Post-Quantum Cryptography Migration Frameworks: A Definitive Survey Through March 2026
What 40+ Frameworks Cover, Where They Stop, and What the Applied Quantum PQC Migration Framework Was First to Address
Table of Contents
The post-quantum cryptography migration framework landscape has grown from a handful of early guidance documents in 2020 to dozens of publications spanning governments, standards bodies, industry consortia, consulting firms, and technology vendors. Despite this growth, a striking pattern persists: virtually every framework converges on the same high-level lifecycle — discover, assess, plan, migrate, monitor — yet they diverge sharply on operational depth, and most stop well short of telling organizations how to execute a migration program.
This survey catalogs every structured PQC migration methodology, framework, and guidance document I could identify, published from the earliest entries through March 2026. It assesses each for scope, operational depth, and the specific gap that prompted me to build The Applied Quantum PQC Migration Framework: the gap between strategic roadmaps that tell organizations what to do and execution methodologies that tell them how to do it.
The survey is meant to be honest. Where other frameworks provide capabilities mine does not, I say so. Where mine provides capabilities no other framework does, I present the evidence and let readers verify the claim. Every framework cited includes a link to its source.
How This Survey Was Conducted
I identified candidate frameworks through four channels: systematic searches of standards body publication databases (NIST, ETSI, ENISA, BSI, ANSSI, NCSC-UK, ASD, MAS, CCCS); review of consulting firm and technology vendor publications; academic literature searches across IEEE Xplore, ACM Digital Library, and IACR ePrint; and monitoring of industry consortium outputs (GSMA, FS-ISAC, WEF, CSA, PQCC, PKI Consortium).
For each framework, I recorded the title, publisher, publication date, URL, stated scope, target audience, and — critically — the level of operational detail. I assessed each against a set of capabilities that a CISO or program manager running a real PQC migration would need: Does it help me secure budget? Does it tell me how to run discovery? Does it give me a CBOM architecture? Does it provide a risk scoring model? Does it help me structure a PMO? Does it tell me how to design pilots? Does it address infrastructure modernization? Does it give me vendor governance procedures? Does it provide a maturity model? KPIs? Templates?
No single framework needs to cover every one of these. But any framework claiming to be an end-to-end migration methodology — as opposed to a roadmap, a handbook, or a phase-specific guide — should address the full lifecycle from securing organizational commitment through sustained execution and governance.
Three Categories of PQC Migration Guidance
Not all published guidance is the same kind of document. The distinction matters because practitioners need different things at different stages, and conflating a policy timeline with an execution methodology leads to frustration. I classify the landscape into three categories:
Category 1: Policy frameworks and timelines. These tell organizations when to act and what regulatory or policy environment they operate in. They set deadlines, mandate inventories, and define approved algorithms. They do not tell organizations how to build and run a migration program. Examples: CNSA 2.0, NCSC-UK timelines, ASD planning guidance, MAS advisory, EU Coordinated Roadmap, NIST IR 8547.
Category 2: Strategic roadmaps and handbooks. These describe the phases or stages of a PQC migration at a strategic level, often with useful context on risk assessment, algorithm selection, or hybrid approaches. They answer “what should we do and in what order?” but provide limited procedural detail on how to execute each phase at enterprise scale. Examples: ETSI TR 103 619, Dutch PQC Migration Handbook, PQCC Migration Roadmap, CISA/NSA/NIST Quantum-Readiness factsheet, WEF/Deloitte Quantum Readiness Toolkit.
Category 3: Execution methodologies. These provide the operational detail needed to build and run a multi-year PQC migration program: defined inputs and outputs for each phase, governance and PMO structures, templates, decision frameworks, quality criteria, maturity models, KPIs with targets, and integration points between phases. A program manager should be able to use the document as a daily reference for how to run the program.
Most published guidance falls into Categories 1 or 2. Category 3 — full-lifecycle execution methodologies that are publicly available, vendor-neutral, and cover the entire migration from organizational commitment through sustained governance — is where the landscape has been thinnest.
The Landscape, Chronologically
2019–2020: The Foundations
The earliest structured migration thinking predates any formal framework. The CCC (Computing Community Consortium) workshop report, “Identifying Research Challenges in Post Quantum Cryptography Migration and Cryptographic Agility” (September 2019), identified the research challenges but did not propose an operational methodology.
