Engaging Vendors to Prepare Your Supply Chain for the Post-Quantum Era
Best practices for federal agencies on engaging vendors for post-quantum cryptography (PQC), including communication strategies, contract updates, and supply chain oversight.
Effective stakeholder outreach to vendors is essential for gathering detailed cryptographic information about commercial products and services. As agencies are encouraged to rely increasingly on Commercial Off-The-Shelf (COTS) solutions, ongoing vendor communication becomes even more critical, requiring regular touchpoints with suppliers to monitor progress and ensure alignment with federal timeline requirements. Agencies must proactively engage with their technology suppliers to understand current cryptographic implementations and future post-quantum roadmaps.
The vendor engagement process requires a nuanced approach that recognizes the diverse landscape of technology suppliers. Large enterprise vendors may already have established PQC strategies, while smaller specialized vendors may lack awareness of quantum threats entirely. Agencies must tailor their communication strategies accordingly, providing education and support where needed while demanding accountability and transparency from all suppliers.
Developing a communication strategy
This communication strategy should begin with updating contract language and service level agreements to include specific post-quantum cryptography (PQC) requirements and compliance expectations. For example, contracts should specify that vendors must provide migration roadmaps by a certain date, implement NIST-approved PQC algorithms within defined timeframes, and maintain system security throughout the transition period. Service level agreements might include requirements for vendors to notify agencies within 30 days of any changes to their PQC implementation timelines or if quantum vulnerabilities are discovered in their products. Additionally, agencies should request detailed surveys or comprehensive roadmaps that demonstrate how vendors are preparing for the PQC transition, including timelines for algorithm updates, testing procedures, and migration support services.
PQC as part of supply chain strategy
Integration with existing supply chain risk management processes is also crucial for success. PQC considerations should be seamlessly incorporated into established workflows, including requesting specific timelines, understanding technical dependencies, and evaluating vendor capacity to support migration efforts. Agencies should leverage Software Bills of Materials (SBOMs) to identify cryptographic components not only in primary systems but also in third-party libraries, dependencies, and subcomponents that may contain quantum-vulnerable algorithms. This component-level visibility is essential because cryptographic vulnerabilities can exist deep within supply chains, requiring agencies to understand the complete cryptographic footprint of their technology stack, not just surface-level implementations.
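As an added example (not code from the original post, and not Maveris tooling), the following Python script shows the component-level SBOM review described above: it walks the dependency graph of a CycloneDX-style SBOM from the primary component down through third-party libraries, finds every cryptographic asset that is reachable, and classifies it as quantum-vulnerable, NIST PQC-approved, or other, keeping the dependency path so the owning vendor can be identified. The SBOM is constructed inline for the demonstration; the `cryptographic-asset` component type and the `cryptoProperties` field names follow CycloneDX 1.6, which is an assumption about what your SBOM tooling emits.

```python
"""Flag quantum-vulnerable cryptography in a CycloneDX-style SBOM, including
algorithms that are reachable only through transitive dependencies.
Sample SBOM below is constructed for this example; field layout assumes the
CycloneDX 1.6 'cryptographic-asset' component type."""
import json

# Public-key families whose security rests on factoring or discrete logarithms,
# which a cryptographically relevant quantum computer breaks via Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
# NIST-standardized PQC algorithms (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
PQC_APPROVED = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Constructed sample: an application that pulls in a TLS library and a JWT library,
# each of which declares the algorithms it uses as cryptographic-asset components.
SAMPLE_SBOM = json.loads(r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "metadata": {"component": {"bom-ref": "app", "name": "records-portal", "type": "application"}},
  "components": [
    {"bom-ref": "tls-lib", "name": "tlslib", "version": "3.0.1", "type": "library"},
    {"bom-ref": "jwt-lib", "name": "jwtlib", "version": "2.4.0", "type": "library"},
    {"bom-ref": "alg-rsa", "name": "RSA-2048", "type": "cryptographic-asset",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "signature"}}},
    {"bom-ref": "alg-ecdh", "name": "ECDH-P256", "type": "cryptographic-asset",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "key-agree"}}},
    {"bom-ref": "alg-mlkem", "name": "ML-KEM-768", "type": "cryptographic-asset",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "kem"}}},
    {"bom-ref": "alg-aes", "name": "AES-256-GCM", "type": "cryptographic-asset",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "ae"}}}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["tls-lib", "jwt-lib"]},
    {"ref": "tls-lib", "dependsOn": ["alg-ecdh", "alg-mlkem", "alg-aes"]},
    {"ref": "jwt-lib", "dependsOn": ["alg-rsa"]}
  ]
}
""")


def algorithm_family(name):
    """Map an asset name such as 'ECDH-P256' or 'ML-KEM-768' to a known family, or None.
    Longest family names are tried first so 'ECDSA' is not mistaken for 'DSA'."""
    upper = name.upper()
    for family in sorted(QUANTUM_VULNERABLE | PQC_APPROVED, key=len, reverse=True):
        if upper.startswith(family):
            return family
    return None


def find_crypto_paths(sbom):
    """Return {asset name: dependency path from the primary component} for every
    cryptographic-asset component reachable through the SBOM's dependency graph."""
    components = {c["bom-ref"]: c for c in sbom["components"]}
    depends_on = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    found = {}
    seen = set()
    stack = [(root, [root])]
    while stack:  # iterative DFS; 'seen' guards against dependency cycles
        ref, path = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        component = components.get(ref)
        if component and component.get("type") == "cryptographic-asset":
            found[component["name"]] = path
            continue
        for child in depends_on.get(ref, []):
            stack.append((child, path + [child]))
    return found


def classify(sbom):
    """Split reachable algorithms into quantum-vulnerable, PQC-approved and other
    (symmetric/hash algorithms, which need key-size review rather than replacement)."""
    report = {"quantum_vulnerable": {}, "pqc_approved": {}, "other": {}}
    for name, path in find_crypto_paths(sbom).items():
        family = algorithm_family(name)
        if family in QUANTUM_VULNERABLE:
            report["quantum_vulnerable"][name] = path
        elif family in PQC_APPROVED:
            report["pqc_approved"][name] = path
        else:
            report["other"][name] = path
    return report


if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_SBOM).items():
        for name, path in sorted(entries.items()):
            print(f"{bucket:18} {name:12} via {' -> '.join(path)}")
```

The dependency path in each finding is the useful part for vendor outreach: RSA-2048 here is introduced by the JWT library rather than the agency's own code, so the migration roadmap question goes to that library's supplier. Run against a real SBOM, the same walk surfaces algorithms several levels below the components a vendor lists on its datasheet.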
Creating a communication framework
We recommend developing a framework that outlines how system owners for COTS solutions discuss PQC migration with their system vendors. This should be done during the inventory and discovery phase to identify critical dependencies, hardware, and infrastructure needs. Your organization’s Supply Chain Risk Management function should consider updating its annual third-party assessment process and surveying solution providers on their roadmaps and current programs for meeting PQC compliance. If you have questions about how Maveris has developed a framework with their customers, please contact us at tic@harmonia.com.
In our next post we’ll look at how to budget for PQC efforts.