Contract effective date: September 18, 2024. Runtime consent, request, security, audit, and deployment timestamps remain factual records.
Global Quantum and Post-Quantum Cryptography Security Policy
Purpose
This policy establishes cryptographic agility and post-quantum readiness for web apps, mobile apps, APIs, cloud services, connected devices, hospital systems, healthtech, AI systems and developer tools.
Required inventory
Maintain an inventory of cryptography used for:
- TLS, mTLS, VPN, SSH, certificates, identity tokens and API signing;
- mobile keystores, secure enclave/keychain, Android Keystore, local encrypted storage and push-token flows;
- database encryption, backups, object storage, logs, analytics exports and data warehouses;
- code signing, firmware signing, update channels and package distribution;
- messaging, end-to-end encryption, secrets, KMS, HSMs and hardware devices;
- vendor systems that store or transmit long-lived sensitive data.
Harvest-now-decrypt-later review
Long-lived sensitive data must be reviewed for quantum exposure, including health, genetic, biometric, child, government ID, legal, financial, authentication, trade secret, hospital, critical infrastructure and national-security-adjacent data.
Migration controls
- Build crypto agility so algorithms and key sizes can be changed without rewriting the product.
- Prefer standards-based migration planning using NIST PQC standards and CISA/OMB guidance where applicable.
- Track vendor readiness for FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA.
- Validate interoperability and fallback behavior before enabling PQC or hybrid modes.
- Avoid proprietary “quantum-safe” claims without rigorous review.
- Document compensating controls for legacy clients and mobile OS limitations.
Product and marketing language
Approved language may say: “We maintain a cryptographic inventory and post-quantum migration plan.” Prohibited language without counsel/security approval includes: “quantum-proof,” “unbreakable,” “future-proof,” “military-grade,” or “guaranteed secure.”