BSI (Germany), “Migration to Post Quantum Cryptography — Recommendations for action” (April 2020), was the first national agency to publish concrete migration recommendations. It emphasized early risk-managed migration, crypto-agility, and hybrid (classical + PQC) deployment. Category 1/2 — a set of recommendations, not a structured methodology.
ETSI TR 103 619, “Migration strategies and recommendations to Quantum Safe schemes” (July 2020), is the earliest document that can legitimately be called a migration framework. It defines a three-stage model — (1) inventory compilation, (2) migration plan preparation, (3) execution — with questionnaire templates in its annexes covering risk, data, cryptographic, infrastructure, and supplier assessments. Category 2. This is an important document, and it influenced virtually everything that followed. But it operates at a strategic level: it tells you the stages exist and what questions to ask, not how to structure a 120,000-task program, run a PMO, measure progress, or manage vendor dependencies at scale.
2021–2022: Risk Models and Awareness
Mosca’s Quantum Risk Assessment (QRA) formalized the “XYZ” inequality for quantum risk timing — the conceptual model that underpins nearly every subsequent framework’s risk assessment approach. Foundational, but a risk model rather than a migration methodology.
CARAF (Crypto Agility Risk Assessment Framework), published in the Journal of Cybersecurity (2021), provided a five-phase framework (identify threats, inventory, risk estimation, mitigation, roadmap) with IoT and TLS case studies. Category 2 — focused on risk assessment and crypto-agility rather than full migration execution.
ENISA, “Post-Quantum Cryptography: Current State and Quantum Mitigation” (May 2021) and the companion “Post-Quantum Cryptography: Integration Study” (October 2022)** provided analysis of PQC integration into existing protocols and hybrid strategies. Category 1/2 — analysis and integration guidance.
NSA CNSA 2.0 (September 2022) set mandated algorithms and timelines for National Security Systems, with a full transition target of 2035. Category 1 — an algorithm and timeline mandate.
WEF and Deloitte, “Transitioning to a Quantum-Secure Economy” (2022) and the subsequent “Quantum Readiness Toolkit” (June 2023) provided five governance principles for executive leaders. Category 2 — governance-focused, not an execution methodology.
ANSSI (France), “ANSSI views on the post-quantum cryptography transition” (2022, updated 2023), published a three-phase transition timeline: Phase 1 (immediate hybrid introduction), Phase 2 (≥2025, hybrid mandatory), Phase 3 (≥2030, standalone PQC permitted). Category 1 — a position statement with timeline.
March 2023: The Applied Quantum PQC Migration Framework v0.1
In March 2023, I published the first version of The Applied Quantum PQC Migration Framework as v0.1. The motivation was straightforward: I had been advising governments on quantum threats since the early 2000s and had led PQC readiness programs for telecom operators and financial institutions — programs that grew to 120,000+ discrete tasks. The frameworks available at the time (primarily ETSI TR 103 619 and the CISA/NSA guidance that would be published later that year) told organizations the stages of migration but provided no operational guidance for running the program itself.
Version 0.1 already contained the structural elements that would be refined through real-world validation over the following two years:
- Eight phases (Phase 0 through Phase 7) covering the full lifecycle from executive mandate through vendor governance — the only framework at the time to start with a dedicated phase for securing budget, authority, and governance before any technical work begins
- PMO and governance structures including a Steering Committee model, the Quantum Readiness Program Manager (QRPM) role, eight workstreams with defined responsibilities, and decision cadence (weekly PMO, monthly SteerCo, quarterly Board)
- A dedicated vendor and supply chain governance phase (Phase 7) as a continuous function, not a subtopic within another phase — reflecting the reality that vendor dependencies are the primary constraint on migration timelines
- A five-level maturity model for benchmarking organizational progress
- KPIs with specific targets for board-level and operational reporting
- Cross-cutting program foundations (maturity model, metrics, crypto-agility, regulatory mapping, skills and teams) as capabilities that span every phase
Version 0.1 was deliberately released as a working document — an initial structure informed by real program experience, published openly so practitioners could evaluate and challenge it.
