Practical Evaluation of the Crypto-Agility Maturity Model
For organizations transitioning to post-quantum cryptography, this work identifies critical flaws in the only existing maturity model for crypto-agility, but the contribution is incremental as it primarily critiques and suggests refinements.
The paper evaluates the Crypto-Agility Maturity Model (CAMM) against established design principles, finding it only partially satisfies them due to ambiguous scope, insufficient operationalization, and flawed dependency relations. The authors propose concrete improvements to enable more consistent assessments.
Cryptographic agility is a key prerequisite for maintaining the long-term security of digital communication, particularly in light of the transition to post-quantum cryptography. To systematically assess this capability, Hohm et al. proposed the Crypto-Agility Maturity Model (CAMM). In this work, we present the first evaluation of the CAMM against established design principles for maturity models. Our analysis reveals that the CAMM only partially satisfies these principles: its scope and target groups remain ambiguous; acceptance criteria are insufficiently operationalized, limiting verifiability and replicability; and dependency relations exhibit redundancies, cycles, and omissions. Applying the CAMM to a simple real-world scenario further confirmed these issues, as several requirements at higher maturity levels proved inapplicable or unclear. Based on these findings, we propose concrete improvements to the CAMM to enable more consistent and reliable assessments of cryptographic agility.