Every credible post-quantum migration plan starts with the same uncomfortable admission: most enterprises do not know where their cryptography lives. Keys, certificates, algorithms and protocols are embedded in applications, firmware, containers, scripts and third-party services accumulated over decades. You cannot migrate what you cannot see, which is why a Cryptographic Bill of Materials, or C-BOM, has become the essential first deliverable of any quantum-readiness programme.

A C-BOM is an organised inventory of every cryptographic algorithm, key, certificate, library and protocol in use across your systems, modelled on the now-familiar Software Bill of Materials. The encouraging news is that building a useful first version is a scoped, achievable project. This is a practical 90-day plan to get there.

Why a C-BOM, and why now

The urgency is twofold. NIST published its post-quantum standards in 2024, and guidance now points to deprecating RSA and elliptic-curve algorithms for new systems around 2030 and disallowing them by 2035. Meanwhile, "harvest now, decrypt later" means data encrypted today with classical algorithms can be captured now and broken once a cryptographically relevant quantum computer exists. The migration clock is already running.

A C-BOM is the foundation that makes migration manageable. It consolidates discovered assets into a structured inventory, reduces blind spots, and gives security leaders the visibility to prioritise. CISA guidance already encourages organisations to automate the collection of cryptographic characteristics and report their crypto inventory regularly; a C-BOM operationalises exactly that expectation.

There is a strategic point worth making to the board as well. A C-BOM is not only a quantum-migration tool; it is a cryptographic risk register that pays for itself long before Q-Day.
The same inventory that flags quantum-vulnerable algorithms also surfaces expired certificates, weak key sizes, deprecated protocols and unmanaged trust anchors, the everyday crypto debt that causes outages and audit failures today. Framed that way, the 90-day investment earns its keep immediately and positions the organisation for the transition ahead.

Days 1–30: Discover

The first month is about breadth. The goal is to find cryptography everywhere it hides, not to perfect the catalogue yet. Deploy scanners that identify cryptographic usage across binaries, containers, firmware and infrastructure-as-code templates, and pull certificate data from your CA, load balancers, key stores and endpoints. Combine automated discovery with structured interviews of application and platform owners, because some cryptography lives in configuration and vendor integrations that scanners miss. By day 30 you should have a raw, deliberately over-inclusive map of where cryptographic assets exist.

Days 31–60: Inventory and classify

The second month turns raw findings into a structured C-BOM. For each asset, capture the attributes that decision-making will need.

- Algorithms and key sizes in use, and the protocols and versions that rely on them.
- Certificates and trust anchors, including issuer, expiry and where each is deployed.
- Keys and secrets metadata, such as type, location and ownership, without exposing the secrets themselves.
- Usage context, the application or service, its data sensitivity, and its exposure.

Adopt a standard format such as CycloneDX, which supports cryptographic asset modelling, so the C-BOM integrates with existing tooling and stays machine-readable. Classification is where the inventory becomes actionable: tag each asset as quantum-vulnerable, transitional or quantum-safe.

Days 61–90: Prioritise and plan

The final month converts the inventory into a roadmap.
Not all cryptography carries equal risk, so prioritise by a simple matrix: data sensitivity and longevity against quantum vulnerability and migration difficulty. Long-lived secrets protecting high-value data with vulnerable algorithms rise to the top; short-lived, low-exposure assets can wait. From that ranking, produce a phased migration plan with owners and timelines, and crucially, build crypto-agility into the target state so future algorithm changes do not require another full discovery exercise. Establish the C-BOM as a living artifact, regenerated continuously through CI/CD and asset-management integration rather than a one-off snapshot.

From inventory to ongoing trust

A C-BOM delivered in 90 days is not the finish line; it is the control plane for everything that follows. With visibility established, an enterprise can migrate in priority order, demonstrate progress to regulators, and respond quickly when standards evolve. The organisations that will navigate the post-quantum transition calmly are not the ones with the most cryptographers; they are the ones that can answer, on any given day, exactly what cryptography they run and where.

eMudhra's emCA and CertiNext support this lifecycle directly, automating certificate discovery, issuance and renewal so the cryptographic inventory stays current and the path to a quantum-safe estate stays under control.

About the Author

eMudhra Limited

eMudhra Editorial represents the collective voice of eMudhra, providing expert insights on the latest trends in digital security, cryptographic identities, and digital transformation.
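
The classification step from "Days 31–60" and the prioritisation matrix from "Days 61–90", worked through as an added example; this is not eMudhra's tooling and not code from the original article. The algorithm families, the reading of "transitional" as a hybrid classical-plus-PQC scheme, the scoring weights, the longevity bands, the tie-break on difficulty and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed algorithm families (illustrative); extend to match your own inventory.
VULNERABLE = ("RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519")
SAFE = ("ML-KEM", "ML-DSA", "SLH-DSA", "AES-256", "SHA-384", "SHA-512")
# Assumed weights: unreviewed algorithms are treated as vulnerable.
WEIGHT = {"quantum-vulnerable": 3, "unknown": 3, "transitional": 1, "quantum-safe": 0}

@dataclass
class Asset:
    name: str             # service or system where the crypto is deployed
    algorithm: str        # "+" joins the parts of a hybrid scheme
    sensitivity: int      # 1 (low) .. 3 (high-value data)
    longevity_years: int  # how long the protected data must stay secret
    difficulty: int       # 1 (config change) .. 3 (firmware or vendor dependency)

def _in_family(part: str, families: tuple) -> bool:
    return any(part == f or part.startswith(f + "-") for f in families)

def classify(algorithm: str) -> str:
    parts = [p.strip().upper() for p in algorithm.split("+")]
    vuln = [_in_family(p, VULNERABLE) for p in parts]
    safe = [_in_family(p, SAFE) for p in parts]
    if not all(v or s for v, s in zip(vuln, safe)):
        return "unknown"              # not in either table: needs a human decision
    if any(vuln) and any(safe):
        return "transitional"         # assumption: hybrid classical + PQC
    return "quantum-vulnerable" if any(vuln) else "quantum-safe"

def exposure(asset: Asset) -> int:
    # Assumed longevity bands: under 5 years, 5 to 9 years, 10 years or more.
    band = 1 if asset.longevity_years < 5 else 2 if asset.longevity_years < 10 else 3
    return asset.sensitivity * band * WEIGHT[classify(asset.algorithm)]

def rank(assets):
    # Highest exposure first; harder migrations first on ties (assumption).
    ordered = sorted(assets, key=lambda a: (-exposure(a), -a.difficulty, a.name))
    return [(a.name, classify(a.algorithm), exposure(a)) for a in ordered]

INVENTORY = [  # constructed sample inventory, not real systems
    Asset("vpn-gateway", "RSA-2048", 3, 15, 2),
    Asset("build-signing", "ECDSA-P256", 2, 2, 1),
    Asset("edge-tls", "X25519+ML-KEM-768", 3, 10, 1),
    Asset("backup-archive", "AES-256", 3, 20, 1),
    Asset("legacy-hsm-app", "3DES", 2, 7, 3),
]

if __name__ == "__main__":
    print(*rank(INVENTORY), sep="\n")
```

Entries that come back as "unknown" are scored like vulnerable ones so that anything the tables do not cover is surfaced for review rather than silently ranked last.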