License

Creative Commons Attribution 4.0 International (CC BY 4.0)

The Applied Quantum PQC Migration Framework — including the Universal Framework, all sector-specific extensions, and the Quick Start Guide — is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0).

This means the framework is free to use, adapt, and share — including for commercial purposes — with appropriate attribution.

You are free to

•  Share — copy and redistribute the material in any medium or format, for any purpose, including commercial

•  Adapt — remix, transform, and build upon the material for any purpose, including commercial

Under the following terms

•  Attribution — You must give appropriate credit to Marin Ivezic and Applied Quantum, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.

•  No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

Suggested attribution

Based on the Applied Quantum PQC Migration Framework by Marin Ivezic / Applied Quantum, available at PQCframework.com. Licensed under CC BY 4.0.

Provenance and publication history

The Applied Quantum PQC Migration Framework is the original work of Marin Ivezic, founder and CEO of Applied Quantum. It draws on 25+ years of cryptography and quantum security experience, including leading PQC migration programs with 120,000+ discrete tasks for telecommunications operators and financial institutions.

The initial draft (v0.1) was published in March 2023. For the next two years, the methodology was tested and refined through real-world migration engagements before the first full public release (v1.0) in June 2025.

| Version | Date | Scope |
|---|---|---|
| 0.1 | March 2023 | Initial draft, developed and tested through practitioner engagements over two years |
| 1.0 | June 2025 | First full public release: 8-phase lifecycle, cross-cutting sections, 5 appendices |
| 1.1 | March 2026 | 40+ updates. Four sector extensions published: Financial Services, Telecommunications, Government & Defense, Critical National Infrastructure/OT |
| 2.0 | June 2026 | Major revision: Two-Track Migration Model, PKI Architecture Evolution, Deployment Environment Classification, Cost Estimation Methodology, Deployment Ecosystem Status. Five sector extensions (added: Payments). Quick Start Guide. |

Comprehensive surveys of the global PQC migration framework landscape, published alongside each major release, are available at PQCFramework.com/research. These surveys catalogue every known PQC framework, methodology, and guidance document worldwide and assess their operational depth.

What this framework introduced

When v1.0 was published in June 2025, a systematic survey catalogued over 80 published PQC frameworks from governments, standards bodies, consulting firms, and vendors across 25+ countries. The survey’s own conclusion states that organizations must typically combine four or five separate frameworks — a government-mandated timeline, the PQCC or Dutch Handbook methodology, automated discovery tools, and sector-specific prioritization guidance — to assemble a coherent migration program, because no single published framework covered the full lifecycle at operational depth.

The Applied Quantum PQC Migration Framework is the first published methodology that covers the complete PQC migration lifecycle in a single integrated framework — from executive mandate, business case development, and cost estimation through cryptographic discovery, CBOM documentation, risk prioritization, multi-year program governance, hybrid deployment patterns, PKI architecture evolution, infrastructure performance analysis, and vendor supply chain management — with dedicated sector extensions, an integrated maturity model, metrics and KPIs, and a quick start guide. No other published framework matches this scope at operational depth.

The June 2026 survey update, conducted for the v2.0 release, reviews additional frameworks published since and confirms this assessment.

Beyond this integrated scope, the framework introduced specific concepts and methodological innovations that did not exist in any published PQC migration guidance prior to their publication here:

  • The Minimum Viable CBOM model — a 4-layer architecture-first approach to cryptographic documentation that rejects the completeness trap. The survey found that other frameworks either omit CBOM methodology entirely or assume comprehensive discovery is a prerequisite, an approach that stalls programs at Phase 2.
  • Law on Crypto-Agility (Y ≈ K / A) — a concise heuristic expressing the inverse relationship between migration effort, estate complexity, and built-in agility. While the survey found that crypto-agility is “universally emphasized” across frameworks, none offer a comparable shorthand for communicating the concept to executives or setting program targets.
  • The TNFL (Trust Now, Forge Later) framing — the risk that quantum computers will compromise digital signatures is well understood in cryptography, but this framework introduced the specific “Trust Now, Forge Later” terminology and the paired HNDL/TNFL taxonomy that treats confidentiality and authentication as distinct risk categories requiring different migration approaches.
  • Risk-driven discovery scoping — a formalized alternative to “inventory everything” that prioritizes high-value data, critical services, and exposed interfaces. The survey found that most frameworks default to comprehensive inventory without practical scoping methodology.
  • Cost estimation methodology for PQC migration — the survey explicitly found that cost estimation is “almost entirely absent” across the global framework landscape. This framework provides structured cost estimation guidance at both the program and phase level.
  • Sector-specific extensions with operational depth across five industries — dedicated extensions for Financial Services, Telecommunications, Government & Defense, Critical National Infrastructure/OT, and Payments. Some sector-specific guidance existed before this framework (notably GSMA PQ.01–PQ.03 for telecoms), but the survey found that operational guides are “essentially nonexistent” for most industries and that OT/ICS-specific migration guidance is limited to two documents globally, neither providing step-by-step methodology. No other framework provides extensions across this breadth of sectors in a single integrated methodology.
  • A maturity model integrated with phase progression — the survey found that formal PQC maturity models are “scarce,” with only four published globally (PKI Consortium PQCMM, Deloitte CSF 2.0 Profile, Accenture QSMI, and Entrust). This framework’s 5-level model is distinct in mapping directly to migration phases with concrete indicators at each level, serving as both self-assessment tool and progress tracker tied to the methodology.
  • The Two-Track Migration Model (v2.0) — separating key exchange migration (driven by HNDL exposure) and signature/authentication migration (driven by TNFL risk and PKI evolution) as parallel tracks with different urgency drivers, deployment patterns, and infrastructure dependencies.
  • Deployment Environment Classification (v2.0) — a classification system for mapping migration approaches to real infrastructure environments, anchored by the FIPS 140-3 validation gap as a hard deployment constraint for regulated organizations.
  • PKI Architecture Evolution with a definitive position on Merkle Tree Certificates (v2.0) — where the survey notes that “post-quantum authentication remains an unsolved challenge at web scale,” this framework takes an explicit position on the MTC path rather than deferring with “monitor and wait.”
  • Vendor governance as the primary external constraint — the survey found that supply chain and third-party cryptography management receives “only superficial treatment in most frameworks.” Vendor dependency is treated here as the single most significant variable an organization cannot control, with dedicated assessment templates, RFP clauses, and governance cadences.
  • Q-Day reframed as a confidence crisis — the analytical framing of Q-Day as a systemic trust collapse rather than a technical outage, with distinct implications for how organizations prepare.

