Secure Controls Framework
Download The SCF

Quantum Security (QTS)

Domain Principle

Mitigate quantum-enabled cryptographic risks through governance structures that operationalize Post-Quantum Cryptography (PQC) risk management practices.

Domain Intent

Organizations identify, assess and mitigate risks associated with Cryptographically Relevant Quantum Computers (CRQCs), including risks that may render legacy cryptographic mechanisms ineffective, through cryptographic inventory, prioritization, migration planning and cryptographic agility.

Domain Guide

Cryptographically Relevant Quantum Computers (CRQCs) pose a threat to asymmetric cryptography, including RSA, ECC and DH key exchange, that is not addressed by any existing cryptographic control. The QTS domain governs the organizational response to that threat through governance structures that operationalize Post-Quantum Cryptography (PQC) risk management practices.

 

The SCF's intent for QTS requires cryptographic inventory, risk prioritization, migration planning and cryptographic agility. The inventory requirement connects to CRY: organizations that don't know where they use RSA can't begin planning a PQC migration. The agility requirement acknowledges that PQC algorithm selection is still evolving and organizations need cryptographic architectures that can adopt new algorithms as standards mature.

 

QTS warrants its own domain because the quantum threat operates on a different timeline than most security risks. CRQCs capable of breaking current public-key cryptography do not yet exist, but "harvest now, decrypt later" attacks are a present threat for long-lived sensitive data. Organizations need to begin migration planning before the threat is fully realized, which requires governance and planning discipline that existing cryptographic controls don't address.