Mid-to-Late 2023: Government Roadmaps Emerge
CISA/NSA/NIST, “Quantum-Readiness: Migration to Post-Quantum Cryptography” (August 2023), published a joint factsheet establishing a Quantum-Readiness Roadmap: form a project team, conduct cryptographic inventory, assess supply chain, engage vendors. Category 1 — a checklist of preparatory activities with no execution detail beyond the phase names themselves.
NIST SP 1800-38, “Migration to Post-Quantum Cryptography” (Volumes A, B, C; preliminary drafts April and December 2023), is the most technically detailed US government publication on PQC migration. Volume B demonstrates cryptographic discovery tools; Volume C tests PQC algorithm interoperability in TLS 1.3, SSH, X.509, QUIC, and HSMs. Category 2/3 for discovery and testing specifically, but deliberately scoped as a practice guide demonstrating specific tools in specific scenarios — not as a program methodology. It does not address governance, PMO structures, budget planning, maturity assessment, vendor governance, or cross-cutting program management.
GSMA Post-Quantum Telco Network Task Force published PQ.01 “Post Quantum Telco Network Impact Assessment” (February 2023) and PQ.02 “Guidelines for Quantum Risk Management for Telco” (September 2023). Category 2 — impact assessment and risk management guidance for the telecom sector.
FS-ISAC, “Preparing for a Post-Quantum World by Managing Cryptographic Risk” (March 2023) and companion PQC Risk Model technical paper, incorporating Mosca’s QRA and CARAF. Category 2 — risk assessment methodology for financial services.
2024: The Dutch Handbook and Sector-Specific Guidance
The Dutch PQC Migration Handbook (AIVD/CWI/TNO), 2nd revised and extended edition (December 2024), is the most comprehensive government-backed migration guide published before my framework’s v1.0. It provides a three-step approach (quantum-vulnerability diagnosis, planning, execution), organizational “personas” to help different types of organizations calibrate their approach, a detailed CBOM methodology, and a companion PQChoiceAssistant tool for algorithm selection. Contributors include TNO, TU Delft, TU Eindhoven, NCSC-NL, Radboud University, KPN, ABN AMRO, Deloitte, and KPMG.
The Dutch Handbook is an excellent guide — I recommend it to practitioners alongside my framework. Where it differs from an execution methodology: it does not provide a PMO or governance structure, a maturity model, KPIs with specific targets, sector extensions, a dedicated vendor governance process, board reporting templates, or a 90-day quick start. It tells you the right things to do; it does not tell you how to structure and manage the program that does them. Category 2.
GSMA PQ.03 v2.0, “Quantum Safe Use Cases & Migration” (October 2024), is one of the most operationally detailed sector-specific documents in the landscape. It includes Gantt charts for VPN, TLS, PKI, and MACsec migration; CBOM guidance; crypto-agility methodology; Zero Trust integration; and dependency analysis. Category 2/3 for telecom specifically — but it is a sector-specific guide, not a universal methodology.
ETSI TR 104 016 (October 2024) updated ETSI’s migration framework with an iterative divide-and-conquer approach to migration execution. Category 2.
Hasan, Simpson, Baee et al., “A Framework for Migrating to Post-Quantum Cryptography: Security Dependency Analysis and Case Studies,” IEEE Access (2024), proposed a full enterprise migration framework using existing inventories plus security-dependency analysis. The most complete academic methodology. Category 2 — a research framework.
MAS (Singapore), “Advisory on Addressing the Cybersecurity Risks Associated with Quantum” (February 2024), directed all Singapore financial institutions to maintain awareness, conduct cryptographic inventories, and develop PQC strategies. Category 1.
IBM Quantum Safe methodology continued to mature through 2024 with the Discover → Observe → Transform three-phase model, supported by proprietary tooling (Explorer, Advisor, Remediator) and the AI-powered Quantum Safe Migration Orchestrator (QSMO). IBM is the only vendor combining algorithm development (co-developer of two of three NIST PQC standards), dedicated tooling, and a consulting methodology. Category 3 for clients who engage IBM’s consulting practice — but the methodology is not publicly documented as a standalone reference, and it is designed to operate within IBM’s product ecosystem. It is not available as a vendor-neutral, open methodology.
DigiCert, “The Ultimate Guide to Post-Quantum Cryptography” and the Tabletop-in-a-Box migration simulation exercise provided discovery, inventory, and pilot planning worksheets. Category 2 — strong on specific phases, not a full methodology.
