Configuring PQC Readiness/Post-Quantum Policies

Policies define the cryptographic standards and algorithms used to assess your environment’s readiness for post-quantum cryptography (PQC). A PQC policy lets you establish a cryptographic governance framework that:
  • Continuously evaluates your organization’s algorithms and protocols against the PQC-readiness standards
  • Automatically transforms non-compliant cryptographic elements into compliant ones based on organization-specific policy decisions
It is like your organization’s quantum-readiness rulebook that is used for:
  • Detecting all cryptographic algorithms/protocols in use across applications, infrastructure, and source code
  • Classifying each algorithm as quantum Vulnerable or Quantum Resistant per custom PQC policy
  • Maintaining the auditability of decisions and changes for security and compliance reporting
  • Supporting crypto-agility so policies can evolve with new PQC standards or threat intelligence
AppViewX lets you create custom policies based on your organization’s standards and requirements to override the default standards defined by NIST and the Grover/Shor algorithm. In the following sections, you will be walked through how AppViewX’s Quantum Trust Hub lets you create custom code, certificate, and configuration policies, modify and delete the policies as per revisions in your requirements, and control policy enforcement.
Important: Overrides do not alter the NIST standards or an algorithm's quantum resistance derived from Grover/Shor analysis. They only affect your organization’s Quantum Readiness reporting.

Viewing the PQC Policy Inventory

All PQC policies (code, configuration, and certificate) created by your organization are listed together in the main PQC policy inventory.

Prerequisite: Verify that your user role has the required ACF permission to view policy inventory. To enable ACF permission, click here.

To view the PQC Policy inventory, go to Menu > Quantum Trust Hub > Policy.

The PQC Policy page is displayed.

This page documents all key details related to each governance policy created for your organization’s quantum-readiness framework. It also lets you create, modify, and delete policies, and control policy enforcement.

Understanding the PQC Policy Inventory

Fields Description
Toolbar The PQC policy inventory toolbar has the following options:
  • Search: Enter free text or keywords to search for specific policies in the inventory.
  • Create: To create a new policy (code, configuration, or certificate), click Create. For instructions, see Creating a Policy.
  • Delete: To delete a policy, click . For instructions, see Deleting a Policy.
  • Know More: To read on policies and the types of policies AppViewX supports for its PQC implementation, click .
  • Pagination: Use the pagination control dropdown to select the number of records that will be displayed per page of the inventory.

    You can select to display 25, 50, 75, or 100 records per page of the inventory.

  • Pagination navigation: Use the pagination navigation buttons to move between the pages in the inventory.
  • Refresh: Use the Refresh button to reload the inventory to display the up-to-date records.
Policy Name User-assigned policy name
Description Additional details related to the policy, if and as specified by the user
Policy Scope Cryptographic asset that the policy was created for (code, configuration, certificate)
Policy Enforcement This field controls enabling/disabling a policy.
For instructions and ACF rules, see Enforcing a Policy.
Important: There can be only one active policy at a time.

Creating a Policy

This section of the product lets you create custom policies that can target one or all of the cryptographic assets in your infrastructure, to validate them for quantum-readiness and vulnerabilities.

Prerequisite: Verify that your user role has the required ACF permission to create policies. To enable ACF permission, click here.

Creating a Custom Policy

  1. Go to (Menu) > Qauntum Trust Hub > Policy.
    The Post-Quantum Policy page is displayed, which is your complete policy inventory.
  2. From the toolbar, click Create.
    The Post-Quantum Policy > Create page is displayed.
  3. Under Crypto Policy Management:
    1. In the Policy field (mandatory), enter a descriptive name for identifying your policy.
      Constraints: Spaces and leading special characters are considered invalid for the policy name.
    2. In the Description field, enter additional details related to the policy.
      This could include the purpose of the policy, how it applies, and so on.
    3. Add rules to the policy targeting all or only specific cryptographic assets.
  4. Click Save.
    The policy is created and listed in the PQC policy inventory.

Adding a Code Rule to Your Custom Policy

  1. From the scope toolbar, click Code and then click Add Policy.
    The Add Policy pop-up dialog box is displayed.
  2. Enter/Select the following details for the code rule in your custom policy:
    Important: Overrides do not alter NIST standards or an algorithm's quantum resistance derived from Grover/Shor analysis. They only affect your organization’s Quantum Readiness reporting.
    Fields Description
    *Type To override the default quantum-safety status for an encryption algorithm, from the dropdown list, select the required algorithm type.
    *Override Classification From the dropdown list, select the new quantum-safety status value for the selected algorithm, which will override its default value.
    *Key type & strength From the dropdown list, select the new key type and strength that will override the algorithm’s default values.
    Notes Enter your justification for the override configured using the above fields.

