up:: Migration Architecture MOC
What a PQC Migration Costs
A PQC migration cost is the total spend to move an organization’s cryptography off quantum-vulnerable algorithms, driven far more by the labor of finding and replacing cryptography across a large, sprawling estate than by the price of the new algorithms themselves, which are free and standardized.
There’s no single sticker price, because the cost scales with the size of the estate, the number of vendor-controlled surfaces, the amount of legacy hardware with cryptography baked into firmware, and how much crypto-agility the organization builds along the way. The one large, primary-source anchor is the U.S. government’s own projection that migrating priority federal civilian systems between 2025 and 2035 will cost about $7.1 billion in 2024 dollars, a figure produced by the same inventory-and-funding process any large organization has to run to size its own bill.
The short version:
- The new algorithms are free, so the cost is almost entirely labor and coordination, which are finding the cryptography, replacing it, testing it, and managing the vendors who control most of it.
- There’s no universal figure, because cost scales with estate size, vendor-surface count, legacy-hardware share, and compliance scope, so every organization sizes its own from an inventory.
- The largest primary-source anchor is the U.S. government’s estimate of about $7.1 billion in 2024 dollars to migrate priority federal civilian systems from 2025 to 2035, explicitly excluding national security systems.
- The biggest single cost driver is usually legacy systems with cryptography embedded in hardware or firmware, which often can’t be updated and have to be replaced outright.
- Starting late is a cost multiplier, because a deadline-forced sprint pays overtime, loses vendor-timeline leverage, and forfeits the option to phase the spend across budget cycles.
Think of it like the cost of rewiring an old building for a new electrical code. The new outlets and breakers are cheap and standardized, and you could buy every part you need for a rounding error against the total. What the job actually costs is the electricians walking every floor to find where the wiring runs, opening walls that were sealed decades ago, replacing the fixtures that were built into the structure and can’t just be swapped, coordinating with every tenant whose space has to be accessed, and testing that nothing tripped when you were done. The parts were never the price. The labor of touching every wire in a building nobody fully mapped is the price, and a PQC migration is the same shape.
Why does a PQC migration cost anything if the algorithms are free?
Because the expense was never the algorithms, it’s the labor of locating and replacing cryptography scattered across an estate that nobody has fully inventoried. NIST publishes ML-KEM, ML-DSA, and SLH-DSA as free, open standards, and the reference implementations cost nothing to download. What costs money is the human work wrapped around them: finding every place cryptography lives in applications, protocols, certificates, hardware, and third-party products, then replacing each one without breaking what depends on it.
That reframes the whole budget. A PQC migration is a discovery, engineering, and coordination program, priced like any large IT modernization, not a software license you buy once. The U.S. government’s own report on the transition names exactly this dynamic, singling out legacy systems that embed cryptography in hardware or firmware as the systems most difficult and expensive to migrate, because they often can’t be updated and have to be replaced. The parts are free; touching every system that uses them across a decade is what the estimates are counting.
Source: Office of Management and Budget, “Report on Post-Quantum Cryptography,” July 2024, OMB PQC Report.
What are the cost drivers of a PQC migration?
The cost drivers are the categories of labor and replacement that a migration accumulates, and they’re what an organization actually budgets against once discovery has told it the shape of its estate. The table names each driver, what generates the cost, and why it varies between organizations. Every organization’s total is some weighting of these; the mix is what makes two migrations cost very different amounts.
| Cost driver | What generates the cost | Why it varies |
|---|---|---|
| Discovery and inventory | Finding every place cryptography lives across applications, network, certificates, and third parties, often needing specialized tooling | Scales with estate size, sprawl, and how much documentation already exists |
| Engineering and replacement | Swapping algorithms, updating protocol configurations, reissuing certificates, and testing each change | Scales with the number of systems the organization builds and controls itself |
| Legacy and hardware replacement | Systems with cryptography embedded in hardware or firmware that can’t be updated and must be replaced outright | The biggest driver where old operational or embedded hardware is common |
| Vendor and third-party effort | Chasing vendor roadmaps, writing PQC into contracts, and waiting on suppliers | Scales with how much of the estate is vendor-controlled rather than self-built |
| Testing and interoperability | Verifying the larger post-quantum artifacts work across the whole path, per interoperability and size-overhead issues | Higher where old middleboxes or constrained links choke on bigger handshakes |
| Program and governance | The named owner, project management, change management, and cross-team coordination over years | Scales with organizational size and the number of teams involved |
| Crypto-agility investment | Building crypto-agility so the next algorithm change is a configuration swap, not another full program | An up-front cost that lowers the cost of every future transition |
The pattern underneath the table is that the drivers a shallow estimate forgets, which are legacy-hardware replacement, vendor coordination, and program governance, are usually the ones that dominate the real bill. The algorithm swap on a modern, self-built system is the cheap, easy part. The expensive parts are the old hardware you have to replace and the vendors whose timelines you can’t control.
How much does a PQC migration cost in dollars?
There’s no single dollar figure that applies to every organization, and the honest answer is that the cost scales with the estate, so it has to be sized from an inventory rather than quoted from a table. The one authoritative, primary-source anchor is a government-wide estimate, and it’s useful mainly as a sense of scale for a very large, complex estate.
- The federal anchor. The U.S. Office of Management and Budget projected that migrating priority federal civilian information systems, other than national security systems, to post-quantum cryptography between 2025 and 2035 will cost approximately $7.1 billion in 2024 dollars. OMB explicitly frames this as an initial projection carrying “a high, but expected, level of uncertainty,” because it was produced early in the transition as agencies were still building their inventories.
