What is the CSA Quantum Readiness Index (QRI)?

The CSA Quantum Readiness Index is a maturity model published by the Cloud Security Alliance for measuring an organization preparedness for the post-quantum cryptography transition. It scores five domains — Governance, Risk Assessment, Technology, Training and Capability, and External Engagement — on a five-level scale from L0 (Unaware) to L4 (Optimized).

How long does the QuantumSecure Assessment take?

The self-service assessment takes 30–45 minutes for a security or risk leader to complete. A facilitated workshop format with multiple stakeholders typically runs 90 minutes and produces higher-fidelity scores because it surfaces disagreement across functions.

Is the assessment really free?

Yes. The CSA QRI Assessment is free with no signup paywall. You receive a maturity score per domain, a heatmap, and a baseline remediation plan. The Discovery, Migration, and Certificate Authority products require paid plans.

What do the QRI maturity levels mean?

L0 Unaware: no quantum risk awareness. L1 Aware: leadership recognizes the risk but no program exists. L2 Defined: policies and an inventory are in motion. L3 Managed: active migration program with measurable KPIs. L4 Optimized: continuous crypto-agility, hybrid PQC in production, and quantitative risk reporting to the board.

How does QRI relate to NIST and CNSA guidance?

QRI is a maturity model; NIST FIPS 203/204/205 and CNSA 2.0 are the algorithmic and timeline standards QRI measures progress against. A higher QRI level corresponds to deeper alignment with NIST PQC standards and faster compliance with CNSA 2.0 deadlines.

L1Assess — Layer 1 of the platform

Quantum Readiness Assessment

Forty questions across five domains. Ten minutes of your time. A board-ready CSA Quantum Readiness Index score (L0–L3) and a prioritised, costed action plan you can hand to your CISO.

CSA QRI L0–L35 domains × 8 questionsPDF + JSON exportNo data leaves your tenant

Sample artefact

Overall posture

GovernanceL2

Risk AssessmentL1

TechnologyL1

Training & CapabilityL0

External EngagementL1

Sample executive summary: 3 quick wins identified, estimated 90 days to L2.

Who it's for

CISOs who need a board-ready quantum risk answer
Security architects scoping a PQC migration
GRC teams aligning to CSA / NIST guidance
Anyone preparing for regulator questions on PQC

What you get

Per-domain L0–L3 score and weighted average
Heatmap by domain with reasoning
Prioritised action plan (HIGH / MEDIUM / LOW)
L2 / L3 / L4 handoff hints for each action
PDF executive summary, JSON for API consumption

How it works

Step 1

Answer the questionnaire

Five domains, eight questions each. Pick one of four options per question (L0 = "we have not started"; L3 = "we are ahead of regulators").

Step 2

Get scored against CSA QRI

Each question is weighted; each domain gets an L0–L3 level. Overall posture is the floor across domains so weak areas surface, not average away.

Step 3

Hand the plan to your CISO

Prioritised actions with effort bands and explicit handoffs into L2 (Discovery), L3 (Migration), or L4 (CA) for one-click follow-through.