    While this is an optional field, entering the description is a recommended practice to ensure a knowledge base to guide decisions for future configurations to a policy.

    *: Mandatory fields
  3. Click Add Policy Rule.
    The code rule is added to the rule inventory.

    To read on the details in the rule inventory, click here.

Adding a Configuration Rule to Your Custom Policy

  1. From the scope toolbar, click Configuration and then click Add Policy.
    The Add Policy dialog box is displayed.
  2. Enter/Select the following details for the configuration rule in your custom policy:
    Important: Overrides do not alter NIST standards or an algorithm's quantum resistance derived from Grover/Shor analysis. They only affect your organization’s PQC score and Quantum Readiness reporting.
    Fields Description
    *Type To override its default NIST classification, from the following options in the dropdown list, select the required protocol or cipher suite component:
    • Key Exchange
    • Authentication
    *Override Classification From the dropdown list, select the new quantum-safety status value for the selected protocol/cipher suite component, which will override its default value.
    *Key exchange algorithm This field is displayed when Type = Key Exchange.

    Based on your organization's PQC policy, from the dropdown list, select the key exchange algorithm that will override the selected protocol/cipher suite component's default values.

    The dropdown list is populated with only algorithms, and not their curves and key strengths to ensure full coverage for the selected algorithm.
    *Key type & strength This field is displayed when Type = Authentication.

    Based on your organization's PQC policy, from the dropdown list, select the key type and strength that will override the selected protocol/cipher suite component’s default values.
    Business Application From the dropdown list, select one or more business applications that this policy will apply to.

    This is an optional field.

    The rule creation outcome depends on the combination of the input values selected for the Business Application and the Key exchange algorithm/Key type & strength fields.

    This behavior has been explained with the help of multiple use cases here.
    Notes Enter your justification for the override configured using the above fields.

    While this is an optional field, entering the description is a recommended practice to ensure a knowledge base to guide decisions for future configurations to a policy.

    *: Mandatory fields
  3. Click Add Policy Rule.
    The configuration rule is added to the rule inventory.

    To read on the details in the rule inventory, click here.

Use Cases to Understand Configuration Rule Creation Outcomes

Use Case 1: Multiple business applications mapped to one rule

Fields Description
Input User selects more than one value from the Business Application dropdown list
Outcome A separate rule is created for each business application selected.
Example-Input
Example-Outcome

Use Case 2: No business applications selected

Fields Description
Input User does not select any business applications from the dropdown list
Outcome The rule applies to all business applications for the selected key type & strength/key exchange algorithm(s).
Example-Input
Example-Outcome

Use Case 3: Duplicate rule validation

Fields Description
Input User selects a key type and a business application already mapped to each other in an existing policy rule.
Outcome The system prevents duplicate entries to maintain policy integrity and avoid redundancy. In such an event, the following message is displayed: A policy rule with the same business application and configuration already exists. Duplicate rules are not allowed.
Example-Input Assume that the following is an existing rule:
Now, let’s say you attempt to create another rule, the input for which looks like this:
Example-Outcome You will get the above-mentioned error message, as shown in the image below:

Use Case 4: Rule already applied to all applications

Fields Description
Input User selects a key type, which is already mapped to all business applications, and a specific business application from the Business Application dropdown list.
Outcome The system blocks the action since the rule is already globally applied. The following message is displayed: This rule already applies to “All Applications”. Modify the existing rule to restrict it to specific applications.
Example-Input Assume the following is an existing rule in the policy configuration:
Now, let’s say you attempt to create another rule, with the following input values:
Example-Outcome On clicking Add, the following message is displayed:

Use Case 5: Partial acceptance [mixed input]

Fields Description
Input User selects multiple input values, some of which are already mapped in existing rules while some are not mapped to any rules.
Outcome Duplicate entries are skipped. Valid entries are added to the policy inventory.
Example 1-Input Assume the following are existing rules in the policy configuration:
Now, let’s say you attempt to create a new rule with the following input values:
Example 1-Outcome The rule with the DH – admin mapping from the existing rules is updated to include the ECDH algorithm, as show in the following image:
Example 2-Input Assume the following are existing rules in the policy configuration:
Now, let’s say you attempt to create a new rule with the following input values:
Example 2-Outcome Since the policy rule inventory already has:
  • A rule that maps the DH algorithm to the admin business application
  • A rule for the dev business application
When you click Add after entering the above input values, the outcome is as shown in the following image:
  • The DH – admin mapping in the input values is skipped since a rule already exists.
  • The existing rule for the dev business application is updated to the include the DH algorithm [second entry in the above image].
  • A new rule that maps the Dh algorithm to the qa business application is added to the inventory [as no existing rule mapped this business application].

