Foundational research papers, regulatory analysis, and practical guides. Primary-source anchored. All free to read and download. No email required to access anything.
Each paper establishes the analytical and governance framework for its pillar. Subsequent implementation guides and assessments reference these documents.
NIST published FIPS 203, 204, and 205 in August 2024. The governance gap — no CBOM inventory, no owner, no vendor mandate, no board briefing — is what prevents migration. This paper establishes why PQC migration fails at the governance layer and builds the framework for mid-market organizations. Includes sector-specific analysis for healthcare, defense, and financial services. Updated with ASD LATICE framework and CBOM (ECMA-424) coverage.
Privacy law was designed for human-controlled data processing. Machine learning systems don't satisfy that assumption. This paper maps the foundational tensions between GDPR, CPRA, HIPAA, and the EU AI Act against actual ML system architecture. Includes the Article 32 + HNDL argument — why Harvest Now, Decrypt Later makes quantum risk a present-tense GDPR compliance obligation for organizations holding long-lived sensitive data.
Commercial space is critical infrastructure by function — GPS timing, satellite imagery, LEO communications — regardless of formal designation. Most dependent organizations have never assessed satellite operators as vendor risk. Built around the Viasat KA-SAT incident, GPS spoofing as systemic threat, and software supply chain risk as the underexamined vector. Includes a four-phase governance framework aligned to NIST IR 8401.
Deep-dives into specific governance questions — built for the executive who needs to act, the legal counsel who needs to advise, and the practitioner who needs to implement.
GDPR Article 32 requires "state of the art" security today. NIST published post-quantum standards in August 2024. Harvest Now, Decrypt Later is an active collection operation. These three facts create a compliance argument most privacy teams haven't analyzed — and most DPIAs haven't addressed.
Australia's ASD has mandated a completed PQC transition plan by end of 2026 — including for SMBs using cloud services. B2B startups selling to Australian government, defense, or financial services need this plan or they'll lose contracts. This is what it requires and how to build it in a 4–6 week sprint.
Enterprise procurement teams are demanding PQC migration roadmaps, CBOMs, and privacy compliance documentation from vendors. Most B2B startups can't answer. This is what's happening, why it's getting worse, and what the Enterprise Trust Pack does about it in 4–6 weeks.
The assessments give you a scored starting point in under ten minutes. The discovery call goes deeper into what's specific to your organization.