2023–2024: Version 0.1 Validation Through Real Programs
Between March 2023 and early 2025, the Applied Quantum PQC Migration Framework v0.1 was tested against real migration programs across financial services, telecommunications, and critical infrastructure. This validation period shaped the framework’s evolution in two ways:
First, it confirmed which structural elements held up under operational pressure. The eight-phase lifecycle, the PMO governance model, the dedicated vendor governance phase, and the maturity model all proved essential and survived largely intact. Organizations that attempted to skip Phase 0 (executive mandate) predictably stalled within 6–12 months.
Second, it identified areas requiring expansion. The Minimum Viable CBOM model, the risk-driven discovery scoping approach, specific KPI targets with year-over-year trajectories, and detailed common-failure documentation for each phase were all refined based on what went wrong (and what went right) in actual programs.
June 2025: The Applied Quantum PQC Migration Framework v1.0
Version 1.0 incorporated the lessons from two years of validation. It represented the first publicly available, vendor-neutral, full-lifecycle execution methodology for enterprise PQC migration — and as the survey below demonstrates, no comparable document existed at the time of its publication.
Early-to-Mid 2025: Government Timelines Converge
NCSC-UK, “Timelines for migration to post-quantum cryptography” (March 2025), published the most specific national timeline: Phase 1 by 2028 (discovery and planning), Phase 2 by 2031 (high-priority migration), Phase 3 by 2035 (complete migration). Migration options include in-place upgrade, re-platform, retire, run-to-EOL, and tolerate. Category 1 — strong on timelines and migration-option taxonomy.
NIST CSWP 39, “Considerations for Achieving Crypto Agility” (Initial Public Draft, March 2025), outlined a crypto-agility strategic plan: governance, asset visibility, policy enforcement, risk management, automated tooling. Category 2 — focused on agility rather than migration program management.
NIST IR 8547 (Initial Public Draft, November 2024), set the deprecation and disallowance timelines that anchor every migration program: quantum-vulnerable algorithms deprecated after 2030 and disallowed after 2035. Category 1.
PQCC (Post-Quantum Cryptography Coalition / MITRE), “PQC Migration Roadmap” (May 28, 2025), provides an overview of four stages: preparation, baseline understanding, planning and execution, and monitoring and evaluation. Founded by IBM Quantum, Microsoft, MITRE, PQShield, and SandboxAQ, the PQCC brings significant institutional credibility. The roadmap is a useful strategic document for CIOs and CISOs beginning the journey. Category 2 — it covers the what at a strategic level; it does not provide the governance structures, templates, KPIs, maturity model, or procedural detail needed to execute the program.
Deloitte, “Cryptographic Resilience: A CSF 2.0 Community Profile” (April 2025, Initial Draft), mapped PQC migration activities to the NIST Cybersecurity Framework 2.0, with a four-tier maturity model (Tiers 0–4). Category 2 — a compliance mapping, not an execution methodology. A useful tool for organizations already using CSF 2.0 for governance.
ASD (Australia), “Planning for post-quantum cryptography” (updated with LATICE framework, September 2025), set the most aggressive global timeline: cease using traditional asymmetric cryptography by end of 2030. The LATICE framework (Locate, Assess, Triage, Implement, Certify, Evaluate) provides a structured five-phase model. Category 2.
Canadian Centre for Cyber Security, “ITSM.40.001: Roadmap for the migration to post-quantum cryptography” (June 23, 2025), defined three phases (Preparation, Identification, Transition) with milestones for federal government systems. Category 1/2.
Late 2025: Maturity Models and Vendor Guidance
PKI Consortium, “Post-Quantum Cryptography Maturity Model (PQCMM)” (October 27, 2025), published six maturity levels (0–5) for PQC adoption. The PQCMM differs from my framework’s maturity model in a significant way: it evaluates the PQC readiness of products and services in the supply chain, while my maturity model assesses organizational readiness across seven domains. Both are needed — they serve different purposes. The PKI Consortium’s PQCMM was published 31 months after my framework’s v0.1 included an organizational maturity model.
Accenture Quantum Security Maturity Index, Entrust Crypto Agility Maturity Assessment, and PwC’s five-phase framework were each published or became publicly visible during 2025. The first two focus on maturity assessment (one capability area); PwC’s framework emphasizes supply-chain risk and a PQC Centre of Excellence governance model. All are Category 2.