Use Case 6: Consolidation to all applications

Fields Description
Input User selects an input value mapped to a specific business application and attempts to map it to all business applications
Outcome Existing application-specific rule is updated to all applications rule. The following message is displayed: Existing application-specific rules have been replaced with an “All” applications rule.
Example 1-Input Assume the following are existing rules in the policy configuration:
Now, let’s say you attempt to create a new rule with the following input values:
Example 1-Outcome When you click Add, the policy rule inventory is updated as shown in the following image:
In the existing rule that mapped the DH algorithm with the admin business application [first entry in the existing rules list], the business application has been updated to All.
Example 2-Input Assume the following are existing rules in the policy configuration:
Now, let’s say you attempt to create a new rule with the following input values:
Example 2-Outcome When you click Add, the policy rule inventory is updated as shown in the following image:

Adding a Certificate Rule to Your Custom Policy

  1. From the scope toolbar, click Certificate and then click Add Policy.
    The Add Policy pop-up dialog box is displayed.
  2. Enter/Select the following details for the certificate rule in your custom policy:
    Important: Overrides do not alter NIST standards or an algorithm's quantum resistance derived from Grover/Shor analysis. They only affect your organization’s PQC score and Quantum Readiness reporting.
    Fields Description
    *Type To override the default quantum-safety status for an encryption algorithm, from the dropdown list, select the required algorithm type.
    *Override Classification From the dropdown list, select the new quantum-safety status value for the selected algorithm, which will override its default value.
    *Key type & strength From the dropdown list, select the key type and strength that will override the selected algorithm’s default values.
    Business Application From the dropdown list, select one or more business applications that this policy will apply to.

    This is an optional field.

    The rule creation outcome depends on the combination of the input values selected for the Business Application and the Key type & strength fields.

    This behavior has been explained with the help of multiple use cases here.
    Notes Enter your justification for the override configured using the above fields.

    While this is an optional field, entering the description is a recommended practice to ensure a knowledge base to guide decisions for future configurations to a policy.

    *: Mandatory fields
  3. Click Add Policy Rule.
    The certificate rule is added to the rule inventory.

    To read on the details in the rule inventory, click here.

Use Cases to Understand Certificate Rule Creation Outcomes

Use Case 1: Multiple business applications mapped to one rule

Fields Description
Input User selects more than one value from the Business Application dropdown list
Outcome A separate rule is created for each business application selected.
Example-Input
Example-Outcome

Use Case 2: No business applications selected

Fields Description
Input User does not select any business applications from the dropdown list
Outcome The rule applies to all business applications for the selected key type & strength/key exchange algorithm(s).
Example-Input
Example-Outcome

Use Case 3: Duplicate rule validation

Fields Description
Input User selects a key type and a business application already mapped to each other in an existing policy rule.
Outcome The system prevents duplicate entries to maintain policy integrity and avoid redundancy. In such an event, the following message is displayed: A policy rule with the same business application and configuration already exists. Duplicate rules are not allowed.
Example-Input Assume that the following is an existing rule:
Now, let’s say you attempt to create another rule, the input for which looks like this:
Example-Outcome You will get the above-mentioned error message, as shown in the image below:

Use Case 4: Rule already applied to all applications

Fields Description
Input User selects a key type, which is already mapped to all business applications, and a specific business application from the Business Application dropdown list.
Outcome The system blocks the action since the rule is already globally applied. The following message is displayed: This rule already applies to “All Applications”. Modify the existing rule to restrict it to specific applications.
Example-Input Assume the following is an existing rule in the policy configuration:
Now, let’s say you attempt to create another rule, with the following input values:
Example-Outcome On clicking Add, the following message is displayed:

Use Case 5: Partial acceptance [mixed input]

Fields Description
Input User selects multiple input values, some of which are already mapped in existing rules while some are not mapped to any rules.
Outcome Duplicate entries are skipped. Valid entries are added to the policy inventory.
Example 1-Input Assume the following are existing rules in the policy configuration:
Now, let’s say you attempt to create a new rule with the following input values:
Example 1-Outcome When you click Add, the rule with the RSA-512 – Auto Link Table Field 1_1 mapping from the existing rules is updated to include RSA-1024, as show in the following image:
Example 2-Input Assume the following are existing rules in the policy configuration:
Now, let’s say you attempt to create a new rule with the following input values:
Example 2-Outcome Since the policy rule inventory already has:
  • A rule that maps RSA-512 to the Auto Link Table Field 1_1 business application
  • A rule for the Auto Link Table Field 1_10 business application
When you click Add after entering the above input values, the outcome is as shown in the following image:
  • The RSA-512 – Auto Link Table Field 1_1 mapping in the input values is skipped since a rule already exists.
  • The existing rule for the Auto Link Table Field 1_10 business application is updated to the include RSA-512 [second entry in the above image].
  • A new rule that maps RSA-512 to the Auto Link Table Field 1_11 business application is added to the inventory [as no existing rule is mapped to this business application].

