CBOM

A CBOM, or Cryptographic Bill of Materials, is a comprehensive inventory that catalogs all cryptographic elements used within a software application, system, or product. This includes encryption algorithms, key lengths, certificate chains, libraries, protocols, and even policy configurations. A CBOM helps identify how and where cryptographic techniques are applied, and whether those implementations meet modern security standards.

CBOMs are particularly critical for managing cryptographic hygiene, avoiding deprecated algorithms (e.g., SHA-1), and preparing for future risks like quantum computing.

Cryptographic assets are fundamental to data privacy, secure communications, and digital trust. However, misused, outdated, or improperly configured cryptography can expose private data, intellectual property, communications,  services, authentication and access. 

Advances in quantum computers are likely to make traditional cryptography mechanisms unsafe to use in the 2030s. This necessitates migration to more secure ways of protecting digital infrastructure and services, especially organizations in highly regulated sectors like finance, healthcare, government, and aerospace. CBOMs are valuable for migration planning, providing insight into systems, services, applications and software components that leverage cryptography.

CBOMs allow organizations to:

• Prepare for migration to quantum safe applications, services and systems
• Proactively identify which cryptographic assets may be deprecated and unsafe
• Support cryptographic agility (the ability of a system to readily change its cryptographic algorithms or mechanisms)
• Satisfy regulatory and customer requirements for strong encryption
• Prepare for cryptographic-related supply chain audits or compliance frameworks

CBOMs are created by analyzing the software stack using static code analysis, dynamic inspection, binary scanning, or configuration reviews. CBOMs can be produced as part of secure development workflows or during third-party software evaluations.

CBOMs can capture information about:

• Type of cryptographic asset (e.g. algorithms, certificates, keys and protocols) and related materials such as tokens, hard-coded secrets or passwords
• Properties that uniquely define each asset e.g. algorithm properties include “function” or “NIST Quantum Security Level” whereas  certificate properties include “Issuer” and “Not Valid After Date” 
• Asset dependencies e.g. distinguishing between libraries that implement algorithms, and applications that 'use' algorithms from a library
• Software components that use or depend on a cryptographic asset

CBOMs provided in a standardized, machine-readable format enable automated analysis such as checking for policy compliance.

• Post-Quantum Cryptography (PQC) Readiness: Inventory of cryptographic assets enables migration planning and prioritization
• Compliance Readiness: Meet encryption mandates under PCI-DSS, HIPAA, GDPR, FIPS, and others.
• Proactive Risk Management: Identify use of expired, deprecated or vulnerable cryptographic assets.
• Customer Assurance: Demonstrate strong cryptographic practices to partners and clients.
• Cryptographic Agility: An inventory of cryptographic assets enables organizations to test and deploy changes more efficiently. 
• Incident Response: Quickly assess exposure when a cryptographic vulnerability is disclosed.

• Deprecation Awareness: Detect and replace insecure algorithms like MD5 or RC4.
• Key Rotation Enforcement: Monitor key usage and ensure regular rotation.
• TLS/SSL Hardening: Ensure only secure protocol versions and cipher suites are in use.
• Cryptographic Isolation: Identify and limit use of shared secrets or exposed keys.

• FIPS or Common Criteria Certification Readiness: Catalog cryptographic implementations and configurations to validate compliance with strict certification requirements.
• Customer Crypto Policy Alignment: Demonstrate that your use of cryptography meets partner and customer encryption standards and expectations.
• Crypto Inventory and Lifecycle Management: Maintain an up-to-date record of cryptographic assets, libraries, and keys to support secure operations and reduce technical debt.
• Quantum-Readiness Assessments: Identify algorithms and key lengths vulnerable to quantum attacks and prepare for cryptographic agility.
• Supply Chain Reviews for Cryptographic Risk: Evaluate third-party software and services for weak or deprecated cryptographic practices that could introduce systemic vulnerabilities.

• Tooling Fragmentation: There’s no universal standard yet for CBOM formats.
• Library Abstraction: Some high-level frameworks obscure underlying crypto usage.
• Key Exposure Risks: Sensitive key material should not be exposed in CBOM exports.
• Cross-team Coordination: Crypto hygiene spans developers, DevOps, and security teams.