March 2026: The Applied Quantum PQC Migration Framework v1.1
Version 1.1 is a major expansion of v1.0, incorporating deployment environment classification, cost estimation methodology, a regulatory timeline table, the hybrid approach jurisdictional compliance matrix, and detailed sector extensions for financial services, telecommunications, OT and critical national infrastructure, and government and defense. Each sector extension includes adapted business case arguments, governance modifications, phase-by-phase adaptations, a sector-specific maturity model supplement, and sector-specific KPIs.
The complete framework at v1.1 spans 135 pages in the universal document plus four sector extensions, covering eight phases (Phase 0–7), five cross-cutting program foundations, a five-level maturity model across seven assessment domains, board-level and operational KPI packs, a 90-day quick start checklist, a board reporting template, five appendices including a decision tree and hybrid jurisdictional compliance matrix, and evidence dossier guidance for audit and regulatory preparation.
Comparative Analysis: What Each Framework Covers
The table below assesses each major framework against the capabilities a program manager needs to execute a PQC migration. A filled cell indicates the framework provides substantive, actionable guidance on that capability — not merely mentioning it exists.
| Capability | ETSI TR 103 619 (2020) | Dutch Handbook (2024) | NIST SP 1800-38 (2023) | PQCC Roadmap (2025) | GSMA PQ.03 (2024) | IBM QSafe | Deloitte CSF 2.0 (2025) | Applied Quantum v1.1 (2026) |
|---|---|---|---|---|---|---|---|---|
| Executive mandate / business case phase | — | — | — | — | — | — | — | ✓ |
| Cryptographic discovery methodology | Questionnaire | Diagnosis step | ✓ (demo) | Mentioned | ✓ | ✓ (tooling) | Mapped to CSF | ✓ |
| CBOM architecture / MV-CBOM | — | ✓ | — | — | ✓ | ✓ (invented CBOM) | — | ✓ (MV-CBOM) |
| Risk scoring model | Risk assessment questionnaire | Risk classification | — | — | Risk management | ✓ | Mapped to CSF | ✓ (scoring formula) |
| PMO / governance structure | — | — | — | — | — | Internal methodology | — | ✓ (8 workstreams, RACI, cadence) |
| Multi-year roadmap guidance | Planning stage | Planning step | — | ✓ | ✓ (Gantt charts) | ✓ | — | ✓ |
| Pilot design methodology | — | — | ✓ (interop testing) | — | ✓ | ✓ | — | ✓ |
| Infrastructure modernization (PKI/HSM) | — | Algorithm selection | ✓ (HSM testing) | — | ✓ | ✓ | — | ✓ |
| Dedicated vendor governance phase | Supplier assessment questionnaire | Mentioned | — | — | — | — | — | ✓ (continuous function) |
| Maturity model (organizational) | — | — | — | — | — | — | Tiers 0–4 (CSF-aligned) | ✓ (5 levels, 7 domains) |
| KPIs with specific targets | — | — | — | — | — | — | — | ✓ (board + operational) |
| Board reporting template | — | — | — | — | — | — | — | ✓ |
| 90-day quick start | — | — | — | — | — | — | — | ✓ |
| Sector extensions | — | — | — | — | Telecom only | — | — | ✓ (4 sectors) |
| Cross-cutting program foundations | — | — | — | — | — | — | — | ✓ (5 foundations) |
| Evidence dossier (audit/regulatory) | — | — | — | — | — | — | — | ✓ |
| Common failures per phase | — | — | — | — | — | — | — | ✓ |
| Defined inputs/outputs per phase | — | — | Partial | — | — | Internal | — | ✓ |
| Open, vendor-neutral, CC BY 4.0 | Free (ETSI members) | Free | Free | Free | Free (GSMA members) | Proprietary | Free | ✓ (CC BY 4.0) |
What the Applied Quantum Framework Introduced
Based on this survey, the following capabilities were first provided by the Applied Quantum PQC Migration Framework. Each claim is verifiable against the publication dates and contents of the frameworks cataloged above.
