The client is going to say it. Probably soon.

“Hold on. We already pay you for managed services. This PQC migration should be included in the current SLA.”

That line is coming. It is not a budget objection. It is a category mistake. The client is treating a one-time architectural transformation as routine maintenance. They are not the same thing.

Your managed services SLA covers keeping the environment running against threats that existed when the contract was signed. Patch management. Endpoint monitoring. Backup verification. Incident response on known vectors. That is operational maintenance.

Post-quantum migration is not maintenance. It is discovery and replacement of the cryptographic foundation itself. The work spans on-premises systems, cloud environments, endpoints, certificates, code-signing keys, API libraries, and third-party dependencies. None of that was in scope when most SLAs were written.

The historical parallel is exact. In 2014 clients said cloud migration should be included in the IT contract. It was not. It was a project. In 2017 they said cybersecurity audits should be included in managed services. They were not. They became a separate practice. Today the same argument appears for PQC. Same fight, third round.

Here is the boundary in plain terms.

Inside the SLA              Outside the SLA
--------------------------  -----------------------------------------------------------------------
Patch the OS                Replace the cryptographic primitive in the OS
Renew the certificate       Re-architect the PKI hierarchy
Monitor the firewall        Inventory every TLS handshake, IPsec tunnel, and embedded crypto library
Back up the database        Re-encrypt data at rest under hybrid or PQC algorithms
Manage the VPN              Replace appliances that cannot support ML-KEM

Crypto inventory alone runs 120 to 400 labor hours on a typical mid-market environment. It requires specialized tooling and produces a Cryptographic Bill of Materials (CBOM) that did not exist in any prior contract. Migration itself is a multi-year program measured in hundreds of thousands of dollars for most organizations. Bundling either into the flat monthly fee sets the precedent that every future architectural shift is free. That precedent destroys margin and leaves the client with an underfunded migration that fails when the real deadline arrives.

The right answer in the room is not defensive. It is clarifying.

“I hear you. Your SLA covers us maintaining the environment you have today against the threats we both understood when we signed it. What we are talking about now is mapping every cryptographic asset across your business and replacing the algorithms because the standards have changed. That is a defined project with a start, an end, and deliverables. It is the same reason your cloud migration was not covered under the 2012 contract and your cybersecurity audit was not covered under the 2015 SLA. We are happy to scope it. Here is what the phases look like.”

Then lay out the three phases: discovery, risk assessment and prioritization, and phased remediation. Price the inventory as a fixed engagement. Price the migration as a multi-year program. Both are new work.
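As an added illustration of what the discovery and prioritization phases actually produce (example code, not the newsletter's or IoTSSA's tooling): a minimal CBOM builder in Python. Every inventory row, host name and owner is constructed for the example; the algorithm tables, the three-year migration estimate, the ten-year quantum horizon, and the priority rules are assumptions chosen to show the flow, not vendor guidance. The urgency rule is the familiar Mosca-style check: if the data's shelf life plus the migration time exceeds the horizon, what is encrypted today is already exposed, and key exchange ranks above signatures because recorded traffic can be harvested now and decrypted later.

```python
"""Minimal cryptographic inventory (CBOM) with quantum-risk prioritization.

Added illustration, not the newsletter's or IoTSSA's tooling. The inventory
records below are constructed; the algorithm tables, the migration-time and
quantum-horizon figures, and the priority rules are assumptions.
"""
from dataclasses import dataclass
import json

# Public-key families a cryptographically relevant quantum computer breaks
# outright (Shor's algorithm).
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
# Symmetric and hash primitives that only lose margin (Grover) or are weak anyway.
QUANTUM_WEAKENED = {"AES-128", "3DES", "SHA-256"}
# NIST PQC standards and symmetric sizes generally treated as adequate.
PQC_READY = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA", "AES-256"}

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "review": 4, "none": 5}


@dataclass(frozen=True)
class CryptoAsset:
    asset_id: str
    kind: str                 # tls-server, ipsec-tunnel, code-signing, data-at-rest, ...
    algorithm: str
    purpose: str              # key-exchange, signature, or encryption
    shelf_life_years: float   # how long the protected data or trust must stay valid
    owner: str


def classify(asset: CryptoAsset) -> str:
    """Map an algorithm name to a quantum-risk status."""
    if asset.algorithm in PQC_READY:
        return "pqc-ready"
    if asset.algorithm in QUANTUM_BROKEN:
        return "quantum-broken"
    if asset.algorithm in QUANTUM_WEAKENED:
        return "quantum-weakened"
    return "unknown"          # goes to a human: embedded libs, vendor black boxes


def priority(asset: CryptoAsset, migration_years: float, horizon_years: float) -> str:
    """Mosca-style urgency. If shelf life plus migration time exceeds the
    assumed horizon for a capable quantum computer, data protected today is
    exposed. Key exchange and encryption rank highest (harvest now, decrypt
    later); signatures must move before the horizon but cannot be forged
    retroactively, so they rank one step lower.
    """
    status = classify(asset)
    if status == "pqc-ready":
        return "none"
    if status == "quantum-weakened":
        return "low"
    if status == "unknown":
        return "review"
    exposed = asset.shelf_life_years + migration_years > horizon_years
    if asset.purpose in ("key-exchange", "encryption") and exposed:
        return "critical"
    if exposed:
        return "high"
    return "medium"


def build_cbom(assets, migration_years=3.0, horizon_years=10.0):
    """Produce the CBOM as a list of dicts, most urgent first."""
    rows = []
    for a in assets:
        rows.append({
            "asset_id": a.asset_id, "kind": a.kind, "owner": a.owner,
            "algorithm": a.algorithm, "purpose": a.purpose,
            "status": classify(a),
            "priority": priority(a, migration_years, horizon_years),
        })
    rows.sort(key=lambda r: (PRIORITY_RANK[r["priority"]], r["asset_id"]))
    return rows


def summarize(cbom):
    """Count assets per priority bucket, for the scoping conversation."""
    counts = {}
    for row in cbom:
        counts[row["priority"]] = counts.get(row["priority"], 0) + 1
    return counts


# Constructed sample inventory (hypothetical hosts and owners).
INVENTORY = [
    CryptoAsset("web-01-kex", "tls-server", "X25519", "key-exchange", 10, "app-team"),
    CryptoAsset("web-01-cert", "tls-server", "ECDSA", "signature", 1, "app-team"),
    CryptoAsset("vpn-gw-ipsec", "ipsec-tunnel", "DH", "key-exchange", 8, "network"),
    CryptoAsset("build-signing", "code-signing", "RSA", "signature", 15, "platform"),
    CryptoAsset("db-backup", "data-at-rest", "AES-256", "encryption", 10, "dba"),
    CryptoAsset("legacy-hr-app", "data-at-rest", "3DES", "encryption", 5, "hr-it"),
    CryptoAsset("api-gw-new", "tls-server", "ML-KEM-768", "key-exchange", 10, "app-team"),
]

if __name__ == "__main__":
    cbom = build_cbom(INVENTORY)
    print(json.dumps(cbom, indent=2))
    print(summarize(cbom))
```

In a real engagement the hand-written INVENTORY is replaced by scanner output (certificate stores, TLS and IPsec configuration, library manifests), and the "unknown" and "review" rows are exactly the embedded and vendor-supplied crypto that eats the labor hours; the point of running the classification early is that the priority column, not the raw asset count, is what gets scoped and priced.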

The clients who push hardest on this today are the same ones who will demand the most when timelines slip in 2031. Giving it away now is the least client-friendly move you can make. An underfunded migration is a failed migration. The advisor role means telling them the truth about scope before the pitchforks come out.

This is what staying in the trusted advisor seat looks like on a Tuesday afternoon.

Stay sharp.

The Quantum Guy

The information in this post is provided for general informational purposes only and does not constitute professional, legal, technical, or security advice. Readers act on this content at their own discretion and risk; IoTSSA assumes no liability for any loss or damage arising from its use.