The Applied Quantum PQC Migration Framework is an open-access, practitioner-grounded methodology for planning and executing enterprise-wide post-quantum cryptography migration. Built from real programs, not theory, it provides the complete lifecycle from securing executive mandate through sustained crypto-agility, with sector-specific extensions for the industries facing the greatest complexity.

Licensed under CC BY 4.0. Free to use, adapt, and share, including for commercial purposes, with attribution to Marin Ivezic and Applied Quantum.

THE APPLIED QUANTUM PQC MIGRATION FRAMEWORK


Universal Framework

The Applied Quantum PQC Migration Framework & Methodology

An open-access, practitioner-grounded methodology covering the complete 8-phase PQC migration lifecycle, from securing executive mandate and building cryptographic inventories through CBOM documentation, risk-prioritized roadmaps, hybrid pilots, infrastructure modernization, and vendor governance.

Version 2.0 introduced the two-track migration model, the PKI architecture fork with the MTC position, deployment environment classification, cost estimation methodology, and complete SOC and GRC implementation sections. Version 2.1 completes the cycle with explicit positions on hybrid and composite signatures, algorithm-specific vulnerability weighting in risk scoring, SP 800-208 as the deploy-now component of Track B, CBOM security, migration verification and program closure, data-at-rest and AI-assisted migration guidance, counterparty and cloud coordination, and all six sector extensions aligned on a single v2.1 baseline.

Version 2.1 · June 2026 · Marin Ivezic / Applied Quantum · CC BY 4.0

Sector-Specific Guidance

Framework Extensions



Sector Extension · v2.1

Financial Services

Banking, capital markets, and insurance. Covers HNDL urgency on cross-border flows, HSM migration constraints, regulatory alignment (G7 CEG, DORA, MAS, HKMA), and 20 industry-specific challenges with phase-by-phase adaptations.


Sector Extension · v2.1

Payments

Card networks, RTGS, SWIFT, payment HSMs, and terminal infrastructure. Anchored by BIS Project Leap Phase 2 findings, covering 10 payment-specific challenges including PCI standards, real-time payment systems, and ATM network security.


Sector Extension · v2.1

Digital Assets

Blockchain, cryptocurrency, DeFi, and tokenized assets. Covers on-chain public key exposure, consensus-level migration, smart contract dependencies, PoS validator risk, ZK proof vulnerabilities, and exchange/custodial infrastructure.


Sector Extension · v2.1

Telecommunications

Guidance for mobile operators, fixed-line carriers, and converged network providers — covering 5G-AKA, roaming interfaces, the 6G standardization window, GSMA PQ.01–PQ.07 alignment, lawful intercept, vendor concentration, and 3GPP dependencies.


Sector Extension · v2.1

OT & CNI

Adaptations for energy, utilities, water, transportation, and other critical infrastructure — addressing 15–25 year equipment lifecycles, safety-case recertification, ICS/SCADA constraints, process historian data, and gateway-based PQC deployment.


Sector Extension · v2.1

Government & Defense

Framework adaptations for federal agencies, defense departments, intelligence organizations, and defense industrial base contractors — covering CNSA 2.0 milestones and the January 2027 acquisition gate, NSM-10, FedRAMP/FIPS, and classified system migration.


Framework Architecture

8-Phase Lifecycle with Cross-Cutting Foundations

The framework organizes PQC migration into eight phases — from establishing the executive mandate through continuous vendor governance — supported by five foundational capabilities that run across the entire program. Earlier phases cascade into later ones, while Phases 5 and 6 run iteratively in parallel and Phase 7 operates continuously from day one.

Phase 0: Executive Mandate & Business Case (budget · authority · charter)
Phase 1: Discovery & Inventory (crypto inventory · asset map)
Phase 2: CBOM & Documentation (MV-CBOM · queryable records)
Phase 3: Risk Scoring & Prioritization (prioritized migration backlog)
Phase 4: Roadmap & Governance (multi-year plan · PMO · gates)
Phase 5: Pilots & Migration
Phase 6: Infrastructure & Performance
Phase 7: Vendor & Supply Chain Governance (starts Q1 Year 1; runs continuously as a permanent governance function)

Program Foundations
Capabilities that span every phase — established early, maintained throughout
Maturity Model
Metrics & KPIs
Crypto-Agility
Regulatory Mapping
Skills & Teams

Getting Started

90-Day Quick Start

You don’t need to complete the full framework to begin. The first 90 days establish the foundation that every subsequent phase builds on.