Source: Office of Management and Budget, “Report on Post-Quantum Cryptography,” July 2024, OMB PQC Report.
- How that number was produced. The $7.1 billion didn’t come from a formula, it came from a reporting loop. OMB M-23-02 directed federal agencies to submit a prioritized inventory of their cryptographic systems and then an assessment of the funding required to migrate them, and the government-wide figure is the aggregate of those agency assessments. That’s the same two-step any large organization runs to size its own migration, which is inventory first, then cost the inventory.
Source: Office of Management and Budget, “Migrating to Post-Quantum Cryptography,” Memorandum M-23-02, November 18, 2022, OMB M-23-02.
- Why a per-organization figure isn’t quotable. The federal number covers a decade of migration across the entire civilian government, so it can’t be scaled down to a single enterprise by any simple ratio. A specific organization’s cost depends on its own estate size, its legacy-hardware share, and its vendor mix, which is exactly why the inventory has to come first. Any published or vendor-quoted per-organization figure that isn’t grounded in that organization’s own inventory should be treated as an estimate to challenge, not a number to plan against.
[OPERATOR VERIFY]if you intend to cite any specific per-enterprise or per-system dollar figure, source it to that engagement’s own inventory or a named primary study, because no defensible universal per-organization figure exists.
Why does starting late cost more?
Because a deadline-forced migration pays premiums a phased one avoids, so the same work costs measurably more when it’s compressed against a hard date. The cost of delay isn’t a penalty someone charges you, it’s the difference between doing the migration calmly and doing it in a panic.
- Compression pays overtime. Discovery and replacement take years for a large estate, so an organization that starts when the deadline is close does the same work faster, with more parallel effort, more contractor time, and less slack, all of which cost more per unit of work done.
- Late buyers lose vendor leverage. Much of the estate is vendor-controlled, and the moment to negotiate a vendor’s migration timeline is at procurement and renewal, not the week before a deadline. An organization that waits loses the negotiating room to get vendor timelines aligned to its own.
- A late start forfeits phasing. Starting early lets the spend spread across multiple budget cycles, which is easier to fund and easier to absorb. A late start forces the cost into a narrow window, where it competes with everything else and can’t be smoothed.
Mosca’s theorem is the formal version of this: when the years your data must stay secret plus the years your migration takes exceed the years until a quantum computer arrives, you’re already behind, and behind is the expensive place to be. The cheapest migration is the one that started early enough to be phased, and every year of delay narrows that window.
Common misconceptions
- “The algorithms cost money, so that’s the budget.” The algorithms are free NIST standards. The cost is the labor of finding and replacing cryptography across the estate, plus replacing legacy hardware that can’t be updated. The parts were never the price.
- “There’s a standard per-system cost I can multiply out.” Cost scales with estate specifics, legacy-hardware share, and vendor mix, so a per-system multiplier misleads. The defensible number comes from your own inventory, not a generic rate card.
- “The $7.1 billion federal figure tells me what my organization will pay.” That figure covers a decade of migration across the whole federal civilian government and excludes national security systems, so it’s a scale anchor, not a number you can divide down to one enterprise.
- “Buying a discovery tool is the main expense.” Tooling is one line item. The larger drivers are usually legacy-hardware replacement, vendor coordination, and multi-year program governance, which tooling helps with but doesn’t remove.
- “We can defer the cost with no penalty.” Deferral is itself a cost, because a compressed, deadline-forced migration pays overtime, loses vendor-timeline leverage, and forfeits the ability to phase the spend. Waiting raises the bill rather than lowering it.
Questions people ask
How much does a PQC migration cost? There’s no single figure, because it scales with the size and complexity of the estate. The one large primary-source anchor is the U.S. government’s estimate of about $7.1 billion in 2024 dollars to migrate priority federal civilian systems between 2025 and 2035, which is a sense of scale for a very large estate rather than a per-organization number.
Source: Office of Management and Budget, “Report on Post-Quantum Cryptography,” July 2024, OMB PQC Report.
Why can’t you just tell me a number for my organization? Because the cost depends on your estate size, how much of it is legacy hardware with cryptography baked in, and how much is vendor-controlled, none of which is known until you run discovery. The inventory is what produces your defensible number, which is why it’s the first funded phase.
What’s the most expensive part of a migration? For most large organizations it’s legacy systems with cryptography embedded in hardware or firmware, which often can’t be updated and have to be replaced outright. The U.S. government’s report names exactly these systems as the most difficult and expensive to migrate.
How was the federal $7.1 billion figure calculated? It’s the aggregate of individual agency funding assessments. OMB M-23-02 directed agencies to inventory their cryptographic systems and then assess the funding needed to migrate them, and the government-wide projection sums those assessments.
Does the $7.1 billion include the Department of Defense and intelligence agencies? No. The figure explicitly excludes national security systems, so the true whole-of-government cost is higher than the published civilian number.
Will building crypto-agility make the migration more expensive? It adds up-front cost and lowers the cost of every future transition. Crypto-agility is what keeps the next algorithm change a configuration swap rather than another full multi-year program, so it’s usually the cheapest insurance in the whole budget.
How do I keep vendor costs from ballooning? Put the requirement into the contract at procurement and renewal, when your leverage is highest. A vendor timeline negotiated early costs far less than one you’re chasing against a deadline, because a late buyer has no leverage to compress a supplier’s schedule.
Everything here is the map, given freely. When your team needs its estate inventoried, its cost drivers weighted against its own legacy-hardware and vendor mix, and a phased budget that starts before the expensive window opens, that’s the work I do. Request an alignment briefing.
Last verified 2026-07-14 · Maintained by Addie LaMarr, LaMarr Labs.