Vendor questionnaires are starting to include post-quantum language. That is good. It is also risky. A broad question such as “Are you quantum safe?” invites broad answers. Procurement teams need clauses that create evidence, timelines, and accountability without forcing suppliers into claims they cannot honestly make.
The better question in 2026 is not whether a vendor is done. Almost nobody is done across every product, protocol, certificate, signature, hardware module, and dependency. The better question is whether the vendor knows its exposure and has a credible path to reduce it.
What to ask for
- A product-level cryptographic inventory or a summary suitable for customers under NDA.
- Current use of RSA, ECDH, ECDSA, EdDSA, finite-field Diffie-Hellman, and related public-key mechanisms.
- Support plans for NIST-standardized PQC algorithms such as ML-KEM, ML-DSA, and SLH-DSA where relevant.
- Known blockers: hardware limits, protocol dependencies, certification constraints, customer-managed components, or third-party libraries.
- Planned support for hybrid key exchange in TLS, SSH, VPN, or other remote-access paths where applicable.
- Notification commitments when cryptographic posture changes materially.
What to avoid
Avoid clauses that demand undefined “quantum-proof” status. That wording is not precise, and it may push vendors into defensive answers. Avoid requiring a single algorithm everywhere. The right algorithm depends on use case, standards status, interoperability, certification needs, and lifecycle constraints.
Also avoid treating a roadmap as a control. A roadmap is useful only if it has owners, dates, dependencies, and evidence that can be reviewed over time.
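One way to make the "What to ask for" list and the "roadmap is not a control" point operational is to score questionnaire responses the same way every time. The script below is an added example written for this article, not a tool from CISA, NIST, NSA or any vendor; the response schema (`inventory_available`, `change_notification`, per-product `components` with `algorithms` and `migration_planned`, and `roadmap` entries with `owner`, `target_date`, `evidence`) is an assumed, constructed format that mirrors the list above, and the sample response is constructed for illustration. It flags components that rely only on quantum-vulnerable public-key mechanisms, components whose algorithms were not disclosed at all, roadmap items with no owner, date or evidence, and missing notification commitments.

```python
"""Score a vendor's post-quantum questionnaire response.

Added example for this article, not a tool from any vendor or standards body.
The response format is a hypothetical dict that mirrors the "What to ask for"
list; real questionnaires will use their own schema.
"""
from dataclasses import dataclass

# Public-key mechanisms broken by a cryptographically relevant quantum computer
# (the ones the questionnaire asks vendors to enumerate).
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "EDDSA", "FFDH", "DSA"}
# NIST-standardized PQC algorithms (FIPS 203, 204 and 205).
PQC_STANDARDIZED = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Fields a roadmap entry needs before it counts as more than an intention.
ROADMAP_REQUIRED = ("owner", "target_date", "evidence")


@dataclass(frozen=True)
class Finding:
    product: str
    subject: str      # component name, roadmap item, or "contract"
    severity: str     # "high", "medium" or "low"
    message: str


def classify(algorithms):
    """Return 'pqc', 'hybrid', 'classical' or 'unknown' for a component's algorithms."""
    names = {a.upper() for a in algorithms}
    has_vuln = bool(names & QUANTUM_VULNERABLE)
    has_pqc = bool(names & PQC_STANDARDIZED)
    if has_pqc and has_vuln:
        return "hybrid"      # classical + PQC together, e.g. hybrid key exchange
    if has_pqc:
        return "pqc"
    if has_vuln:
        return "classical"
    return "unknown"         # nothing disclosed: inventory gap, not a pass


def check_components(product):
    """Flag components that are quantum-vulnerable only, or undisclosed."""
    findings = []
    for comp in product.get("components", []):
        state = classify(comp.get("algorithms", []))
        if state == "classical" and comp.get("migration_planned"):
            findings.append(Finding(product["name"], comp["name"], "medium",
                "quantum-vulnerable only; migration planned, verify against roadmap"))
        elif state == "classical":
            findings.append(Finding(product["name"], comp["name"], "high",
                "quantum-vulnerable only and no migration plan disclosed"))
        elif state == "unknown":
            findings.append(Finding(product["name"], comp["name"], "high",
                "algorithms not disclosed; cryptographic inventory incomplete"))
    return findings


def check_roadmap(product):
    """A roadmap item without owner, date and evidence is not reviewable as a control."""
    findings = []
    for item in product.get("roadmap", []):
        missing = [f for f in ROADMAP_REQUIRED if not item.get(f)]
        if missing:
            findings.append(Finding(product["name"], item["item"], "medium",
                "roadmap item lacks " + ", ".join(missing) + "; not reviewable as a control"))
    return findings


def check_commitments(response):
    """Contract-level asks: inventory access and change notification."""
    findings = []
    if not response.get("inventory_available"):
        findings.append(Finding("*", "contract", "high",
            "no cryptographic inventory offered, even under NDA"))
    if not response.get("change_notification"):
        findings.append(Finding("*", "contract", "medium",
            "no commitment to notify on material cryptographic posture changes"))
    return findings


def evaluate(response):
    """Collect all findings and tally them by severity."""
    findings = check_commitments(response)
    for product in response.get("products", []):
        findings += check_components(product)
        findings += check_roadmap(product)
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return {"findings": findings, "counts": counts}


# Constructed sample response; the vendor and product names are placeholders.
SAMPLE_RESPONSE = {
    "vendor": "ExampleCo (constructed)",
    "inventory_available": True,
    "change_notification": False,
    "products": [{
        "name": "Edge Gateway 4.x",
        "components": [
            {"name": "TLS listener", "algorithms": ["ECDH", "RSA"], "migration_planned": True},
            {"name": "Firmware signing", "algorithms": ["RSA"], "migration_planned": False},
            {"name": "Admin SSH", "algorithms": ["ML-KEM", "ECDH"]},
            {"name": "Third-party VPN library", "algorithms": []},
        ],
        "roadmap": [
            {"item": "Hybrid TLS key exchange", "owner": "Platform crypto team",
             "target_date": "2026-Q3", "evidence": "interop test report"},
            {"item": "ML-DSA firmware signing", "owner": None,
             "target_date": None, "evidence": None},
        ],
    }],
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_RESPONSE)
    for f in result["findings"]:
        print(f"[{f.severity}] {f.product} / {f.subject}: {f.message}")
    print(result["counts"])
```

Run on the constructed sample, the script raises two high findings (firmware signing with RSA only and no plan, and a third-party library whose algorithms were not disclosed) and three medium ones (TLS listener still classical but with a plan, a roadmap item with no owner, date or evidence, and no change-notification commitment). The hybrid SSH component produces no finding, which is the intended signal: the aim is observable exposure and a reviewable plan, not a ban on classical algorithms.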
Contract language that helps both sides
Good clauses ask vendors to maintain a cryptographic inventory, disclose material quantum-vulnerable dependencies for the purchased product, provide migration plans for supported versions, and cooperate in testing when post-quantum or hybrid options become available. They should also address long-lived data and product support periods, because a short contract can still protect data that remains sensitive for years.
The procurement outcome to aim for
Procurement should make quantum readiness observable. The goal is not to reject every supplier that still uses classical public-key cryptography. The goal is to avoid buying systems that cannot explain where cryptography lives, how it will change, and who is responsible when standards and customer requirements move.
Further reading: CISA product categories for PQC adoption, NIST PQC project, NSA post-quantum cybersecurity resources.