The Post-Quantum Fragility Index (PQFI) provides a rigorous analytical framework for classifying organisations by their structural fragility with respect to the quantum threat. Its operational applicability depends, however, on the availability of automatically and reproducibly measurable indicators: percentage of assets using cryptographically vulnerable algorithms, visibility gap, data lifetime, cryptographic debt, and PQC maturity. In practice, most organisations do not have this information in structured form. Without it, the PQFI remains a formula without inputs. This article proposes the Crypto Inventory Framework (CIF): a five-layer Crypto Inventory and Post-Quantum Assessment platform that automates the full pipeline from cryptographic surface discovery to PQFI computation and institutional reporting. The CIF architecture consists of: Discovery Engine — eight specialised modules (TLS-S, SSH-S, CERT-A, PKI-D, HSM-D, VPN-D, CLD-D, OT-S) operating in passive, active, and agent-based modes to produce Crypto Asset Records (CAR) across the full cryptographic surface; CBOM Engine — normalisation, deduplication, and PQC classification (Q-SAFE / Q-TRANSITIONAL / Q-VULNERABLE / Q-UNKNOWN) of all detected assets into a versioned, auditable Crypto Bill of Materials exportable in CycloneDX JSON format; Indicator Computation Engine — formalised computation of all five PQFI indicators (IalgI₀₋₆ Ialg, IdlI₃₋ Idl, IcbomI₂₁₎₌ Icbom, IdebtI₃₄₁ₓ Idebt, PQR) with explicit evidence levels (OBSERVED / INFERRED / DECLARED / ABSENT) for each input; PQFI Engine — application of the PQFI formula with contribution decomposition, operative band assignment, and temporal trend computation; Dashboard & Reporting — cryptographic fragility heatmap, asset ranking by Priority Score, organisational PQFI report, and CBOM export for NIS2 supervisory authorities. An illustrative case study applies the full CIF pipeline to a simulated public administration entity (891 assets, CBOM coverage 55. 7%, PQFI = 59. 1, Orange band), demonstrating how the contribution decomposition translates the index into a prioritised PQC migration plan. The article also discusses the CIF as a potential supervisory infrastructure for NIS2 competent authorities, the security classification requirements for CBOM transmission, and the relationship with the CFI → NCFI → ECFI predictive surveillance architecture. The CIF is not a catalogue of scanning tools: it is the operational implementation of the PQFI theoretical framework, transforming the measurement of post-quantum organisational fragility from a manual exercise to a continuous, reproducible, and institutionally usable process.
Leva et al. (Thu,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: