Playbook
Q-Day readiness: a 90-day playbook for mid-market teams
You do not need a three-year strategy deck on day one. You need a 90-day plan with artifacts your board and auditors can verify.
Days 1–30: Baseline inventory
- Run live or fixture scan on external TLS footprint
- Export CycloneDX CBOM JSON
- Map findings to active frameworks (NSM-10, CMMC, PCI-DSS 4.0, HIPAA)
- Present readiness score and top-five findings to leadership
Days 31–60: Prioritize and assign
- Rank backlog by deadline tier and HNDL shelf-life
- Assign owners to top findings
- Pilot hybrid TLS on non-production path
- Download executive briefing at
/q-day/briefingfor board readout
Days 61–90: Prove and monitor
- Attach re-scan proof to first remediation items
- Schedule Monitor cadence aligned to release cycle
- Pitch Monitor tier before next board cycle
- Verify signed reports at
/verifyindependently
Honest expectations
Quantum-vulnerable does not mean broken today. This playbook produces inventory evidence — not a formal audit attestation. Google and Cloudflare's 2029 planning signals mean migration work starts now regardless of exact Q-Day date.
Continue on the Q-Day hub: Q-Day readiness hub
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-03
- National Security Memorandum on Post-Quantum Cryptography (NSM-10)White House · 2022-05Federal mandate requiring migration away from quantum-vulnerable algorithms by 2035.
- NIST IR 8547: Transition to Post-Quantum Cryptography StandardsNIST · 2024Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
- Google bumps up Q Day deadline to 2029Ars Technica · 2026-03Coverage of Google's accelerated 2029 post-quantum readiness target and industry timeline shift.
See your exposure with evidence
Run a live PQC inventory scan, export a CBOM, and verify signed reports independently.