The PQC Migration Framework Is Free. Attribution Is Not Optional.
I published the Applied Quantum PQC Migration Framework under CC BY 4.0 for a simple reason: the PQC migration problem is too urgent and too consequential to gate behind proprietary restrictions. Every organization running classical cryptography needs to migrate. Most are behind schedule. The last thing this effort needs is for executable migration guidance to sit locked in consulting firms’ SharePoint folders, available only to clients who can pay six- or seven-figure engagement fees.
So the framework is free. All of it. The 8-phase lifecycle, the five sector extensions for Financial Services, Telecommunications, Government & Defense, Critical National Infrastructure/OT, and Payments, the Quick Start Guide, the maturity model, the cost estimation methodology, the templates, the decision frameworks. Free to read, free to use, free to adapt, free to build on commercially. That was a deliberate choice, and I stand behind it.
CC BY 4.0 asks for one thing in return: credit the source.
What this framework introduced
I need to establish something before I get to the point of this article, because it matters for what follows.
I started drafting this methodology in early 2023, and the initial version (v0.1) was published in March of that year. For the next two years, I tested and refined it through real PQC migration engagements, including programs with 120,000+ discrete tasks for telecoms and financial institutions. Version 1.0 was published in June 2025. Version 1.1 followed in March 2026. Version 2.0, published this month, is the current release.
At each major release, I published a comprehensive survey of the global PQC migration framework landscape. The March 2026 survey catalogued over 80 published PQC frameworks from governments, standards bodies, consulting firms, and vendors across 25+ countries. The June 2026 update reviews additional frameworks published since. These surveys are publicly available at PQCFramework.com/research and anyone can verify the claims I’m about to make.
The survey’s own conclusion states that organizations must typically combine four or five separate frameworks — a government-mandated timeline, the PQCC or Dutch Handbook methodology, automated discovery tools, and sector-specific prioritization guidance — to assemble a coherent migration program. The reason is that no single published framework covered the full lifecycle at operational depth.
The Applied Quantum PQC Migration Framework is the first published methodology that does. It covers the complete PQC migration lifecycle in a single integrated framework: executive mandate, business case development, and cost estimation; cryptographic discovery and CBOM documentation; risk prioritization and multi-year program governance; hybrid deployment patterns and PKI architecture evolution; infrastructure performance analysis and vendor supply chain management; with five sector-specific extensions, an integrated maturity model, metrics and KPIs, and a quick start guide. No other published framework matches this scope. The June 2026 survey update confirms that assessment.
That scope alone makes the provenance of this framework clear. But the framework also introduced specific concepts and methodological innovations that did not exist in any published PQC migration guidance before they appeared here:
The Minimum Viable CBOM model, a 4-layer architecture-first approach to cryptographic documentation. Other frameworks either omit CBOM methodology entirely or assume comprehensive discovery as a prerequisite, an approach that I have watched stall programs for months.
Law on Crypto-Agility (Y ≈ K / A), a concise heuristic expressing the inverse relationship between migration effort and built-in agility. The survey found that crypto-agility is “universally emphasized” across frameworks, but none offer a comparable shorthand for communicating the concept to executives or setting program targets.
The TNFL (Trust Now, Forge Later) framing, which names and pairs the authentication-side quantum threat alongside the established HNDL model. The risk that quantum computers will compromise digital signatures is well understood in cryptography, but this framework introduced the specific terminology and the paired HNDL/TNFL taxonomy that treats confidentiality and authentication as distinct risk categories requiring different migration approaches.
Risk-driven discovery scoping as a formalized alternative to “inventory everything.” Most frameworks default to comprehensive cryptographic inventory without any practical scoping methodology for where to start and what to defer.
Cost estimation methodology for PQC migration. The survey explicitly found that cost estimation is “almost entirely absent” across the global framework landscape. Without cost models, CISOs cannot build credible budget requests and programs cannot get funded.
Sector-specific extensions with operational depth across five industries. Some sector-specific guidance existed before this framework (notably GSMA PQ.01–PQ.03 for telecoms), but the survey found that operational guides are “essentially nonexistent” for most industries and that OT/ICS-specific migration guidance is limited to two documents worldwide, neither providing step-by-step methodology. No other framework provides dedicated extensions across Financial Services, Telecommunications, Government & Defense, Critical Infrastructure/OT, and Payments in a single integrated methodology.
A maturity model integrated with phase progression. The survey found that formal PQC maturity models are “scarce,” with only four published globally (PKI Consortium PQCMM, Deloitte CSF 2.0 Profile, Accenture QSMI, and Entrust). This framework’s 5-level model is distinct in mapping directly to migration phases with concrete indicators at each level, providing both a self-assessment tool and a progress tracker tied to the methodology.
