
PQC Governance & Policy

Establish governance frameworks, define roles, and create policies that guide your organization's PQC transition.

Why PQC Governance Matters

The transition to post-quantum cryptography (PQC) is not just a technical upgrade; it is an enterprise-wide transformation that touches every system, vendor, and compliance obligation. Without formal governance, organizations risk fragmented migration efforts, missed deadlines, and security gaps.

OMB Memorandum M-23-02 directs federal agencies to establish governance structures with clear roles, responsibilities, and executive sponsorship for their cryptographic transition to post-quantum algorithms — a model that applies equally to private-sector organizations managing complex PQC migrations.

— OMB M-23-02, Migrating to Post-Quantum Cryptography (2022)

Coordination

Align security, engineering, compliance, and procurement teams on a unified migration roadmap.

Accountability

Clear ownership of decisions — who selects algorithms, who approves exceptions, who tracks compliance.

Consistency

Enterprise-wide cryptographic standards prevent teams from making conflicting algorithm and library choices.

RACI: Roles & Responsibilities

A RACI matrix (Responsible, Accountable, Consulted, Informed) is the standard tool for mapping governance roles to migration activities. Every PQC program needs clarity on who does the work, who owns the decision, who provides input, and who needs to know.

R (Responsible): Does the work

A (Accountable): Owns the decision

C (Consulted): Provides input

I (Informed): Kept in the loop

Key rule: Each activity should have exactly one "A" (Accountable) to avoid diffusion of responsibility. Multiple "R" and "C" assignments are common for cross-functional work.

Policy Hierarchy

PQC governance requires a layered policy framework. Each layer provides increasing specificity, from enterprise-wide principles to team-level procedures.

1. Enterprise Cryptographic Policy
   High-level principles: approved algorithms, prohibited algorithms, exception process, compliance obligations.
   Approved by: CISO / Board

2. Key Management Policy
   Key lifecycle rules: generation, storage, rotation, destruction. HSM requirements. PQC key sizes and parameters.
   Approved by: CISO / CTO

3. Vendor Crypto Requirements
   What cryptographic capabilities vendors must demonstrate. PQC readiness criteria for procurement.
   Approved by: Procurement / CISO

4. Migration Timeline Policy
   Deadlines for each migration phase, system prioritization criteria, hybrid deployment requirements.
   Approved by: CTO / CISO

Learning module content can be inaccurate. Please double-check its information. Report inaccuracies in PQC Today GitHub Discussions.