
arxiv: 2604.12428 · v1 · submitted 2026-04-14 · 💻 cs.CR

Practical Evaluation of the Crypto-Agility Maturity Model

Pith reviewed 2026-05-10 15:39 UTC · model grok-4.3

classification 💻 cs.CR
keywords: cryptographic agility, maturity model, model evaluation, post-quantum cryptography, security assessment, design principles

The pith

The Crypto-Agility Maturity Model only partially satisfies established design principles for maturity models.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper evaluates the Crypto Agility Maturity Model (CAMM), which was proposed to assess how well organizations can adapt their cryptographic systems over time, especially during the shift to post-quantum cryptography. It tests the model against standard design principles for maturity models and finds partial compliance only. The scope and intended users stay unclear, the rules for advancing to each maturity level lack enough detail for consistent checks, and the links between requirements contain overlaps, loops, and gaps. Testing the model on a basic real-world case confirmed these problems, as some higher-level requirements did not fit or made little sense. The authors outline specific changes to support more reliable and repeatable evaluations.

Core claim

The CAMM only partially satisfies established design principles for maturity models: its scope and target groups remain ambiguous, its acceptance criteria are insufficiently operationalized (limiting verifiability and replicability), and its dependency relations exhibit redundancies, cycles, and omissions. Applying the CAMM to a simple real-world scenario further confirmed these issues, as several requirements at higher maturity levels proved inapplicable or unclear.

What carries the argument

Evaluation of the CAMM against established design principles for maturity models, plus its practical application to one simple real-world scenario.

If this is right

  • Organizations attempting to use the current CAMM risk inconsistent or non-replicable results when assessing their cryptographic readiness.
  • The identified issues in scope, criteria, and dependencies reduce the model's usefulness for guiding the transition to post-quantum cryptography.
  • Concrete improvements to the CAMM can produce a version that supports consistent and reliable assessments.
  • A revised model would allow clearer comparisons of cryptographic agility across different organizations or systems.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • A fixed version of the CAMM could be incorporated into existing security frameworks or certification processes.
  • Testing the model on more complex, multi-system environments might surface additional practical problems beyond the simple scenario examined.
  • The evaluation highlights that any new maturity model in cryptography should define measurable criteria and dependency graphs before release.

Load-bearing premise

The chosen established design principles for maturity models form the right and sufficient benchmark, and applying the model to one simple real-world scenario is enough to demonstrate its shortcomings.

What would settle it

Multiple independent teams applying the CAMM to the same organization and arriving at identical maturity ratings would indicate that the acceptance criteria are sufficiently operationalized.

Figures

Figures reproduced from arXiv: 2604.12428 by Fabian Ising, Gurur Öndarö, Leonie Wolf, Samson Umezulike, Sebastian Schinzel.

Figure 1: Dependencies as depicted in [13].

Paper text extracted together with the figure (Section 4.3, Observations): Our evaluation revealed several recurring issues with the CAMM Requirements, which we categorize into four areas: recursive references, measurability problems, unclear or undesirable Requirements, and dependency inconsistencies. A detailed overview is provided in
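The dependency problems the paper reports (recursive references, redundant edges, omissions) are the kind of thing a mechanical check over a requirement graph can surface before a model is published. The following Python script is an added illustration, not code from the paper or from the CAMM project: the requirement ids, maturity levels and edges in `TOY_REQUIREMENTS` are constructed placeholders, not the CAMM's actual requirements. It flags cycles, direct dependencies that are already implied transitively, dependencies on a requirement of a higher maturity level, and references to undefined requirements; treating the last two as concrete forms of "omission" or inconsistency is this example's assumption, since the page does not define those terms further.

```python
from collections import deque

# Constructed toy requirement graph (placeholder ids and levels, NOT the CAMM's
# actual requirements): id -> (maturity level, set of ids it depends on).
TOY_REQUIREMENTS = {
    "R1": (1, set()),
    "R2": (1, {"R1"}),
    "R3": (2, {"R1", "R2"}),   # edge R3->R1 is redundant: already implied via R2->R1
    "R4": (2, {"R5"}),         # level-2 requirement depending on a level-3 one
    "R5": (3, {"R4"}),         # closes the cycle R4 -> R5 -> R4
    "R6": (3, {"R3"}),
    "R7": (3, {"R9"}),         # refers to an id the model never defines
}


def find_cycles(reqs):
    """Return each cycle as a list of ids (first id repeated at the end),
    found by depth-first search with white/grey/black colouring."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {r: WHITE for r in reqs}
    stack, cycles = [], []

    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for dep in sorted(reqs[node][1]):
            if dep not in reqs:
                continue  # undefined reference, reported separately
            if colour[dep] == GREY:
                cycles.append(stack[stack.index(dep):] + [dep])
            elif colour[dep] == WHITE:
                visit(dep)
        stack.pop()
        colour[node] = BLACK

    for r in sorted(reqs):
        if colour[r] == WHITE:
            visit(r)
    return cycles


def reachable(reqs, start):
    """All ids reachable from `start` along dependency edges (start itself is
    included only when it lies on a cycle)."""
    seen, frontier = set(), deque([start])
    while frontier:
        node = frontier.popleft()
        for dep in reqs.get(node, (None, set()))[1]:
            if dep not in seen:
                seen.add(dep)
                frontier.append(dep)
    return seen


def find_redundant_edges(reqs):
    """Direct dependencies already implied transitively via another dependency."""
    redundant = []
    for r, (_, deps) in sorted(reqs.items()):
        for d in sorted(deps):
            if any(d in reachable(reqs, other) for other in deps - {d}):
                redundant.append((r, d))
    return redundant


def find_level_violations(reqs):
    """Requirements that depend on a requirement of a higher maturity level."""
    return [(r, d) for r, (lvl, deps) in sorted(reqs.items())
            for d in sorted(deps) if d in reqs and reqs[d][0] > lvl]


def find_undefined_references(reqs):
    """Dependencies on ids that the model never defines."""
    return [(r, d) for r, (_, deps) in sorted(reqs.items())
            for d in sorted(deps) if d not in reqs]


def audit(reqs):
    """Run all four checks and return the findings keyed by kind."""
    return {
        "cycles": find_cycles(reqs),
        "redundant_edges": find_redundant_edges(reqs),
        "level_violations": find_level_violations(reqs),
        "undefined_references": find_undefined_references(reqs),
    }


if __name__ == "__main__":
    for kind, findings in audit(TOY_REQUIREMENTS).items():
        print(f"{kind}: {findings}")
```

On the toy graph the audit reports the cycle R4 -> R5 -> R4, the redundant edge R3 -> R1, the level violation R4 -> R5 and the undefined reference R7 -> R9; a model whose audit comes back empty on all four counts still needs the human checks the paper describes (measurability and applicability of each requirement), but at least its dependency structure is internally consistent.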
Original abstract

Cryptographic agility is a key prerequisite for maintaining the long-term security of digital communication, particularly in light of the transition to post-quantum cryptography. To systematically assess this capability, Hohm et al. proposed the Crypto Agility Maturity Model (CAMM). In this work, we present the first evaluation of the CAMM against established design principles for maturity models. Our analysis reveals that the CAMM only partially satisfies these principles: its scope and target groups remain ambiguous; acceptance criteria are insufficiently operationalized, limiting verifiability and replicability; and dependency relations exhibit redundancies, cycles, and omissions. Applying the CAMM to a simple real-world scenario further confirmed these issues, as several requirements at higher maturity levels proved inapplicable or unclear. Based on these findings, we propose concrete improvements to the CAMM to enable more consistent and reliable assessments of cryptographic agility.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper evaluates the Crypto-Agility Maturity Model (CAMM) from Hohm et al. against established design principles for maturity models. It concludes that CAMM only partially satisfies the principles, citing ambiguous scope and target groups, insufficiently operationalized acceptance criteria that limit verifiability, and dependency relations with redundancies, cycles, and omissions. Application of CAMM to one simple real-world scenario is used to illustrate these issues, followed by concrete improvement proposals for more consistent cryptographic agility assessments.

Significance. Cryptographic agility is a critical capability for long-term security, especially during the shift to post-quantum cryptography. A structured evaluation of CAMM can help refine maturity models for practical use in the field. The work offers actionable suggestions that could enhance replicability if the identified gaps are resolved, though its impact depends on the robustness of the chosen benchmark and validation approach.

major comments (2)
  1. [Evaluation of CAMM (analysis section)] The central claim that CAMM 'only partially satisfies' the principles rests on the unexamined selection of those principles as the benchmark. The manuscript does not discuss why the chosen general maturity-model design principles are appropriate or sufficient for a crypto-specific model, nor does it consider security-tailored alternatives; this choice directly affects the validity of the partial-satisfaction conclusion and the proposed improvements.
  2. [Scenario application section] The scenario application is presented as confirmation of the defects, but reliance on a single simple real-world scenario is load-bearing for the claim that the issues (inapplicable higher-level requirements, etc.) are general. The manuscript should explain the scenario selection criteria and why it is representative rather than convenient, as a narrow case does not reliably demonstrate broad problems in scope, operationalization, and dependencies.
minor comments (2)
  1. [Introduction or related work] Clarify the exact source and number of the 'established design principles' early in the paper (e.g., via a dedicated subsection or table) to improve traceability.
  2. [Throughout] Ensure consistent cross-referencing to the original CAMM paper when describing levels, requirements, and dependencies to avoid ambiguity for readers unfamiliar with Hohm et al.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed comments, which help strengthen the rigor of our evaluation of the CAMM. We address each major comment below and will revise the manuscript to incorporate the suggested clarifications and expansions.

Point-by-point responses
  1. Referee: [Evaluation of CAMM (analysis section)] The central claim that CAMM 'only partially satisfies' the principles rests on the unexamined selection of those principles as the benchmark. The manuscript does not discuss why the chosen general maturity-model design principles are appropriate or sufficient for a crypto-specific model, nor does it consider security-tailored alternatives; this choice directly affects the validity of the partial-satisfaction conclusion and the proposed improvements.

    Authors: We agree that an explicit justification for selecting the general maturity-model design principles (drawn from established works such as those by Becker et al. and Mettler) is needed to support the validity of our 'partially satisfies' conclusion. These principles were chosen because they offer a domain-agnostic, widely validated framework for assessing structural soundness, operationalization, and dependencies in any maturity model, including crypto-specific ones; cryptographic agility fundamentally involves organizational process maturity rather than purely technical security properties. We will add a dedicated subsection in the analysis section explaining this rationale, referencing the literature on maturity model design, and briefly reviewing why security-tailored alternatives (e.g., from NIST post-quantum guidelines or ENISA reports) were not used as the primary benchmark—they tend to focus on specific controls rather than holistic model evaluation criteria. This addition will also clarify how the proposed improvements remain robust under the chosen framework. revision: yes

  2. Referee: [Scenario application section] The scenario application is presented as confirmation of the defects, but reliance on a single simple real-world scenario is load-bearing for the claim that the issues (inapplicable higher-level requirements, etc.) are general. The manuscript should explain the scenario selection criteria and why it is representative rather than convenient, as a narrow case does not reliably demonstrate broad problems in scope, operationalization, and dependencies.

    Authors: We acknowledge that a single scenario provides only illustrative support rather than comprehensive validation, and the manuscript should have included selection criteria to address potential concerns about convenience. The scenario was chosen as a minimal yet realistic enterprise network example involving migration to post-quantum cryptography, selected to isolate the identified CAMM issues (e.g., inapplicable higher-level requirements) without confounding variables from complex multi-vendor environments. We will revise the scenario section to explicitly state the selection criteria (simplicity for clarity, alignment with common industry use cases documented in NIST and ENISA reports on cryptographic agility), discuss its representativeness for typical organizational settings, and add a limitations paragraph noting that broader validation with additional scenarios would be valuable in future work. This will better frame the scenario as confirmatory illustration rather than standalone proof of generality. revision: yes

Circularity Check

0 steps flagged

No significant circularity: evaluation applies external design principles to CAMM without reduction to self-inputs

Full rationale

The paper's core chain—selecting established external design principles for maturity models, applying them to assess CAMM's scope/operationalization/dependencies, confirming via one scenario, and proposing improvements—draws on independent literature benchmarks rather than self-definitions, fitted parameters renamed as predictions, or load-bearing self-citations. No equations or derivations reduce by construction to the paper's own inputs; the analysis remains self-contained against external standards with no evidence of the patterns that would indicate circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The work rests on external established design principles for maturity models (not invented here) and a single illustrative scenario; no free parameters, new axioms, or invented entities are introduced.

pith-pipeline@v0.9.0 · 5456 in / 1072 out tokens · 27225 ms · 2026-05-10T15:39:37.520033+00:00 · methodology


Reference graph

Works this paper leans on

25 extracted references · 25 canonical work pages

  1. [1]

    On the State of Crypto-Agility

    Nouri Alnahawi, Nicolai Schmitt, Dr Alexander Wiesmaier, Dr Andreas Heinemann, and Tobias Grasmeyer. On the State of Crypto-Agility. Tagungsband zum, 18:103–126, 2022

  2. [2]

    Strategic framework for crypto agility and quantum risk assessment

    ATIS. Strategic framework for crypto agility and quantum risk assessment. Technical report, ATIS, January 2024. White paper / technical report

  3. [3]

    Developing Maturity Models for IT Management

    Jörg Becker, Ralf Knackstedt, and Jens Pöppelbuß. Developing Maturity Models for IT Management. Business & Information Systems Engineering, 1(3):213–222, June 2009

  4. [4]

    Considerations for Achieving Cryptographic Agility: Strategies and Practices

    Lily Chen. Considerations for Achieving Cryptographic Agility: Strategies and Practices. Technical Report NIST CSWP 39 ipd, National Institute of Standards and Technology, Gaithersburg, MD, 2025

  5. [5]

    Report on Post-Quantum Cryptography

    Lily Chen, Stephen Jordan, Yi-Kai Liu, Dustin Moody, Rene Peralta, Ray Perlner, and Daniel Smith-Tone. Report on Post-Quantum Cryptography. Technical Report NIST IR 8105, National Institute of Standards and Technology, April 2016

  6. [6]

    Towards a Business Process Management Maturity Model

    Tonia de Bruin and Michael Rosemann. Towards a Business Process Management Maturity Model. Proceedings of the 13th European Conference on Information Systems, 521–532, January 2005

  7. [7]

    Assessment of Industry 4.0 Maturity Models by Design Principles

    Dinara Dikhanbayeva, Sabit Shaikholla, Zhanybek Suleiman, and Ali Turkyilmaz. Assessment of Industry 4.0 Maturity Models by Design Principles. Sustainability, 12(23):9927, January 2020. Number: 23. Publisher: Multidisciplinary Digital Publishing Institute

  8. [8]

    A coordinated implementation roadmap for the transition to post-quantum cryptography, 2025

    EU PQC Workstream. A coordinated implementation roadmap for the transition to post-quantum cryptography, 2025

  9. [9]

    Building cryptographic agility in the financial sector: Effective, efficient change in a post quantum world

    FS-ISAC. Building cryptographic agility in the financial sector: Effective, efficient change in a post quantum world. Technical report, FS-ISAC, October 2024. White paper / technical report

  10. [10]

    Paradigm of Post-quantum Cryptography and Crypto-agility: Strategy Approach of Quantum-safe Techniques

    Olaf Grote, Andreas Ahrens, and César Benavente-Peces. Paradigm of Post-quantum Cryptography and Crypto-agility: Strategy Approach of Quantum-safe Techniques. In Proceedings of the 9th International Conference on Pervasive and Embedded Computing and Communication Systems, pages 91–98, Vienna, Austria,

  11. [11]

    SCITEPRESS - Science and Technology Publications

  12. [12]

    Andreas Heinemann. CAMM. https://camm.h-da.io/

  13. [13]

    Design science in information systems research

    Alan R. Hevner, Salvatore T. March, Jinsoo Park, and Sudha Ram. Design science in information systems research. MIS Quarterly, pages 75–105, 2004

  14. [14]

    Towards a Maturity Model for Crypto-Agility Assessment

    Julian Hohm, Andreas Heinemann, and Alexander Wiesmaier. Towards a Maturity Model for Crypto-Agility Assessment. In Guy-Vincent Jourdan, Laurent Mounier, Carlisle Adams, Florence Sèdes, and Joaquin Garcia-Alfaro, editors, Foundations and Practice of Security, pages 104–119, Cham, 2023. Springer Nature Switzerland

  15. [15]

    Anne Frances Johnson and Lynette I. Millett. Cryptographic agility and interoperability: proceedings of a workshop. The National Academies Press, Washington, D.C., 2017. OCLC: 1002698828

  16. [16]

    Framework for the development of maturity based self-assessments for process improvement

    Arno Kühn, Tobias Bensiek, and Jürgen Gausemeier. Framework for the development of maturity based self-assessments for process improvement. DS 75-1: Proceedings of the 19th International Conference on Engineering Design (ICED13), Design for Harmonies, Vol.1: Design Processes, Seoul, Korea, 19-22.08.2013, pages 119–128, 2013. ISBN: 9781904670445

  17. [17]

    CARAF: Crypto Agility Risk Assessment Framework

    Chujiao Ma, Luis Colon, Joe Dera, Bahman Rashidi, and Vaibhav Garg. CARAF: Crypto Agility Risk Assessment Framework. Journal of Cybersecurity, 7(1):tyab013, February 2021

  18. [18]

    Maturity assessment models: a design science research approach

    Tobias Mettler. Maturity assessment models: a design science research approach. International Journal of Society Systems Science, 3(1/2):81, 2011

  19. [19]

    D. Nelson. Crypto-Agility Requirements for Remote Authentication Dial-In User Service (RADIUS), November 2011. RFC6421

  20. [20]

    Toward a Common Understanding of Cryptographic Agility – A Systematic Review, February 2025

    Christian Näther, Daniel Herzinger, Jan-Philipp Steghöfer, Stefan-Lukas Gazdag, Eduard Hirsch, and Daniel Loebenberger. Toward a Common Understanding of Cryptographic Agility – A Systematic Review, February 2025. arXiv:2411.08781 [cs]

  21. [21]

    Considerations for achieving crypto agility - strategies and practices

    National Institute of Standards and Technology. Considerations for achieving crypto agility - strategies and practices. Technical Report CSWP 39 2pd, National Institute of Standards and Technology (NIST), 2025

  22. [22]

    Identifying research challenges in post quantum cryptography migration and cryptographic agility

    David Ott, Christopher Peikert, and other workshop participants. Identifying research challenges in post quantum cryptography migration and cryptographic agility

  23. [23]

    Designing and Evaluating Prescriptive Maturity Models: A Design Science-Oriented Approach

    Lena Otto, Katja Bley, and Lorenz Harst. Designing and Evaluating Prescriptive Maturity Models: A Design Science-Oriented Approach. In 2020 IEEE 22nd Conference on Business Informatics (CBI), volume 2, pages 40–47, June 2020. ISSN: 2378-1971

  24. [24]

    Capability maturity model, version 1.1

    M.C. Paulk, B. Curtis, M.B. Chrissis, and C.V. Weber. Capability maturity model, version 1.1. IEEE Software, 10(4):18–27, July 1993

  25. [25]

    What makes a useful maturity model? A framework of general design principles for maturity models and its demonstration in business process management

    Jens Poeppelbuss and Maximilian Roeglinger. What makes a useful maturity model? A framework of general design principles for maturity models and its demonstration in business process management. In 19th European Conference on Information Systems, ECIS 2011, 2011