Practical Evaluation of the Crypto-Agility Maturity Model
Leonie Wolf, Samson Umezulike, Gurur Öndarö, Sebastian Schinzel, Fabian Ising

TL;DR
This paper critically evaluates the Crypto Agility Maturity Model (CAMM), revealing its limitations and proposing concrete improvements to enhance its effectiveness in assessing cryptographic agility.
Contribution
The study provides the first systematic evaluation of CAMM against established principles and offers specific recommendations for its improvement.
Findings
CAMM only partially satisfies design principles
Scope and target groups are ambiguous
Higher maturity level requirements are unclear or inapplicable
Abstract
Cryptographic agility is a key prerequisite for maintaining the long-term security of digital communication, particularly in light of the transition to post-quantum cryptography. To systematically assess this capability, Hohm et al. proposed the Crypto Agility Maturity Model (CAMM). In this work, we present the first evaluation of the CAMM against established design principles for maturity models. Our analysis reveals that the CAMM only partially satisfies these principles: its scope and target groups remain ambiguous; acceptance criteria are insufficiently operationalized, limiting verifiability and replicability; and dependency relations exhibit redundancies, cycles, and omissions. Applying the CAMM to a simple real-world scenario further confirmed these issues, as several requirements at higher maturity levels proved inapplicable or unclear. Based on these findings, we propose…
