
PQC Migration Planning Tool

Generate prioritized roadmap based on risk, compliance, and CNSA 2.0 timelines

Overview

This free tool analyzes your cryptographic inventory and generates a phased migration plan that prioritizes high-risk systems and aligns with federal compliance deadlines.

Planning Inputs:
  • Cryptographic asset inventory (from inventory scanner)
  • Data classification levels (public, confidential, secret, top-secret)
  • Data retention periods (short-term vs. long-lived)
  • System exposure (internet-facing, internal, isolated)
  • Compliance requirements (FedRAMP, CMMC, HIPAA, PCI-DSS)

⚠️ Important Disclaimer

Educational Purpose Only: All code samples and scripts provided on this page are for educational and illustrative purposes. They are NOT production-ready and have NOT been thoroughly tested in all environments.

Recommendation: Treat these examples as starting points for learning and development. Adapt, test, and validate according to your specific requirements and security standards.

Migration Planning Scripts to Run

Script 1: Risk-Based Prioritization Engine

Scores each asset based on threat exposure and data sensitivity

#!/usr/bin/env python3
"""PQC Migration Prioritization Tool"""

import json
from datetime import datetime, timedelta

def calculate_priority_score(asset):
    """Calculate migration priority (0-100)"""
    score = 0

    # Data classification (0-25 points)
    classification = asset.get('data_classification', 'public')
    classification_scores = {
        'top-secret': 25,
        'secret': 20,
        'confidential': 15,
        'internal': 10,
        'public': 5
    }
    score += classification_scores.get(classification, 5)

    # Data retention period (0-20 points)
    retention_years = asset.get('retention_years', 1)
    if retention_years >= 10:
        score += 20
    elif retention_years >= 5:
        score += 15
    elif retention_years >= 2:
        score += 10
    else:
        score += 5

    # System exposure (0-20 points)
    if asset.get('internet_facing', False):
        score += 20
    elif asset.get('partner_accessible', False):
        score += 15
    elif asset.get('internal_only', False):
        score += 10

    # Algorithm vulnerability (0-20 points)
    algorithm = asset.get('algorithm', '').upper()
    key_size = asset.get('key_size', 0)

    if 'RSA' in algorithm:
        if key_size <= 2048:
            score += 20
        elif key_size <= 3072:
            score += 15
        else:
            score += 10
    elif 'ECC' in algorithm or 'ECDSA' in algorithm:
        score += 18
    elif 'DH' in algorithm:
        score += 17

    # Compliance requirements (0-15 points)
    if asset.get('fedramp', False) or asset.get('cmmc', False):
        score += 15
    elif asset.get('hipaa', False) or asset.get('pci_dss', False):
        score += 12
    elif asset.get('gdpr', False):
        score += 10

    return min(score, 100)  # Cap at 100

def generate_migration_plan(inventory_file):
    """Generate phased migration plan"""

    with open(inventory_file) as f:
        inventory = json.load(f)

    assets = inventory.get('assets', [])

    # Calculate priority for each asset
    for asset in assets:
        asset['priority_score'] = calculate_priority_score(asset)

    # Sort by priority
    assets.sort(key=lambda x: x['priority_score'], reverse=True)

    # Assign to phases
    critical = [a for a in assets if a['priority_score'] >= 70]
    high = [a for a in assets if 50 <= a['priority_score'] < 70]
    medium = [a for a in assets if 30 <= a['priority_score'] < 50]
    low = [a for a in assets if a['priority_score'] < 30]

    # Generate timeline
    start_date = datetime.now()

    plan = {
        "plan_date": start_date.isoformat(),
        "inventory_file": inventory_file,
        "total_assets": len(assets),

        "phases": {
            "Phase 1 - Discovery": {
                "start_date": start_date.isoformat(),
                "end_date": (start_date + timedelta(weeks=8)).isoformat(),
                "duration": "8 weeks",
                "activities": [
                    "Complete cryptographic asset inventory",
                    "Identify all quantum-vulnerable systems",
                    "Assess vendor PQC readiness",
                    "Establish governance framework",
                    "Create compliance baseline"
                ],
                "assets": []
            },

            "Phase 2 - Pilot": {
                "start_date": (start_date + timedelta(weeks=8)).isoformat(),
                "end_date": (start_date + timedelta(weeks=12)).isoformat(),
                "duration": "4 weeks",
                "activities": [
                    "Deploy hybrid PQC in test environment",
                    "Benchmark performance impact",
                    "Test interoperability",
                    "Train security teams",
                    "Update security policies"
                ],
                "assets": []
            },

            "Phase 3 - Critical Assets": {
                "start_date": (start_date + timedelta(weeks=12)).isoformat(),
                "end_date": (start_date + timedelta(weeks=52)).isoformat(),
                "duration": "10 months",
                "activities": [
                    "Migrate top-secret and secret data systems",
                    "Upgrade internet-facing services",
                    "Deploy PQC for long-lived data",
                    "Update PKI infrastructure"
                ],
                "assets": critical
            },

            "Phase 4 - High Priority": {
                "start_date": (start_date + timedelta(weeks=52)).isoformat(),
                "end_date": (start_date + timedelta(weeks=78)).isoformat(),
                "duration": "6 months",
                "activities": [
                    "Migrate FedRAMP/CMMC systems",
                    "Upgrade internal services",
                    "Deploy hybrid certificates"
                ],
                "assets": high
            },

            "Phase 5 - Standard Migration": {
                "start_date": (start_date + timedelta(weeks=78)).isoformat(),
                "end_date": (start_date + timedelta(weeks=104)).isoformat(),
                "duration": "6 months",
                "activities": [
                    "Migrate remaining vulnerable systems",
                    "Phase out classical-only crypto",
                    "Update documentation"
                ],
                "assets": medium + low
            }
        },

        "compliance_milestones": {
            "2025": "All new systems PQC-capable (CNSA 2.0)",
            "2030": "All NSS using PQC (CNSA 2.0)",
            "2033": "Classical crypto phased out (CNSA 2.0)"
        }
    }

    return plan

def print_migration_plan(plan):
    """Pretty print the migration plan"""
    print("\n" + "="*80)
    print("PQC MIGRATION ROADMAP")
    print("="*80)
    print(f"Generated: {plan['plan_date']}")
    print(f"Total Assets: {plan['total_assets']}")

    for phase_name, phase_data in plan['phases'].items():
        print(f"\n{phase_name}")
        print("-" * 80)
        print(f"Duration: {phase_data['duration']}")
        print(f"Start: {phase_data['start_date'][:10]}")
        print(f"End: {phase_data['end_date'][:10]}")

        print("\nActivities:")
        for activity in phase_data['activities']:
            print(f"  • {activity}")

        if phase_data['assets']:
            print(f"\nAssets to Migrate: {len(phase_data['assets'])}")
            # Show top 5 assets
            for asset in phase_data['assets'][:5]:
                print(f"  [{asset['priority_score']:3d}] {asset.get('name', 'Unnamed')}")
                print(f"       {asset.get('algorithm', 'Unknown')} - {asset.get('usage', 'General')}")
            if len(phase_data['assets']) > 5:
                print(f"  ... and {len(phase_data['assets']) - 5} more")

    print("\n" + "="*80)
    print("CNSA 2.0 COMPLIANCE TIMELINE")
    print("="*80)
    for year, requirement in plan['compliance_milestones'].items():
        print(f"{year}: {requirement}")

    print("\n" + "="*80)

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python migration_planner.py inventory.json")
        sys.exit(1)

    inventory_file = sys.argv[1]
    plan = generate_migration_plan(inventory_file)

    # Save plan
    output_file = "pqc-migration-plan.json"
    with open(output_file, 'w') as f:
        json.dump(plan, f, indent=2)

    print_migration_plan(plan)

    print(f"\nMigration plan saved to: {output_file}")

Run: python migration_planner.py crypto-inventory.json

Script 2: Gantt Chart Timeline Generator

Creates visual timeline for migration phases

python shared/generate_timeline.py \
  --plan pqc-migration-plan.json \
  --output reports/migration-timeline.html \
  --format gantt

Script 3: Resource & Timeline Estimator

Estimates effort and timeline based on asset count

python shared/estimate_resources.py \
  --inventory crypto-inventory.json \
  --output reports/resource-estimate.html

# Outputs:
# - Estimated timeline (months)
# - Team size recommendations
# - Hardware/software requirements
# - Training needs

Prioritization Criteria

Factor                    Weight (max points)   Scoring
Data Classification       25                    Top-Secret (25) > Secret (20) > Confidential (15) > Internal (10) > Public (5)
Retention Period          20                    10+ years (20) > 5+ years (15) > 2+ years (10) > Short-term (5)
System Exposure           20                    Internet-facing (20) > Partner access (15) > Internal only (10) > Isolated (0)
Algorithm Vulnerability   20                    RSA <= 2048 (20) > ECC/ECDSA (18) > DH (17) > RSA-3072 (15) > RSA-4096 (10)
Compliance Requirements   15                    FedRAMP/CMMC (15) > HIPAA/PCI-DSS (12) > GDPR (10) > None (0)

The five maxima sum to 100, so the priority score is simply the total of the five factor scores; the phase thresholds are 70 (critical), 50 (high) and 30 (medium).

Sample Migration Plan Output

================================================================================
PQC MIGRATION ROADMAP
================================================================================
Generated: 2024-11-06T14:30:00Z
Total Assets: 856

Phase 1 - Discovery
--------------------------------------------------------------------------------
Duration: 8 weeks
Start: 2024-11-06
End: 2025-01-01

Activities:
  • Complete cryptographic asset inventory
  • Identify all quantum-vulnerable systems
  • Assess vendor PQC readiness
  • Establish governance framework
  • Create compliance baseline

Phase 3 - Critical Assets
--------------------------------------------------------------------------------
Duration: 10 months
Start: 2025-01-01
End: 2025-11-01

Assets to Migrate: 127

  [ 95] prod-vault-signing-key
       RSA-2048 - Code signing for firmware updates
  [ 92] customer-data-encryption-key
       RSA-2048 - Long-term customer data encryption (10+ years)
  [ 89] vpn-gateway-primary
       RSA-2048 - Internet-facing VPN gateway
  [ 87] pki-root-ca-key
       RSA-4096 - Root CA certificate authority
  [ 85] classified-storage-key
       RSA-2048 - Secret classification storage
  ... and 122 more

Phase 4 - High Priority
--------------------------------------------------------------------------------
Duration: 6 months
Start: 2025-11-01
End: 2026-05-01

Assets to Migrate: 284

  [ 68] api-gateway-cert
       ECDSA-P256 - External API TLS certificate
  [ 65] internal-ca-intermediate
       RSA-3072 - Internal PKI intermediate CA
  ... and 282 more

================================================================================
CNSA 2.0 COMPLIANCE TIMELINE
================================================================================
2025: All new systems PQC-capable (CNSA 2.0)
2030: All NSS using PQC (CNSA 2.0)
2033: Classical crypto phased out (CNSA 2.0)
================================================================================

Recommended Actions by Phase

Phase 1: Discovery (Weeks 1-8)

Phase 2: Pilot (Weeks 9-12)

Phase 3: Critical Assets (Months 4-14)

Phase 4: High Priority (Months 14-20)

Phase 5: Standard Migration (Months 20-26)

CNSA 2.0 Compliance Alignment

CNSA 2.0 Requirements:
  • 2025: All new software/firmware must support CNSA 2.0 algorithms
  • 2025-2030: All new procurement must be PQC-capable
  • 2030: All NSS network infrastructure must use PQC for classified traffic
  • 2033: All NSS must have transitioned away from classical-only cryptography

The migration plan automatically aligns with CNSA 2.0 deadlines and flags any at-risk systems that may not meet compliance timelines.
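The script on this page does not itself perform that flagging step; the following is one way to implement it, as an added example that is not part of the tool. It runs on the plan dict that generate_migration_plan() produces and assumes a deadline mapping derived from the milestones above (secret/top-secret assets by 2030, everything else by 2033); the START date, asset names and scores are constructed.

```python
#!/usr/bin/env python3
"""Deadline check for a generated PQC migration plan (added example, not part of the tool).

Consumes the plan dict that generate_migration_plan() writes (phases with an ISO end_date
and an asset list) and flags assets whose phase ends after their CNSA 2.0 deadline. The
deadline mapping is an assumption: secret/top-secret follows the 2030 NSS milestone, all
else the 2033 phase-out of classical-only cryptography."""
from datetime import date, datetime, timedelta

DEADLINES = {"classified": date(2030, 1, 1), "default": date(2033, 1, 1)}  # assumed mapping
CLASSIFIED = {"secret", "top-secret"}

def deadline_for(asset):
    """Deadline for one asset, keyed on the data_classification field the engine scores."""
    cls = asset.get("data_classification", "public")
    return DEADLINES["classified"] if cls in CLASSIFIED else DEADLINES["default"]

def flag_at_risk(plan, buffer_weeks=0):
    """Return (phase, asset name, scheduled end, deadline) for every asset whose phase
    end_date lands after its deadline; buffer_weeks pulls each deadline forward."""
    flagged = []
    for phase_name, phase in plan["phases"].items():
        end = datetime.fromisoformat(phase["end_date"]).date()
        for asset in phase["assets"]:
            due = deadline_for(asset)
            if end > due - timedelta(weeks=buffer_weeks):
                flagged.append((phase_name, asset.get("name", "Unnamed"),
                                end.isoformat(), due.isoformat()))
    return flagged

# Constructed plan for a programme starting 2028-06-01, using the script's phase offsets.
# The secret-but-internal key scores only 45 under the rubric (20 + 5 + 10 + 10 + 0), so
# score-based phasing alone parks it in Phase 5, which ends after the 2030 milestone.
START = datetime(2028, 6, 1)
SAMPLE_PLAN = {"phases": {
    "Phase 3 - Critical Assets": {
        "end_date": (START + timedelta(weeks=52)).isoformat(),
        "assets": [{"name": "vpn-gateway-primary", "data_classification": "confidential",
                    "priority_score": 90}]},
    "Phase 5 - Standard Migration": {
        "end_date": (START + timedelta(weeks=104)).isoformat(),
        "assets": [{"name": "archive-hsm-wrap-key", "data_classification": "secret",
                    "priority_score": 45},
                   {"name": "intranet-wiki-tls", "data_classification": "internal",
                    "priority_score": 32}]}}}

if __name__ == "__main__":
    for phase, name, end, due in flag_at_risk(SAMPLE_PLAN):
        print(f"AT RISK: {name} ({phase}) scheduled {end}, deadline {due}")
```

Any asset reported here needs to be promoted to an earlier phase by hand, since the scoring engine alone is blind to calendar deadlines.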

Additional Resources

100% Free & Open Source Educational Resource

SpinDynamics.io - Making Quantum Security Accessible to All