Use Case 6: Consolidation to all applications

Fields Description
Input User selects an input value mapped to a specific business application and attempts to map it to all business applications
Outcome Existing application-specific rule is updated to all applications rule. The following message is displayed: Existing application-specific rules have been replaced with an “All” applications rule.
Example 1-Input Assume the following are existing rules in the policy configuration:
Now, let’s say you attempt to create a new rule with the following input values:
Example 1-Outcome When you click Add, the policy rule inventory is updated as shown in the following image:
In the existing rule that mapped RSA-512 to the RSA-512 – Auto Link Table Field 1_1 business application [first entry in the existing rules list], the business application has been updated to All.
Example 2-Input Assume the following are existing rules in the policy configuration:
Now, let’s say you attempt to create a new rule with the following input values:
Example 2-Outcome When you click Add, the policy rule inventory is updated as shown in the following image:
  • In the existing rule that mapped RSA-512 to the Auto Link Table Field 1_1 business application [second entry in the existing rules list], the business application has been updated to All.
  • Since RSA-512 is now mapped to All business applications, it is removed from the rule that maps RSA-768 and RSA-1024 to the Auto Link Table Field 1_10 business application.

Understanding the Rule Inventory

The rule inventory for each cryptographic asset (code, configuration, and certificate) is displayed in the corresponding tab on the toolbar.

Common Inventory Functions

Fields Description
Search Enter free text or keywords to search for specific policies in the inventory.
To delete a rule from the inventory, select the corresponding checkbox and click .
Pagination Use the pagination control dropdown to select the number of records that will be displayed per page of the inventory.

You can select to display 25, 50, 75, or 100 records per page of the inventory.
Pagination navigation Use the pagination navigation buttons to move between the pages in the inventory.

Rule Details

Fields Description
Type Algorithm/protocol/cipher suite component for which the quantum-status classification has been modified
Key Type & Strength Default key type and strength of the selected algorithm/protocol/cipher suite component
Default Quantum Status Default quantum-status of the selected algorithm/protocol/cipher suite component
Organization override New quantum-status classification assigned to the selected algorithm/protocol/cipher suite component, which will override the default value
Added By Name of the user who created the policy rule
Date Date on which the policy rule was created

Enforcing a Policy

At a time, only one active policy can govern the PQC-focused scans for quantum-readiness. The admin user can enable/disable a policy, to activate the required policy.

Enabling ACF for Policy Enforcement

Note: To learn how to enable the ACF permission for the user roles to access the Policy under Quantum Trust Hub, click here.

Enabling/Disabling a Policy

To enable a policy, from the Policy Enforcement column in the PQC Policy inventory, turn on the toggle key.
Note: You will not be able to enable a policy unless the active policy has been disabled.
To disable a policy, from the Policy Enforcement column in the PQC Policy inventory, turn off the toggle key.
Important: When a policy is enabled, the currently enabled policy is automatically disabled. Before disabling a policy, it is mandatory that at least one other policy is enabled. All policies cannot be disabled. If this is attempted the message Disabling this policy requires enabling another applicable policy. is displayed.

Modifying a Policy

Important: The default policy cannot be modified.

Prerequisite: Verify that your user role has the required ACF permission to modify policies. To enable ACF permission, click here.

  1. From the PQC Policy inventory, click the Policy Name of the policy that has to be modified.
    Policy details entered at the time of policy creation are displayed.
  2. Update the policy details as required.
    For field descriptions, see the corresponding instruction in Creating a Policy.
  3. Click Save.
  4. Click Update.
    A confirmation message is displayed to indicate if the policy update was a success or a failure.

    If the policy update is a success, all reports are updated immediately according to the modifications made.

Deleting a Policy

Important: The default policy cannot be deleted.

Prerequisite: Verify that your user role has the required ACF permission to delete policies. To enable ACF permission, click here.

  1. From the PQC Policy inventory, select the checkbox corresponding to the policy you want to delete.
    You can select more than one policy.
  2. From the toolbar, click Delete.
    The selected policy is/policies are deleted.