Vendor & Supply Chain Risk

Assess vendor PQC readiness, build scorecards, and manage supply chain cryptographic risk.

Why Vendor PQC Risk Matters

Your organization's quantum readiness is only as strong as your weakest vendor. Third-party software, hardware, and cloud services form the backbone of enterprise cryptographic infrastructure, and you do not control their release schedules. If one critical vendor cannot ship PQC support, your entire migration timeline slips with it.

“Supply chain risks are among the most significant challenges for PQC migration. Organizations must evaluate vendors' cryptographic capabilities and ensure contractual commitments to post-quantum readiness.”

— NIST SP 1800-38 (Draft), PQC Migration Handbook

Harvest Now, Decrypt Later

Vendors carrying sensitive data in transit over classical key exchange are targets today, not in some future quantum era: traffic recorded now can be decrypted once a cryptographically relevant quantum computer exists. Every vendor still on classical-only key exchange extends that exposure window.

Compliance Cascade

Regulatory deadlines apply to your full supply chain, not just your own code. A compliant first-party codebase still fails if a vendor component on the same data path has not migrated.

Single Points of Failure

A single vendor dependency on classical-only cryptography, such as an HSM or identity provider that signs only with RSA or ECDSA, can block your entire PQC migration program.

Vendor PQC Scorecards

A vendor scorecard provides a structured, repeatable method for evaluating how well-prepared each vendor is for the post-quantum transition. Scores are weighted across dimensions that map to real migration risk factors.

Key Dimensions

  • PQC algorithm support (ML-KEM/FIPS 203, ML-DSA/FIPS 204, SLH-DSA/FIPS 205)
  • FIPS 140-3 validation status
  • Published PQC migration roadmap
  • Crypto agility capability (can algorithms be swapped by configuration, without a code change or re-certification?)
  • SBOM/CBOM delivery
  • Hybrid mode support (classical plus PQC, for instance in key exchange during the transition)

Scoring Methodology

  • Each dimension scored 0–100
  • Weights reflect migration impact
  • FIPS dimension auto-scored from product data
  • Composite score drives risk tier
  • Exportable for procurement reviews
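To make the methodology concrete, here is an added Python example, not the page's own scorecard tool, that scores a product across the six dimensions above, weights them, and maps the composite to a risk tier. The six dimension names and the four FIPS tiers are the page's; the weights, the FIPS tier-to-score mapping, the tier thresholds, the gating rule for classical-only products and the two sample vendors are illustrative assumptions.

```python
"""Weighted PQC vendor scorecard (added example; not the page's own tool).

Dimensions and FIPS tiers are the page's. Weights, FIPS tier scores, risk-tier
thresholds and the classical-only gate are illustrative assumptions.
"""
import csv
import sys
from dataclasses import dataclass

# Assumed weights per dimension; they sum to 1.0 so the composite stays 0-100.
WEIGHTS = {
    "pqc_algorithms": 0.30,
    "fips_validation": 0.15,
    "roadmap": 0.15,
    "crypto_agility": 0.15,
    "cbom_delivery": 0.15,
    "hybrid_mode": 0.10,
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9

# The page's FIPS tiers, best to worst; the numeric scores are assumptions.
FIPS_TIER_SCORE = {
    "140-3 validated": 100,
    "140-3 submitted": 70,
    "140-2 validated": 40,
    "self-claim": 10,
    "none": 0,
}

# FIPS 203 / 204 / 205 algorithm families named on the page.
PQC_FAMILIES = frozenset({"ML-KEM", "ML-DSA", "SLH-DSA"})


@dataclass(frozen=True)
class VendorProduct:
    vendor: str
    product: str
    pqc_algorithms: frozenset   # subset of PQC_FAMILIES the product ships today
    fips_tier: str              # key of FIPS_TIER_SCORE, taken from product data
    roadmap: int                # analyst-assigned 0-100
    crypto_agility: int         # analyst-assigned 0-100
    cbom_delivery: int          # analyst-assigned 0-100
    hybrid_mode: int            # analyst-assigned 0-100


def score_pqc_algorithms(algs: frozenset) -> int:
    """Share of the three FIPS families supported, as 0-100."""
    return round(100 * len(algs & PQC_FAMILIES) / len(PQC_FAMILIES))


def score_fips(tier: str) -> int:
    """Auto-scored from product data; an unknown tier string is an error, not a zero."""
    return FIPS_TIER_SCORE[tier.strip().lower()]


def score_dimensions(p: VendorProduct) -> dict:
    """All six dimension scores, range-checked so a typo cannot inflate a vendor."""
    scores = {
        "pqc_algorithms": score_pqc_algorithms(p.pqc_algorithms),
        "fips_validation": score_fips(p.fips_tier),
        "roadmap": p.roadmap,
        "crypto_agility": p.crypto_agility,
        "cbom_delivery": p.cbom_delivery,
        "hybrid_mode": p.hybrid_mode,
    }
    for name, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be 0-100, got {value}")
    return scores


def composite_score(p: VendorProduct) -> float:
    scores = score_dimensions(p)
    return round(sum(scores[d] * w for d, w in WEIGHTS.items()), 1)


def risk_tier(p: VendorProduct) -> str:
    scores = score_dimensions(p)
    total = composite_score(p)
    tier = "Low" if total >= 75 else "Medium" if total >= 50 else "High" if total >= 25 else "Critical"
    # Gate (assumption): a product with no PQC algorithm and no hybrid mode is a
    # blocking dependency for the migration, so it never scores better than High,
    # however good its roadmap and paperwork look.
    if scores["pqc_algorithms"] == 0 and scores["hybrid_mode"] == 0 and tier in ("Low", "Medium"):
        tier = "High"
    return tier


def scorecard_rows(products) -> list:
    """Flat rows for a procurement review export."""
    rows = []
    for p in products:
        row = {"vendor": p.vendor, "product": p.product, **score_dimensions(p)}
        row["composite"] = composite_score(p)
        row["risk_tier"] = risk_tier(p)
        rows.append(row)
    return rows


# Constructed sample vendors for the example; not real products.
SAMPLE = [
    VendorProduct("ExampleVPN Inc", "Gateway 9", frozenset({"ML-KEM"}), "140-3 submitted", 80, 60, 50, 100),
    VendorProduct("LegacyHSM Ltd", "SecureBox", frozenset(), "140-3 validated", 100, 100, 100, 0),
]

if __name__ == "__main__":
    rows = scorecard_rows(SAMPLE)
    writer = csv.DictWriter(sys.stdout, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
```

The second sample vendor is the case the gate exists for: a fully validated FIPS 140-3 module with a perfect roadmap score still ships no PQC algorithm and no hybrid mode, so a pure weighted average (60.0, "Medium") would understate the fact that it currently blocks migration.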

CBOM: Crypto Bill of Materials

A CBOM (Cryptographic Bill of Materials) extends the SBOM concept to track every cryptographic algorithm, key, certificate, and protocol used by a software product. Requiring CBOMs from vendors turns quantum-readiness questionnaires into verifiable, machine-readable data, which makes it the highest-leverage step toward supply chain quantum readiness.

What a CBOM Reveals

Algorithm inventory, key sizes, protocol versions, certificate types, and quantum vulnerability status per component.

Standard Format

CycloneDX 1.6 added a cryptographic-asset component type with crypto properties for algorithms, certificates, protocols, and related key material, so a CBOM is an ordinary CycloneDX BOM rather than a separate format. The specification is maintained by the OWASP CycloneDX project (cyclonedx.org) and is also published as Ecma standard ECMA-424.
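What a consumer does with that data, as an added Python example that is not the page's or CycloneDX's own tooling: parse a CycloneDX 1.6 CBOM, classify each cryptographic asset by its declared NIST quantum security level, and propagate the verdict to the protocols and certificates that reference those algorithms. The CBOM document below is constructed for the example; the field names (`cryptographic-asset`, `cryptoProperties`, `algorithmProperties`, `protocolProperties`, `certificateProperties`, `nistQuantumSecurityLevel`) follow my reading of the CycloneDX 1.6 JSON schema, so check them against the published schema at cyclonedx.org before running this against real vendor files.

```python
"""Classify the cryptographic assets in a CycloneDX 1.6 CBOM for quantum exposure.

Added example, not the page's or CycloneDX's own tooling. Field names follow my
reading of the CycloneDX 1.6 JSON schema; verify against the published schema.
"""
import json

ASYMMETRIC = {"pke", "signature", "key-agree", "kem"}

# Constructed sample CBOM (not a real vendor's) covering algorithm, protocol and
# certificate assets, plus one ordinary library component that must be ignored.
SAMPLE_CBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "cryptographic-asset", "bom-ref": "alg:rsa-2048", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "signature", "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:ecdh-p256", "name": "ECDH P-256",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "key-agree", "curve": "P-256", "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:ecdsa-p384", "name": "ECDSA P-384",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "signature", "curve": "P-384"}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:aes-256-gcm", "name": "AES-256-GCM",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "ae", "parameterSetIdentifier": "256", "nistQuantumSecurityLevel": 5}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:ml-kem-768", "name": "ML-KEM-768",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "kem", "parameterSetIdentifier": "768", "nistQuantumSecurityLevel": 3}}},
    {"type": "cryptographic-asset", "bom-ref": "proto:tls12", "name": "TLS",
     "cryptoProperties": {"assetType": "protocol", "protocolProperties": {"type": "tls", "version": "1.2",
       "cipherSuites": [{"name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                         "algorithms": ["alg:ecdh-p256", "alg:rsa-2048", "alg:aes-256-gcm"]}]}}},
    {"type": "cryptographic-asset", "bom-ref": "cert:server", "name": "server.example.com",
     "cryptoProperties": {"assetType": "certificate", "certificateProperties":
       {"subjectName": "CN=server.example.com", "signatureAlgorithmRef": "alg:rsa-2048",
        "certificateFormat": "X.509"}}},
    {"type": "library", "bom-ref": "pkg:generic/tlslib@1.0", "name": "tlslib", "version": "1.0"}
  ]
}
""")


def classify_algorithm(props: dict) -> str:
    """Verdict from the declared NIST quantum security level. Missing data is
    'unknown' and gets chased with the vendor; it is never assumed safe."""
    primitive = props.get("primitive", "unknown")
    level = props.get("nistQuantumSecurityLevel")
    if level is None or primitive == "unknown":
        return "unknown"
    if level == 0:
        return "quantum-vulnerable"
    return "pqc" if primitive in ASYMMETRIC else "quantum-safe"


def classify_suite(alg_refs, verdicts: dict) -> str:
    """A suite is as weak as its weakest algorithm; a vulnerable classical part
    alongside a PQC KEM is reported as hybrid rather than fully vulnerable."""
    v = [verdicts.get(ref, "unknown") for ref in alg_refs]
    if "quantum-vulnerable" in v:
        return "hybrid" if "pqc" in v else "quantum-vulnerable"
    if "unknown" in v:
        return "unknown"
    return "pqc" if "pqc" in v else "quantum-safe"


def assess_cbom(bom: dict) -> dict:
    """Map every cryptographic asset (and each cipher suite) to a verdict."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    major, minor = (int(x) for x in bom.get("specVersion", "0.0").split(".")[:2])
    if (major, minor) < (1, 6):
        raise ValueError("cryptographic-asset components need CycloneDX 1.6 or later")
    assets = {c.get("bom-ref", c["name"]): c["cryptoProperties"]
              for c in bom.get("components", []) if c.get("type") == "cryptographic-asset"}
    verdicts = {}
    for ref, cp in assets.items():                 # pass 1: algorithms
        if cp.get("assetType") == "algorithm":
            verdicts[ref] = classify_algorithm(cp.get("algorithmProperties", {}))
    for ref, cp in assets.items():                 # pass 2: assets that reference algorithms
        if cp.get("assetType") == "protocol":
            for suite in cp.get("protocolProperties", {}).get("cipherSuites", []):
                key = f"{ref}/{suite.get('name', '?')}"
                verdicts[key] = classify_suite(suite.get("algorithms", []), verdicts)
        elif cp.get("assetType") == "certificate":
            sig = cp.get("certificateProperties", {}).get("signatureAlgorithmRef")
            verdicts[ref] = verdicts.get(sig, "unknown")
    return verdicts


def follow_up_list(verdicts: dict) -> list:
    """What to raise with the vendor: vulnerable assets block migration, unknown ones block assessment."""
    return sorted(ref for ref, v in verdicts.items() if v in ("quantum-vulnerable", "unknown"))


if __name__ == "__main__":
    result = assess_cbom(SAMPLE_CBOM)
    for ref, verdict in sorted(result.items()):
        print(f"{verdict:18} {ref}")
    print("follow up with vendor:", ", ".join(follow_up_list(result)))
```

Two caveats this encodes: a CBOM field that is absent is a finding in itself (the ECDSA entry above lands on the follow-up list because the vendor declared no quantum security level), and protocol and certificate verdicts are derived from the algorithms they reference, so a vendor cannot present a "TLS 1.2" line item as neutral while its only cipher suite rests on ECDHE and RSA.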

Vendor Requirement

Include CBOM delivery requirements in vendor contracts with defined frequency (at minimum every release and on any cryptographic change), format (CycloneDX JSON), and scope (the shipped product version, including the third-party libraries it embeds).

FIPS Validation Tiers

Not all “FIPS compliance” claims are equal. Understanding the tiers helps you assess real vendor cryptographic maturity.

FIPS 140-3 Validated

Module has passed CMVP testing and holds a certificate number. Highest assurance level for cryptographic modules, but read the certificate itself: check the validated module boundary and version, that the product runs it in its approved mode, and that the PQC algorithms you care about (ML-KEM, ML-DSA, SLH-DSA) actually appear on the certificate with CAVP algorithm validations rather than only in marketing material.

FIPS 140-3 Submitted

Module appears on the CMVP Modules In Process list (implementation under test or in review). Validation pending but commitment demonstrated; expect a long queue, and confirm that the submission covers the module version and PQC algorithms you intend to deploy.

FIPS 140-2 Validated

Legacy validation. CMVP stopped accepting new FIPS 140-2 submissions in 2021 and has scheduled the remaining active 140-2 certificates to move to the Historical list on 21 September 2026, after which they should not be relied on for new procurements; migration to a 140-3 validated module is required.

FIPS Mode / Self-Claim

Vendor claims FIPS-mode operation, or "uses FIPS-validated libraries", but holds no CMVP certificate for the product. Lowest assurance: treat it as unvalidated unless the vendor can name the certificate number of the embedded module and show that it is used in its approved mode.

Vendor Assessment Framework

A structured approach to evaluating vendors ensures consistent, auditable assessments across your supply chain. Follow this framework when engaging vendors on PQC readiness.

1. Inventory

Catalog every vendor product that performs or terminates cryptographic operations (TLS endpoints, VPNs, HSMs, signing services, and libraries embedded in your own builds).

2. Request CBOM

Ask each vendor for a Crypto Bill of Materials in CycloneDX format, tied to the specific product version you run.

3. Score Readiness

Apply the PQC readiness scorecard across the six dimensions and record the resulting risk tier.

4. Contract Requirements

Embed PQC migration clauses in vendor agreements: CBOM delivery, a dated migration roadmap, and hybrid or PQC support milestones.

5. Monitor & Reassess

Track vendor progress quarterly against the roadmap; escalate non-compliance through the contract.
