Quantum migration isn’t a future concern, it’s a present-tense priority. In this episode of Shielded: The Last Line of Cyber Defense, Johannes Lintzen and Dr. Garfield Jones take a deep dive into the practical challenges of post-quantum migration, focusing on how organizations can apply the APA framework (Awareness, Preparedness, Action) to make their cybersecurity future-proof. From procurement and inventory to legacy system challenges and vendor alignment, Dr. Jones shares a tactical roadmap to help organizations start moving today.

Dr. Garfield Jones is the Associate Chief of Strategic Technology at CISA, part of the U.S. Department of Homeland Security. He is a leading figure in quantum security strategy and played a key role in shaping the APA framework (Awareness, Preparedness, Action). With expertise in AI, machine learning, and infrastructure protection, he is helping U.S. agencies and partners prepare for a cryptographic future shaped by quantum computing.

Quantum migration starts with the APA model: Awareness, Preparedness, and Action. Awareness means identifying your cryptographic footprint across software, hardware, vendors, and internal systems. Preparedness requires budgeting for upgrades, creating internal migration roadmaps, and prioritizing systems based on risk. Action brings these plans to life with procurement updates, patching schedules, contract renegotiations, and system deployments. Migration is not a future problem, it is an urgent operational priority. Organizations that delay will face steeper costs, rushed transitions, and possible security gaps. Key Question: Has your organization operationalized the APA framework into an actionable migration plan?

Quantum migration needs a clear owner, not a committee. Assign a PQC champion empowered to lead across security, IT, procurement, and leadership. Their first mission is a cryptographic inventory. Catalog every place encryption, digital signatures, and cryptographic key management are used, including internal systems, APIs, certificates, and vendor platforms. Inventorying is not optional. Without a full map, risk prioritization, budgeting, and timeline development are impossible. Key Question: Have you appointed a PQC champion and started building a verified cryptographic inventory?

Post-quantum migration will not happen overnight. Many environments must support both classical and quantum-safe algorithms during a multi-year transition. Prioritize forward-facing, high-risk systems first, such as customer portals, external interfaces, and remote authentication systems. Assess which assets require full replacement versus those that can use middleware, protocol proxies, or hybrid solutions. Planning for coexistence ensures operational continuity while securing the most critical assets first. Key Question: Has your team mapped systems into categories for full replacement or phased hybrid upgrades?

Every new system you buy should already be on the path to post-quantum compliance. Update RFP templates, procurement policies, and vendor contracts to include requirements for PQC readiness, adoption of NIST-approved algorithms, and cryptographic agility. Ensure vendors demonstrate their quantum migration roadmap during evaluations. Procurement is not just a finance issue, it is your frontline for securing future resilience. Key Question: Have you updated procurement processes to require quantum-resilient solutions and vendor roadmaps?

Automation can rapidly identify cryptographic assets, but it is not enough on its own. Combine automated cryptographic discovery with manual verification. Experts catch context-specific errors, validate system relevance, and prioritize risks effectively. A blended approach ensures your inventory is accurate, comprehensive, and ready to drive informed migration planning.

Key Question: Are you combining automated discovery with expert manual validation in your cryptographic inventory?

Compliance deadlines such as OMB 23-02 are more than bureaucratic hurdles. They are action triggers that can align leadership support, unlock budgets, and drive internal momentum. Treat compliance mandates as organizational deadlines for inventorying, planning, and upgrading systems. Organizations that start now will avoid costly last-minute scrambles.

Key Question: Are you treating compliance frameworks as strategic accelerators for quantum migration?

Quantum threats target encryption and authentication systems equally. Digital signatures, certificates, identity management platforms, and transactional validation must all be post-quantum ready. Organizations should assess their PKI infrastructure now and plan parallel upgrade tracks for data protection and system trust. Key Question: Are authentication systems fully included in your post-quantum migration roadmap?

AI and machine learning can improve cryptographic discovery, pattern detection, and asset categorization. However, AI tools should augment, not replace, expert decision-making. Experts are essential for validating asset contexts, prioritizing risks, and building migration schedules. Maintain human oversight for all strategic migration decisions. Key Question: Is your AI deployment structured to enhance, not replace, expert-driven migration work?

Different countries may adopt different post-quantum standards. Your systems must be flexible enough to negotiate between varying algorithms and maintain secure interoperability across borders. Build that flexibility into your communications protocols and infrastructure planning today. Key Question: Are your systems architected for algorithm negotiation and cross-border post-quantum compatibility?

Quantum readiness does not stop at your organizational boundaries. Vendors, contractors, and suppliers must also align with post-quantum standards. Engage partners early to assess their migration plans, share best practices, and synchronize timelines where possible. A secure organization surrounded by vulnerable suppliers remains exposed. Key Question: Are your suppliers and partners actively aligning to post-quantum standards with you?

Want exclusive insights on post-quantum security? Stay ahead of the curve—subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, and YouTube Podcasts.

✔ Get insider knowledge from leading cybersecurity experts.

✔ Learn practical steps to future-proof your organization.

✔ Stay updated on regulatory changes and industry trends.

Need help subscribing? Click here for step-by-step instructions.