First published in v0.1 (March 2023)
1. First full-lifecycle (8-phase) PQC migration execution methodology. Prior to March 2023, the most complete framework was ETSI TR 103 619 (July 2020), which defined three stages. The CISA/NSA/NIST factsheet (August 2023) would later list preparatory activities. The Dutch Handbook (December 2024) would provide a three-step approach. The PQCC Roadmap (May 2025) would define four stages. None of these provided the eight-phase structure with defined inputs, activities, outputs, quality criteria, and common failures for each phase.
2. First dedicated Phase 0 — Executive Mandate and Business Case. No PQC migration framework before (or since, as of March 2026) starts with a full phase dedicated to securing budget, authority, governance structures, and multi-year organizational commitment. Other frameworks begin at discovery or awareness, implicitly assuming the organizational prerequisites are already in place. In my experience running these programs, this assumption causes more program failures than any technical challenge. Phase 0 exists because programs that skip it stall within 6–12 months.
3. First PQC-specific organizational maturity model. The v0.1 maturity model assessed organizational readiness across multiple domains at five levels (Unaware → Optimized). The PKI Consortium’s PQCMM (October 2025) provides a product/vendor maturity model — a different and complementary instrument. Deloitte’s CSF 2.0 Community Profile (April 2025) maps to CSF Tiers 0–4. Accenture’s Quantum Security Maturity Index appeared in 2025. Entrust’s Crypto Agility Maturity Assessment focuses on agility specifically. None of these were published before March 2023, and none assess organizational readiness across the seven domains (Cryptographic Inventory, Governance & Ownership, Risk & Compliance, Migration Execution, Vendor & Supply Chain, Crypto-Agility & Architecture, Skills & Training) that the Applied Quantum maturity model covers.
4. First quantified KPI pack with specific year-over-year targets. No other PQC migration framework provides specific KPI targets (e.g., “Coverage: Year 1: 10%, Year 2: 60%, Year 3: 95% of Tier-1 endpoints on hybrid/PQC key exchange”). Other frameworks that mention metrics do so at the level of “track progress” — they do not specify what to measure, what targets to set, or how to report results to a board.
5. First dedicated vendor and supply chain governance phase. Phase 7 exists as a continuous governance function starting Q1 Year 1 and running permanently — not a section within another phase. Other frameworks mention vendor engagement (ETSI TR 103 619 includes a supplier assessment questionnaire; FS-ISAC published a vendor questionnaire; the Dutch Handbook mentions vendor management), but none dedicate a full phase with procedures, questionnaire templates, governance cadence, and integration points to other phases. This design reflects the reality that vendor dependencies — not technical complexity — are the primary constraint on migration timelines for most organizations.
6. First PMO and governance structure designed for PQC migration scale. The v0.1 framework specified eight workstreams (Inventory & Discovery; Network & TLS/VPN; PKI & Code Signing; Applications & Platforms; Embedded/IoT/OT; Policy/Compliance/Procurement; Vendor Orchestration; Education & Change Management), a Quantum Readiness Program Manager (QRPM) role, Steering Committee structure, RACI model, and decision cadence. No other framework provides this level of governance architecture.
7. First framework to treat crypto-agility as an end-state architecture goal, not a feature. While NIST CSWP 39 (March 2025 draft) would later address crypto-agility strategies, and CARAF (2021) provided a risk assessment framework for agility, the Applied Quantum framework was the first to position crypto-agility as the program’s target end-state: “The goal of PQC migration is not merely to swap RSA for ML-KEM; it is to build the organizational capability to change cryptographic algorithms routinely.” This framing, combined with the Crypto-Agility KPI (percentage of services that can swap key-agreement algorithm via configuration within two weeks), makes agility measurable and accountable.
First published in v1.0 (June 2025) or v1.1 (March 2026)
8. The Minimum Viable CBOM (MV-CBOM) model. IBM invented the CBOM concept, and CycloneDX provides the standard format. The MV-CBOM is my contribution to how organizations should build their CBOM: a four-layer architecture (Infrastructure → Platform → Application → Embedded/Third-Party) that provides coverage of the highest-exposure, most-controllable cryptographic usage first, rather than attempting comprehensive enumeration that delays migration indefinitely. The Dutch Handbook provides CBOM methodology, and GSMA PQ.03 includes CBOM guidance, but neither uses the architecture-first layered approach.
