The Framework
A structured, evidence-gated methodology for post-quantum cryptographic transition governance. Every cryptographic claim is classified by Evidence Confidence level. The same inputs produce the same action routing every time.
Why the Framework Exists
The standard failure mode in post-quantum advisory: a firm produces an inventory based on assumptions, assigns urgency based on generic threat timelines, and delivers a roadmap that cannot survive contact with the actual engineering environment, the vendor landscape, or the procurement process.
The structural gap in most post-quantum assessments is methodological. When evidence quality is unclassified, assumptions carry the same weight as verified artifacts. When risk types are consolidated rather than separated, long-term confidentiality exposure gets addressed with the same urgency and action types as trust and integrity exposure. When vendor dependency is treated as adjacent rather than central, the roadmap is coherent on paper and unexecutable in practice.
The QRMF was designed to prevent each of those failure modes, systematically.
The Foundational Distinction
Before any assessment begins, two fundamentally different types of quantum risk are separated. Getting this wrong makes the entire risk model wrong.
HNDL: Harvest-Now-Decrypt-Later
An adversary intercepts and stores your encrypted data today. They cannot read it yet. When a cryptographically relevant quantum computer exists, they decrypt it retroactively. This attack is already in its collection phase.
What's at risk: any asymmetric encryption protecting data with a long confidentiality lifetime: VPN traffic, encrypted backups, TLS sessions carrying long-lived sensitive data.
The governing question: How long does this data need to remain secret? Apply Mosca's Theorem: if the required confidentiality period plus the migration timeline exceeds the quantum-window estimate, HNDL risk is active and the window is closing.
NON-HNDL: Trust, Integrity, and Authentication
A quantum computer breaks the digital signature algorithms protecting PKI, code signing infrastructure, device identity, and certificate chains. An attacker can forge certificates, sign malware as legitimate software, impersonate a certificate authority, and spoof device identity.
What's at risk: every system that trusts a digital signature — certificate chains, code signing pipelines, admin access, identity federation, token validation.
The governing question: What is the blast radius if the certificate authority's signature becomes forgeable?
These two risk types require different action categories, different sequencing, and different ownership routing. A roadmap that conflates them produces the wrong recommendations for both.
How the Methodology Works
The QRMF runs in six phases across a structured 10-stage engagement sequence. The same inputs produce the same action routing every time.
01 Orient
Establish scope, stakeholder ownership, and data longevity classifications before discovery begins. The most sensitive decisions in any engagement happen at this stage: which systems are in scope, who controls access, and what data longevity profiles drive the Mosca's Theorem calculations that determine urgency.
02 Inventory
Build the Cryptographic Bill of Materials across two layers. Pre-CBOM discovery captures operational truth: system boundaries, trust boundaries, data flows, and likely cryptographic surfaces in business language. CBOM normalization converts that to algorithm-level inventory with explicit Evidence Confidence per record: Verified, Documented, Inferred, Assumed, or Unknown. Unknown evidence halts action routing; it does not produce recommendations.
03 Assess
Three parallel workstreams: HNDL analysis builds the long-term confidentiality risk register. Non-HNDL analysis maps trust chain exposure and blast radius. Vendor assessment maps every cryptographic surface outside direct organizational control, interrogates vendor roadmaps, and identifies contractual leverage points and blockers.
04 Plan
Risk scoring applies business impact multipliers, with Evidence Confidence gating the weight of each record. Action-Required Generation converts scored records into deterministic, routable actions. Every finding routes to one of twelve defined action categories, each with explicit ownership logic. There is no improvisation.
05 Execute
The roadmap sequences actions into a dependency-aware transition plan aligned to tech refresh cycles, contract renewals, and budget windows. Wave sequencing places high-confidence internal-control items first and complex vendor-dependent work in later waves, each with defined decision gates.
06 Sustain
The Governance Operating Model establishes decision rights, escalation protocols, a quarterly review cadence, and a vendor accountability structure that keeps the transition moving across the multi-year horizon that PQC migration realistically requires.
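As an added illustration of the Inventory and Plan phases above (this is not LaMarr Labs code, and it does not reproduce the QRMF's actual scoring or its twelve action categories): a small Python router that applies Mosca's inequality to HNDL records, halts routing on Unknown evidence, weights scores by Evidence Confidence, and returns the same ordered routing for the same CBOM input. The field names, confidence weights, action names and sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
# Assumed weights for illustration; "Unknown" is deliberately absent so that
# it halts routing instead of being weighted.
CONFIDENCE_WEIGHT = {"Verified": 1.0, "Documented": 0.8, "Inferred": 0.5, "Assumed": 0.3}

@dataclass(frozen=True)
class CbomRecord:
    system: str
    algorithm: str
    risk_type: str                       # "HNDL" or "NON-HNDL"
    confidence: str                      # one of the five Evidence Confidence levels
    vendor_controlled: bool              # surface outside direct organizational control
    business_impact: float = 1.0         # multiplier applied at the Plan phase
    confidentiality_years: float = 0.0   # x in Mosca's Theorem (HNDL only)
    migration_years: float = 0.0         # y in Mosca's Theorem (HNDL only)

def mosca_active(x_years, y_years, z_years):
    """Mosca's Theorem: risk is active when x + y > z (z = years until a CRQC)."""
    return x_years + y_years > z_years

def route(rec, quantum_window_years):
    """Map one CBOM record to (action, score); action names are placeholders."""
    if rec.confidence not in CONFIDENCE_WEIGHT:      # Unknown: halt, no recommendation
        return ("HALT_EVIDENCE_UNKNOWN", 0.0)
    score = round(rec.business_impact * CONFIDENCE_WEIGHT[rec.confidence], 2)
    if rec.risk_type == "HNDL":
        if not mosca_active(rec.confidentiality_years, rec.migration_years, quantum_window_years):
            return ("MONITOR_HNDL", score)           # still inside the window: watch, not migrate
        action = "MIGRATE_CONFIDENTIALITY"
    elif rec.risk_type == "NON-HNDL":
        action = "REPLACE_SIGNATURE_TRUST"
    else:
        raise ValueError(f"unknown risk type: {rec.risk_type}")
    if rec.vendor_controlled:                        # vendor pressure, not internal engineering
        action = "VENDOR_" + action
    return (action, score)

def route_all(records, quantum_window_years):
    """Deterministic ordering: score descending, then system name."""
    routed = [(r.system, *route(r, quantum_window_years)) for r in records]
    return sorted(routed, key=lambda t: (-t[2], t[0]))

# Constructed sample CBOM records, not real inventory data.
SAMPLE = [
    CbomRecord("backup-vault", "RSA-2048", "HNDL", "Verified", False, 2.0, 15, 4),
    CbomRecord("saas-sso", "ECDSA-P256", "NON-HNDL", "Documented", True, 1.5),
    CbomRecord("legacy-vpn", "RSA-2048", "HNDL", "Unknown", True, 3.0, 10, 3),
    CbomRecord("log-archive", "X25519", "HNDL", "Inferred", False, 1.0, 2, 3),
]
```

Running `route_all(SAMPLE, 12)` puts the verified, long-lived backup data first, routes the vendor-held signing surface to vendor pressure, and leaves the Unknown-evidence VPN unrouted with no recommendation.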
What Makes This Different
vs. Big 4 firms
Tighter logic, more deterministic structure, and fewer layers between evidence and roadmap. Large engagements carry a specific operational risk: the codebase and vendor landscape shift during a 12-18 month timeline, so the inventory arrives describing an environment that has already moved. Phase 1 at LaMarr Labs completes in two to four weeks. The inventory is current when it lands.
vs. Generic cybersecurity firms
Cryptographic specificity, real separation of confidentiality risk from trust and integrity risk, and a transition architecture that accounts for vendor dependency as a central constraint rather than an afterthought.
vs. Implementation shops
Structural independence, board-legible planning, and a roadmap that is not shaped by a product or service the firm needs to sell against it.
vs. Vendors
Neutrality, willingness to apply vendor pressure where warranted, and a governance system built around the client's interests rather than the vendor's roadmap timeline.