R52 — PQC Migration Plan Absence (Governance)

Stress-test PQC Migration Plan Absence (Governance) in the Fintech IPO crunch scenario: tight budget, hawkish board, regulatory eye on you.
R52 · Governance · Severity 6 (Moderate) · Residual offset +10

What is PQC Migration Plan Absence (Governance)?

NIST PQC, NSM-10, and OMB M-23-02 expect a documented migration roadmap with a crypto inventory. R35 covers the cryptographic exposure; R52 is the governance failure of having no plan. CISO Game tracks this as R52 in the live risk register, severity 6 (Moderate), category Governance.

How does CISO Game model PQC Migration Plan Absence (Governance)?

Exposure for R52 runs from 0 to 100, recomputed live as you buy, cancel, or reassign products.

Real-world parallel

PQC migration plan absence is the governance-side parallel to R35. Even if the cryptographic urgency is years out, NIST has set 2030–2035 transition deadlines and federal procurement is starting to require migration roadmaps. Programs without a documented PQC plan will face audit findings before they face attackers.

How do security teams mitigate PQC Migration Plan Absence (Governance)?

The dominant subscore levers for this risk are:

Residual offset: +10 exposure points are structural — no product fully removes them. Real-world parallels: zero-day windows, vendor monoculture, regulator unpredictability.

Sector-specific: only material when the company's tech profile is one of: Government, Healthcare, Manufacturing, On-Prem Traditional.

Which investments mitigate PQC Migration Plan Absence (Governance)?

Products in CISO Game that reduce exposure to R52:

Which related risks should you also watch?

Risks with similar dominant subscores or shared category — addressing one often helps the others:

Why does PQC Migration Plan Absence (Governance) matter to a CISO?

Governance risk is the structural risk that lives in audits, attestations, and board reporting. PQC Migration Plan Absence (Governance) is the kind of risk that lands a CISO in front of a regulator regardless of how well their controls actually work.

How can you test your mitigation strategy?

Click "Play CISO Game free" to see R52 appear live in your risk register and watch each purchase move the exposure number in real time. No signup required.