9. Sector extension architecture. The universal framework plus four sector-specific extensions (financial services, telecommunications, OT/CNI, government and defense) — each providing adapted business case arguments, governance modifications, phase-by-phase adaptations, sector maturity model supplement, and sector KPIs — is unique in the landscape. GSMA PQ.03 is telecom-specific but is not structured as an extension of a universal methodology. FS-ISAC provides financial-sector risk models but not sector adaptations of a full lifecycle. No other framework provides a universal core with modular sector adaptations.
10. Phase-by-phase common failure documentation. Each phase in the framework includes a “Common Failures” section documenting the patterns I have observed cause programs to stall or fail at that stage. Examples: “Innovation project framing” (Phase 0), “Treating discovery as a project with an end date” (Phase 1), “Completeness trap” (Phase 2, CBOM), “Delegating to vendors” (Phase 0/Phase 7). No other framework systematically documents common failure modes for each phase.
11. The 90-day Quick Start Checklist providing 14 concrete deliverables a program should produce in its first 90 days, from sponsor identification through first hybrid pilot targets, is unique to this framework.
12. Board reporting template with specific KPIs (maturity level with trend, coverage, trust, inventory, vendor, key risks, decisions required, budget status, next quarter milestones) designed for quarterly board/risk committee presentations.
13. Evidence dossier guidance specifying the continuously updated evidence package needed for audit and regulatory preparation (CBOM snapshots, pilot test reports, vendor commitment letters, policy documents, SteerCo minutes, training records, risk register).
14. Interdependency mapping between phases — each phase documents backward dependencies (what must be complete), forward feeds (what this phase enables), and parallel-run guidance (what can overlap).
15. Risk-driven discovery scoping — the Priority A/B/C tiering approach that begins Phase 1 with the top 20 revenue-generating or mission-critical systems rather than attempting estate-wide discovery, combined with the explicit guidance on integrating 14 existing organizational data sources (BIA, CMDB, SBOM, certificate management, CSPM, and others) to accelerate cryptographic inventory.
The Gap That Persists
This survey reveals a clear pattern: the PQC migration guidance landscape is overwhelmingly concentrated in Category 1 (policy frameworks and timelines) and Category 2 (strategic roadmaps and handbooks). Category 3 — full-lifecycle execution methodologies — remains sparse.
This is not a criticism of the documents in Categories 1 and 2. Every framework surveyed here provides genuine value. ETSI TR 103 619 established the foundational stage model. The Dutch Handbook is the best practitioner guide for understanding the migration problem. NIST SP 1800-38 provides unmatched technical depth on discovery tooling and algorithm interoperability. GSMA PQ.03 is the most operationally detailed sector-specific guide. The PQCC Roadmap provides a useful strategic starting point backed by major institutional credibility. IBM’s methodology has been proven in real engagements.
But the gap between “understand what to do” and “know how to run the program” is where organizations are getting stuck. A CISO who reads ETSI TR 103 619 understands the three stages. A CISO who reads the Applied Quantum PQC Migration Framework knows how to charter the program, structure the PMO, run discovery on the highest-priority systems first, build an MV-CBOM, score and sequence risks, design governance that survives leadership changes, manage vendor dependencies as a continuous function, measure progress with specific KPIs, and report to the board with evidence the auditors will accept.
That is the gap this framework was built to fill.
Conclusion
As of March 2026, the PQC migration framework landscape contains dozens of useful documents, but they cluster heavily in two categories: policy frameworks that set deadlines and approved algorithms, and strategic roadmaps that describe migration stages at a high level. The gap between these documents and what organizations need to execute a multi-year, enterprise-wide PQC migration program has been, and remains, the defining challenge of the PQC transition.
The Applied Quantum PQC Migration Framework was built to address that gap. First published in March 2023, validated through real migration programs, and expanded through v1.0 (June 2025) and v1.1 (March 2026), it introduced the first eight-phase full-lifecycle execution methodology, the first dedicated executive mandate phase, the first PQC-specific organizational maturity model, the first quantified KPI pack, the first dedicated vendor governance phase, the first sector extension architecture, and the first systematic common-failure documentation for PQC migration.
Every framework cited in this survey is linked to its source. Every “first” claim is verifiable against the publication dates and documented contents of the frameworks cataloged here. Where I have missed a framework that should be included, I welcome correction — email [email protected].
