
What Is a Cryptographic Bill of Materials (CBOM)?

Learn what a Cryptographic Bill of Materials (CBOM) is, how it differs from SBOM, the CycloneDX standard for cryptographic inventory, and what assets a CBOM catalogs across enterprise infrastructure.

QCecuring Editorial Team

Key Takeaways

  • A CBOM is a structured inventory of every cryptographic asset in an organization — algorithms, keys, certificates, protocols, and libraries
  • CBOM extends the OWASP CycloneDX standard, which defines a machine-readable format (JSON/XML) for cryptographic asset metadata
  • Unlike SBOM, which catalogs software components, CBOM focuses specifically on cryptographic primitives and their deployment context
  • CBOM is essential for post-quantum migration because you cannot transition algorithms you have not inventoried

Defining the Cryptographic Bill of Materials

A Cryptographic Bill of Materials (CBOM) is a structured, machine-readable inventory of every cryptographic asset deployed across an organization’s infrastructure. It catalogs algorithms, keys, certificates, protocols, and cryptographic libraries — recording not just what exists, but where each asset is deployed, how it is configured, and what risk it carries.

The concept builds on the Software Bill of Materials (SBOM) model that gained traction after the 2021 Executive Order on Improving the Nation’s Cybersecurity. Where SBOM inventories software components and dependencies, CBOM goes deeper into the cryptographic layer. It answers a different question: not “what software do we run?” but “what cryptography does our infrastructure depend on, and is any of it vulnerable?”

How CBOM Differs from SBOM

SBOM and CBOM serve complementary but distinct purposes. An SBOM lists software packages, versions, and dependency trees. It helps organizations track known vulnerabilities (CVEs) in third-party libraries and manage software supply chain risk.

A CBOM operates at the cryptographic primitive level. It identifies:

  • Algorithms in use — RSA-2048, AES-256-GCM, ECDSA P-256, SHA-256, ChaCha20-Poly1305
  • Key material metadata — key lengths, creation dates, expiration, rotation status (not the keys themselves)
  • Certificate deployments — where X.509 certificates are installed, their chain of trust, and signature algorithms
  • Protocol configurations — TLS versions, cipher suites, SSH key exchange methods
  • Cryptographic libraries — OpenSSL versions, BouncyCastle configurations, platform-native crypto providers
  • Hardware security modules — HSM-protected keys, FIPS validation levels, firmware versions

An SBOM might tell you that a service uses OpenSSL 3.1.4. A CBOM tells you that the same service negotiates TLS 1.2 with RSA-2048 key exchange and AES-128-CBC encryption, and that the RSA key exchange is flagged as quantum-vulnerable while the CBC cipher mode is flagged for known weaknesses.

The CycloneDX Standard for CBOM

The OWASP CycloneDX project provides the open standard that defines how CBOMs are structured. CycloneDX version 1.6, released in 2024, introduced first-class support for cryptographic asset types. This means CBOM data follows a standardized schema that security tools, compliance platforms, and risk management systems can consume without custom parsing.

A CycloneDX CBOM document includes:

  • Component type declarations — each cryptographic asset is typed (algorithm, certificate, key, protocol, related-crypto-material)
  • Algorithm properties — name, variant, key length, mode of operation, padding scheme, quantum-readiness classification
  • Certificate properties — subject, issuer, serial number, signature algorithm, validity period
  • Protocol properties — version, cipher suites, key exchange mechanisms
  • Dependency relationships — which components depend on which cryptographic assets

The standardized format enables automation. Security teams can diff CBOMs across releases, flag newly introduced quantum-vulnerable algorithms, and feed CBOM data into governance dashboards without manual spreadsheet work.
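The following Python is an added example, not code from the article or from QCecuring's product. It builds two constructed CycloneDX 1.6 CBOM fragments of the kind described for the TLS 1.2 / RSA-2048 / AES-128-CBC service above and diffs them across releases to flag newly introduced quantum-vulnerable and weak-mode algorithms. The field names (cryptoProperties, assetType, algorithmProperties, primitive, parameterSetIdentifier, mode, nistQuantumSecurityLevel) follow the CycloneDX 1.6 schema as the editor understands it; every inventory value and bom-ref is constructed.

```python
# Added example: diff two CycloneDX 1.6 CBOM documents and report newly introduced
# quantum-vulnerable or weak-mode algorithms. Both CBOMs below are constructed samples.

ASYMMETRIC = {"pke", "signature", "key-agree"}  # classical asymmetric primitives
WEAK_MODES = {"ecb", "cbc"}                     # block modes the article flags as weak

def algorithm(name, ref, primitive, param, level=None, mode=None):
    """Build one constructed CycloneDX 1.6 algorithm component (None fields omitted)."""
    props = {"primitive": primitive, "parameterSetIdentifier": param,
             "nistQuantumSecurityLevel": level, "mode": mode}  # level 0 = no quantum security
    props = {k: v for k, v in props.items() if v is not None}
    return {"type": "cryptographic-asset", "name": name, "bom-ref": ref,
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props}}

def cbom(*components):
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": list(components)}

# Release 1 uses RSA key transport and AES-256-GCM; release 2 adds ECDSA and AES-128-CBC.
RSA = algorithm("RSA", "alg:rsa-2048", "pke", "2048", level=0)
AES_GCM = algorithm("AES", "alg:aes-256-gcm", "ae", "256", level=5, mode="gcm")
CBOM_R1 = cbom(RSA, AES_GCM)
CBOM_R2 = cbom(RSA, AES_GCM,
               algorithm("ECDSA", "alg:ecdsa-p256", "signature", "P-256"),
               algorithm("AES", "alg:aes-128-cbc", "block-cipher", "128", level=1, mode="cbc"))

def algorithms(doc):
    """Map bom-ref -> algorithmProperties for every algorithm asset in a CBOM."""
    return {c["bom-ref"]: c["cryptoProperties"].get("algorithmProperties", {})
            for c in doc.get("components", [])
            if c.get("type") == "cryptographic-asset"
            and c.get("cryptoProperties", {}).get("assetType") == "algorithm"}

def is_quantum_vulnerable(props):
    """Trust an explicit NIST level; an asymmetric primitive with no level stated is
    treated as classical, and therefore quantum-vulnerable, until proven otherwise."""
    level = props.get("nistQuantumSecurityLevel")
    if level is not None:
        return level == 0
    return props.get("primitive") in ASYMMETRIC

def diff_cboms(old, new):
    """Refs of algorithms in `new` but not `old` that are quantum-vulnerable or weak-mode."""
    before, after = algorithms(old), algorithms(new)
    added = {ref: p for ref, p in after.items() if ref not in before}
    return {"quantum_vulnerable": sorted(r for r, p in added.items() if is_quantum_vulnerable(p)),
            "weak_mode": sorted(r for r, p in added.items() if p.get("mode") in WEAK_MODES)}
```

Documents produced this way should be validated against the published CycloneDX 1.6 JSON schema before they are fed into downstream tooling.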

What a CBOM Inventories

A comprehensive CBOM covers cryptographic assets across multiple infrastructure layers:

Application Layer

Source code scanning identifies hardcoded algorithm selections, cryptographic library calls, and key generation patterns. This catches developers using deprecated algorithms (MD5, SHA-1, DES) or insecure configurations (ECB mode, static IVs) before deployment.
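The following Python is an added example, not the article's or QCecuring's scanner. It shows the application-layer step in miniature: pattern-matching cryptographic library calls in a constructed source file and emitting one CycloneDX 1.6 algorithm component per hit, with a file and line occurrence and a finding note for deprecated algorithms and insecure modes. The regex table, the sample source, and the "example:finding" property name are all constructed; the evidence.occurrences fields are used as the editor understands the 1.6 schema.

```python
# Added example: a minimal application-layer scanner that maps cryptographic library calls
# in source code to CycloneDX 1.6 algorithm components. The source below is constructed.
import re

# regex -> (algorithm name, CycloneDX primitive, mode, finding note or None)
SIGNATURES = [
    (r"hashlib\.md5\(",          ("MD5", "hash", None, "deprecated algorithm")),
    (r"hashlib\.sha1\(",         ("SHA-1", "hash", None, "deprecated algorithm")),
    (r"hashlib\.sha256\(",       ("SHA-256", "hash", None, None)),
    (r"DES\.new\(",              ("DES", "block-cipher", None, "deprecated algorithm")),
    (r"AES\.new\([^)]*MODE_ECB", ("AES", "block-cipher", "ecb", "insecure mode")),
    (r"AES\.new\([^)]*MODE_GCM", ("AES", "ae", "gcm", None)),
]

SAMPLE_SOURCE = """\
import hashlib
from Crypto.Cipher import AES, DES
digest = hashlib.md5(password).hexdigest()
cipher = AES.new(key, AES.MODE_ECB)
legacy = DES.new(key, DES.MODE_CBC)
ok = AES.new(key, AES.MODE_GCM, nonce=nonce)
"""

def scan_source(path, text):
    """One CycloneDX algorithm component per matching line, with a file:line occurrence."""
    components = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, (name, primitive, mode, note) in SIGNATURES:
            if not re.search(pattern, line):
                continue
            props = {"primitive": primitive, **({"mode": mode} if mode else {})}
            comp = {"type": "cryptographic-asset", "name": name,
                    "bom-ref": f"{path}:{lineno}:{name.lower()}",
                    "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props},
                    "evidence": {"occurrences": [{"location": path, "line": lineno}]}}
            if note:  # generic CycloneDX name/value property; the namespace is made up here
                comp["properties"] = [{"name": "example:finding", "value": note}]
            components.append(comp)
    return components

def findings(components):
    """(algorithm, line, note) for every component that carries a finding."""
    return [(c["name"], c["evidence"]["occurrences"][0]["line"], c["properties"][0]["value"])
            for c in components if "properties" in c]
```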

Infrastructure Layer

Network scanning discovers TLS configurations on web servers, load balancers, and API gateways. It catalogs cipher suites, certificate chains, and protocol versions across every endpoint. LDAP and Active Directory scanning reveals certificate-based authentication configurations and Kerberos encryption types.

Key Management Layer

Integration with PKI systems, certificate authorities, and key management platforms provides metadata on key lifecycle status — creation, rotation, expiration, and revocation. HSM scanning captures hardware-protected key inventories and FIPS validation levels.

Cloud and Container Layer

Cloud provider API scanning discovers KMS configurations, managed certificate deployments, and encryption-at-rest settings across AWS, Azure, and GCP. Container image scanning identifies cryptographic libraries bundled in Docker images and Kubernetes secrets containing key material references.

Why CBOM Matters Now

Three forces are converging to make CBOM essential:

Post-quantum migration urgency. NIST finalized its first post-quantum cryptography standards in 2024. Organizations must now plan the transition from RSA and ECC to ML-KEM and ML-DSA. That transition starts with knowing where every quantum-vulnerable algorithm is deployed. CBOM provides that baseline.

Regulatory pressure. The NSA’s CNSA 2.0 timeline mandates quantum-resistant algorithms for national security systems by 2030. PCI DSS 4.0 requires inventories of cryptographic assets protecting cardholder data. ISO 27001:2022 expects documented cryptographic controls. CBOM delivers the evidence these frameworks demand.

Cryptographic sprawl. Modern enterprises deploy cryptography across hundreds of services, cloud accounts, and infrastructure components. Manual audits miss embedded cryptography in container images, serverless functions, and third-party integrations. Automated CBOM generation is the only scalable approach.

CBOM as QCecuring’s Next Planned Offering

QCecuring is developing CBOM as its next planned offering, extending the platform’s cryptographic management capabilities beyond certificates and SSH keys into comprehensive cryptographic asset discovery. The planned CBOM capability will integrate with QCecuring’s existing Certificate Lifecycle Management and SSH Key Lifecycle Management platforms, providing a unified view of all cryptographic assets.

The planned approach uses automated scanning across source code, infrastructure, and cloud environments to generate CycloneDX-compliant CBOM reports. These reports will classify each discovered asset by quantum risk level, map assets to compliance framework requirements, and track migration progress as organizations transition to post-quantum algorithms.

For organizations beginning their cryptographic inventory journey, the first step is gaining visibility into certificate and key deployments through QCecuring’s existing platform. That foundation makes the transition to full CBOM coverage straightforward when the capability becomes available. Visit the CBOM product page to learn more about what is planned.


Frequently Asked Questions

What is the difference between CBOM and SBOM?

An SBOM (Software Bill of Materials) catalogs software components, libraries, and dependencies. A CBOM (Cryptographic Bill of Materials) catalogs cryptographic assets — algorithms, keys, certificates, protocols, and cryptographic libraries. SBOM tells you what software you run. CBOM tells you what cryptography that software uses and where it is deployed.

What standard defines the CBOM format?

The OWASP CycloneDX standard defines the CBOM format. CycloneDX version 1.6 introduced dedicated cryptographic asset types, enabling machine-readable inventories in JSON and XML. This standardized format allows integration with security tooling, compliance platforms, and risk management systems.

Why is CBOM important for post-quantum cryptography?

Post-quantum migration requires replacing every quantum-vulnerable algorithm (RSA, ECC, Diffie-Hellman) with quantum-resistant alternatives. Without a complete inventory of where these algorithms are deployed, organizations cannot plan or execute migration. CBOM provides that inventory.

What assets does a CBOM include?

A CBOM includes cryptographic algorithms (RSA, AES, ECC), key material metadata (key lengths, expiration), digital certificates, TLS/SSH protocol configurations, cryptographic libraries and their versions, and hardware security module configurations. It covers assets across source code, infrastructure, and network services.
