Convert
Remediation backlog prioritization by deadline tier
Migration planning fails when backlog items lack owners, effort estimates, and deadline-tier ordering. Convert ties remediation to framework clocks and re-scan proof.
Prioritize by three axes
- Deadline tier — NSM-10 (2035), CNSA 2.0 (2030–2033), NIST IR 8547 (2030), CMMC (2026–2030)
- Data shelf-life — HNDL exposure for long-lived records
- Blast radius — external TLS, code signing, VPN concentrators first
ECC may break before RSA
Recent research suggests ECC-256 — widely used in TLS and VPNs — may fall on an earlier timeline than RSA-2048 for offline attacks. Tag both algorithm families in your inventory; do not assume RSA migration always comes first.
Convert workflow
- Import prioritized backlog from Assess or Monitor scan.
- Assign owners, target dates, and dependency ordering.
- Apply fixes in your environment.
- Run verification scan and attach proof to each item.
- Export board pack with live
workflowStatus.
What auditors see
Signed reports remain verifiable at /verify. Convert merges Postgres remediation status into auditor JSON exports — evidence the fix stayed fixed.
Continue on the Q-Day hub: Convert tier overview
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-03
- National Security Memorandum on Post-Quantum Cryptography (NSM-10)White House · 2022-05Federal mandate requiring migration away from quantum-vulnerable algorithms by 2035.
- NIST IR 8547: Transition to Post-Quantum Cryptography StandardsNIST · 2024Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
- Q-Day: Accelerated Timeline Across Wider Attack SurfaceQuantum Computing Report · 2026-04Research summary on ECC-256 potentially breaking before RSA-2048 on accelerated timelines.
See your exposure with evidence
Run a live PQC inventory scan, export a CBOM, and verify signed reports independently.