PQC Migration Framework v2.0 Released: What Changed, Why It Matters, and a Note on Attribution

June 8, 2026 – When I first published the Applied Quantum PQC Migration Framework in March 2023, the PQC migration field had plenty of guidance telling organizations what to do (conduct an inventory, prioritize, migrate) but nothing showing them how to do it end-to-end. The framework filled that gap: eight phases, from executive mandate through vendor governance, with the operational depth that a program manager could actually execute against.

For three years, that was a claim I made based on experience. In March 2026, I published the receipts. A systematic survey of every PQC migration methodology I could find catalogued over 80 published frameworks from governments, standards bodies, consulting firms, and vendors across 25+ countries. The survey’s conclusion confirmed what practitioners had been telling me: no single published framework covered the complete migration lifecycle at operational depth. Organizations were stitching together four or five separate documents to assemble what the Applied Quantum framework provided in one place.

Since that survey, version 1.1 has been downloaded over 15,000 times. The feedback from those practitioners, and from the programs I continue to lead, exposed a new set of problems that v1.1 did not adequately address.

Today I am publishing version 2.0, alongside a companion survey update covering everything published between March and June 2026. The conclusion: the gap persists. No new framework addresses the deployment-reality challenges that emerged this quarter. Once again, the Applied Quantum framework is the first to respond.

The Problem Shifted

Version 1.1 told organizations how to build and run a PQC migration program: secure the mandate, build the inventory, score the risks, plan the roadmap, design the pilots, modernize the infrastructure, govern the vendors. Eight phases, five cross-cutting foundations, a maturity model, KPIs, sector extensions. Validated through real programs with 120,000+ tasks.

What v1.1 did not adequately address was what happens when those programs reach production deployment and encounter an environment that is messier than any framework anticipated.

Between March and June 2026, three things happened that forced a rethink.

Google set a 2029 completion target for its own PQC migration. When the company that operates Chrome and Android sets a timeline six years ahead of NIST’s 2035 disallowance deadline, that timeline becomes a constraint for everyone whose systems interact with Google’s.

Let’s Encrypt committed to Merkle Tree Certificates as its path to post-quantum Web PKI, targeting production in 2027. Let’s Encrypt issues a dominant share of public TLS certificates. Organizations that planned PKI migration as a straightforward algorithm swap now need to plan for two parallel architectures.

And the FIPS 140-3 validation gap became a hard deployment constraint. No validated module offers PQC algorithms in approved mode. SafeLogic submitted the first PQC-capable module to CMVP in May 2026, but for regulated organizations, the gap determines deployment sequencing in ways that no framework had modeled.

What v2.0 Adds

The full changelog is published separately. Here are the additions that address gaps no other published framework covers.

The two-track migration model separates key exchange (Track A, driven by HNDL exposure) and signature/authentication (Track B, driven by TNFL risk and PKI evolution) as parallel tracks. Track A is deployable today with hybrid ML-KEM. Track B depends on PKI architecture decisions, FIPS validation timelines, and the MTC standardization path. Treating them as a single sequence was causing organizations to either delay key exchange protection while waiting for signature readiness, or neglect signature migration entirely because key exchange felt “done.”

Deployment environment classification introduces four tiers (Unrestricted, FIPS-Aware, FIPS-Required, CNSA 2.0) that determine when and how PQC can enter production for each class of system. A web application in an unrestricted environment can deploy hybrid TLS today. A payment processing system in a FIPS-required environment cannot until validated modules exist. The roadmap construction in Phase 4 now accounts for this explicitly.

PKI architecture evolution takes a definitive position on the emerging split: MTCs for public Web PKI, X.509 with PQC signature algorithms for internal enterprise PKI (mTLS, VPN certificates, code signing, device authentication). No other framework addresses this fork.

SOC implementation specifies five detection use cases with illustrative rules and thresholds (hybrid downgrade, cryptographic drift, certificate lifecycle anomalies, TNFL signing integrity, enhanced HNDL indicator detection), a three-horizon quantum CTI model, four incident response playbooks, five tabletop exercise scenarios, and a phased implementation roadmap. I have published a separate SOC Quantum Playbook expanding on the framework’s SOC architecture.

GRC implementation provides a 17-indicator cascading KRI framework across three organizational levels (board, CISO, operational), risk appetite statement templates, a regulatory intelligence process, audit and assurance procedures, and the GRC-SOC handoff that makes detection capabilities function. The companion GRC Quantum Playbook covers this in depth.

Crypto-agility expanded from principles to practice. The v1.1 section covered six architectural principles and an OKR table. Version 2.0 treats crypto-agility as a five-dimensional operational discipline (architecture, operations, governance, skills, supply chain), each with a testable criterion, a four-year implementation roadmap, and six OKRs with measurement methods. This reflects what I have observed in programs that attempted to implement agility: the architecture is the easy part. The organizational capability to actually execute an algorithm swap in under two weeks is where most programs fall short.

