Q-Day checklist

20-point crypto agility checklist

Use this as a self-audit worksheet — or automate each step with Qtangl Assess and Monitor.

Inventory & visibility

  1. Document all TLS endpoints exposed to the internet
  2. Inventory code-signing and artifact signing keys
  3. Map JWKS and OAuth/OIDC signing algorithms
  4. Catalog HSM and KMS key types and sizes
  5. Identify third-party SaaS with embedded legacy crypto

Risk & deadlines

  1. Apply Mosca inequality (X + Y > Z) to long-lived data
  2. Classify HNDL exposure for archived ciphertext
  3. Map findings to NSM-10 / CNSA 2.0 / NIST IR 8547 tiers
  4. Set internal migration milestones before regulatory deadlines
  5. Prioritize by data sensitivity, not alphabetically
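The Mosca inequality, HNDL classification and sensitivity-first prioritization from the five items above, worked through over a constructed data inventory. This is an added example, not code from the checklist page or from Qtangl; the inventory record layout, the 1..5 sensitivity scale and the year values are assumptions. X is how long the data must stay confidential, Y is how long migrating the system protecting it will take, and Z is the estimated time until a cryptographically relevant quantum computer exists; when X + Y > Z the data is exposed, and if ciphertext is already archived or captured it is exposed to harvest-now-decrypt-later today.

```python
"""Mosca inequality (X + Y > Z) and HNDL triage over a constructed inventory.

Added example, not part of the checklist page or Qtangl. The DataClass
record and the numbers in SAMPLE_INVENTORY are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataClass:
    name: str
    sensitivity: int          # assumed scale: 1 (low) .. 5 (critical)
    shelf_life_years: int     # X: years the data must remain confidential
    migration_years: int      # Y: years needed to migrate the protecting system
    archived_ciphertext: bool # True if ciphertext already sits in backups/captures


# Constructed inventory for the worked example.
SAMPLE_INVENTORY = [
    DataClass("customer-pii",        5, 7,  3, False),
    DataClass("medical-records",     5, 15, 4, True),
    DataClass("marketing-analytics", 1, 1,  2, False),
    DataClass("contracts-archive",   3, 10, 2, False),
]


def mosca_exposed(x, y, z):
    """Mosca inequality: exposed when shelf life + migration time exceeds time-to-CRQC."""
    return x + y > z


def migration_start_deadline_years(x, y, z):
    """Years from now by which migration must START to finish in time (<= 0 means late)."""
    return z - x - y


def hndl_class(item, z):
    """Classify harvest-now-decrypt-later exposure for one data class."""
    if not mosca_exposed(item.shelf_life_years, item.migration_years, z):
        return "safe-margin"
    if item.archived_ciphertext:
        return "hndl-exposed"        # already harvestable; migration alone cannot fix it
    return "migration-deadline"      # not yet captured, but the clock is running


def triage(items, z):
    """Return (name, class, margin) ordered by sensitivity desc, then worst margin first.

    Margin is z - (x + y): negative means exposed. The sort is by risk,
    deliberately not alphabetical.
    """
    rows = []
    for it in items:
        margin = migration_start_deadline_years(it.shelf_life_years, it.migration_years, z)
        rows.append((it.name, hndl_class(it, z), margin, it.sensitivity))
    rows.sort(key=lambda r: (-r[3], r[2]))
    return [(name, cls, margin) for name, cls, margin, _ in rows]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, z=10):
        print(row)
```

With Z = 10 the medical records are already HNDL-exposed (15 + 4 > 10 and ciphertext is archived), the contracts archive has a deadline but is not yet captured, and customer PII sits exactly on the boundary (7 + 3 = 10), which is a zero margin worth treating as a milestone rather than a pass.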

Migration & proof

  1. Assign owners to every quantum-vulnerable finding
  2. Define hybrid TLS rollout plan (ML-KEM + legacy fallback)
  3. Require re-scan verification after each remediation sprint
  4. Export CycloneDX CBOM for CMDB and GRC ingestion
  5. Maintain signed evidence pack for each audit cycle
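A minimal CycloneDX CBOM export for the "Export CycloneDX CBOM" item above, as an added example rather than code from the checklist page or from Qtangl. The inventory record format is hypothetical; the output uses the CycloneDX 1.6 `cryptographic-asset` component type with its `cryptoProperties` object (`assetType`, `algorithmProperties`, `protocolProperties`), which should be validated against the published 1.6 JSON schema before a CMDB or GRC tool ingests it. The `quantum_vulnerable_refs` helper shows why the `nistQuantumSecurityLevel` field matters: level 0 assets are the migration backlog.

```python
"""Build a minimal CycloneDX 1.6 CBOM from a constructed crypto inventory.

Added example, not the page's or Qtangl's code. INVENTORY is hypothetical;
field names follow CycloneDX 1.6 cryptoProperties (validate against the schema).
"""
import json
import uuid

# Constructed inventory: one TLS endpoint plus the algorithms behind it.
INVENTORY = [
    {"kind": "protocol", "name": "tls", "version": "1.3", "host": "api.example.test",
     "cipher_suites": ["TLS_AES_256_GCM_SHA384"]},
    {"kind": "algorithm", "name": "RSA-2048", "primitive": "signature",
     "params": "2048", "pq_level": 0, "use": "code-signing"},
    {"kind": "algorithm", "name": "ML-KEM-768", "primitive": "kem",
     "params": "768", "pq_level": 3, "use": "tls-key-exchange"},
]


def _component(entry):
    """Map one inventory record to a CycloneDX cryptographic-asset component."""
    suffix = entry.get("version", entry.get("params", ""))
    comp = {
        "type": "cryptographic-asset",
        "bom-ref": f"crypto/{entry['kind']}/{entry['name']}@{suffix}",
        "name": entry["name"],
    }
    if entry["kind"] == "algorithm":
        comp["cryptoProperties"] = {
            "assetType": "algorithm",
            "algorithmProperties": {
                "primitive": entry["primitive"],
                "parameterSetIdentifier": entry["params"],
                "nistQuantumSecurityLevel": entry["pq_level"],  # 0 = quantum-vulnerable
            },
        }
        comp["properties"] = [{"name": "usage", "value": entry["use"]}]
    elif entry["kind"] == "protocol":
        comp["cryptoProperties"] = {
            "assetType": "protocol",
            "protocolProperties": {
                "type": entry["name"],
                "version": entry["version"],
                "cipherSuites": [{"name": cs} for cs in entry["cipher_suites"]],
            },
        }
        comp["properties"] = [{"name": "host", "value": entry["host"]}]
    else:
        raise ValueError(f"unsupported inventory kind: {entry['kind']}")
    return comp


def build_cbom(inventory, serial=None):
    """Assemble the CBOM document; serial defaults to a fresh urn:uuid."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": [_component(e) for e in inventory],
    }


def quantum_vulnerable_refs(cbom):
    """bom-refs of algorithm assets at NIST quantum security level 0 (the migration backlog)."""
    refs = []
    for comp in cbom["components"]:
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        if props["algorithmProperties"].get("nistQuantumSecurityLevel", 0) == 0:
            refs.append(comp["bom-ref"])
    return refs


def to_json(cbom):
    return json.dumps(cbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    doc = build_cbom(INVENTORY)
    print(to_json(doc))
    print("quantum-vulnerable:", quantum_vulnerable_refs(doc))
```

Keeping `bom-ref` values stable across scans (here derived from kind, name and parameter set) is what lets the re-scan verification step diff one sprint's CBOM against the next instead of treating every export as new.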

Operations & monitoring

  1. Schedule recurring crypto posture scans (not annual panic)
  2. Alert on new quantum-vulnerable endpoints after deploy
  3. Detect certificate and cipher suite regressions
  4. Track readiness score trend for board reporting
  5. Integrate drift alerts with Slack, email, or SIEM webhooks
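Drift detection between two posture scans, covering the "alert on new quantum-vulnerable endpoints", "detect certificate and cipher suite regressions", "readiness score trend" and "webhook alert" items above. This is an added example, not code from the checklist page or from Qtangl; the snapshot layout (host to TLS minimum version, key-exchange groups, cipher suites, certificate signature algorithm and key size) is a hypothetical format, and the two snapshots are constructed so that each regression type fires once.

```python
"""Crypto posture drift between two constructed scan snapshots.

Added example, not part of the checklist page or Qtangl. Snapshot format is
hypothetical: host -> {tls_min, kex, ciphers, cert_sig, cert_key_bits}.
"""
import json

HYBRID_KEX = {"X25519MLKEM768", "SecP256r1MLKEM768"}     # PQ hybrid key-exchange groups
WEAK_CIPHERS = {"TLS_RSA_WITH_AES_128_CBC_SHA",          # no forward secrecy
                "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
WEAK_CERT_SIG = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
TLS_ORDER = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}

# Constructed "before deploy" and "after deploy" snapshots.
BEFORE = {
    "api.example.test": {"tls_min": "1.2", "kex": ["X25519MLKEM768", "x25519"],
                         "ciphers": ["TLS_AES_256_GCM_SHA384"],
                         "cert_sig": "sha256WithRSAEncryption", "cert_key_bits": 3072},
    "www.example.test": {"tls_min": "1.2", "kex": ["x25519"],
                         "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
                         "cert_sig": "sha256WithRSAEncryption", "cert_key_bits": 2048},
}
AFTER = {
    "api.example.test": {"tls_min": "1.2", "kex": ["x25519"],            # hybrid group dropped
                         "ciphers": ["TLS_AES_256_GCM_SHA384"],
                         "cert_sig": "sha256WithRSAEncryption", "cert_key_bits": 3072},
    "www.example.test": {"tls_min": "1.0",                               # version lowered
                         "kex": ["x25519"],
                         "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                     "TLS_RSA_WITH_AES_128_CBC_SHA"],    # weak suite added
                         "cert_sig": "sha1WithRSAEncryption", "cert_key_bits": 2048},  # sig weakened
    "admin.example.test": {"tls_min": "1.2", "kex": ["x25519"],          # new, classical only
                           "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
                           "cert_sig": "sha256WithRSAEncryption", "cert_key_bits": 2048},
}


def quantum_vulnerable(ep):
    """An endpoint with no hybrid PQ group negotiable is quantum-vulnerable."""
    return not (set(ep["kex"]) & HYBRID_KEX)


def readiness_score(snapshot):
    """Fraction of endpoints offering a hybrid group, rounded for trend reporting."""
    if not snapshot:
        return 0.0
    ok = sum(1 for ep in snapshot.values() if not quantum_vulnerable(ep))
    return round(ok / len(snapshot), 2)


def detect_drift(before, after):
    """Compare snapshots and return a list of {host, kind, severity, detail} findings."""
    findings = []

    def add(host, kind, severity, detail):
        findings.append({"host": host, "kind": kind, "severity": severity, "detail": detail})

    for host, ep in after.items():
        old = before.get(host)
        if old is None:
            if quantum_vulnerable(ep):
                add(host, "new-endpoint-quantum-vulnerable", "high", "no hybrid kex group")
            continue
        if not quantum_vulnerable(old) and quantum_vulnerable(ep):
            add(host, "pqc-regression", "high", "hybrid kex group removed")
        new_weak = (set(ep["ciphers"]) - set(old["ciphers"])) & WEAK_CIPHERS
        if new_weak:
            add(host, "cipher-regression", "medium", ",".join(sorted(new_weak)))
        if TLS_ORDER[ep["tls_min"]] < TLS_ORDER[old["tls_min"]]:
            add(host, "tls-version-regression", "medium", f"{old['tls_min']} -> {ep['tls_min']}")
        sig_weaker = ep["cert_sig"] in WEAK_CERT_SIG and old["cert_sig"] not in WEAK_CERT_SIG
        if sig_weaker or ep["cert_key_bits"] < old["cert_key_bits"]:
            add(host, "cert-regression", "medium", f"{old['cert_sig']}/{old['cert_key_bits']} -> "
                                                   f"{ep['cert_sig']}/{ep['cert_key_bits']}")
    return findings


def webhook_payload(findings, score_before, score_after):
    """JSON body for a Slack/email/SIEM webhook; structure is an assumption."""
    return json.dumps({
        "readiness": {"before": score_before, "after": score_after},
        "finding_count": len(findings),
        "findings": findings,
    })


if __name__ == "__main__":
    found = detect_drift(BEFORE, AFTER)
    print(webhook_payload(found, readiness_score(BEFORE), readiness_score(AFTER)))
```

Running this over the two constructed snapshots reports one finding of each kind and a readiness score that falls from 0.5 to 0.0, which is the signal the recurring scan is meant to surface right after the deploy rather than at the next annual review.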