Axon Shield

Crypto-Agility Assessment: Is Your Organization Ready for Algorithm Transitions?

Part of the Post-Quantum PKI Migration Guide

Executive Summary: Crypto-agility—the operational capability to change cryptographic algorithms quickly—determines whether PQC migration costs $1M or $8M. This assessment evaluates your organization's readiness across four dimensions: infrastructure automation, trust management, operational processes, and team capabilities. Organizations scoring below 60/100 should invest in infrastructure modernization before algorithm selection. Organizations scoring 60-79 can pursue PQC migration while building capabilities. Organizations scoring 80+ are ready to deploy post-quantum algorithms on accelerated timelines.


For Decision Makers: Why Assess Crypto-Agility Before Choosing Algorithms

The Question That Determines Cost

Most executives ask: "Which post-quantum algorithm should we choose?"

The better question: "Can we change algorithms without disrupting business operations?"

If the answer is no, then:

  • PQC migration requires rearchitecting certificate infrastructure
  • Timeline extends 12-24 months beyond algorithm deployment
  • Cost balloons from $1M-$2M to $5M-$8M
  • Next algorithm change repeats this entire cycle

If the answer is yes, then:

  • PQC becomes a policy change, not a migration project
  • Timeline shrinks to 6-12 months for algorithm deployment
  • Cost stays within $1M-$2M range
  • Future algorithm changes take weeks and cost <$200K

Take the assessment first, then read the detailed analysis below.


The Crypto-Agility Assessment

Answer each question honestly using the 1-5 scale provided. Be brutal—overscoring creates false confidence and failed migrations.

Section 1: Infrastructure Automation

40% of score (8 questions on the 1-5 scale, up to 40 points)

Certificate enrollment, renewal, and deployment

  1. How do applications request certificates?
  2. How are certificates renewed before expiration?
  3. Do you have infrastructure supporting standard certificate enrollment protocols?
  4. How do applications know which Certificate Authorities to trust?
  5. Can you switch Certificate Authorities without changing application code?
  6. Can you use multiple Certificate Authorities simultaneously?
  7. How are new certificates deployed to production infrastructure?
  8. How do you test certificate changes before production deployment?

Section 2: Discovery & Visibility

25% of score (5 questions on the 1-5 scale, up to 25 points)

Certificate inventory and monitoring

  9. How complete is your certificate inventory?
  10. Do you know which applications depend on which certificates?
  11. Can you report on which cryptographic algorithms and CA vendors are deployed where?
  12. What monitoring exists for certificate health?
  13. Can you generate compliance reports for auditors?
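Questions 9 through 13 are answered by a discovery job, and the following is an added example of the minimum such a job needs to do (Go, standard library only; this is not Axon Shield or CertBridge code). It parses a PEM bundle, labels every key as RSA-<bits> or ECDSA-<curve>, records the issuing CA and the days left before expiry, and flags classical keys as the ones a PQC migration must replace. The 30-day warning threshold, the reference date and the vendor and host names are assumptions; the sample bundle is generated in-process so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Axon Shield code. The warning threshold, the reference
// date and every certificate name below are assumptions made for the demo.
const expiryWarnDays = 30
var refTime = time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // "today" for the report

// InventoryEntry is one row of the discovery report.
type InventoryEntry struct {
	Subject, Issuer, PublicKeyAlgo, SignatureAlgo string
	DaysLeft                                      int
	QuantumVuln                                   bool // RSA or ECDSA key: broken by Shor's algorithm
	Expiring                                      bool // fewer than expiryWarnDays left
}

// Inventory parses every CERTIFICATE block in a PEM bundle (other PEM objects are
// skipped) and records per certificate the key algorithm, issuing CA and lifetime.
func Inventory(bundle []byte, now time.Time) ([]InventoryEntry, error) {
	var entries []InventoryEntry
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		algo, classical := cert.PublicKeyAlgorithm.String(), false
		switch k := cert.PublicKey.(type) {
		case *rsa.PublicKey:
			algo, classical = fmt.Sprintf("RSA-%d", k.N.BitLen()), true
		case *ecdsa.PublicKey:
			algo, classical = "ECDSA-"+k.Curve.Params().Name, true
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		entries = append(entries, InventoryEntry{
			Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
			PublicKeyAlgo: algo, SignatureAlgo: cert.SignatureAlgorithm.String(),
			DaysLeft: days, QuantumVuln: classical, Expiring: days < expiryWarnDays,
		})
	}
	return entries, nil
}

// issue creates a constructed certificate for the sample bundle (parent == nil
// means self-signed) and returns its template, reusable as a parent, plus its PEM.
func issue(cn string, serial int64, isCA bool, days int, parent *x509.Certificate, pub, signer any) (*x509.Certificate, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: refTime.AddDate(0, 0, -1), NotAfter: refTime.AddDate(0, 0, days),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return tmpl, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle builds two fictional CA vendors (an RSA root and an ECDSA root)
// and two leaf certificates, one of them ten days from expiry. Names are made up.
func SampleBundle() []byte {
	caAKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caBKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	apiKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	dbKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caA, pemA := issue("Vendor A Root CA", 1, true, 3650, nil, &caAKey.PublicKey, caAKey)
	caB, pemB := issue("Vendor B Root CA", 2, true, 3650, nil, &caBKey.PublicKey, caBKey)
	_, pemAPI := issue("api.example.internal", 10, false, 400, caA, &apiKey.PublicKey, caAKey)
	_, pemDB := issue("db.example.internal", 11, false, 10, caB, &dbKey.PublicKey, caBKey)
	return append(append(append(pemA, pemB...), pemAPI...), pemDB...)
}

func main() {
	entries, err := Inventory(SampleBundle(), refTime)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("%+v\n", e)
	}
}
```

Grouping the rows by PublicKeyAlgo and by Issuer gives the "which algorithms and which CA vendors are deployed where" answer of question 11; the Expiring flag is the seed of the health monitoring question 12 asks about, and a real job would read the bundle from each host, load balancer and secrets store rather than generate it.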

Section 3: Operational Processes

20% of score (4 questions on the 1-5 scale, up to 20 points)

Team expertise and procedures

  14. How does your change management process handle certificate changes?
  15. What PKI expertise exists in your organization?
  16. What happens when certificate-related outages occur?
  17. How well-documented are your certificate operations?

Section 4: Architecture Patterns

15% of score (3 questions on the 1-5 scale, up to 15 points)

Infrastructure flexibility

  18. How effectively do you manage PKI vendor relationships?
  19. Does your certificate infrastructure support multi-cloud and hybrid environments?
  20. How much does legacy infrastructure constrain your certificate agility?

Your Total Crypto-Agility Score: add the four section scores for a total out of 100, then read the matching band in the interpretation that follows.


Score Interpretation

80-100 points: High Crypto-Agility ✅

Status: Ready for accelerated PQC deployment. Your infrastructure supports algorithm transitions.

Recommended timeline:

  • Months 1-6: Test PQC algorithms in non-production
  • Months 7-12: Gradual production rollout
  • Total: 12-18 months to full PQC deployment

Investment focus: Algorithm compatibility testing ($100K-$200K), Team training on PQC ($50K-$100K), Vendor upgrades ($50K-$150K)

Total: $200K-$450K


60-79 points: Medium Crypto-Agility ⚠️

Status: Can pursue PQC migration, but should fill infrastructure gaps concurrently.

Recommended timeline:

  • Months 1-12: Fill infrastructure gaps (automation, monitoring, trust management)
  • Months 13-24: PQC algorithm testing and deployment
  • Total: 24-36 months

Investment focus: Infrastructure modernization ($400K-$800K), PQC algorithm work ($200K-$400K)

Total: $600K-$1.2M

Critical decision: Resist pressure to deploy PQC to current infrastructure without fixing gaps. You'll create technical debt and higher long-term costs.


40-59 points: Low Crypto-Agility ❌

Status: Not ready for PQC deployment. Must build infrastructure foundation first.

Recommended timeline:

  • Months 1-18: Build automation foundation (protocol abstraction, trust management, discovery)
  • Months 19-30: Migrate applications to automated enrollment
  • Months 31-42: PQC algorithm deployment
  • Total: 36-48 months

Investment focus: Infrastructure modernization ($800K-$2M), Organizational change ($200K-$500K), PQC algorithm work ($200K-$400K)

Total: $1.2M-$2.9M

Critical success factor: Secure executive sponsorship. This isn't a PKI project—it's infrastructure modernization.


Below 40 points: Not Ready 🚫

Status: Cannot support PQC migration timeline without fundamental organizational transformation.

Recommended timeline:

  • Months 1-24: Build foundational capabilities (automation, team structure, processes, culture)
  • Months 25-36: Deploy certificate automation as pilot for broader modernization
  • Months 37-54: PQC deployment
  • Total: 48-60 months

Investment focus: Organizational transformation ($500K-$1.5M), Infrastructure modernization ($1M-$3M), PKI/PQC specifically ($500K-$1M)

Total: $2M-$5.5M

Hard truth: The federal deadline of 2030 is probably not achievable without major organizational changes.


Want Expert Crypto-Agility Assessment?

We've conducted crypto-agility assessments for Fortune 500 enterprises and major financial institutions, helping them build PQC readiness while eliminating vendor lock-in.

What we provide:

  • Facilitated assessment with your teams (engineering, security, compliance)
  • Gap analysis with specific remediation roadmap
  • Build vs. buy analysis (in-house automation vs. CertBridge vs. managed service)
  • Executive presentation with timeline and budget recommendations

What makes us different:

  • We've built the infrastructure we're assessing (CertBridge came from real migration failures)
  • No vendor partnerships (honest assessment of your current vendors)
  • Infrastructure-first approach (algorithms are secondary)
  • Customer owns everything (CertBridge deployed in your AWS account)

Contact us for crypto-agility assessment

We'll tell you honestly what score we think you'd achieve, where the biggest gaps are, and whether you should start with infrastructure or can proceed to PQC algorithms.
