- Key Takeaways
- What CycloneDX Is and Where It Came From
- BOM Types CycloneDX Supports
- What CycloneDX Describes
- CycloneDX and the Cryptography Bill of Materials (CBOM)
- CycloneDX Version History
- Looking Ahead: CycloneDX 2.0 and the Transparency Exchange Language
- Common Use Cases
- How Encryption Consulting Helps
- Frequently Asked Questions
- Inventory Your Cryptography in CycloneDX Format
CycloneDX is an open-source Bill of Materials (BOM) standard, created by OWASP and standardized by Ecma International as ECMA-424, that describes the components, services, dependencies, and cryptographic assets in software and systems for supply chain transparency and risk reduction.
CycloneDX is a full-stack Bill of Materials standard used to inventory what software and systems are made of. It supports several BOM types, including a Software BOM (SBOM), Cryptography BOM (CBOM), Hardware BOM (HBOM), and AI/ML BOM, and expresses them in JSON, XML, or Protocol Buffers. Originally an OWASP project, it is now the Ecma International standard ECMA-424, maintained by Technical Committee TC54.
Key Takeaways
- CycloneDX is a full-stack Bill of Materials standard from OWASP, formally standardized as Ecma International ECMA-424 and maintained by Technical Committee TC54.
- The current version is 1.7, released October 21, 2025, and adopted as ECMA-424 2nd Edition by the Ecma General Assembly in December 2025.
- CycloneDX supports multiple BOM types from one specification: SBOM (software), CBOM (cryptography), HBOM (hardware), SaaSBOM (services), OBOM (operations), and AI/ML-BOM, expressed in JSON, XML, or Protocol Buffers.
- The Cryptography Bill of Materials (CBOM) capability, introduced in v1.6 and expanded in v1.7, catalogs cryptographic algorithms, keys, certificates, and protocols, making CycloneDX a foundational format for post-quantum readiness.
- CycloneDX and SPDX are the two BOM formats recognized under US Executive Order 14028; SPDX originated with a license-compliance focus, CycloneDX with a security focus.
What CycloneDX Is and Where It Came From
CycloneDX is a standard for describing what software and systems are built from. Modern applications are assembled from first-party code, third-party libraries, open-source packages, services, and the cryptography that protects them. CycloneDX provides a structured, machine-readable way to inventory all of it so organizations can find vulnerabilities, meet compliance requirements, and understand their supply chain.
The project originated in 2017 within OWASP, the Open Worldwide Application Security Project. In December 2025, CycloneDX was formally adopted as an Ecma International standard, ECMA-424, developed by Ecma Technical Committee TC54. Strategic direction is managed by the CycloneDX Core Working Group, backed by the OWASP Foundation. The specification is developed openly on GitHub.
BOM Types CycloneDX Supports
A single specification covers many inventory types, which is what “full-stack” means in CycloneDX’s description of itself.
- SBOM (Software Bill of Materials): The core use case: an inventory of software components, versions, licenses, and dependencies.
- CBOM (Cryptography Bill of Materials): An inventory of cryptographic assets (algorithms, keys, certificates, and protocols) and their dependencies. Introduced in v1.6.
- HBOM (Hardware Bill of Materials): An inventory of hardware components, useful for IoT and embedded systems.
- SaaSBOM (Software-as-a-Service BOM): An inventory of external services and APIs a system calls, including endpoints and data flows.
- OBOM (Operations Bill of Materials): A full-stack inventory of a runtime environment: operating system packages, configurations, and services.
- AI/ML-BOM (Machine Learning Bill of Materials): An inventory of machine learning models and datasets, introduced in v1.5.
CycloneDX also supports Vulnerability Disclosure Reports (VDR), Vulnerability Exploitability eXchange (VEX), and CycloneDX Attestations (CDXA) for compliance evidence. All BOM types can be expressed in JSON, XML, or Protocol Buffers.
What CycloneDX Describes
The CycloneDX object model organizes supply chain data into a defined schema. Its primary building blocks include:
- Components: First-party and third-party software, hardware, ML models, source code, and configurations, with manufacturer, license, and provenance details.
- Services: External APIs the software calls, including endpoints, authentication requirements, and data flow across trust boundaries.
- Dependencies: A dependency graph capturing both direct and transitive relationships between components and services.
- Vulnerabilities: Known vulnerabilities carried in the core specification since v1.4, enabling VDR and VEX use cases.
- Compositions: Statements about how complete the known relationships are, so a consumer knows what the BOM does and does not cover.
CycloneDX and the Cryptography Bill of Materials (CBOM)
The Cryptography Bill of Materials is the CycloneDX capability most relevant to cryptographic governance and post-quantum migration. A CBOM describes cryptographic assets (algorithms, keys, certificates, and the protocols that use them) and their relationships to software components.
CBOM was introduced in CycloneDX v1.6 (April 2024) alongside CycloneDX Attestations. Version 1.7 expanded it significantly, adding an Algorithm Family object and a standardized, machine-readable Cryptography Registry of algorithm families and elliptic curves. The v1.6 “curve” property was deprecated in favor of the new standardized curve list. These additions address a real problem found in government and critical-infrastructure CBOM deployments: inconsistent naming of cryptographic algorithms across tools, which had hindered policy enforcement and post-quantum readiness assessment.
Because it can inventory exactly which algorithms and key sizes are in use and where, a CBOM is a foundational first step for post-quantum cryptography migration. NIST‘s SP 1800-38 practice guide emphasizes cryptographic asset inventory as a prerequisite for the transition to quantum-safe algorithms, and CycloneDX CBOM is one of the standard formats for expressing that inventory.
