Cryptographic Bill of Materials (CBOM)
What is Cryptographic Bill of Materials (CBOM)?
An inventory that lists every cryptographic asset used by software or systems - algorithms, key lengths, certificates, libraries, and protocols - to support crypto agility and post-quantum readiness.
A CBOM extends the SBOM concept to cryptography. It captures algorithms (e.g. RSA-2048, AES-256-GCM, SHA-256), modes, parameters, key lifecycles, certificates, libraries (such as OpenSSL or BoringSSL), and protocols (TLS 1.3, SSH, IKEv2) along with where and how each is used. CBOMs help organizations identify weak or deprecated cryptography, plan the migration to post-quantum algorithms, comply with national crypto policies, and demonstrate due care to regulators in finance and critical infrastructure. CycloneDX, an OWASP project, added a machine-readable CBOM format in specification version 1.6: cryptographic assets are listed as components of type cryptographic-asset with algorithm, protocol, certificate or key-material properties, and the dependency graph records which applications, libraries and protocols use each one. A CBOM is only as good as the discovery behind it, so findings from source and binary scanning should be reconciled with runtime evidence such as negotiated TLS parameters and certificate inventories, and the BOM should be regenerated on every build rather than maintained by hand. CBOMs become essential as governments mandate post-quantum readiness assessments and as cryptographic dependencies remain a frequent source of supply-chain vulnerabilities.
● Examples
- 01
CycloneDX CBOM identifying every RSA-1024 dependency for a PQC migration plan.
- 02
CBOM produced during a pen test to highlight outdated cipher suites in a payment platform.
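The two examples above both come down to the same operation: walk a CycloneDX 1.6 CBOM, apply a crypto policy to each cryptographic-asset component, and report what is weak, what is quantum-vulnerable, and which components depend on it. The script below is an added example, not code from this page or from the CycloneDX project. The CBOM document is constructed inline for illustration (a fictional payment gateway, not a real inventory), and the thresholds it enforces (a 112-bit classical floor, a name list of deprecated hashes, a marker list for weak cipher suites) are this example's own policy choices, not part of the CycloneDX specification.

```python
"""Scan a CycloneDX 1.6 CBOM for weak or quantum-vulnerable cryptography.

Added example, not code from the page or from CycloneDX. SAMPLE_CBOM is a
constructed document and the policy constants are this example's choices.
"""
import json

# Constructed CycloneDX 1.6 CBOM for a fictional payment gateway.
SAMPLE_CBOM = json.loads(r"""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "application", "name": "payment-gateway", "bom-ref": "app"},
    {"type": "cryptographic-asset", "name": "RSA-1024", "bom-ref": "alg/rsa1024",
     "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.1.1.1",
       "algorithmProperties": {"primitive": "signature", "parameterSetIdentifier": "1024",
         "classicalSecurityLevel": 80, "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "name": "AES-256-GCM", "bom-ref": "alg/aes256gcm",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "ae", "mode": "gcm", "parameterSetIdentifier": "256",
         "classicalSecurityLevel": 256, "nistQuantumSecurityLevel": 5}}},
    {"type": "cryptographic-asset", "name": "SHA-1", "bom-ref": "alg/sha1",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "hash"}}},
    {"type": "cryptographic-asset", "name": "TLS", "bom-ref": "proto/tls10",
     "cryptoProperties": {"assetType": "protocol",
       "protocolProperties": {"type": "tls", "version": "1.0",
         "cipherSuites": [{"name": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "identifiers": ["0x00", "0x0A"]}]}}},
    {"type": "cryptographic-asset", "name": "TLS", "bom-ref": "proto/tls13",
     "cryptoProperties": {"assetType": "protocol",
       "protocolProperties": {"type": "tls", "version": "1.3",
         "cipherSuites": [{"name": "TLS_AES_256_GCM_SHA384", "identifiers": ["0x13", "0x02"]}]}}}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["proto/tls10", "proto/tls13", "alg/rsa1024"]},
    {"ref": "proto/tls10", "dependsOn": ["alg/sha1"]},
    {"ref": "proto/tls13", "dependsOn": ["alg/aes256gcm"]}
  ]
}
""")

# Example policy (assumptions, not a standard): NIST SP 800-57 treats 112 bits
# as the minimum classical strength; pke/signature/key-agree are Shor-breakable.
MIN_CLASSICAL_BITS = 112
QUANTUM_VULNERABLE = {"pke", "signature", "key-agree"}
DEPRECATED_HASHES = {"md5", "sha1", "sha-1"}
WEAK_SUITE_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5", "_ANON_")


def _dependents(cbom):
    """Reverse the 'dependencies' graph: bom-ref -> refs that depend on it."""
    rev = {}
    for dep in cbom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            rev.setdefault(target, []).append(dep["ref"])
    return rev


def _check_algorithm(name, props):
    issues = []
    primitive = props.get("primitive", "unknown")
    bits = props.get("classicalSecurityLevel")
    if bits is not None and bits < MIN_CLASSICAL_BITS:
        issues.append(f"classical security {bits} bits < {MIN_CLASSICAL_BITS}")
    if primitive == "hash" and name.lower() in DEPRECATED_HASHES:
        issues.append("deprecated hash function")
    if primitive in QUANTUM_VULNERABLE and props.get("nistQuantumSecurityLevel", 0) == 0:
        issues.append("quantum-vulnerable: PQC migration candidate")
    return issues


def _check_protocol(props):
    issues = []
    if props.get("type") == "tls":
        major, minor = (int(x) for x in props.get("version", "0.0").split("."))
        if (major, minor) < (1, 2):
            issues.append(f"TLS {major}.{minor} is deprecated (RFC 8996)")
        for suite in props.get("cipherSuites", []):
            sname = suite.get("name", "")
            if sname.startswith("TLS_RSA_WITH"):
                issues.append(f"{sname}: static RSA key exchange, no forward secrecy")
            if any(m in sname for m in WEAK_SUITE_MARKERS):
                issues.append(f"{sname}: weak cipher suite")
    return issues


def find_weak_crypto(cbom):
    """One finding per cryptographic asset that violates the policy, with its dependents."""
    rev = _dependents(cbom)
    findings = []
    for comp in cbom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        cp = comp.get("cryptoProperties", {})
        kind = cp.get("assetType")
        if kind == "algorithm":
            issues = _check_algorithm(comp["name"], cp.get("algorithmProperties", {}))
        elif kind == "protocol":
            issues = _check_protocol(cp.get("protocolProperties", {}))
        else:
            issues = []  # certificates and key material: not covered by this example
        if issues:
            findings.append({"ref": comp["bom-ref"], "name": comp["name"],
                             "issues": issues, "used_by": rev.get(comp["bom-ref"], [])})
    return findings


if __name__ == "__main__":
    for f in find_weak_crypto(SAMPLE_CBOM):
        print(f"{f['ref']} ({f['name']}) used by {f['used_by']}")
        for issue in f["issues"]:
            print("   -", issue)
```

Run against the constructed BOM, this reports RSA-1024 (below the classical floor and a PQC migration candidate, used directly by the application), SHA-1 (reachable only through the TLS 1.0 endpoint) and the TLS 1.0 endpoint itself (deprecated version, static RSA key exchange, 3DES), while AES-256-GCM and the TLS 1.3 endpoint pass. The `used_by` field is what turns a list of algorithms into a migration plan: it tells you which component has to change for each finding to go away.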
● Frequently asked questions
What is Cryptographic Bill of Materials (CBOM)?
An inventory that lists every cryptographic asset used by software or systems - algorithms, key lengths, certificates, libraries, and protocols - to support crypto agility and post-quantum readiness. It belongs to the Application Security category of cybersecurity.
What does Cryptographic Bill of Materials (CBOM) mean?
An inventory that lists every cryptographic asset used by software or systems - algorithms, key lengths, certificates, libraries, and protocols - to support crypto agility and post-quantum readiness.
How does Cryptographic Bill of Materials (CBOM) work?
A CBOM extends the SBOM concept to cryptography. It captures algorithms (e.g. RSA-2048, AES-256-GCM, SHA-256), modes, parameters, key lifecycles, certificates, libraries (such as OpenSSL or BoringSSL), and protocols (TLS 1.3, SSH, IKEv2) along with where and how each is used. CBOMs help organizations identify weak or deprecated cryptography, plan the migration to post-quantum algorithms, comply with national crypto policies, and demonstrate due care to regulators in finance and critical infrastructure. CycloneDX, an OWASP project, added a machine-readable CBOM format in specification version 1.6: cryptographic assets are listed as components of type cryptographic-asset with algorithm, protocol, certificate or key-material properties, and the dependency graph records which applications, libraries and protocols use each one. A CBOM is only as good as the discovery behind it, so findings from source and binary scanning should be reconciled with runtime evidence such as negotiated TLS parameters and certificate inventories, and the BOM should be regenerated on every build rather than maintained by hand. CBOMs become essential as governments mandate post-quantum readiness assessments and as cryptographic dependencies remain a frequent source of supply-chain vulnerabilities.
How is a Cryptographic Bill of Materials (CBOM) used defensively?
A CBOM is itself a defensive control rather than a threat. Teams generate it from source, binaries and configuration, check every listed asset against policy (minimum key sizes, deprecated algorithms and hashes, approved protocol versions and cipher suites, quantum-vulnerable primitives), track each finding to remediation, and regenerate the CBOM on every build so the inventory stays current as dependencies change.
What are other names for Cryptographic Bill of Materials (CBOM)?
Common alternative names include: CBOM.
● Related terms
- appsec№ 1068
Software Bill of Materials (SBOM)
A formal, machine-readable inventory of the components, libraries, and dependencies that make up a piece of software, along with their versions and relationships.
- cryptography№ 846
Post-Quantum Cryptography
Cryptographic algorithms that run on conventional computers but are designed to remain secure against attacks by both classical and large-scale quantum computers.
- cryptography№ 249
Cryptography
The science of securing information through mathematical techniques that provide confidentiality, integrity, authenticity, and non-repudiation in the presence of adversaries.
- appsec№ 1069
Software Supply Chain Security
The discipline of protecting every link of the software production chain - source, dependencies, build, signing, distribution, and deployment - against tampering, malicious code, and integrity loss.
- cryptography№ 172
Cipher Suite
A named combination of cryptographic algorithms — key exchange, authentication, bulk encryption, and integrity — negotiated by protocols such as TLS for a given session.
- network-security№ 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.