Configuring PQC Readiness/Post-Quantum Policies

Policies define the cryptographic standards and algorithms used to assess your environment’s readiness for post-quantum cryptography (PQC). A PQC policy lets you establish a cryptographic governance framework that:
  • Continuously evaluates your organization’s algorithms and protocols against the PQC-readiness standards
  • Automatically transforms non-compliant cryptographic elements into compliant ones based on organization-specific policy decisions
It serves as your organization’s quantum-readiness rulebook, used for:
  • Detecting all cryptographic algorithms/protocols in use across applications, infrastructure, and source code
  • Classifying each algorithm as Quantum Vulnerable or Quantum Resistant per custom PQC policy
  • Maintaining the auditability of decisions and changes for security and compliance reporting
  • Supporting crypto-agility so policies can evolve with new PQC standards or threat intelligence
AppViewX lets you create custom policies based on your organization’s standards and requirements to override the default classifications derived from the NIST standards and Grover/Shor analysis. The following sections describe how AppViewX’s Quantum Trust Hub lets you create custom code, certificate, and configuration policies, modify and delete policies as your requirements change, and control policy enforcement.
Important: Overrides do not alter the NIST standards or an algorithm's quantum resistance derived from Grover/Shor analysis. They only affect your organization’s PQC score and Quantum Readiness reporting.

Viewing the PQC Policy Inventory

All PQC policies (code, configuration, and certificate) created by your organization are listed together in the main PQC policy inventory.

Prerequisite: Verify that your user role has the required ACF permission to view policy inventory. To enable ACF permission, click here.

To view the PQC Policy inventory, go to Menu > Quantum Trust Hub > Policy.

The PQC Policy page is displayed.

This page documents all key details related to each governance policy created for your organization’s quantum-readiness framework. It also lets you create, modify, and delete policies, and control policy enforcement.

Understanding the PQC Policy Inventory

Field: Description
Toolbar: The PQC policy inventory toolbar has the following options:
  • Search: Enter free text or keywords to search for specific policies in the inventory.
  • Create: To create a new policy (code, configuration, or certificate), click Create. For instructions, see Creating a Policy.
  • Delete: To delete a policy, click the Delete icon. For instructions, see Deleting a Policy.
  • Know More: To read about policies and the types of policies AppViewX supports for its PQC implementation, click the Know More icon.
  • Pagination: Use the pagination control dropdown to select the number of records displayed per page of the inventory.

    You can display 25, 50, 75, or 100 records per page of the inventory.

  • Pagination navigation: Use the pagination navigation buttons to move between the pages in the inventory.
  • Refresh: Use the Refresh button to reload the inventory and display up-to-date records.
Policy Name: User-assigned policy name
Description: Additional details related to the policy, if and as specified by the user
Policy Scope: Cryptographic asset that the policy was created for (code, configuration, certificate)
Policy Enforcement: Controls whether a policy is enabled or disabled.
For instructions and ACF rules, see Enforcing a Policy.
Important: There can be only one active policy at a time.

Creating a Policy

This section of the product lets you create custom policies that can target one or all of the cryptographic assets in your infrastructure, to validate them for quantum-readiness and vulnerabilities.

Prerequisite: Verify that your user role has the required ACF permission to create policies. To enable ACF permission, click here.

Creating a Custom Policy

  1. Go to (Menu) > Quantum Trust Hub > Policy.
    The Post-Quantum Policy page is displayed, which is your complete policy inventory.
  2. From the toolbar, click Create.
    The Post-Quantum Policy > Create page is displayed.
  3. Under Crypto Policy Management:
    1. In the Policy field (mandatory), enter a descriptive name for identifying your policy.
      Constraints: Spaces and leading special characters are considered invalid for the policy name.
    2. In the Description field, enter additional details related to the policy.
      This could include the purpose of the policy, how it applies, and so on.
    3. Add rules to the policy targeting all or only specific cryptographic assets.
  4. Click Save.
    The policy is created and listed in the PQC policy inventory.

Adding a Code Rule to Your Custom Policy

  1. From the scope toolbar, click Code and then click Add Policy.
    The Add Policy pop-up dialog box is displayed.
  2. Enter/Select the following details for the code rule in your custom policy:
    Important: Overrides do not alter NIST standards or an algorithm's quantum resistance derived from Grover/Shor analysis. They only affect your organization’s PQC score and Quantum Readiness reporting.
    Field: Description
    *Type: From the dropdown list, select the algorithm type whose default quantum-safety status you want to override.
    *Override Classification: From the dropdown list, select the new quantum-safety status for the selected algorithm; this overrides its default value.
    *Key type & strength: From the dropdown list, select the new key type and strength that will override the algorithm’s default values.
    Notes: Enter your justification for the override configured using the above fields.

    Although this field is optional, recording a justification is recommended practice: it builds a knowledge base that guides future changes to the policy.

    *: Mandatory fields
  3. Click Add Policy Rule.
    The code rule is added to the rule inventory.

    To read about the details in the rule inventory, click here.

Adding a Configuration Rule to Your Custom Policy

  1. From the scope toolbar, click Configuration and then click Add Policy.
    The Add Policy pop-up dialog box is displayed.
  2. Enter/Select the following details for the configuration rule in your custom policy:
    Important: Overrides do not alter NIST standards or an algorithm's quantum resistance derived from Grover/Shor analysis. They only affect your organization’s PQC score and Quantum Readiness reporting.
    Field: Description
    *Type: From the dropdown list, select the protocol or cipher suite component whose default NIST classification you want to override.
    *Override Classification: From the dropdown list, select the new quantum-safety status for the selected protocol/cipher suite component; this overrides its default value.
    *Key type & strength: From the dropdown list, select the key type and strength that will override the selected protocol/cipher suite component’s default values.
    Notes: Enter your justification for the override configured using the above fields.

    Although this field is optional, recording a justification is recommended practice: it builds a knowledge base that guides future changes to the policy.

    *: Mandatory fields
  3. Click Add Policy Rule.
    The configuration rule is added to the rule inventory.

    To read about the details in the rule inventory, click here.

Adding a Certificate Rule to Your Custom Policy

  1. From the scope toolbar, click Certificate and then click Add Policy.
    The Add Policy pop-up dialog box is displayed.
  2. Enter/Select the following details for the certificate rule in your custom policy:
    Important: Overrides do not alter NIST standards or an algorithm's quantum resistance derived from Grover/Shor analysis. They only affect your organization’s PQC score and Quantum Readiness reporting.
    Field: Description
    *Type: From the dropdown list, select the algorithm type whose default quantum-safety status you want to override.
    *Override Classification: From the dropdown list, select the new quantum-safety status for the selected algorithm; this overrides its default value.
    *Key type & strength: From the dropdown list, select the key type and strength that will override the selected algorithm’s default values.
    Notes: Enter your justification for the override configured using the above fields.

    Although this field is optional, recording a justification is recommended practice: it builds a knowledge base that guides future changes to the policy.

    *: Mandatory fields
  3. Click Add Policy Rule.
    The certificate rule is added to the rule inventory.

    To read about the details in the rule inventory, click here.

Understanding the Rule Inventory

The rule inventory for each cryptographic asset (code, configuration, and certificate) is displayed in the corresponding tab on the toolbar.

Common Inventory Functions

Field: Description
Search: Enter free text or keywords to search for specific policies in the inventory.
Delete: To delete a rule from the inventory, select the corresponding checkbox and click the Delete icon.
Pagination: Use the pagination control dropdown to select the number of records displayed per page of the inventory.

You can display 25, 50, 75, or 100 records per page of the inventory.

Pagination navigation: Use the pagination navigation buttons to move between the pages in the inventory.

Rule Details

Field: Description
Type: Algorithm/protocol/cipher suite component for which the quantum-status classification has been modified
Key Type & Strength: Default key type and strength of the selected algorithm/protocol/cipher suite component
Default Quantum Status: Default quantum status of the selected algorithm/protocol/cipher suite component
Organization override: New quantum-status classification assigned to the selected algorithm/protocol/cipher suite component, which will override the default value
Added By: Name of the user who created the policy rule
Date: Date on which the policy rule was created
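
The following added example (not AppViewX code) models how scoped override rules change what is reported while the default quantum status stays on record, and how an auditor can list overrides that relax a default without a justification in Notes. The defaults table, the Rule shape, the sample data, and the readiness percentage are assumptions made for illustration; the product's own score formula is not described on this page.

```python
from dataclasses import dataclass

VULNERABLE, RESISTANT = "Quantum Vulnerable", "Quantum Resistant"

# Constructed defaults keyed by (type, key strength in bits); not product data.
DEFAULTS = {("RSA", 2048): VULNERABLE, ("ECDSA", 256): VULNERABLE,
            ("AES", 256): RESISTANT, ("ML-KEM", 768): RESISTANT}

@dataclass(frozen=True)
class Rule:  # hypothetical shape, loosely following the Rule Details columns
    scope: str      # code | configuration | certificate
    algo: str
    bits: int
    override: str
    added_by: str
    notes: str = ""

def evaluate(findings, rules):
    """Classify each finding, keeping default and reported status apart."""
    index = {(r.scope, r.algo, r.bits): r for r in rules}
    rows = []
    for scope, algo, bits in findings:
        default = DEFAULTS.get((algo, bits), VULNERABLE)  # unknown: fail closed
        rule = index.get((scope, algo, bits))
        reported = rule.override if rule else default
        rows.append({
            "scope": scope, "algo": algo, "bits": bits,
            "default": default, "reported": reported,
            # The override hides a default "vulnerable" result from the report.
            "relaxed": default == VULNERABLE and reported == RESISTANT,
            "justified": bool(rule and rule.notes.strip()),
        })
    return rows

def readiness(rows, field):
    """Percent of findings classed resistant under 'default' or 'reported'."""
    return round(100 * sum(r[field] == RESISTANT for r in rows) / len(rows))

def needs_review(rows):
    """Relaxing overrides that carry no justification in Notes."""
    return [r for r in rows if r["relaxed"] and not r["justified"]]

# Constructed sample findings and rules.
FINDINGS = [("certificate", "RSA", 2048), ("code", "ECDSA", 256),
            ("configuration", "AES", 256), ("code", "ML-KEM", 768),
            ("code", "AES", 256)]
RULES = [Rule("certificate", "RSA", 2048, RESISTANT, "alice"),
         Rule("code", "ECDSA", 256, RESISTANT, "bob", "constructed justification"),
         Rule("configuration", "AES", 256, VULNERABLE, "bob", "stricter internal bar")]
ROWS = evaluate(FINDINGS, RULES)
```

With this sample data the reported readiness is higher than the default-based figure, which is why reports should keep both columns and flag relaxing overrides for review.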

Enforcing a Policy

Only one active policy at a time can govern the PQC-focused scans for quantum-readiness. The admin user can enable or disable policies to activate the required one.

Enabling ACF for Policy Enforcement

Note: To learn how to enable the ACF permission for the user roles to access the Policy under Quantum Trust Hub, click here.

Enabling/Disabling a Policy

To enable a policy, from the Policy Enforcement column in the PQC Policy inventory, turn on the toggle key.
Note: You will not be able to enable a policy unless the active policy has been disabled.
To disable a policy, from the Policy Enforcement column in the PQC Policy inventory, turn off the toggle key.
Important: When a policy is enabled, the currently enabled policy is automatically disabled. Before disabling a policy, it is mandatory that at least one other policy is enabled. All policies cannot be disabled. If this is attempted, the message "Disabling this policy requires enabling another applicable policy." is displayed.

Modifying a Policy

Important: The default policy cannot be modified.

Prerequisite: Verify that your user role has the required ACF permission to modify policies. To enable ACF permission, click here.

  1. From the PQC Policy inventory, click the Policy Name of the policy that has to be modified.
    Policy details entered at the time of policy creation are displayed.
  2. Update the policy details as required.
    For field descriptions, see the corresponding instruction in Creating a Policy.
  3. Click Save.
  4. Click Update.
    A confirmation message is displayed to indicate if the policy update was a success or a failure.

    If the policy update is a success, all reports are updated immediately according to the modifications made.

Deleting a Policy

Important: The default policy cannot be deleted.

Prerequisite: Verify that your user role has the required ACF permission to delete policies. To enable ACF permission, click here.

  1. From the PQC Policy inventory, select the checkbox corresponding to the policy you want to delete.
    You can select more than one policy.
  2. From the toolbar, click Delete.
    The selected policy or policies are deleted.