Discover
Automated discovery of cryptographic exposure across approved internet-facing assets, systems, protocols, and third-party dependencies.
Loading page content
OMB M-26-15 readiness sprint
120 days to a defensible PQC Migration Plan.
OMB M-26-15 turns post-quantum cryptography migration into execution work. Agencies now need cryptographic inventory, risk prioritization, automation, CBOM visibility, TLS 1.3 readiness, vendor coordination, and migration governance. Qtonic Quantum Corp helps produce the evidence.
- Plan window
- 120 days
- Agencies must submit PQC Migration Plans to OMB and ONCD within 120 days of June 24, 2026.
- Derived due date
- Oct 22, 2026
- The 120-day plan window from the June 24, 2026 memo lands on October 22, 2026.
- Key-establishment target
- 2030
- EO 14412 sets a 2030 target for transition of vulnerable key-establishment systems.
- Digital-signature target
- 2031
- EO 14412 sets a 2031 target for transition of vulnerable digital-signature systems.
Why this matters now
M-26-15 makes PQC migration operational.
Federal agencies must move from awareness to execution. The memo requires agencies to build migration plans, prioritize high-risk systems, use automation where feasible, and align migration with governance, asset management, supply-chain risk, TLS 1.3, zero trust, and cryptographic agility.
The question is no longer "Are you thinking about quantum risk?"
The question is "Can you prove where your cryptographic exposure is and how you will migrate?"
Qtonic Quantum Corp answer
Qtonic Quantum Corp turns PQC requirements into evidence.
Prioritize
Risk-based prioritization of HVAs, high-impact systems, sensitive data, TLS endpoints, exposed services, and CRQC-vulnerable cryptography.
Document
CBOM-grade reporting, executive dashboards, cryptographic inventory outputs, and migration-plan evidence for owners and leaders.
Monitor
Continuous tracking of migration progress, algorithm exposure, cryptographic agility, vendor readiness, and policy drift through QScout Pulse.
M-26-15 requirement mapping.
| M-26-15 requirement | Qtonic Quantum Corp capability |
|---|---|
| PQC Migration Plan within 120 days | Readiness Sprint produces plan inputs, evidence boundaries, findings, and roadmap inputs. |
| Risk-based prioritization | QScout ranks exposure by system criticality, algorithm risk, migration urgency, and data sensitivity. |
| Automated cryptographic inventory | QScout discovers quantum-vulnerable cryptographic signals and produces structured inventory evidence. |
| CBOM visibility | Qtonic Quantum Corp produces CBOM-grade cryptographic evidence where scope authorizes deeper inventory. |
| TLS 1.3 readiness | QScout evaluates TLS exposure, protocol posture, certificate evidence, and migration gaps. |
| Cryptographic agility | QSolve identifies brittle libraries, hardcoded algorithms, owner gaps, and architecture constraints. |
| Third-party coordination | QSolve turns vendor, SaaS, cloud, and supply-chain questions into migration evidence requests. |
| Continuous reporting | QScout Pulse tracks posture, drift, migration progress, and executive reporting signals over time. |
Readiness sprint
M-26-15 Readiness Sprint.
A focused engagement for agencies, federal contractors, FedRAMP providers, SaaS vendors, and critical infrastructure operators that need defensible PQC migration evidence fast.
- 01Cryptographic exposure inventory
- 02Quantum-vulnerable algorithm detection
- 03CBOM or cryptographic bill of materials package where scope permits
- 04TLS 1.3 and hybrid-PQC readiness review
- 05HVA, high-impact, and sensitive-system prioritization model
- 06Cryptographic agility gap assessment
- 07Vendor and third-party PQC readiness review
- 08Zero Trust and PQC dependency map
- 09Executive risk dashboard
- 10OMB M-26-15 migration-plan input package
Source tag: M-26-15 Readiness
This form does not start an automated assessment. A Qtonic Quantum Corp analyst confirms requester authority and scope before work begins.
Built for organizations now in the blast radius.
Federal agencies
Need migration plans, governance, inventory, prioritization, and reporting evidence.
Federal contractors
Need readiness evidence before agency customers turn PQC proof into a procurement question.
Cloud and SaaS providers
Need to show shared-responsibility posture, TLS readiness, cryptographic agility, and vendor alignment.
Critical infrastructure
Need to identify long-lived sensitive data, exposed systems, and quantum-vulnerable dependencies before migration pressure becomes operational risk.
The migration window has started.
2026
Plan and inventory
Build PQC Migration Plan inputs, crypto inventory, ownership, automation path, and risk prioritization.
2027-2028
Pilot and sequence
Validate priority systems, resolve vendor dependencies, and sequence migration work by blast radius.
2028-2030
Priority migration
Move HVAs, high-impact systems, long-lived sensitive data, and exposed asymmetric cryptography first.
Jan 2, 2030
TLS 1.3 support
Support TLS 1.3 in the federal timeline while preparing hybrid and PQC-ready transition paths.
2031
Signature migration
Transition priority digital-signature systems where vulnerable algorithms remain in the trust chain.
2035
Remaining migration
Close the long tail of non-priority systems, vendor dependencies, and cryptographic-agility gaps.
Qtonic Quantum Corp helps organizations start at the only place migration can start: knowing what cryptography they actually use.
One stack for PQC discovery, proof, and migration.
QScout
Cryptographic and external exposure discovery. Identifies quantum-vulnerable signals, protocol risks, TLS posture, and exposed systems.
QScout Pulse
Continuous monitoring of cryptographic debt, migration progress, vendor exposure, and posture drift.
QSolve
Migration planning and governance. Converts findings into architecture, procurement, budget, and roadmap decisions.
QStrike
Governed validation for higher-assurance environments where migration decisions need deeper technical proof.
Buyer-specific next steps.
For agencies
Need to submit a PQC Migration Plan?
We help produce inventory, prioritization, governance inputs, and an evidence package.
Talk to federal teamFor contractors
Your agency customers will ask for PQC evidence.
We help prepare readiness evidence before it becomes a procurement blocker.
Assess contractor readinessFor SaaS and cloud
Prove your cryptographic readiness.
We assess TLS, cryptographic agility, shared-responsibility gaps, and vendor dependencies.
Evaluate SaaS readinessSource-bound claims.
PQC Migration Plans due within 120 days of June 24, 2026.
Used for: Plan inputs, inventory evidence, prioritization, and governance.
2030 key-establishment target, 2031 digital-signature target, CBOM guidance, and proposed FAR rulemaking direction.
Used for: Timeline, contractor-readiness framing, and CBOM evidence path.
NIST approved FIPS 203, 204, and 205 for PQC on August 13, 2024.
Used for: Algorithm migration and standards language.
Initial public draft guidance for migration to PQC.
Used for: Planning guidance; not treated as final law.
CISA product categories help buyers structure PQC adoption questions.
Used for: Vendor and solution-class evidence requests.
Do not wait for the procurement question.
M-26-15 creates a new federal operating reality. Agencies need plans. Contractors need proof. Cloud providers need shared-responsibility clarity. Software vendors need cryptographic agility. Boards need evidence.
Qtonic Quantum Corp helps support migration planning. It does not claim OMB approval, government certification, guaranteed compliance, or required-vendor status.
Prefer the existing federal readiness router? Open Federal PQC Evidence Readiness.