CBOM

A CBOM, or Cryptographic Bill of Materials, is a comprehensive inventory that catalogs all cryptographic elements used within a software application, system, or product. This includes encryption algorithms, key lengths, certificate chains, libraries, protocols, and even policy configurations. A CBOM helps identify how and where cryptographic techniques are applied, and whether those implementations meet modern security standards.

CBOMs are particularly critical for managing cryptographic hygiene, avoiding deprecated algorithms (e.g., SHA-1), and preparing for future risks like quantum computing.

Cryptographic assets are fundamental to data privacy, secure communications, and digital trust. However, misused, outdated, or improperly configured cryptography can expose private data, intellectual property, communications,  services, authentication and access. 

Advances in quantum computers are likely to make traditional cryptography mechanisms unsafe to use in the 2030s. This necessitates migration to more secure ways of protecting digital infrastructure and services, especially organizations in highly regulated sectors like finance, healthcare, government, and aerospace. CBOMs are valuable for migration planning, providing insight into systems, services, applications and software components that leverage cryptography.

CBOMs allow organizations to:

• Prepare for migration to quantum safe applications, services and systems
• Proactively identify which cryptographic assets may be deprecated and unsafe
• Support cryptographic agility (the ability of a system to readily change its cryptographic algorithms or mechanisms)
• Satisfy regulatory and customer requirements for strong encryption
• Prepare for cryptographic-related supply chain audits or compliance frameworks

CBOMs are created by analyzing the software stack using static code analysis, dynamic inspection, binary scanning, or configuration reviews. CBOMs can be produced as part of secure development workflows or during third-party software evaluations.