Using CBOM for Post-Quantum Risk Assessment

The Quantum Risk Assessment Challenge

Post-quantum cryptography migration is the largest cryptographic transition in computing history. Every organization that uses RSA, ECC, or Diffie-Hellman — which is every organization — must eventually replace these algorithms with quantum-resistant alternatives. The question is not whether to migrate, but how to prioritize and sequence the work.

Risk assessment is the starting point. Not all quantum-vulnerable deployments carry the same risk. An RSA-2048 key protecting a 30-year mortgage database faces a different threat profile than the same algorithm securing an ephemeral chat session. Effective migration planning requires understanding both the cryptographic vulnerability and the business context of each deployment.

A Cryptographic Bill of Materials provides the data foundation for this assessment. Without a CBOM, organizations attempt risk assessment through interviews, documentation review, and targeted scanning — methods that produce incomplete, point-in-time snapshots. With a CBOM, every cryptographic asset is inventoried, classified, and contextualized, enabling systematic risk-based prioritization.

Quantum Vulnerability Classification

The first step in CBOM-based risk assessment is classifying every discovered cryptographic asset by its quantum vulnerability. This classification is based on well-understood cryptanalytic results:

Quantum-Vulnerable (Shor’s Algorithm Targets)

Shor’s algorithm, running on a sufficiently large quantum computer, breaks the mathematical problems underlying these algorithms in polynomial time:

• RSA (all key sizes) — integer factorization
• ECC (all curves — P-256, P-384, P-521, Curve25519) — elliptic curve discrete logarithm
• Diffie-Hellman (classical DH and ECDH) — discrete logarithm
• DSA — discrete logarithm
• ElGamal — discrete logarithm

These algorithms are used for key exchange, digital signatures, and key encapsulation. They protect TLS connections, code signing, certificate chains, SSH sessions, and VPN tunnels. Their replacement is the core of PQC migration.

Quantum-Reduced (Grover’s Algorithm Targets)

Grover’s algorithm provides a quadratic speedup for brute-force search, effectively halving the security level of symmetric algorithms:

• AES-128 — reduced from 128-bit to 64-bit effective security
• SHA-256 — reduced collision resistance, though still considered adequate for most applications
• 3DES — already deprecated, quantum attack further reduces security

The standard mitigation is to double key lengths: use AES-256 instead of AES-128. Most organizations already use AES-256 for sensitive data, making this category lower priority than Shor’s algorithm targets.

Quantum-Safe (No Known Quantum Advantage)

These algorithms and key sizes are considered safe against known quantum attacks:

• AES-256 — 128-bit effective security under Grover’s, still well above practical attack thresholds
• SHA-384, SHA-512, SHA-3 — adequate security margins under quantum speedup
• ML-KEM (CRYSTALS-Kyber) — NIST-standardized quantum-resistant key encapsulation
• ML-DSA (CRYSTALS-Dilithium) — NIST-standardized quantum-resistant digital signatures
• SLH-DSA (SPHINCS+) — NIST-standardized hash-based signatures

CBOM classification annotates each discovered asset with one of these categories, providing an immediate visual map of quantum risk across the infrastructure.

Risk Prioritization Framework

Quantum vulnerability classification alone is not sufficient for migration planning. An organization with 10,000 quantum-vulnerable deployments cannot migrate them all simultaneously. Prioritization requires combining cryptographic risk with business context.

Data Sensitivity and Longevity

The harvest-now-decrypt-later (HNDL) threat means data encrypted today with quantum-vulnerable algorithms can be captured and stored for future decryption. The risk is proportional to how long the data remains sensitive:

• High priority: Financial records, medical data, trade secrets, government classified information, legal communications — sensitive for decades
• Medium priority: Business communications, operational data, session tokens with moderate lifespans
• Lower priority: Ephemeral data, public information encrypted for integrity rather than confidentiality

CBOM data, combined with data classification metadata, enables this prioritization. The CBOM identifies which algorithms protect which systems, and data classification identifies which systems handle sensitive, long-lived data.

Regulatory Deadlines

Compliance frameworks impose specific timelines. CNSA 2.0 requires quantum-resistant algorithms for software signing by 2025 and for all national security systems by 2033. PCI DSS 4.0 requires strong cryptography for cardholder data protection. Organizations subject to these frameworks must prioritize the systems that fall under regulatory scope.

CBOM compliance mapping identifies which cryptographic assets fall under which regulatory requirements, enabling migration planners to sequence work by deadline rather than by arbitrary priority.

System Criticality and Change Risk

Some systems are easier to migrate than others. A modern microservice with crypto-agile design can swap algorithms with a configuration change. A legacy mainframe application with hardcoded RSA calls requires months of development and testing.

Migration planning must account for change risk. High-criticality systems with complex change processes need longer lead times. CBOM deployment context data — which systems use which algorithms, how those algorithms are configured, and what dependencies exist — informs realistic migration timelines.

Building the Migration Roadmap

With CBOM data classified and prioritized, organizations can build a phased migration roadmap:

Phase 1: Inventory and classify. Generate a comprehensive CBOM. Classify all assets by quantum vulnerability. Map assets to compliance frameworks and data sensitivity levels. This phase produces the baseline that all subsequent planning depends on.

Phase 2: Prioritize and sequence. Rank quantum-vulnerable deployments by combined risk score (data sensitivity × regulatory deadline × system criticality). Identify quick wins — systems where algorithm replacement is straightforward — and long-pole items that require extended development cycles.

Phase 3: Pilot migration. Select a small number of systems for initial PQC algorithm deployment. Test ML-KEM for key exchange and ML-DSA for signatures in controlled environments. Validate performance, compatibility, and operational procedures.

Phase 4: Systematic rollout. Migrate systems in priority order, updating the CBOM after each migration to track progress. Use CBOM diff reports to verify that quantum-vulnerable algorithms are being replaced and that no new quantum-vulnerable deployments are introduced.

Phase 5: Continuous monitoring. Maintain ongoing CBOM generation to detect regression — new deployments that introduce quantum-vulnerable algorithms, configuration changes that downgrade cipher suites, or library updates that revert to classical algorithms.

Tracking Migration Progress

CBOM is not a one-time assessment tool. Its value compounds over time as organizations use it to track migration progress. By generating CBOM snapshots at regular intervals (weekly, monthly, or aligned with release cycles), organizations can measure:

• Percentage of quantum-vulnerable assets migrated — the headline metric for executive reporting
• Migration velocity — how many assets are being migrated per period
• Regression rate — how many new quantum-vulnerable deployments are introduced between snapshots
• Compliance gap closure — progress toward specific regulatory deadlines

These metrics transform PQC migration from an abstract initiative into a measurable program with clear progress indicators.

QCecuring’s Planned CBOM for PQC Risk Assessment

QCecuring is developing CBOM as its next planned offering, with quantum risk classification and migration tracking as core capabilities. The planned approach will automatically classify every discovered cryptographic asset by quantum vulnerability, map assets to compliance framework timelines, and generate migration progress reports.

Organizations preparing for PQC migration today can start by establishing cryptographic visibility through QCecuring’s existing Certificate Lifecycle Management platform. Certificate inventory provides the foundation for understanding where quantum-vulnerable signature algorithms and key exchange mechanisms are deployed — the first step in any PQC risk assessment.