These concepts, their specific terminology, and the framework’s overall structure are matters of public record with a dated publication history going back to March 2023. The survey evidence documenting their absence from prior frameworks is published and independently verifiable.

What attribution requires in practice

CC BY 4.0 is one of the most permissive open licenses in existence. It permits commercial use, derivative works, and redistribution without restriction. It imposes a single binding condition: attribution. This is not a courtesy or a suggestion. It is the legal requirement that makes the license valid.

Proper attribution means:

1.  Credit Marin Ivezic and Applied Quantum as the original authors

2.  Provide a link to PQCFramework.com or the license

3.  Indicate what changes were made (if any)

4.  Do not add restrictions that prevent others from using the original

An organization that uses this framework, credits it, and extends it with its own expertise or client-specific adaptations is doing exactly what the license intends. That use strengthens the broader PQC migration effort and is encouraged.

An organization that takes this framework, removes the attribution, adds its own branding, and presents it to clients as proprietary methodology has violated the license in two ways: removing the required attribution, and applying additional restrictions that CC BY 4.0 explicitly prohibits.

Adding a proprietary copyright notice to derivative work based on CC BY 4.0 material while stripping the original attribution does not convert that work into proprietary intellectual property. The original license terms follow the work.

A note to organizations evaluating PQC migration consulting

If your consulting firm has presented a PQC migration framework as part of an engagement proposal or program plan, you may want to compare it against this publicly available framework.

Indicators that a consulting framework may be derived from this one:

•  An 8-phase lifecycle with phases matching or closely paralleling Phases 0–7 described here

•  Use of terms originated in this framework: “Minimum Viable CBOM,” crypto-agility expressed as Y ≈ K / A, “Trust Now, Forge Later,” “risk-driven discovery scoping,” “Deployment Environment Classification,” or “Two-Track Migration Model”

•  Cost estimation methodology, maturity model structures, or vendor governance frameworks that follow the same logic and sequence — particularly where the framework survey documents these as absent from other published guidance

•  Sector extensions for Financial Services, Telecommunications, Government & Defense, Critical Infrastructure/OT, or Payments with structures that track this framework’s published extensions

•  A “Q-Day as confidence crisis” framing, HNDL/TNFL as a paired threat taxonomy, or phase structures that replicate this framework’s specific sequencing and interdependency model

This framework was first drafted in March 2023 and first published in full in June 2025. Many of its distinctive concepts and methodological contributions have no precedent in prior PQC migration guidance, as documented in the published framework surveys.

If a firm has adapted this framework and credited it properly, that reflects well on their judgment. Effective PQC programs will draw on multiple public resources, and that is exactly the kind of use CC BY 4.0 encourages.

If a firm is presenting this framework’s structure and original concepts as proprietary work without attribution, you should know that the same methodology is available here at no cost, in its original and most current form, maintained by the practitioner who developed it from real program experience.

Ask your consulting firm whether their framework builds on publicly available methodologies, and which ones. You are better served by consultants who are transparent about their sources than by firms presenting repackaged open-source work as proprietary innovation.

Disclaimer

The framework is provided as-is, without warranty of any kind, express or implied. It does not constitute legal, regulatory, or professional advice. Organizations should seek qualified professional guidance for their specific circumstances.

The licensor does not waive any rights or authorize any use beyond what is permitted by this license. For the full legal text, see CC BY 4.0 Legal Code.