Reference
Standards and framework alignment
LatticeScan does not define its own standard. It measures against the standards and frameworks that govern the post-quantum transition, so that a result maps directly to the requirements an organization already faces. This page states how.
NIST FIPS 203 (ML-KEM)
The US federal standard for post-quantum key encapsulation, published August 2024. ML-KEM is the mechanism replacing classical key exchange.
Alignment. LatticeScan tests each endpoint for hybrid ML-KEM key exchange (X25519MLKEM768) and grades primarily on its presence.
csrc.nist.govNIST FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA)
The US federal standards for post-quantum digital signatures, published August 2024.
Alignment. LatticeScan records each certificate signature algorithm and reports whether it is classical or post-quantum. No public certificate authority issues post-quantum certificates yet, which the report states explicitly.
csrc.nist.govNSA CNSA 2.0
The National Security Agency’s suite requiring post-quantum algorithms for national security systems, on a published timeline.
Alignment. The algorithms LatticeScan tests for (ML-KEM, ML-DSA) are those named by CNSA 2.0. Reports use the same algorithm identifiers.
nsa.govUS Executive Order 14412 and OMB M-26-15
The June 2026 executive order and its execution memo direct federal agencies and their contractors toward post-quantum cryptography, and call for a Cryptographic Bill of Materials (CBOM).
Alignment. LatticeScan produces a cryptographic inventory exportable as a CycloneDX CBOM, the artifact these instruments describe as the foundation of a migration plan.
whitehouse.govCISA post-quantum guidance
CISA maintains the federal quantum-readiness guidance and, under the executive order, is defining the minimum elements of a CBOM.
Alignment. The LatticeScan CBOM is built to CycloneDX and will be aligned to CISA’s minimum-elements guidance once published.
cisa.govISO/IEC 27001:2022, control A.8.24
“Use of cryptography” requires an organization to document the cryptography it uses and how it is managed.
Alignment. A LatticeScan report is a dated record of the cryptographic algorithms actually deployed on public endpoints, which is the evidence this control asks for.
iso.orgCSA Cloud Controls Matrix (CEK domain)
The Cloud Security Alliance’s cryptography, encryption and key-management controls (CEK-04, 05, 07, 21).
Alignment. Each report maps its findings to these controls: algorithm inventory, change management, risk assessment, and key inventory.
cloudsecurityalliance.orgPKI Consortium PQCMM
The Post-Quantum Cryptography Maturity Model rates products and services on a 0 to 5 scale for supply-chain and procurement use.
Alignment. A LatticeScan assessment measures the external evidence relevant to the model’s lower levels. A full PQCMM rating requires an independent assessment covering internal systems as well.
pkic.orgFor how each measurement is made, see the assessment methodology. For the dated obligations behind these standards, see the regulatory timeline.