|---|---|---|---|
| RSA-2048/4096 | Key exchange / Signatures | Critical | ML-KEM / ML-DSA |
| ECDSA / ECDH | Signatures / Key exchange | Critical | ML-DSA / ML-KEM |
| AES-256 | Symmetric encryption | Low | No change needed |
| AES-128 | Symmetric encryption | Moderate | Upgrade to AES-256 |
| SHA-256 | Hashing | Low | No change needed |
| SHA-1 / MD5 | Hashing | Already broken | Upgrade to SHA-256+ |
The critical insight: asymmetric cryptography (RSA, ECC) is what quantum computing threatens most directly. Symmetric algorithms like AES-256 and hashing algorithms like SHA-256 are largely safe. This means your migration priority should focus on key exchange, digital signatures, and PKI infrastructure.
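As an added example (not the page's or ACQUIR's own tooling), the script below inventories one of the asset classes listed above, SSH keys, from authorized_keys or known_hosts lines: it parses the SSH public-key wire format to recover the algorithm and key length, then applies the quantum-risk classification from the table. The sample key lines, modulus and host name are constructed for the example, not real keys.

```python
import base64
import struct

# Quantum-risk classification for SSH key types, per the table above: RSA and EC keys are asymmetric, so all are Critical.
QUANTUM_RISK = {
    "ssh-rsa": ("RSA", "Critical", "ML-DSA"),
    "ecdsa-sha2-nistp256": ("ECDSA", "Critical", "ML-DSA"),
    "ssh-ed25519": ("EdDSA", "Critical", "ML-DSA"),
}

def ssh_string(data):
    """SSH wire-format string (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n):
    """SSH mpint: big-endian magnitude with a leading zero byte when the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf, pos):
    (length,) = struct.unpack(">I", buf[pos:pos + 4])  # inverse of ssh_string
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def inventory_ssh_key(line):
    """Classify one authorized_keys/known_hosts line as (type, key bits, risk, replacement)."""
    fields = line.split()
    # known_hosts lines carry a leading host field, so locate the key type by its prefix.
    idx = next((i for i, f in enumerate(fields[:-1]) if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None:
        return ("unrecognised", None, "Review", None)
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    wire_type, pos = read_string(blob, 0)        # the blob repeats the type name first
    if wire_type.decode() != key_type:
        return (key_type, None, "Review", None)  # malformed line: record it, do not guess
    if key_type == "ssh-rsa":
        _, pos = read_string(blob, pos)           # public exponent e, not needed for size
        modulus, _ = read_string(blob, pos)       # modulus n: its width is the RSA key length
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = read_string(blob, pos)         # e.g. b"nistp256"
        bits = int(curve[-3:])
    else:
        bits = 256 if key_type == "ssh-ed25519" else None
    _, risk, replacement = QUANTUM_RISK.get(key_type, ("unknown", "Review", None))
    return (key_type, bits, risk, replacement)
# Constructed sample lines (not real keys): only the wire framing and the sizes matter here.
SAMPLE_RSA = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 1)).decode() + " deploy@ci"
SAMPLE_ECDSA = "bastion.example.net ecdsa-sha2-nistp256 " + base64.b64encode(
    ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(b"\x04" + bytes(64))).decode()
```

Running `inventory_ssh_key` over every line of the files collected from hosts yields the per-asset records (algorithm, key length, risk, replacement) the inventory calls for; unrecognised or malformed lines are kept as "Review" items rather than silently dropped.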
If cryptographic inventories are this important, why do so few organizations have them?
It's genuinely hard to do. Cryptography is deeply embedded — in source code, in configuration files, in firmware, in third-party dependencies, in SaaS integrations you don't control. A manual audit would take months of engineering time, and the result would be outdated before it's finished.
Nobody owns it. Cryptographic assets span infrastructure, application development, security, compliance, and vendor management. No single team has visibility across all of them.
It wasn't urgent — until now. When the quantum threat was theoretical, the inventory could wait. With finalized standards and active "harvest now, decrypt later" campaigns, the urgency is real.
A properly executed cryptographic inventory delivers more than a spreadsheet. The output should include:
A Post-Quantum Readiness Assessment (PQRA) is the structured engagement that produces this inventory. It typically runs four to eight weeks depending on environment complexity and covers discovery, classification, risk assessment, and roadmap development.
The key is starting before the pressure hits. Organizations that build their inventory now can migrate methodically — testing interoperability, validating performance, and phasing changes into existing upgrade cycles. Those that wait will be doing it under deadline pressure with less room for error.
The question isn't whether your cryptography needs to change. The NIST standards have answered that. The question is whether you know what needs to change — and in what order.
ACQUIR delivers Post-Quantum Readiness Assessments that produce comprehensive cryptographic inventories aligned with NIST FIPS 203/204/205. Schedule a discovery call to discuss your organization's readiness.