
What Is a CBOM (Cryptography Bill of Materials)?


A CBOM (Cryptography Bill of Materials) is a structured, machine-readable inventory of all the cryptographic assets (algorithms, keys, certificates, libraries, and protocols) used across an organization’s software and systems.

A CBOM extends the software bill of materials (SBOM) concept to cryptography. It catalogs every algorithm, key, certificate, and protocol in use so teams can find weak or quantum-vulnerable cryptography, prove compliance, and plan post-quantum migration. CycloneDX added native CBOM support in version 1.6 (2024), making it the de facto format for cryptographic inventory.

Key Takeaways

  • A CBOM inventories cryptographic assets, not software packages.
  • It is the foundation of post-quantum readiness and crypto-agility: you cannot migrate what you cannot see.
  • CycloneDX 1.6 (2024) added native CBOM support and is the standard format, published as ECMA-424.
  • A CBOM helps meet emerging expectations to inventory cryptography ahead of PQC migration.
  • Building a CBOM means discovering cryptography across source code, binaries, certificates, and network traffic.

What is a CBOM?

A CBOM is to cryptography what an SBOM is to software. It catalogs every cryptographic asset across your systems so you can answer a simple but previously hard question: where is cryptography used, and which algorithms are we relying on? Without that answer, securing or upgrading cryptography is guesswork.

The concept gained urgency with post-quantum cryptography. To migrate off quantum-vulnerable algorithms, organizations first need to find them, and a CBOM is the inventory that makes that possible. It pairs naturally with crypto-agility, which is the ability to act on what the inventory reveals.

CBOM vs SBOM in Brief

An SBOM lists software packages and dependencies; a CBOM lists cryptographic assets. They share the CycloneDX format and can be combined, but they answer different questions. For a full comparison, see CBOM vs SBOM.

What a CBOM Contains

A CBOM inventories cryptographic assets and their relationships. The main categories are below.

  • Algorithms: RSA, ECDSA, AES, SHA-256, ML-KEM, ML-DSA.
  • Keys and key material: public and private keys, key pairs, shared secrets, tokens.
  • Certificates: X.509 TLS, code signing, and device certificates.
  • Protocols: TLS, SSH, IPsec, and their versions.
  • Libraries: OpenSSL, BoringSSL, and other cryptographic libraries in use.

Why You Need a CBOM Now

Three forces make cryptographic inventory urgent. First, post-quantum migration requires finding all quantum-vulnerable cryptography before it can be replaced. Second, harvest-now, decrypt-later attacks mean that sensitive data encrypted today with quantum-vulnerable algorithms can be captured now and decrypted once a sufficiently capable quantum computer exists, so long-lived secrets are already at risk. Third, regulators and customers increasingly expect organizations to demonstrate control over their cryptographic assets, which a CBOM provides.

How to Build a CBOM

A CBOM is produced through cryptographic discovery across several sources:

  • Scan source code and binaries for cryptographic algorithm and library usage.
  • Inspect certificate stores and key management systems for certificates and keys.
  • Analyze network traffic to identify protocols and versions in use.
  • Normalize all findings into the CycloneDX CBOM format.
  • Re-run discovery continuously, because cryptography changes as code and infrastructure change.


CycloneDX and the CBOM Standard

CycloneDX is the open standard behind CBOM. Version 1.6, released in 2024, added native support for cryptographic assets, and CycloneDX is published as the Ecma International standard ECMA-424. Because it is machine-readable and widely supported by tooling, CycloneDX has become the de facto way to express a CBOM and to exchange cryptographic inventory across the software supply chain.
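As an added example for the discovery procedure above and for the CycloneDX format (this is not Encryption Consulting's or the CycloneDX project's code): a constructed CycloneDX 1.6 CBOM fragment and a Python check that walks it, flags every algorithm recorded with no quantum security, and then follows references to the certificates and TLS cipher suites that depend on those algorithms. The field names (cryptoProperties, assetType, algorithmProperties, nistQuantumSecurityLevel, certificateProperties, protocolProperties) follow the CycloneDX 1.6 schema as I understand it; the bom-refs, certificate and cipher suite are constructed.

```python
import json

# Constructed sample CBOM (not from a real scan). Field names follow the
# CycloneDX 1.6 cryptoProperties schema as I understand it (assumption).
CBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "cryptographic-asset", "bom-ref": "alg:rsa-2048", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "signature", "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:ml-kem-768", "name": "ML-KEM-768",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "kem", "parameterSetIdentifier": "768", "nistQuantumSecurityLevel": 3}}},
    {"type": "cryptographic-asset", "bom-ref": "cert:web", "name": "CN=example.test",
     "cryptoProperties": {"assetType": "certificate", "certificateProperties":
       {"signatureAlgorithmRef": "alg:rsa-2048", "notValidAfter": "2026-01-01T00:00:00Z"}}},
    {"type": "cryptographic-asset", "bom-ref": "proto:tls12", "name": "TLS 1.2",
     "cryptoProperties": {"assetType": "protocol", "protocolProperties":
       {"type": "tls", "version": "1.2", "cipherSuites": [
         {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "algorithms": ["alg:rsa-2048"]}]}}}
  ]}'''

def load_sample() -> dict:
    """Parse the embedded sample CBOM."""
    return json.loads(CBOM_JSON)

def crypto_assets(bom: dict) -> dict:
    """Index every cryptographic-asset component by its bom-ref."""
    return {c["bom-ref"]: c for c in bom.get("components", [])
            if c.get("type") == "cryptographic-asset"}

def quantum_vulnerable(bom: dict) -> list:
    """Sorted bom-refs of algorithms at NIST quantum security level 0 (missing
    level treated as 0), plus certificates and protocols that reference them."""
    assets = crypto_assets(bom)
    weak = {ref for ref, c in assets.items()
            if c["cryptoProperties"]["assetType"] == "algorithm"
            and c["cryptoProperties"].get("algorithmProperties", {})
                                     .get("nistQuantumSecurityLevel", 0) == 0}
    exposed = set(weak)
    for ref, c in assets.items():
        props = c["cryptoProperties"]
        if props["assetType"] == "certificate":
            if props.get("certificateProperties", {}).get("signatureAlgorithmRef") in weak:
                exposed.add(ref)
        elif props["assetType"] == "protocol":
            for suite in props.get("protocolProperties", {}).get("cipherSuites", []):
                if weak & set(suite.get("algorithms", [])):
                    exposed.add(ref)
    return sorted(exposed)
```

Running `quantum_vulnerable(load_sample())` reports the RSA-2048 algorithm, the certificate signed with it and the TLS 1.2 endpoint whose cipher suite uses it, while ML-KEM-768 is left alone; the same walk over a real scanner's output gives the prioritised migration list the text describes.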

How Encryption Consulting Helps

CBOM Secure is Encryption Consulting’s cryptographic discovery and inventory platform. It scans your environment for algorithms, keys, certificates, and protocols, builds a CycloneDX CBOM, and highlights weak or quantum-vulnerable cryptography so you can plan post-quantum migration with confidence. It is backed by ISO/IEC 27001:2022 and SOC 2 certified practices.

Frequently Asked Questions

What is the difference between a CBOM and an SBOM?

An SBOM (Software Bill of Materials) inventories the software components and dependencies in an application. A CBOM (Cryptography Bill of Materials) inventories cryptographic assets such as algorithms, keys, certificates, and protocols. A CBOM is a cryptography-focused extension of the SBOM concept, and both are expressed in the CycloneDX standard.

What format is a CBOM?

The de facto format is CycloneDX, which added native CBOM support in version 1.6 in 2024 and is published as the Ecma International standard ECMA-424. CycloneDX is machine-readable and available in JSON, XML, and Protocol Buffers, so a CBOM can be generated, shared, and processed automatically by tooling across the supply chain.

Why is a CBOM important for post-quantum cryptography?

You cannot migrate cryptography you cannot see. Post-quantum migration requires finding every place RSA, elliptic-curve, and other quantum-vulnerable algorithms are used. A CBOM provides that inventory, letting teams locate weak cryptography, prioritize by risk, and track progress toward quantum-resistant algorithms such as ML-KEM and ML-DSA. It is the foundation of any PQC roadmap.

What goes in a CBOM?

A CBOM catalogs cryptographic assets: algorithms (such as RSA, AES, ML-KEM), cryptographic keys and key pairs, digital certificates, libraries, and protocols like TLS. CycloneDX also models related material such as public and private keys, shared secrets, and tokens, along with the relationships between these assets and the software components that use them.

How do you create a CBOM?

A CBOM is built through cryptographic discovery: scanning source code, binaries, and configuration for algorithm and library usage, inspecting certificates and key stores, and analyzing network traffic for protocols in use. The findings are normalized into the CycloneDX CBOM format. Because environments change, discovery should be continuous rather than a one-time scan.