In v2.0, the framework added the Two-Track Migration Model separating key exchange and signature/authentication as parallel migration tracks, Deployment Environment Classification anchored by the FIPS 140-3 validation gap, and a definitive position on Merkle Tree Certificates for public Web PKI where the survey notes that “post-quantum authentication remains an unsolved challenge at web scale.”
There are additional original contributions (the “Q-Day as confidence crisis” reframing, the vendor governance emphasis that the survey confirms receives “only superficial treatment” in other frameworks, the quarter-by-quarter Year 1 plan), but the point is made. This is not a collection of minor additions to established guidance. It is a complete, integrated methodology with a substantial body of original concepts, built from real program experience, documented with a publication timeline going back to March 2023. The survey evidence establishing the absence of these contributions from prior guidance is published and independently verifiable.
I am spelling this out because it matters for what comes next.
The problem
Several consulting firms have taken this framework, removed my name and Applied Quantum’s attribution, made minimal or cosmetic changes, and presented it to their clients as their own proprietary methodology. Some have added their own copyright notices. Some restrict further redistribution.
Every one of these actions violates the license under which the work was made available.
CC BY 4.0 is one of the most permissive licenses in existence. It permits commercial use and derivative works without restriction. It asks for one thing: attribution. A firm that strips that attribution has not “developed a framework.” It has taken someone else’s published work and put its own name on it. When that work contains original concepts, original terminology, and original methodological contributions that are documented and dated, the provenance is not a matter of opinion.
Adding a proprietary copyright notice while removing the original attribution is worse. CC BY 4.0 explicitly prohibits applying legal terms that restrict others from doing what the license permits. Converting openly licensed work into a proprietary document violates both the attribution requirement and the no-additional-restrictions clause.
To be direct: I have no objection to consulting firms using this framework with their clients. That was the entire point of publishing it the way I did. A firm that credits the source, extends the methodology with its own sector expertise, and adds value through implementation support is doing exactly what the license encourages. Several firms are doing this well, and their clients benefit from it.
My objection is specific: removing the attribution, claiming original concepts as your own, and charging clients a premium for methodology they could access freely with proper context. That is misrepresentation of authorship, and in the case of the original contributions listed above, it is misrepresentation of intellectual origin.
What this means if you are evaluating PQC migration consulting
If your consulting firm has presented a PQC migration framework as part of an engagement, I’d encourage you to compare it against the published framework before making decisions.
Some things to look for:
An 8-phase lifecycle with phases that match or closely parallel Phases 0 through 7.
Use of specific terminology that originated here: “Minimum Viable CBOM,” crypto-agility expressed as Y ≈ K / A, “Trust Now, Forge Later,” “risk-driven discovery scoping,” “Two-Track Migration Model,” “Deployment Environment Classification.”
Cost estimation methodology, maturity model structures, or vendor governance frameworks that follow the same logic, particularly where the published survey documents these as absent from other guidance.
Sector extensions whose structures track this framework’s published extensions.
If their framework credits this one, that is good practice. Effective PQC migration programs will draw on multiple public resources, and transparency about sources is a mark of competence.
If their framework does not credit any external sources and bears a strong resemblance to this one, consider what you are paying for. The same methodology is available at PQCFramework.com at no cost, in its original and most current form, maintained by the practitioner who developed it. Your consulting budget may be better spent on firms that add genuine implementation expertise on top of openly available methodology rather than on firms that repackage it.
Ask a simple question: does your PQC migration framework build on any publicly available methodologies? If so, which ones? Firms confident in their own contributions will answer without hesitation.
What good adoption looks like
The best use of this framework is by organizations that take it, adapt it to their specific environment, and build working programs from it. Some do this internally. Some work with consultants who bring implementation expertise, project management capability, and hands-on experience that a written framework cannot provide. Either path works.
Consulting firms add real value when they bring something beyond the methodology itself: deep knowledge of a client’s technology stack, experience running similar migrations, relationships with vendors and regulators, and the operational capacity to execute at scale. A firm that openly credits this framework and then demonstrates why their team is the right one to help implement it is making an honest case.
I published this framework openly because the PQC migration problem is larger than any single firm. Thousands of organizations need to migrate. The more widely good methodology is available, the better the outcomes will be for everyone.
CC BY 4.0 makes that possible. All it requires is that the chain of attribution stays intact. Credit the source. Indicate your changes. Don’t restrict what others can do with the original. That is the entire bargain.
The full license terms, publication history, and a detailed list of the framework’s original contributions are published at PQCFramework.com/license.
Marin Ivezic is the founder and CEO of Applied Quantum, author of PostQuantum.com, and creator of the Applied Quantum PQC Migration Framework. He is also the author of Quantum Ready, a practitioner's guide to organizational quantum readiness. A former Fortune Global 500 CISO/CTO who has served as a Big 4 partner and leader at Accenture and IBM, he has advised governments on quantum threats since the early 2000s and led PQC migration programs across financial services, telecommunications, and critical infrastructure.