🤖 AI Summary
This study addresses structural limitations in the existing Cryptographic Agility Maturity Model (CAMM): ambiguities in the definition of its target population, the lack of operationalizable acceptance criteria, and a problematic dependency structure, all of which hinder its practical application and empirical validation. It presents the first systematic empirical evaluation of the CAMM, combining established maturity model design principles with a multi-case study methodology, and shows from both theoretical and practical perspectives why the model's high-maturity requirements are difficult to meet in real-world settings. Building on these findings, it proposes targeted refinements that substantially enhance the model's consistency, reliability, and practical utility, thereby offering an actionable improvement framework for cryptographic agility governance.
📝 Abstract
Cryptographic agility is a key prerequisite for maintaining the long-term security of digital communication, particularly in light of the transition to post-quantum cryptography. To systematically assess this capability, Hohm et al. proposed the Crypto Agility Maturity Model (CAMM).
In this work, we present the first evaluation of the CAMM against established design principles for maturity models. Our analysis reveals that the CAMM only partially satisfies these principles: its scope and target groups remain ambiguous; acceptance criteria are insufficiently operationalized, limiting verifiability and replicability; and dependency relations exhibit redundancies, cycles, and omissions. Applying the CAMM to a simple real-world scenario further confirmed these issues, as several requirements at higher maturity levels proved inapplicable or unclear. Based on these findings, we propose concrete improvements to the CAMM to enable more consistent and reliable assessments of cryptographic agility.