Work With Us

Three scopes of work. Each fixed in scope, fixed in fee, and built around one principle: the output has to survive contact with the board, the regulator, the engineering team, and the vendor. Every layer of the organization that will touch the work.

A

ENTRY DIAGNOSTIC

Quantum Risk and Cryptographic Exposure Baseline

An organization with board reporting obligations on quantum risk, a regulatory environment that is beginning to ask questions, or an upcoming audit that will touch cryptographic posture needs one thing first: an accurate picture of where the exposure actually is.

This engagement produces that picture in a bounded, time-fixed scope. The deliverable is a board-ready risk baseline: a documented view of cryptographic exposure, HNDL and Non-HNDL risk profile, and a clear assessment of where gaps require immediate governance attention and where active migration planning is warranted. Written for the board and defensible to the regulator. This is the document that allows leadership to understand the exposure and commission the transition work that follows.

STRUCTURE

Fixed scope · Fixed fee

DURATION

2–3 weeks

FEE

Scoped to organizational complexity

WHAT THIS ENGAGEMENT INCLUDES

  • Quantum risk framing calibrated to data longevity profile and operational environment
  • Cryptographic presence map covering PKI, TLS termination, code signing, identity infrastructure, and third-party dependencies
  • HNDL and Non-HNDL risk classification for in-scope systems, with Evidence Confidence documented per finding
  • Vendor dependency snapshot covering cryptographic surfaces outside direct control and current vendor roadmap posture
  • Board-ready risk and investment memorandum: a document the board, legal team, and regulator can review, with risk framed in business impact language

WHO THIS IS FOR · CISOs and CTOs with board reporting obligations on quantum risk, organizations entering a regulatory environment beginning to require documented PQC readiness posture, and leadership teams that need a defensible starting point before committing to a full transition program.

Addie LaMarr leads every Baseline engagement personally.

A redacted sample Board-Ready Risk & Investment Memorandum is available to read in full.

B

FLAGSHIP ENGAGEMENT

Quantum-Ready Cryptography Transition Blueprint

The Blueprint takes an organization from no visibility to a board-approved, engineering-executable, procurement-usable transition plan. The entire QRMF runs across this engagement — full Pre-CBOM and CBOM inventory, HNDL and Non-HNDL risk registers, vendor dependency and leverage assessment, scored risk model, action-required generation with ownership routing, and phased roadmap development.

STRUCTURE

Fixed scope · Fixed fee

DURATION

6–10 weeks

FEE

Scoped to organizational complexity

DELIVERABLES AT STAGE 10

  • Cryptographic Inventory Strategy

    A complete, evidence-classified map of where cryptography exists across systems, data flows, and vendor dependencies. Every entry has an Evidence Confidence level. Every unknown is labeled.

  • Prioritized Risk Model

    HNDL and Non-HNDL risk registers in executive language, scored by business impact, data longevity, and migration complexity. Mosca's Theorem applied to the actual environment.

  • Board-Ready Roadmap

    A phased, dependency-aware transition plan with wave sequencing, decision gates, vendor escalation requirements, and investment narrative.

  • Governance Operating Model

    Decision rights, escalation paths, quarterly review cadence, and vendor accountability structure for the multi-year horizon that PQC migration requires.

Addie LaMarr leads the governance design, executive alignment, and board deliverable review on every Blueprint engagement.

D

ONGOING ASSURANCE

Quantum Risk Governance Retainer

The QRMF produces a roadmap. The roadmap is a point-in-time document. As NIST standards evolve, as vendor roadmaps shift, and as organizational priorities change, the governance structure that keeps the transition on track requires ongoing maintenance.

The Governance Retainer provides quarterly board memo refresh, vendor posture reviews for the critical dependencies identified in the initial engagement, and monthly decision support — capped at defined hours, with defined response windows and explicit exclusions.

This is an access retainer: structured around capped hours, defined response windows, and explicit scope boundaries. Offered selectively to organizations that have completed an initial engagement and have an established transition governance structure.

STRUCTURE

Monthly retainer

TERM

6–12 month basis

FEE

Scoped to governance requirements

WHAT THIS COVERS

  • Quarterly board memo refresh
  • Vendor posture reviews for critical dependencies
  • Monthly decision support within capped hours and defined response windows
  • Direct access to Addie LaMarr. Every conversation is with the founder.

WHAT LAMARR LABS DOES NOT DO

This is not a list of limitations. It is a design choice that preserves the thing that makes the advisory valuable: independence.

  • Does not design, sell, or implement cryptographic tools
  • Does not take hourly engagements or open-ended retainers outside a scoped structure
  • Does not run standing meetings, manage internal project tooling, or perform staff augmentation
  • Does not perform general cybersecurity assessments or compliance checkbox exercises

How an Engagement Begins

The briefing request initiates a 30-minute alignment conversation. We determine whether there is fit. If there is, a structured proposal follows with defined scope, fixed fee, and specific deliverables. If there isn't, we say that and recommend what the right next step is.