The framework is and will remain free, open, and available at PQCFramework.com under CC BY 4.0.
Frameworks Cited in This Survey (Chronological)
| Date | Framework | Publisher | Category | URL |
|---|---|---|---|---|
| Sept 2019 | Research Challenges in PQC Migration | CCC | Research | arXiv:1909.07353 |
| Apr 2020 | Migration to PQC — Recommendations | BSI (Germany) | 1/2 | bsi.bund.de |
| Jul 2020 | TR 103 619: Migration strategies | ETSI | 2 | etsi.org |
| 2021 | CARAF: Crypto Agility Risk Assessment | Ma, Colon et al. | 2 | ResearchGate |
| May 2021 | PQC: Current State and Quantum Mitigation | ENISA | 1/2 | enisa.europa.eu |
| Sept 2022 | CNSA 2.0 | NSA | 1 | media.defense.gov |
| Oct 2022 | PQC Integration Study | ENISA | 1/2 | enisa.europa.eu |
| 2022 | ANSSI views on PQC transition | ANSSI (France) | 1 | ssi.gouv.fr |
| 2022 | Transitioning to a Quantum-Secure Economy | WEF / Deloitte | 2 | weforum.org |
| Feb 2023 | PQ.01: Telco Network Impact Assessment | GSMA | 2 | gsma.com |
| Mar 2023 | Applied Quantum PQC Migration Framework v0.1 | Marin Ivezic / Applied Quantum | 3 | pqcframework.com |
| Mar 2023 | Preparing for a Post-Quantum World | FS-ISAC | 2 | fsisac.com |
| Apr/Dec 2023 | SP 1800-38: Migration to PQC (drafts) | NIST NCCoE | 2/3 | csrc.nist.gov |
| Jun 2023 | Quantum Readiness Toolkit | WEF / Deloitte | 2 | weforum.org |
| Aug 2023 | Quantum-Readiness: Migration to PQC | CISA / NSA / NIST | 1 | cisa.gov |
| Sept 2023 | PQ.02: Risk Management for Telco | GSMA | 2 | gsma.com |
| Feb 2024 | MAS Advisory on Quantum Cybersecurity | MAS (Singapore) | 1 | mas.gov.sg |
| 2024 | Hasan et al.: PQC Migration Framework | IEEE Access | 2 | ieee.org / arXiv:2307.06520 |
| Oct 2024 | PQ.03 v2.0: Quantum Safe Migration | GSMA | 2/3 (telecom) | gsma.com |
| Oct 2024 | TR 104 016: Iterative migration | ETSI | 2 | etsi.org |
| Nov 2024 | IR 8547: Transition to PQC Standards (draft) | NIST | 1 | csrc.nist.gov |
| Dec 2024 | PQC Migration Handbook, 2nd ed. | AIVD / CWI / TNO | 2 | publications.tno.nl |
| Mar 2025 | CSWP 39: Crypto Agility (draft) | NIST | 2 | csrc.nist.gov |
| Mar 2025 | Timelines for migration to PQC | NCSC (UK) | 1 | ncsc.gov.uk |
| Apr 2025 | Cryptographic Resilience CSF 2.0 Profile | Deloitte | 2 | deloitte.com |
| May 2025 | PQC Migration Roadmap | PQCC / MITRE | 2 | mitre.org |
| Jun 2025 | Applied Quantum PQC Migration Framework v1.0 | Marin Ivezic / Applied Quantum | 3 | pqcframework.com |
| Jun 2025 | ITSM.40.001: PQC Migration Roadmap | CCCS (Canada) | 1/2 | cyber.gc.ca |
| Oct 2025 | PQCMM: PQC Maturity Model | PKI Consortium | 2 | pkic.org |
| Mar 2026 | Applied Quantum PQC Migration Framework v1.1 | Marin Ivezic / Applied Quantum | 3 | pqcframework.com |
Marin Ivezic is the founder and CEO of Applied Quantum, author of PostQuantum.com, and creator of the Applied Quantum PQC Migration Framework. He is also the author of Quantum Ready, a practitioner's guide to organizational quantum readiness. A former Fortune Global 500 CISO/CTO who has served as a Big 4 partner and leader at Accenture and IBM, he has advised governments on quantum threats since the early 2000s and led PQC migration programs across financial services, telecommunications, and critical infrastructure.
