The Applied Quantum PQC Migration Framework is an open-access, practitioner-grounded methodology for planning and executing enterprise-wide post-quantum cryptography migration. Built from real programs — not theory — it provides the complete lifecycle from securing executive mandate through sustained crypto-agility, with sector-specific extensions for the industries facing the greatest complexity.

Licensed under CC BY 4.0. Free to use, adapt, and share — including for commercial purposes — with attribution to Marin Ivezic and Applied Quantum.

THE APPLIED QUANTUM PQC MIGRATION FRAMEWORK


Universal Framework

The Applied Quantum
PQC Migration Framework & Methodology

An open-access, practitioner-grounded methodology covering the complete 8-phase PQC migration lifecycle — from securing executive mandate and building cryptographic inventories through CBOM documentation, risk-prioritized roadmaps, hybrid pilots, infrastructure modernization, and vendor governance.

Includes a maturity model, metrics and KPIs, crypto-agility architecture guidance, regulatory and standards mapping, skills and team structure, and sector adaptation notes. Applicable to any industry.

Version 1.1  ·  March 2026  ·  Marin Ivezic / Applied Quantum  ·  CC BY 4.0

Download Framework PDF →

Sector-Specific Guidance

Framework Extensions


Financial Services Extension

Sector Extension

Financial Services

Phase-by-phase adaptations for payments, banking, and capital markets — addressing HNDL urgency on cross-border flows, HSM migration constraints, PCI DSS v4.0 requirements, and interbank payment complexity.

Download PDF →


Telecommunications Extension

Sector Extension

Telecommunications

Guidance for mobile operators, fixed-line carriers, and converged network providers — covering 5G-AKA, roaming interfaces, GSMA PQ.01–PQ.07 alignment, lawful intercept, vendor concentration, and 3GPP dependencies.

Download PDF →


OT and Critical National Infrastructure Extension

Sector Extension

OT & CNI

Adaptations for energy, utilities, water, transportation, etc. — addressing 15–25 year equipment lifecycles, safety-case recertification, ICS/SCADA constraints, and gateway-based PQC deployment.

Download PDF →


Government and Defense Extension

Sector Extension

Government & Defense

Framework adaptations for federal agencies, defense departments, intelligence organizations, and defense industrial base contractors — covering CNSA 2.0 milestones, NSM-10, FedRAMP/FIPS, etc.

Download PDF →

Framework Architecture

8-Phase Lifecycle with Cross-Cutting Foundations

The framework organizes PQC migration into eight phases — from establishing the executive mandate through continuous vendor governance — supported by five foundational capabilities that run across the entire program. Earlier phases cascade into later ones, while Phases 5 and 6 run iteratively in parallel and Phase 7 operates continuously from day one.

0
Executive Mandate & Business Case
budget · authority · charter
1
Discovery & Inventory
crypto inventory · asset map
2
CBOM & Documentation
MV-CBOM · queryable records

3
Risk Scoring & Prioritization
prioritized migration backlog
4
Roadmap & Governance
multi-year plan · PMO · gates

5
Pilots & Migration
6
Infrastructure & Performance

7
Vendor & Supply Chain Governance
Starts Q1 Year 1 — runs continuously as a permanent governance function

Program Foundations
Capabilities that span every phase — established early, maintained throughout
Maturity Model
Metrics & KPIs
Crypto-Agility
Regulatory Mapping
Skills & Teams

Getting Started

90-Day Quick Start

You don’t need to complete the full framework to begin. The first 90 days establish the foundation that every subsequent phase builds on.

Month 1
Mobilize
Identify executive sponsor
Draft initial business case
Map regulatory obligations
Identify top 20 critical systems
Identify top 10 vendor dependencies

Month 2
Discover
Deploy cryptographic discovery on 3–5 highest-priority systems
Begin Tier-1 vendor outreach
Start building initial CBOM
Assess PKI root CA landscape
Launch team training program

Month 3
Plan
Complete initial scoping assessment
Present findings and business case to board / risk committee
Secure multi-year budget
Establish SteerCo and governance
Define Year 1 roadmap
Ecosystem

Resources & Related Projects

The framework is part of a broader ecosystem of publications, tools, services, and community — all focused on helping organizations navigate the quantum transition.

Quantum Ready

The practitioner’s complete guide to PQC migration — the book companion to this framework. A step-by-step roadmap for CISOs, security architects, and program managers leading the transition to quantum-safe cryptography.

quantumready.com →

Quantum Sovereignty

Strategic leadership in the quantum era — the companion book for policymakers, executives, and board directors. Covers the geopolitical, economic, and national security dimensions of quantum technology.

quantumsovereignty.org →

SANS SEC529

Quantum Security Readiness for Executives — a 1-day, instructor-led SANS course for CISOs and security leaders. Covers the quantum threat, organizational readiness, and building the business case for PQC migration.

View course →

PostQuantum.com

Marin’s personal blog on quantum security with over 1 million monthly readers. In-depth practitioner analysis covering PQC migration, cryptographic inventory, CBOM, hybrid deployment, vendor governance, and sector deep dives.

postquantum.com →

Q-Day.org

Cutting through the hype around Q-Day — the moment quantum computers can break today’s cryptography. Features a transparent CRQC readiness estimator, timeline predictions, and curated analysis from PostQuantum.com.

q-day.org →

Quantum Security Community

A community uniting experts and practitioners around PQC, Q-Day timelines, quantum-safe architectures, and crypto-agility. Join via Slack, discussion forums, and in-person and online events worldwide.

quantum.security →

Applied Quantum

Research-driven professional services firm focused entirely on quantum technologies — from quantum computing and systems integration to strategy, sovereignty advisory, and quantum-safe security across all sectors.

appliedquantum.com →

Secure Quantum

Applied Quantum’s security-focused practice. Hands-on services including PQC readiness assessments, cryptographic inventory and CBOM, crypto-agility consulting, hybrid implementation, quantum risk assessment, and regulatory advisory.

securequantum.com →

PQC Framework

This site — the dedicated home for the Applied Quantum PQC Migration Framework. Download the universal framework and sector extensions, explore the methodology, and find supporting materials.

pqcframework.com →