You Got the Yes. Now Scope It Right.

Two weeks ago I told you to leave the heat map call with a verbal yes on the migration roadmap. A few of you wrote back. Same question, different wording: “Okay. What does that proposal actually look like?”

Good. Let’s build it.

What You Are Selling

First, get clear on what a quantum migration roadmap actually is because if you are fuzzy on this, the proposal will be fuzzy and the client will feel it.

You are not selling a project. You are selling a program.

Projects have end dates. They get signed off, invoiced, and closed. The budget owner moves on. A quantum migration is a 5-7 year architectural transition that will touch every layer of the client’s environment, transport, identity, data and applications on a rolling schedule tied to vendor readiness, regulatory timelines, and the evolution of the threat landscape.

That is a program. It is scoped in phases. It is governed quarterly. It is billed accordingly.

When you walk in with a project proposal, you are leaving years of recurring revenue on the table and setting yourself up to own a scope that will grow without compensation. Do not do that.

The Three Phase Structure

If you followed the inventory work from two weeks ago, you already have the raw material. Now you sequence it.

Phase One, Quick wins, 90 days. Perimeter and transit layer. TLS configurations, VPN cipher suites, exposed certificate chains. This is your fastest path to demonstrable progress and your proof of concept for the client relationship. Specify the target state, supervise execution, verify it. Done.

Phase Two, Long retention data, 6-18 months. This is the harvest now exposure. Encrypted backups, database key wrapping, archived file stores. NIST finalized ML-KEM and ML-DSA in 2024 – FIPS 203 and 204. Both are production ready. Your vendors should support them. If they do not, document that as a vendor risk and factor it into the timeline.

Phase Three, Applications and APIs, 12-36 months. The long tail. Custom applications, EHR integrations, line of business software, anything calling an external service over a signed or encrypted channel. This phase lives or dies on vendor roadmaps you do not fully control. Build that dependency into your scope explicitly. It protects you when a vendor misses a deadline.

What You Put in the Proposal

Four sections. Nothing more.

One – Executive summary. Two paragraphs. What you found, what it means for their specific data exposure, what the program delivers. Written for the person who will not read the rest of the document.

Two – Findings summary. Pull directly from the inventory one pager. Red, yellow, green by layer. Do not editorialize here. Let the data make the case.

Three – Phase plan. Timeline, deliverables, and your role in each phase. Be specific about what requires vendor coordination and what does not.

Four – Investment. Phase One as a fixed engagement. Phases Two and Three as estimated ranges with a quarterly governance retainer. The retainer is the recurring revenue line. Name it explicitly.

The Conversation They Are Not Expecting

Here is the sentence that changes the dynamic in the room.

“This document is something you can take to your cyber insurer.”

Most of your clients do not know that their insurer is already watching the quantum transition. They do not know that within 18-24 months, carriers writing cyber policies for regulated industries are going to start asking about PQC posture the same way they ask about MFA and EDR today. A documented migration roadmap with a signed engagement letter is the kind of evidence underwriters notice.

You are not just managing their infrastructure anymore. You are building their audit file. That is a different kind of trusted advisor.

The Honest Skill Check

If you got through the inventory, ran the heat map conversation, and landed the roadmap engagement, you have done more quantum-readiness work than 90% of the channel. Genuinely. That matters.

But scoping a three phase PQC migration across a complex client environment requires a level of technical depth that most of us did not come up with. The NIST standards are real documents with real implementation requirements. Vendor roadmap evaluation is a structured discipline. Client facing migration governance is a skill that takes time to build.

Monday Morning Move

  1. Take the verbal yes from two weeks ago and turn it into a written scope by Friday.
  2. Use the three phase structure above as your framework.
  3. Include the cyber insurer line in the executive summary. Watch the room change.

The program is yours to run. Build it right from the start.

Stay sharp.

The Quantum Guy

The information in this post is provided for general informational purposes only and does not constitute professional, legal, technical, or security advice. Readers act on this content at their own discretion and risk; IoTSSA assumes no liability for any loss or damage arising from its use.