Skip to content

Quantum Security Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Quantum Security Policy
Framework Reference: Secure Controls Framework – Quantum Security (QTS)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Quantum Security requirements established by Summit Technology Holdings, LLC (STH). It documents the operational practices used to govern quantum computing risk, assess cryptographic exposure across FRHC systems and applications, and maintain visibility into the cryptographic landscape in preparation for a post-quantum cryptography (PQC) transition.


This standard applies to all FRHC systems, applications, services, and data that rely on cryptographic protections, including the PatientRemedi v1 and v2 applications, Azure and AWS cloud infrastructure, Microsoft 365 services, on-premises infrastructure, and any systems that process, store, or transmit electronic protected health information (ePHI) or other sensitive data.


FRHC participates in the enterprise quantum risk governance structure established by STH. The CISO serves as the FRHC quantum migration lead, with authority to coordinate PQC transition activities across FRHC systems, applications, and infrastructure.

Quantum computing risk is reviewed by the Computer Security Team (CST) and escalated to STH as part of ongoing enterprise governance and risk oversight. Material quantum risk findings are reported to STH for inclusion in Board of Directors and executive leadership discussions.

  • Parent Policy Mapping: STH Quantum Security Policy, Section 3.1
  • SCF Mapping: QTS-01 (Quantum Risk Governance)

3.2 Cryptographic Agility Risk Assessment (CARA)

Section titled “3.2 Cryptographic Agility Risk Assessment (CARA)”

FRHC performs a Cryptographic Agility Risk Assessment (CARA) covering the PatientRemedi v1 and v2 applications and their supporting infrastructure across Azure, AWS, and on-premises environments. The CARA identifies cryptographic dependencies most vulnerable to quantum-enabled cryptanalytic threats and prioritizes them based on potential business impact, with particular attention to systems handling ePHI or long-lived sensitive data.

The CARA scope includes Azure Key Vault, Microsoft 365 and Entra ID cryptographic configurations, AWS-managed cryptographic services, TLS configurations across application endpoints, and on-premises systems including backup infrastructure. Third-party services and integrations that perform cryptographic operations on FRHC data are also assessed.

CARA results are documented and used to inform PQC migration planning activities coordinated with STH.

  • Parent Policy Mapping: STH Quantum Security Policy, Section 3.2
  • SCF Mapping: QTS-02 (Cryptographic Agility Risk Assessment (CARA))

3.3 Post-Quantum Cryptography (PQC) Discovery & Visibility

Section titled “3.3 Post-Quantum Cryptography (PQC) Discovery & Visibility”

FRHC maintains an ongoing discovery process to identify cryptographic dependencies across FRHC-managed systems, application codebases, and infrastructure. Discovery combines automated scanning of application source code and infrastructure configurations with manual review of cloud service configurations, on-premises system cryptographic settings, third-party SDK usage, and integration protocols.

Discovery activities are performed at least annually and following significant changes to FRHC application architecture, infrastructure, or third-party service dependencies.

  • Parent Policy Mapping: STH Quantum Security Policy, Section 3.3
  • SCF Mapping: QTS-04 (Post-Quantum Cryptography (PQC) Discovery & Visibility)

FRHC maintains a current inventory of cryptographic assets identified through the discovery process. The inventory covers the PatientRemedi v1 and v2 applications and their supporting infrastructure across cloud and on-premises environments and includes, at a minimum:

  • Algorithms in use (asymmetric and symmetric)
  • Key lengths
  • Cryptographic libraries (e.g., Azure SDK cryptographic modules, runtime language libraries, on-premises cryptographic components)
  • Protocols (e.g., TLS versions in use across application endpoints, inter-service communications, and backup transport)
  • Associated FRHC applications and services utilizing the cryptography
  • FIPS validation status from the Cryptographic Module Validation Program (CMVP), including certificate number where applicable

The inventory is reviewed and updated at least annually and following significant changes to the technology environment. It serves as a primary input to the CARA and future PQC transition planning activities. The CISO is responsible for maintaining the inventory and presenting updates to the CST.

  • Parent Policy Mapping: STH Quantum Security Policy, Section 3.4
  • SCF Mapping: QTS-04.1 (Post-Quantum Cryptography (PQC) Asset Inventory)

FRHC maintains evidence supporting quantum security activities, including quantum risk governance records, CARA documentation, discovery outputs, and the cryptographic asset inventory. The CISO reviews quantum security activities with the CST at least annually. Evidence is retained to support SOC 2 Type II audits, HIPAA Security Rule compliance assessments, and STH enterprise governance oversight.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Quantum Security Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
  • AICPA SOC 2 Trust Services Criteria: Security (CC3.2, CC3.3, CC6.1)

Framework Alignment:

  • QTS-01 – Quantum Risk Governance
  • QTS-02 – Cryptographic Agility Risk Assessment (CARA)
  • QTS-04 – Post-Quantum Cryptography (PQC) Discovery & Visibility
  • QTS-04.1 – Post-Quantum Cryptography (PQC) Asset Inventory

RevDescriptionDateApproved
-Standard createdJuly 2026M Machin

Internal Use Only