PUBLISHER: IDC | PRODUCT CODE: 2086867
PUBLISHER: IDC | PRODUCT CODE: 2086867
This IDC Market Perspective discusses the need for third-party post-quantum readiness. The quantum threat to enterprise data security is not a future risk - it is a present, compounding threat across two dimensions. Harvest now, decrypt later (HNDL) attacks are collecting encrypted data today for retroactive decryption. Trust now, forge later (TNFL) - introduced by IDC as the authentication-layer counterpart to HNDL - describes adversaries harvesting signed artifacts currently to retroactively forge provenance records that organizations and regulators cannot distinguish from authentic ones. With NIST finalizing three PQC standards in August 2024, CISA issuing federal procurement guidance in January 2026, and NIST IR 8547 proposing to deprecate and ultimately disallow quantum-vulnerable asymmetric algorithms by 2030 and 2035, respectively, the regulatory landscape has converted migration from a planning exercise into a compliance obligation.This document is part 1 of a two-part IDC Market Perspective series. It establishes the strategic and threat context for PQC readiness in third-party risk management - including the HNDL and TNFL threat dimensions, Mosca's inequality prioritization framework, emerging Quantum Security Posture Management and Quantum TRiSCM operating models, and the five quantum governance dimensions and trust KPIs that mature programs are adopting. Quantum Risk Is Already Here: A Provider's Guide to Demonstrating Third-Party Cryptographic Readiness Before Q-Day, Part 2 - Assessment Framework and Deployment Guide (IDC #US54672326, forthcoming) delivers the complete 48-question Third-Party Quantum Encryption Readiness Assessment Framework. Providers that cannot demonstrate a credible migration posture across both encryption and authentication now risk material findings before formal mandates arrive."Two clocks are running simultaneously for every technology provider. The first is the HNDL clock; data encrypted currently under quantum-vulnerable algorithms is potentially readable within a decade, and it cannot be re-encrypted retroactively. The second is the TNFL clock: every artifact signed currently under a quantum-vulnerable key extends the attack surface that adversaries will exploit once quantum computers have advanced to the point of breaking standard encryption. Neither clock can be paused. The only rational response is to treat PQC migration not as a future project but as the most time-sensitive infrastructure program your organization has ever run - and to build the governance, inventory, and crypto-agility foundations before your customers ask for them," says Philip D. Harris, CISSP, CCSK, research director, Governance, Risk, and Compliance Solutions at IDC.