Search papers, labs, and topics across Lattice.
This paper evaluates the Crypto Agility Maturity Model (CAMM), a framework for assessing an organization's ability to adapt to new cryptographic standards, particularly in the context of post-quantum cryptography. The authors find that the CAMM suffers from ambiguities in scope, insufficiently operationalized acceptance criteria, and problematic dependency relations between maturity levels. By applying the CAMM to a real-world scenario, they highlight these issues and propose concrete improvements to enhance its consistency and reliability.
The Crypto Agility Maturity Model (CAMM) – intended to help organizations prepare for post-quantum cryptography – may be more of a hindrance than a help, due to ambiguities and inconsistencies revealed in this first practical evaluation.
Cryptographic agility is a key prerequisite for maintaining the long-term security of digital communication, particularly in light of the transition to post-quantum cryptography. To systematically assess this capability, Hohm et al. proposed the Crypto Agility Maturity Model (CAMM). In this work, we present the first evaluation of the CAMM against established design principles for maturity models. Our analysis reveals that the CAMM only partially satisfies these principles: its scope and target groups remain ambiguous; acceptance criteria are insufficiently operationalized, limiting verifiability and replicability; and dependency relations exhibit redundancies, cycles, and omissions. Applying the CAMM to a simple real-world scenario further confirmed these issues, as several requirements at higher maturity levels proved inapplicable or unclear. Based on these findings, we propose concrete improvements to the CAMM to enable more consistent and reliable assessments of cryptographic agility.