CycloneDX Version History
CycloneDX has evolved steadily since its first release. Major milestones:
| Version | Released | Notable additions |
|---|---|---|
| 1.0 | March 2018 | First release; introduced the Package URL (purl) scheme |
| 1.2 | May 2020 | SWID tags, service components, JSON format alongside XML |
| 1.3 | May 2021 | Protocol Buffers serialization; composition completeness |
| 1.4 | January 2022 | Vulnerabilities added to the core spec (VEX/VDR) |
| 1.5 | June 2023 | ML-BOM (machine learning), formulation (MBOM) |
| 1.6 | April 2024 | CBOM (cryptography) and CycloneDX Attestations (CDXA); ratified as ECMA-424 1st Edition |
| 1.7 | October 2025 | Expanded CBOM, Cryptography Registry, patent metadata; ECMA-424 2nd Edition (Dec 2025) |
Looking Ahead: CycloneDX 2.0 and the Transparency Exchange Language
CycloneDX has publicly stated that a future version 2.0 will move toward an API-first design, described as the CycloneDX Transparency Exchange Language, a superset of the CycloneDX BOM. As of July 2026 this is forward-looking direction announced by the project, not a released standard. Organizations adopting CycloneDX today should build on v1.7, which is the current ratified specification.
Common Use Cases
- Software supply chain security: Generating an SBOM for every build so vulnerable components can be found quickly when a new CVE is disclosed.
- Regulatory compliance: Meeting SBOM requirements such as those stemming from US Executive Order 14028, which recognizes CycloneDX as an approved format.
- Post-quantum readiness: Producing a CBOM to inventory cryptographic assets as the first step toward quantum-safe migration.
- Cryptographic governance: Identifying deprecated algorithms, weak key sizes, or expired certificates across an environment.
- AI and ML transparency: Documenting models and datasets with an AI/ML-BOM.
How Encryption Consulting Helps
Encryption Consulting’s CBOM Secure cryptographic discovery and inventory service scans your environment for algorithms, keys, certificates, and protocols and produces a CycloneDX-format Cryptography Bill of Materials, so the output is portable across any tool that reads the standard. From there, EC’s Post-Quantum Cryptography Advisory Services use that CBOM to prioritize quantum-vulnerable assets and plan a migration to ML-KEM (FIPS 203) and ML-DSA (FIPS 204). Backed by ISO/IEC 27001:2022 and SOC 2 certified practices.
Frequently Asked Questions
What is CycloneDX used for?
CycloneDX is used to create a Bill of Materials that inventories what software and systems are made of. The most common use is generating a Software Bill of Materials (SBOM) to track components and find vulnerabilities, but CycloneDX also supports cryptography inventories (CBOM), hardware (HBOM), services (SaaSBOM), operations (OBOM), and AI/ML models. Organizations use it for supply chain security, regulatory compliance, and post-quantum cryptography readiness.
What is the difference between CycloneDX and SPDX?
CycloneDX and SPDX are the two Bill of Materials formats recognized under US Executive Order 14028. SPDX, an ISO/IEC standard, originated with a focus on open-source license compliance. CycloneDX, now Ecma standard ECMA-424, originated with a security focus and supports a broad range of BOM types including cryptography (CBOM) and hardware (HBOM). Many tools can produce both formats, and the two increasingly overlap in capability.
What is the latest version of CycloneDX?
The latest version is CycloneDX 1.7, released October 21, 2025. It was adopted as Ecma International standard ECMA-424, 2nd Edition, by the Ecma General Assembly in December 2025. Version 1.7 is backward compatible with versions 1.4 through 1.6 and adds expanded cryptography support, a standardized Cryptography Registry, and patent metadata fields. A future API-first version 2.0 has been announced but is not yet released.
Is CycloneDX free and open source?
Yes. CycloneDX is an open-source standard developed under the OWASP Foundation and standardized by Ecma International as ECMA-424. The specification is developed openly on GitHub, and the standard is free to use. A large ecosystem of free, open-source, and commercial tools supports generating and consuming CycloneDX BOMs.
What is a CBOM in CycloneDX?
A Cryptography Bill of Materials (CBOM) is a CycloneDX capability that inventories cryptographic assets (algorithms, keys, certificates, and protocols) and their dependencies within a system. It was introduced in CycloneDX v1.6 (April 2024) and expanded in v1.7 with an Algorithm Family object and a standardized Cryptography Registry. A CBOM is a foundational step for post-quantum cryptography migration, because you cannot plan a migration for cryptography you have not inventoried.
What formats can a CycloneDX BOM be written in?
A CycloneDX BOM can be expressed in JSON, XML, or Protocol Buffers. JSON and XML are human- and machine-readable and are the most widely used. Protocol Buffers, added in version 1.3, is a compact binary format intended for efficient machine-to-machine transport of BOM data. All three formats are officially registered IANA media types.
Inventory Your Cryptography in CycloneDX Format
A CycloneDX CBOM is the first step toward crypto-agility and post-quantum readiness. See how CBOM Secure builds your cryptographic inventory, or talk to an Encryption Consulting PQC advisor.
- Key Takeaways
- What CycloneDX Is and Where It Came From
- BOM Types CycloneDX Supports
- What CycloneDX Describes
- CycloneDX and the Cryptography Bill of Materials (CBOM)
- CycloneDX Version History
- Looking Ahead: CycloneDX 2.0 and the Transparency Exchange Language
- Common Use Cases
- How Encryption Consulting Helps
- Frequently Asked Questions
- Inventory Your Cryptography in CycloneDX Format
