CBOM

Part 4: Cryptographic Bill Of Materials (CBOM) – Building The Inventory

CBOM: the inventory that makes PQC real. See it to secure it.

Quantum risk isn’t solved by algorithms alone; the migration is enabled by visibility.
That’s why your first step isn’t “new crypto”, it’s an inventory: the CBOM.
If you can’t see where RSA/ECC still protects revenue, updates and confidential data, you can’t migrate them.

What’s a CBOM?

A Cryptographic Bill of Materials (CBOM) is a structured, machine-readable inventory that describes all cryptographic assets used by a system or application – algorithms, parameters, keys, certificates, trust stores, crypto libraries, protocols and signing workflows, together with how and where they are used.
You can think of it as an extension of the Software Bill of Materials (SBOM), but focused exclusively on the “crypto” under the hood.

Its primary purpose in the PQC era is to provide the visibility and agility needed to identify and replace algorithms vulnerable to future quantum computers (such as RSA and ECC) with new quantum-resistant standards (such as NIST’s ML-KEM and ML-DSA).

What Does a Comprehensive CBOM Include?

A robust CBOM goes beyond listing libraries: it captures the granular details that enable real cryptographic risk management:

► Cryptographic Algorithms:
□ Type: RSA, ECC, AES, SHA-256, etc.
□ Key Lengths/Parameters: such as RSA-2048, ECC-384, ML-KEM-768.

► Cryptographic Libraries/Modules:
□ Name & Version: OpenSSL, BoringSSL, Windows CNG, Java JCE, etc.
□ Dependencies: Mapping crypto assets to the specific software components that use them.

► Key & Certificate Material:
□ Certificates: X.509 certificates, issuance/expiration dates, Issuer.
□ Keys: Key types (public/private/symmetric), storage (HSM, software keystore).

► Protocols & Usage:
□ Protocols: TLS/SSL version, SSH, IPSec, etc.
□ Cipher Suites: Specific combination of algorithms used for key exchange, encryption and hashing in a protocol session.

Best Practices & Industry Standards

The PQC transition makes Crypto-Agility a mandatory capability.

► Standardization: Leverage industry standards such as OWASP CycloneDX (specifically its CBOM extension). A common format is key for automated tooling and cross-tool reporting.

► NIST Guidance: Align your PQC migration plan with the NIST PQC Standards (FIPS 203, 204, 205) and their recommended transition steps, starting with inventory.

► Hybrid Schemes: Adopt a hybrid cryptographic approach during the transition; a good CBOM is essential for managing these dual implementations.

► Continuous Monitoring: Crucially, a CBOM is not a one-time project; it must be kept current as systems and their cryptography change.
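To make the inventory above and the CycloneDX standardization point concrete, here is an added example (not from the original article or from the CycloneDX project): it assembles a minimal CycloneDX 1.6 CBOM from a constructed sample of algorithm assets, maps them to the application that depends on them, and lists the assets at NIST quantum security level 0 as the first migration candidates. The application name, bom-refs and the asset list are constructed for illustration.

```python
import json

# Constructed sample inventory (not a real system):
# (bom-ref, name, primitive, parameter set, NIST quantum security level, crypto functions).
# Level 0 means no security against a cryptographically relevant quantum computer.
SAMPLE_ASSETS = [
    ("crypto/algorithm/rsa-2048", "RSA", "pke", "2048", 0, ["encrypt", "decrypt"]),
    ("crypto/algorithm/ecdsa-p384", "ECDSA", "signature", "P-384", 0, ["sign", "verify"]),
    ("crypto/algorithm/aes-256-gcm", "AES-GCM", "ae", "256", 5, ["encrypt", "decrypt"]),
    ("crypto/algorithm/sha-256", "SHA-256", "hash", "256", 2, ["digest"]),
    ("crypto/algorithm/ml-kem-768", "ML-KEM", "kem", "768", 3, ["encapsulate", "decapsulate"]),
]

def algorithm_component(ref, name, primitive, params, level, functions):
    """One CycloneDX 1.6 'cryptographic-asset' component with assetType 'algorithm'."""
    return {
        "type": "cryptographic-asset",
        "bom-ref": ref,
        "name": name,
        "cryptoProperties": {
            "assetType": "algorithm",
            "algorithmProperties": {
                "primitive": primitive,
                "parameterSetIdentifier": params,
                "cryptoFunctions": functions,
                "nistQuantumSecurityLevel": level,
            },
        },
    }

def build_cbom(assets=SAMPLE_ASSETS):
    """Assemble the BOM; 'dependencies' maps the application to the crypto assets it uses."""
    components = [algorithm_component(*a) for a in assets]
    app_ref = "app/payments-api@1.0"  # constructed application component
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "components": [{"type": "application", "bom-ref": app_ref, "name": "payments-api"}] + components,
        "dependencies": [{"ref": app_ref, "dependsOn": [c["bom-ref"] for c in components]}],
    }

def quantum_vulnerable(cbom):
    """bom-refs of algorithm assets at quantum security level 0: the PQC migration candidates."""
    return [
        c["bom-ref"] for c in cbom.get("components", [])
        if c.get("cryptoProperties", {}).get("assetType") == "algorithm"
        and c["cryptoProperties"].get("algorithmProperties", {}).get("nistQuantumSecurityLevel") == 0
    ]
```

Running `json.dumps(build_cbom(), indent=2)` emits the BOM document, and `quantum_vulnerable(build_cbom())` returns the RSA-2048 and ECDSA P-384 entries while leaving AES, SHA-256 and ML-KEM-768 out of the migration list.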

Our Post-Quantum Readiness Series

This blog article is the first in our Post-Quantum Cyber Readiness Series, where we’ll break down complex concepts into practical steps your organization can take today.

In this series, we will cover: 

Each article will equip CEOs, CISOs, IT leaders and Architects with the knowledge and tools to navigate the quantum transition confidently.

Final Thought: Prepare, Don’t Panic

Quantum computing doesn’t spell the end of cybersecurity, but it does require proactive adaptation.

The organizations that start preparing now will not only safeguard their data, but also gain a competitive advantage by ensuring compliance and customer trust in the post-quantum era.

The future of cryptography is already being written.
The only question left is – will you be ready?
