PQ Rollout Runbook
Execution checklist for policy-driven post-quantum rollout with measurable safety gates and rollback discipline.
Citation-ready summary
- PQ migration rollout should proceed through inventory, pilot, canary, and broad rollout stages.
- Axis control-plane approvals and rollout receipts define stage transitions and accountability.
- Aegis enforcement telemetry is required evidence before promoting migration scope.
TL;DR for security leaders
Approve each stage with explicit blast-radius limits and rollback criteria. Do not accept promotion without a receipt-backed evidence review.
TL;DR for engineers
Automate preflight checks, policy application, and telemetry collection so every promotion can be repeated or reversed consistently.
Runbook steps
- Inventory all cryptographic touchpoints and owners.
- Define migration policy in Axis by environment and workload cohort.
- Execute pilot in low-risk cohort through Aegis enforcement.
- Capture rollout receipts and telemetry deltas.
- Run canary expansion, then promote to broad rollout only if the canary stays within the approved thresholds and rollback criteria.
- Keep rollback policy warm until post-rollout stability window closes.
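The steps above hinge on one repeatable decision: given a rollout receipt and the telemetry delta it is meant to evidence, does the stage promote, hold, or roll back? The following is an added example of such a stage-gate evaluator; it is not part of this runbook and not Axis or Aegis code. The receipt fields, metric names (handshake failure rate, p95 latency), threshold values, and sample telemetry windows are all constructed assumptions chosen to show how accountability checks, blast-radius limits, enforcement evidence and telemetry gates combine into a single decision with an explicit rollback outcome.

```python
"""Stage-gate evaluation for a staged PQ rollout: pilot -> canary -> broad.

Added example, not part of the runbook or of Axis/Aegis. The receipt fields,
metric names and threshold values below are constructed assumptions chosen to
illustrate receipt-backed promotion decisions with an explicit rollback path.
"""
from dataclasses import dataclass

# Ordered rollout stages; promotion moves one step to the right.
STAGES = ("inventory", "pilot", "canary", "broad")

# Fields a rollout receipt must carry before it counts as evidence (assumed layout).
REQUIRED_RECEIPT_FIELDS = (
    "stage", "approval_id", "cohort_size", "blast_radius_limit",
    "enforced_count", "rollback_policy_armed",
)


@dataclass(frozen=True)
class Gate:
    """Safety thresholds for leaving a stage (assumed values)."""
    max_failure_rate_delta: float    # allowed absolute rise in handshake failure rate
    max_p95_latency_delta_ms: float  # allowed rise in p95 handshake latency
    min_enforced_fraction: float     # share of the cohort that must actually be PQ-enforced


GATES = {
    "pilot": Gate(max_failure_rate_delta=0.005, max_p95_latency_delta_ms=50.0, min_enforced_fraction=0.95),
    "canary": Gate(max_failure_rate_delta=0.002, max_p95_latency_delta_ms=30.0, min_enforced_fraction=0.98),
}


def telemetry_delta(baseline, current):
    """Per-metric change between the pre-stage baseline and the current window."""
    return {name: current[name] - baseline[name] for name in baseline}


def evaluate_promotion(receipt, baseline, current):
    """Decide promote / hold / rollback for the stage named in the receipt.

    hold     -> evidence is incomplete or the rollback path is not ready; no change.
    rollback -> enforcement telemetry breached a gate; invoke the warm rollback policy.
    promote  -> every gate passed; the next stage name is returned.
    Returns (decision, next_stage_or_None, reasons).
    """
    reasons = []
    missing = [f for f in REQUIRED_RECEIPT_FIELDS if f not in receipt]
    if missing:
        return "hold", None, [f"receipt missing fields: {', '.join(missing)}"]

    stage = receipt["stage"]
    if stage not in GATES:
        return "hold", None, [f"no promotion gate defined for stage '{stage}'"]
    gate = GATES[stage]

    # Accountability and blast-radius checks come before any metric is read.
    if not receipt["rollback_policy_armed"]:
        reasons.append("rollback policy is not armed")
    if receipt["cohort_size"] > receipt["blast_radius_limit"]:
        reasons.append(f"cohort {receipt['cohort_size']} exceeds blast-radius limit {receipt['blast_radius_limit']}")
    if reasons:
        return "hold", None, reasons

    # Evidence check: enough of the cohort must really be under PQ enforcement.
    enforced_fraction = receipt["enforced_count"] / receipt["cohort_size"]
    if enforced_fraction < gate.min_enforced_fraction:
        return "hold", None, [f"only {enforced_fraction:.1%} of cohort enforced (need {gate.min_enforced_fraction:.0%})"]

    # Telemetry gates: any breach is a rollback, not a hold.
    delta = telemetry_delta(baseline, current)
    if delta["handshake_failure_rate"] > gate.max_failure_rate_delta:
        reasons.append(f"handshake failure rate rose by {delta['handshake_failure_rate']:.4f}")
    if delta["p95_latency_ms"] > gate.max_p95_latency_delta_ms:
        reasons.append(f"p95 latency rose by {delta['p95_latency_ms']:.1f} ms")
    if reasons:
        return "rollback", None, reasons

    next_stage = STAGES[STAGES.index(stage) + 1]
    return "promote", next_stage, []


# Constructed sample data: one pilot receipt plus baseline and current telemetry windows.
PILOT_RECEIPT = {
    "stage": "pilot", "approval_id": "APPROVAL-ID-PLACEHOLDER",
    "cohort_size": 40, "blast_radius_limit": 50,
    "enforced_count": 39, "rollback_policy_armed": True,
}
BASELINE = {"handshake_failure_rate": 0.0010, "p95_latency_ms": 120.0}
HEALTHY = {"handshake_failure_rate": 0.0025, "p95_latency_ms": 145.0}
DEGRADED = {"handshake_failure_rate": 0.0120, "p95_latency_ms": 210.0}

if __name__ == "__main__":
    for label, window in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        decision, nxt, why = evaluate_promotion(PILOT_RECEIPT, BASELINE, window)
        print(f"{label}: {decision}", nxt or "", "; ".join(why))
```

The ordering is deliberate: a receipt with missing fields, an unarmed rollback policy, or a cohort above its blast-radius limit returns "hold" before any metric is consulted, so a stage can never promote on telemetry alone, and a telemetry breach returns "rollback" rather than "hold" so that the warm rollback policy is the expected next action rather than a judgement call.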
Vocabulary reference: glossary.
Control-plane policy lifecycle
The lifecycle diagram is used during rollout planning to verify stage ownership, threshold definitions, and rollback readiness before policy promotion.
Periodic standards review cadence
- Monthly: review standards updates and document relevance to active rollout stages.
- Quarterly: reassess migration thresholds, fallback policy, and operator runbooks.
- Event-triggered: run immediate review after major standards changes, ecosystem interoperability incidents, or critical cryptographic disclosures.
Terminology alignment
Use glossary definitions for Aegis, Axis, control plane, enforcement plane, rollout receipts, and PQ migration.
Next related reading
Next: executive FAQ • Evidence: security controls map • Evidence: known limitations • Glossary