Month 1: Mobilize
Identify executive sponsor
Draft initial business case
Map regulatory obligations
Identify top 20 critical systems
Identify top 10 vendor dependencies

Month 2: Discover
Deploy cryptographic discovery on 3–5 highest-priority systems
Begin Tier-1 vendor outreach
Start building initial CBOM
Assess PKI root CA landscape
Launch team training program

Month 3: Plan
Complete initial scoping assessment
Present findings and business case to board / risk committee
Secure multi-year budget
Establish SteerCo and governance
Define Year 1 roadmap

Provenance

The Applied Quantum PQC Migration Framework was first drafted in March 2023, tested through real migration programs over two years, and first published in full in June 2025. It is the first published PQC migration methodology that covers the complete lifecycle at operational depth in a single integrated framework, from executive mandate and cost estimation through cryptographic discovery, CBOM documentation, risk prioritization, program governance, hybrid deployment, PKI architecture evolution, infrastructure performance analysis, vendor supply chain management, and operational security integration. Before the release of version 1.1, a comprehensive survey of 80+ published PQC frameworks found that no other single framework covers this full scope; its own conclusion states that organizations must combine four or five separate frameworks to assemble what this one provides.

Beyond its scope, the framework introduced original concepts that did not exist in any prior PQC migration guidance, including the Minimum Viable CBOM, Law on Crypto-Agility, the TNFL (Trust Now, Forge Later) framing, risk-driven discovery scoping, cost estimation methodology, the Two-Track Migration Model, Deployment Environment Classification, SOC detection specifications and incident response playbooks for quantum threats, a cascading KRI framework for PQC governance, crypto-agility as a five-dimensional operational discipline, and sector-specific extensions across six industries (Financial Services, Payments, Telecommunications, Government & Defense, Critical National Infrastructure/OT, and Digital Assets). A full list with supporting survey evidence is published on the license page.

The framework is published under CC BY 4.0 because PQC migration is too important to lock behind paywalls or proprietary restrictions. Anyone can use, adapt, and build on this work, including for commercial purposes, provided they credit Marin Ivezic and Applied Quantum and do not restrict others from doing the same.

If you encounter a PQC migration framework from a consulting firm that covers the same ground, uses very similar concepts, or follows a similar structure, check whether it credits this source. If it does, they are using the framework as intended. If it does not, ask them why.

Ecosystem

Resources & Related Projects

The framework is part of a broader ecosystem of publications, tools, and services focused on helping organizations navigate the quantum transition.

The PQC Migration Brief

A practitioner newsletter tracking regulatory developments, cryptographic research, and vendor readiness changes that affect PQC migration programs. Every issue applies one filter: does this change how organizations plan, execute, or govern their migration?

pqcmigrationbrief.com →

PostQuantum.com

Marin’s personal blog on quantum security with over 1 million monthly readers. In-depth practitioner analysis covering PQC migration, cryptographic inventory, CBOM, hybrid deployment, vendor governance, and sector deep dives.

postquantum.com →

Quantum Ready

The practitioner’s complete guide to PQC migration, the book companion to this framework. A step-by-step roadmap for CISOs, security architects, and program managers leading the transition to quantum-safe cryptography.

quantumready.com →

Applied Quantum

Research-driven professional services firm focused entirely on quantum technologies, from quantum computing and systems integration to strategy, sovereignty advisory, and quantum-safe security across all sectors.

appliedquantum.com →

Secure Quantum

Applied Quantum’s security-focused practice. Hands-on services including PQC readiness assessments, cryptographic inventory and CBOM, crypto-agility consulting, hybrid implementation, quantum risk assessment, and regulatory advisory.

securequantum.com →

Quantum Sovereignty

Strategic leadership in the quantum era, the companion book for policymakers, executives, and board directors. Covers the geopolitical, economic, and national security dimensions of quantum technology.

quantumsovereignty.org →
