The SCF QTS (Quantum Security) domain addresses cryptographic and technology risks from quantum computing. QTS controls cover Post-Quantum Cryptography readiness, cryptographic inventory requirements, algorithm agility design, and migration planning for NIST-standardized algorithms including FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). Organizations subject to NSA CNSA 2.0 or federal PQC mandates can use SCF QTS as their migration control baseline.
The SCF QTS domain was developed to address the growing regulatory and operational pressure organizations face as quantum computing capabilities advance.
The domain provides controls across several key areas: cryptographic algorithm inventory (identifying all current uses of RSA, ECC, and other quantum-vulnerable algorithms); Post-Quantum Cryptography migration planning and prioritization; algorithm agility requirements (designing systems to support cryptographic algorithm substitution without full re-architecture); key management controls for hybrid classical and post-quantum transitions; vendor and supply chain cryptographic requirements; and monitoring of NIST CMVP validation status for deployed cryptographic modules.
The QTS domain maps to NSA CNSA 2.0 suite requirements, CISA post-quantum guidance, NIST SP 800-131A Rev. 2, and the PQC standards finalized by NIST in August 2024: FIPS 203 (ML-KEM/CRYSTALS-KYBER), FIPS 204 (ML-DSA/CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA/SPHINCS+).
Organizations in federal, defense, financial, and critical infrastructure sectors can use SCF QTS to structure and document their PQC transition programs.
Keep Exploring
References