This is a straightforward application of ML-KEM to the KEM framework previously defined for CMS. The document is simple and clear. Abstract: typo - parameters sets Introduction: "Prior to standardization, the algorithm was known as Kyber. ML-KEM and Kyber are not compatible." These two sentences do not combine well. How about: "ML-KEM is a standardized and incompatible version of the older Kyber algorithm" 1.2: the FIPS document provides a better explanation of the whole process and seems to be required reading for those new to KEM usage. A bit of extra clarification here would help, e.g. "ss is used by the originator and separately by the recipient to generate a KEK. The KEK is then used to wrap (encrypt) a CMS content encryption key." Alternatively, refer the reader to RFC 9629 for an overview of the process. 1.2: the text that introduces the 3 functions is strange. It state that ML-KEM provides 3 functions, and those correspond to the ones defined in FIPS 203. But isn't this the authoritative document for ML-KEM itself? You might have wanted to say, This document defines 3 functions... An editorial question: you "deep link" to specific algorithm numbers in FIPS 203. Is this legit? Can FIPS publish a new version of the document and mix up the numbers? Terminology: you sometimes use "recipient" and sometimes "responder". 2.1: "ukm" sounds like a useless piece of complexity - even some complexity if you don't implement it. Given that this is a profile of RFC 9629, couldn't you remove it? 2.3, as far as I can tell, you are more strict than RFC 9629 in saying that only keyEncipherment must be asserted. I'm not familiar enough with real-life CMS, but this may be difficult to implement. 2.4: typo - When the one. 3. The hashAlgs OID is listed, but it's not used anywhere in the document. 4. In the paragraph, "Implementations MUST protect the ML-KEM private key", please point out which keys are ephemeral and mention that they must be wiped after use. Also, integrity of the public key is almost as important. And in general, the document never points out that the public key must be protected by the entity that runs KeyGen, e.g. by wrapping the public key in a certificate. Table 2: the caption says "sizes" but the column is named Secret.