A CBOM (Cryptography Bill of Materials) inventories an organization’s cryptographic assets, while an SBOM (Software Bill of Materials) inventories the software components and dependencies in an application. A CBOM is a cryptography-focused extension of the SBOM concept.
An SBOM lists the software packages, libraries, and dependencies in an application so teams can track vulnerabilities and licensing. A CBOM lists cryptographic assets such as algorithms, keys, certificates, and protocols so teams can find weak or quantum-vulnerable cryptography. Both use the CycloneDX standard, and a CBOM can be generated as part of an SBOM.
Key Takeaways
- An SBOM answers “what software am I running?”; a CBOM answers “what cryptography am I using?”
- A CBOM is an extension of the SBOM concept, and both are expressed in CycloneDX (ECMA-424).
- SBOMs are driven by software supply-chain security; CBOMs are driven by PQC migration and crypto-agility.
- You need both: an SBOM for component risk, a CBOM for cryptographic risk.
- CycloneDX 1.6 (2024) lets a single bill of materials carry both software and cryptographic inventory.
CBOM vs SBOM at a Glance
| SBOM | CBOM | |
|---|---|---|
| Inventories | Software components and dependencies | Cryptographic assets |
| Answers | What software am I running? | What cryptography am I using? |
| Main driver | Software supply-chain security | Post-quantum migration and crypto-agility |
| Format | CycloneDX (ECMA-424) | CycloneDX 1.6 (ECMA-424) |
| Typical contents | Packages, libraries, versions, licenses | Algorithms, keys, certificates, protocols |
What is an SBOM?
A software bill of materials (SBOM) is an inventory of the components, libraries, and dependencies that make up an application. It lets teams track known vulnerabilities, manage licenses, and respond quickly when a flaw is found in a widely used package. SBOMs became mainstream as governments and customers demanded software supply-chain transparency. See SBOM and software supply chain security for detail.
What is a CBOM?
A cryptography bill of materials (CBOM) is an inventory of cryptographic assets: the algorithms, keys, certificates, libraries, and protocols an organization uses. It exists to make cryptography visible so it can be assessed and upgraded, particularly for post-quantum migration. For the full explainer, see what a CBOM is.
Key Differences
The two bills of materials operate at different layers. An SBOM is about the software you assemble; a CBOM is about the cryptography that software relies on. An SBOM might tell you that an application includes OpenSSL, while a CBOM tells you which algorithms and key sizes that application actually uses and which certificates it presents. The drivers differ too: SBOMs are about component and vulnerability risk, while CBOMs are about cryptographic and quantum risk.
How They Overlap
CBOM and SBOM share the CycloneDX standard, and version 1.6 lets a single file carry both. That means the tooling, distribution, and governance you build for one can extend to the other. An organization with a mature SBOM program is well positioned to add cryptographic inventory without adopting a separate format.
Do You Need Both?
Yes. An SBOM manages component and supply-chain risk; a CBOM manages cryptographic and post-quantum risk. They cover different threats and neither replaces the other. Together they give a fuller picture of what your software is made of and how it protects data.
How Encryption Consulting Helps
CBOM Secure builds your cryptographic inventory in the CycloneDX format, so it sits alongside your existing SBOM program and feeds directly into post-quantum migration planning. Encryption Consulting’s PQC Advisory then turns that inventory into a prioritized roadmap, backed by ISO/IEC 27001:2022 and SOC 2 certified practices.
Frequently Asked Questions
Is a CBOM part of an SBOM?
A CBOM can be part of an SBOM or stand on its own. CycloneDX 1.6 lets a single bill of materials carry both software components and cryptographic assets, so a CBOM can be embedded in an SBOM. Conceptually, the CBOM is a cryptography-focused extension of the SBOM idea, sharing the same format and tooling.
Which comes first, SBOM or CBOM?
Most organizations build an SBOM first, because software supply-chain mandates and vulnerability management drove SBOM adoption earlier. The CBOM is newer and is driven by post-quantum migration. The two are complementary, and because they share the CycloneDX format, an SBOM program gives you a foundation to add cryptographic inventory.
Do CBOM and SBOM use the same format?
Yes. Both use CycloneDX, the open bill-of-materials standard published as ECMA-424. CycloneDX 1.6 added native support for cryptographic assets, so the same toolchain and file format can express software components, cryptographic assets, or both together. This shared format is a major reason the two fit naturally side by side.
Why isn’t an SBOM enough for post-quantum readiness?
An SBOM tells you which software and libraries you run, but not which cryptographic algorithms, keys, and certificates are actually in use or how they are configured. Post-quantum migration needs that cryptographic detail to find quantum-vulnerable algorithms. A CBOM provides it, going deeper than the component-level view an SBOM offers.
Who needs a CBOM?
Any organization that must protect long-lived sensitive data, prepare for post-quantum migration, or demonstrate control of its cryptography needs a CBOM. This is especially pressing in regulated sectors such as finance, government, healthcare, and critical infrastructure, and for software vendors whose customers ask for cryptographic transparency alongside an SBOM.
Add cryptographic inventory to your SBOM
Ready to see the cryptography your SBOM can’t? See CBOM Secure in action, or learn what a CBOM is.