The Framework
A structured, evidence-gated methodology for post-quantum cryptographic transition governance. Every cryptographic claim is classified by Evidence Confidence level. The same inputs produce the same action routing every time.
Why the Framework Exists
The standard failure mode in post-quantum advisory: a firm produces an inventory based on assumptions, assigns urgency based on generic threat timelines, and delivers a roadmap that cannot survive contact with the actual engineering environment, the vendor landscape, or the procurement process.
The structural gap in most post-quantum assessments is methodological. When evidence quality is unclassified, assumptions carry the same weight as verified artifacts. When risk types are consolidated rather than separated, long-term confidentiality exposure gets addressed with the same urgency and action types as trust and integrity exposure. When vendor dependency is treated as adjacent rather than central, the roadmap is coherent on paper and unexecutable in practice.
The QRMF was designed to prevent each of those failure modes, systematically.
The Foundational Distinction
Before any assessment begins, two fundamentally different types of quantum risk are separated. Getting this wrong makes the entire risk model wrong.
HNDL
Harvest-Now-Decrypt-Later
An adversary intercepts and stores your encrypted data today. They cannot read it yet. When a cryptographically relevant quantum computer exists, they decrypt it retroactively. The collection phase is already underway, which is why the relevant clock is the collection date, not the decryption date.
What's at risk: any asymmetric encryption protecting data with a long confidentiality lifetime: VPN traffic, encrypted backups, TLS sessions carrying long-lived sensitive data.
The governing question: How long does this data need to remain secret? Apply Mosca's Theorem. If required confidentiality period plus migration timeline exceeds the quantum window estimate, HNDL risk is active and the window is closing.
NON-HNDL
Trust, Integrity, and Authentication
A quantum computer breaks the digital signature algorithms protecting PKI, code signing infrastructure, device identity, and certificate chains. An attacker can forge certificates, sign malware as legitimate software, impersonate a certificate authority, and spoof device identity.
What's at risk: every system that trusts a digital signature, from certificate chains and code signing pipelines to admin access, identity federation, and token validation.
The governing question: What is the blast radius if the certificate authority's signature becomes forgeable?
These two risk types require different action categories, different sequencing, and different ownership routing. A roadmap that conflates them produces the wrong recommendations for both.
The Decision Model
Most cryptographic planning treats the threat as a fixed list: here are the algorithms at risk, migrate them. The adversary is not a fixed list. They are a strategic actor who chooses where to invest cryptanalysis, what to harvest, and when, and who responds to whatever you commit to. Deciding cryptography against an opponent who optimizes against your choices is a game, and the rigorous tool for a game is game theory.
LaMarr Labs models the transition as a leader-follower game: you commit to a cryptographic portfolio first, the adversary best-responds, and the equilibrium identifies the portfolio that holds up against their optimal response rather than against a static threat estimate. A hybrid set is weighted so no single break collapses the estate. This is the answer a single-algorithm migration cannot give: which algorithms, why this specific mix, and why it stays defensible even if one assumption fails.
How the Methodology Works
The QRMF runs in six phases across a structured 10-stage engagement sequence. The same inputs produce the same action routing every time.
01
Orient
Establish scope, stakeholder ownership, and data longevity classifications before discovery begins. The most sensitive decisions in any engagement happen at this stage: which systems are in scope, who controls access, and what data longevity profiles drive the Mosca's Theorem calculations that determine urgency.
02
Inventory
Build the CycloneDX-aligned Cryptographic Bill of Materials across two layers. Discovery captures operational truth: system boundaries, trust boundaries, data flows, and likely cryptographic surfaces in business language. Normalization converts that to algorithm-level inventory with explicit Evidence Confidence per record: Verified, Documented, Inferred, Assumed, or Unknown. Unknown evidence halts action routing; it does not produce recommendations.
03
Assess
Three parallel workstreams: HNDL analysis builds the long-term confidentiality risk register. Non-HNDL analysis maps trust chain exposure and blast radius. Vendor assessment maps every cryptographic surface outside direct organizational control, interrogates vendor roadmaps, and identifies contractual leverage points and blockers.
04
Plan
Risk scoring applies business impact multipliers, with Evidence Confidence gating the weight of each record. Action-Required Generation converts scored records into deterministic, routable actions. Every finding routes to one of twelve defined action categories, each with explicit ownership logic. Where the choice is which cryptography to trust and in what mix, the portfolio-equilibrium model decides it. There is no improvisation.
05
Execute
The roadmap sequences actions into a dependency-aware transition plan aligned to tech refresh cycles, contract renewals, and budget windows. Wave sequencing places high-confidence internal-control items first, complex vendor-dependent work in later waves with defined decision gates.
06
Sustain
The Governance Operating Model establishes decision rights, escalation protocols, quarterly review cadence, and vendor accountability structure that keeps the transition moving across the multi-year horizon PQC migration realistically requires.
What Makes This Different
vs. firms that read the same papers
Most post-quantum advice is assembled from the same public research everyone reads. We verify it against primary sources instead of trusting it. When we reverse-engineered the academic model our portfolio tooling rests on, we found an error its peer reviewers had missed, and the authors confirmed it in writing. That is the difference between citing research and being able to defend it.
vs. scanner-based discovery
A network scanner sees what a connection negotiates, not what a system permits. A server can present a clean handshake and still allow quantum-vulnerable cryptography in its configuration: in one analysis of 8,443 real-world Nginx configurations, 21.8% still permitted TLS 1.0 or 1.1 at the configuration layer while negotiating modern TLS in practice (Balaji et al., 2026). We extract cryptography at the configuration layer, so the inventory reflects what is actually allowed, not just what happened to be observed.
vs. assessments that don't grade their evidence
Most assessments record what they're told and present it as fact. We extract the evidence and grade every finding by Evidence Confidence (Verified, Documented, Inferred, Assumed, or Unknown), and Unknown halts the recommendation instead of papering over the gap. The board sees what's proven versus what's still a question, which is what makes the roadmap defensible to a regulator.
vs. firms with something to sell on the other side
Implementation shops route the roadmap toward the work they want to sell next; a vendor's guidance ends where its product line ends. LaMarr Labs has nothing to sell on the other side and no product to protect, so the roadmap can tell you not to migrate a system, to delay a wave, or to apply pressure to a vendor it has no relationship with. Independence is what makes a recommendation you can take to the board without an asterisk.
vs. point-in-time assessments
Most assessments are a snapshot that goes stale the moment NIST revises a standard or a vendor changes a roadmap, and a Big-4 inventory can describe an environment that has already moved by the time it lands. The portfolio is weighted to stay robust as the threat landscape shifts, and the engagement closes with a governance operating model, decision rights, escalation paths, and a review cadence, so the transition keeps moving across the multi-year horizon it actually takes. The work keeps holding up long after the engagement ends.