Two new sector extensions bring the total to six. The Payments extension was previously covered within Financial Services but has been separated into its own document, reflecting the complexity of cross-border payment flows, real-time settlement systems, card network cryptographic dependencies, and the BIS Leap Phase 2 findings. The Digital Assets extension is new, covering blockchain protocols, DeFi smart contract cryptographic dependencies, custodial wallet infrastructure, and the challenge of migrating systems where cryptographic algorithms are embedded in consensus mechanisms and on-chain logic.

The Evidence

I am making specific claims about what this framework introduced to the field. Those claims carry weight only if they can be verified. That is why I publish the surveys.

The March 2026 survey catalogued every structured PQC migration methodology I could identify, from ETSI TR 103 619 (July 2020) through the PQCC Migration Roadmap (May 2025), the Dutch PQC Migration Handbook (December 2024), and Meta’s engineering playbook (April 2026). Each framework was assessed for scope, operational depth, and specific capabilities. The comparison table, the “first” claims, and the evidence supporting each claim are published and independently verifiable. Every framework cited includes a link to its source.

The June 2026 update reviewed everything published between March and June 2026. Meta’s five-level maturity model. The IACR ePrint risk framework for legacy systems. The SSRN cost estimation paper. The IETF PLANTS drafts. The conclusion: no new framework addresses more than one or two of the seven deployment-reality challenges that v2.0 covers as an integrated methodology.

These surveys are not marketing documents. They are reference works. If I have missed a framework, I want to know about it. The contact information is on PQCFramework.com. If someone publishes a framework that covers ground mine does not, I will add it to the next survey and credit it.

On Attribution

I need to address something directly, because avoiding it would be dishonest.

The PQC Migration Framework is published under CC BY 4.0. This is one of the most permissive open licenses available. Anyone can use it, adapt it, build commercial services on top of it, and sell those services. The only requirement is attribution: credit Marin Ivezic and Applied Quantum, link to PQCFramework.com, and indicate if changes were made.

I chose CC BY 4.0 because PQC migration is too important to gate behind proprietary restrictions. The framework exists so that organizations can migrate, not so that I can sell licenses. Every concept, every template, every decision tree in the framework is free to use.

What I did not anticipate was the speed at which several consulting firms would take the framework, run the text through an AI paraphrasing tool, apply their own branding, and present it to clients as proprietary methodology. I have seen engagement proposals with my eight-phase structure, my terminology (“Minimum Viable CBOM,” “risk-driven discovery scoping,” “Trust Now, Forge Later”), my governance model (the QRPM role, the SteerCo structure, the eight workstreams), and my maturity model, with no mention of the source. In at least two cases, these were presented alongside press releases announcing the firm’s “new” PQC migration methodology.

I want to be clear about what this is and what it is not.

It is not a legal dispute. CC BY 4.0 violations are enforceable, but I have no interest in litigation. I would rather spend that energy on the next version of the framework.

It is not a complaint about competition. Consulting firms helping organizations migrate to PQC is a good thing. If a firm uses my framework, adds its own expertise, credits the source, and delivers excellent migration programs, that is exactly the outcome I hoped for when I chose CC BY 4.0.

What concerns me is the pattern where a firm strips the attribution, presents the work as proprietary, and then charges clients a premium for access to “their” methodology. This harms clients, who pay for a proprietary framework when the original is available for free. It harms the broader PQC migration effort, because it fragments what should be a shared reference into multiple incompatible branded versions. And it undermines the incentive for practitioners to publish openly.

I have published a detailed attribution guide explaining what proper use looks like and how organizations evaluating consulting proposals can identify frameworks derived from this one. The license page documents every original contribution with dated provenance and survey evidence.

If your consulting firm presents a PQC migration framework and you recognize the structure, ask them whether it builds on published methodologies, and which ones. You are better served by consultants who are transparent about their sources than by firms presenting repackaged open-source work as proprietary innovation.

What Comes Next

Version 2.0 addresses the deployment-reality gaps that emerged in the first half of 2026. The next set of challenges will come from the deployment data itself: which hybrid configurations cause interoperability failures in production, how organizations handle the first real PQC vulnerability disclosure, what the actual cost data shows versus estimates, and how the MTC transition affects certificate lifecycle management at scale.

The framework will continue to evolve as those lessons accumulate. The surveys will continue to track the global methodology landscape. Both remain free, open, and available at PQCFramework.com.

If you are starting a PQC migration program, the framework and the Quick Start Guide will get you from zero to a chartered, governed program in 90 days. If you are mid-program and encountering deployment constraints, the v2.0 additions on environment classification, the two-track model, and the PKI architecture fork address the specific problems that are stalling programs in production.

If you are a practitioner who has used the framework and has feedback, corrections, or experience to share, I want to hear from you. The framework is better when it reflects what actually works in the field, not just what looks good on paper.

For additional reading, the Practical Steps to Quantum Readiness guide provides the end-to-end migration playbook, and Quantum Ready brings the complete picture together in a single reference.


Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.