Cryptographic Bill of Materials (CBOM):
Your First Step to Quantum Readiness
You can't protect what you can't see. Build a complete inventory of your cryptographic assets to identify quantum-vulnerable encryption and prioritize your PQC migration.
What is a Cryptographic Bill of Materials?
A Cryptographic Bill of Materials (CBOM) is a comprehensive inventory of all cryptographic assets within an organization — algorithms, keys, certificates, libraries, and configurations. It answers the fundamental question: “What cryptography are we using, where, and is it quantum-safe?”
Just as an SBOM (Software Bill of Materials) catalogs software dependencies for supply chain security, a CBOM catalogs cryptographic assets for quantum readiness. The key difference: a CBOM records how cryptography is configured and deployed (algorithm, parameters, protocol settings, where the keys live), not just which libraries are present. The two formats are designed to coexist; CycloneDX 1.6 carries both in the same document schema.
Without a complete CBOM, PQC migration is impossible to plan, budget, or execute. You cannot prioritize what you haven't inventoried. You cannot estimate migration timelines without knowing the full scope of quantum-vulnerable cryptography in your environment.
Why CBOM is Critical for PQC
- NIST IR 8547 (Transition to Post-Quantum Cryptography Standards): sets the timeline for deprecating quantum-vulnerable public-key algorithms from 2030 and disallowing them after 2035; you cannot plan against that timeline without knowing where those algorithms are used
- OMB M-23-02: federal agencies must submit a prioritized inventory of quantum-vulnerable cryptographic systems annually (the first submission was due in May 2023, continuing through 2035)
- CNSA 2.0: NSA sets a PQC transition timeline for National Security Systems; the inventory is step one
- Enterprise reality: inventories routinely surface far more cryptographic implementations than the owning teams expected, because crypto arrives embedded in libraries, protocols and vendor products rather than being deployed deliberately
Key Components of a Cryptographic Inventory
A complete CBOM covers six critical areas across your infrastructure, applications, and data stores.
Algorithms in Use
RSA, ECC, AES, SHA, 3DES, and all cryptographic algorithms deployed across applications and infrastructure.
Key Lengths & Configurations
Key sizes, rotation policies, and cryptographic parameters that determine security strength.
Certificate Authorities & PKI
Root CAs, intermediate CAs, certificate chains, and trust hierarchies.
Key Management Systems
HSMs, cloud KMS, vaults, and all systems responsible for key lifecycle management.
Cryptographic Libraries
All crypto libraries, SDKs, and dependencies in your software supply chain.
Protocol Configurations
TLS versions, cipher suites, and cryptographic protocol settings.
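The six component types above map onto the CycloneDX 1.6 CBOM schema, which represents each as a `cryptographic-asset` component with `cryptoProperties`. The block below is an added example, not code from the page or from Qscout26: it emits one constructed host inventory (algorithms, a certificate, an HSM-held private key, and a TLS protocol entry referencing them), assigns a NIST quantum security category to each algorithm, and lists the ones PQC migration must replace. Field names follow the CycloneDX 1.6 JSON schema; the OIDs are the standard ones for each algorithm and should be checked against the registry before use; the inventory rows are made up.

```python
"""Minimal CycloneDX 1.6 CBOM emitter with quantum-vulnerability classification."""
import json
import uuid
from datetime import datetime, timezone


def quantum_level(primitive, name, param):
    """NIST quantum security category (CycloneDX nistQuantumSecurityLevel, 0-6).

    0 means no quantum security: classical public-key primitives (RSA, ECC, DH)
    are broken outright by Shor's algorithm whatever their key size. Symmetric
    ciphers and hashes only lose about half their strength to Grover, so they
    are mapped by key or output length. ML-KEM / ML-DSA use FIPS 203/204 categories.
    """
    if name.startswith(("ML-KEM", "ML-DSA")):
        return {"ML-KEM-512": 1, "ML-KEM-768": 3, "ML-KEM-1024": 5,
                "ML-DSA-44": 2, "ML-DSA-65": 3, "ML-DSA-87": 5}.get(name, 0)
    if primitive in ("pke", "signature", "key-agree", "kem"):
        return 0
    if primitive in ("block-cipher", "ae"):
        return {128: 1, 192: 3, 256: 5}.get(int(param), 0)
    if primitive == "hash":
        return {256: 2, 384: 4, 512: 6}.get(int(param), 0)
    return 0


def algorithm(name, primitive, param, oid, functions):
    """One cryptographic-asset component of assetType 'algorithm'."""
    return {"type": "cryptographic-asset", "bom-ref": f"crypto/algorithm/{name}", "name": name,
            "cryptoProperties": {"assetType": "algorithm", "oid": oid,
                                 "algorithmProperties": {
                                     "primitive": primitive,
                                     "parameterSetIdentifier": str(param),
                                     "cryptoFunctions": functions,
                                     "nistQuantumSecurityLevel": quantum_level(primitive, name, param)}}}


def certificate(subject, issuer, not_after, sig_alg_ref, key_alg_ref):
    """Certificate entry; algorithm fields are bom-refs to algorithm components."""
    return {"type": "cryptographic-asset", "bom-ref": f"crypto/certificate/{subject}", "name": subject,
            "cryptoProperties": {"assetType": "certificate",
                                 "certificateProperties": {
                                     "subjectName": subject, "issuerName": issuer,
                                     "notValidAfter": not_after, "certificateFormat": "X.509",
                                     "signatureAlgorithmRef": sig_alg_ref,
                                     "subjectPublicKeyRef": key_alg_ref}}}


def private_key(key_id, alg_ref, mechanism):
    """Key-management entry: where the key lives (HSM, software, ...) and which algorithm it is for."""
    return {"type": "cryptographic-asset", "bom-ref": f"crypto/key/{key_id}", "name": key_id,
            "cryptoProperties": {"assetType": "related-crypto-material",
                                 "relatedCryptoMaterialProperties": {
                                     "type": "private-key", "id": key_id, "algorithmRef": alg_ref,
                                     "securedBy": {"mechanism": mechanism}}}}


def protocol(name, version, cipher_suites):
    """Protocol configuration entry; each suite references the algorithm components it uses."""
    return {"type": "cryptographic-asset", "bom-ref": f"crypto/protocol/{name}-{version}", "name": name,
            "cryptoProperties": {"assetType": "protocol",
                                 "protocolProperties": {
                                     "type": "tls", "version": version,
                                     "cipherSuites": [{"name": n, "algorithms": refs}
                                                      for n, refs in cipher_suites]}}}


def build_cbom(components):
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "serialNumber": f"urn:uuid:{uuid.uuid4()}",
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
            "components": components}


def quantum_vulnerable(bom):
    """bom-refs of every algorithm with no quantum security: the PQC migration backlog."""
    return [c["bom-ref"] for c in bom["components"]
            if c["cryptoProperties"].get("algorithmProperties", {}).get("nistQuantumSecurityLevel") == 0]


def to_json(bom):
    return json.dumps(bom, indent=2)


# Constructed inventory for one host (sample data, not scan output).
SAMPLE_CBOM = build_cbom([
    algorithm("RSA-2048", "signature", 2048, "1.2.840.113549.1.1.1", ["sign", "verify"]),
    algorithm("ECDH-P-256", "key-agree", "P-256", "1.2.840.10045.2.1", ["keygen"]),
    algorithm("AES-128-GCM", "ae", 128, "2.16.840.1.101.3.4.1.6", ["encrypt", "decrypt"]),
    algorithm("SHA-256", "hash", 256, "2.16.840.1.101.3.4.2.1", ["digest"]),
    algorithm("ML-KEM-768", "kem", 768, "2.16.840.1.101.3.4.4.2", ["encapsulate", "decapsulate"]),
    certificate("CN=api.example.internal", "CN=Example Issuing CA", "2026-12-31T00:00:00Z",
                "crypto/algorithm/RSA-2048", "crypto/algorithm/RSA-2048"),
    private_key("api-tls-key-2025", "crypto/algorithm/RSA-2048", "HSM"),
    protocol("TLS", "1.2", [("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                             ["crypto/algorithm/ECDH-P-256", "crypto/algorithm/RSA-2048",
                              "crypto/algorithm/AES-128-GCM", "crypto/algorithm/SHA-256"])]),
])

if __name__ == "__main__":
    print(to_json(SAMPLE_CBOM))
    print("quantum-vulnerable:", quantum_vulnerable(SAMPLE_CBOM))
```

The bom-ref cross-references are the point of the format: a certificate, the key behind it and the TLS suite that uses them all resolve to the same `RSA-2048` algorithm entry, so replacing that one algorithm in the inventory tells you every certificate, key store and protocol configuration the change will touch.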
Discovery Methods
Building a complete CBOM requires multiple complementary discovery approaches. No single method captures everything.
Network Traffic Analysis
Passive inspection of TLS handshakes, certificate exchanges, and encrypted protocol negotiations to identify algorithms and configurations in transit.
Code Scanning & SBOM Integration
Static analysis of source code, binaries, and dependencies to identify cryptographic function calls and library usage.
Configuration Audits
Direct inspection of server configurations, HSM settings, and key management system exports.
Certificate Inventory
Comprehensive mapping of all certificates, their algorithms, validity periods, and trust chains.
API & Endpoint Scanning
Active probing of APIs and endpoints to determine cryptographic posture and supported algorithms.
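Passive network inspection, the first discovery method above, comes down to reading what a client offers in its TLS ClientHello before any encryption starts. The block below is an added example, not code from the page or from Qscout26: it builds a ClientHello record in memory (constructed sample input, not captured traffic), parses it the way a passive sensor would, and reports whether the client offers a hybrid ML-KEM key exchange, which classical groups and legacy suites it still offers, and whether every session it opens is therefore exposed to harvest-now-decrypt-later. The hybrid group code points follow draft-ietf-tls-ecdhe-mlkem and the earlier Kyber draft; treat them as assumptions and verify against the IANA TLS Supported Groups registry.

```python
"""Passive ClientHello inspection for quantum-readiness discovery."""
import struct

# Named groups (IANA TLS Supported Groups). Hybrid code points are assumptions
# taken from draft-ietf-tls-ecdhe-mlkem; re-check the registry before relying on them.
GROUP_NAMES = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
    0x001D: "x25519", 0x001E: "x448", 0x0100: "ffdhe2048", 0x0101: "ffdhe3072",
    0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768", 0x6399: "X25519Kyber768Draft00",
}
HYBRID_PQC_GROUPS = {0x11EB, 0x11EC, 0x6399}   # ECDH combined with ML-KEM: quantum-safe exchange
SHOR_VULNERABLE_GROUPS = {0x0017, 0x0018, 0x0019, 0x001D, 0x001E, 0x0100, 0x0101}

CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
LEGACY_SUITES = {0x002F, 0x000A}   # static RSA key transport: no forward secrecy, and 3DES


def parse_client_hello(record):
    """Return cipher suites, supported_groups and supported_versions from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + ch[pos]                             # legacy_session_id
    (cs_len,) = struct.unpack("!H", ch[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", ch[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + ch[pos]                             # legacy_compression_methods
    (ext_len,) = struct.unpack("!H", ch[pos:pos + 2])
    pos += 2
    end, groups, versions = pos + ext_len, [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        data = ch[pos:pos + elen]
        pos += elen
        if etype == 0x000A:                        # supported_groups: 2-byte list length
            (n,) = struct.unpack("!H", data[:2])
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 0x002B:                      # supported_versions: 1-byte list length
            versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return {"suites": suites, "groups": groups, "versions": versions}


def assess(record):
    """Classify what this client is willing to negotiate."""
    ch = parse_client_hello(record)
    name = lambda table, code: table.get(code, hex(code))
    hybrid = [name(GROUP_NAMES, g) for g in ch["groups"] if g in HYBRID_PQC_GROUPS]
    classical = [name(GROUP_NAMES, g) for g in ch["groups"] if g in SHOR_VULNERABLE_GROUPS]
    legacy = [name(CIPHER_NAMES, s) for s in ch["suites"] if s in LEGACY_SUITES]
    return {
        "offers_tls13": 0x0304 in ch["versions"],
        "hybrid_pqc_groups": hybrid,
        "classical_groups": classical,
        "legacy_suites": legacy,
        # With no hybrid group on offer, every session this client opens rests on a
        # Shor-breakable key exchange, so recorded traffic is HNDL-exposed.
        "hndl_exposed": not hybrid,
    }


def build_client_hello(suites, groups, versions=(0x0304,)):
    """Constructed sample ClientHello (not captured traffic) so the parser runs offline."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ext_groups = struct.pack("!HHH", 0x000A, len(sg) + 2, len(sg)) + sg
    sv = b"".join(struct.pack("!H", v) for v in versions)
    ext_versions = struct.pack("!HHB", 0x002B, len(sv) + 1, len(sv)) + sv
    exts = ext_groups + ext_versions
    cs = b"".join(struct.pack("!H", s) for s in suites)
    ch = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
          + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    sample = build_client_hello([0x1301, 0xC02F, 0x000A], [0x11EC, 0x001D, 0x0017])
    print(assess(sample))
```

A client that offers X25519MLKEM768 first may still end up on x25519 if the server does not support the hybrid group, so the ServerHello's selected key_share is what finally decides a session's exposure; the ClientHello view is still the fastest way to find which fleets have not been updated at all.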
Qscout26: Automated CBOM Generation
Qscout26's 61 specialized modules automatically build your CBOM across 8 categories, including 15 quantum-specific checks for PQC readiness assessment.
- Certificate chains, cipher suites, protocol versions, and handshake analysis
- HSM configurations, KMS policies, key rotation, and lifecycle management
- CA hierarchies, certificate policies, revocation mechanisms
- DKIM, DMARC, SPF, S/MIME, and email transport encryption
- JWT/JWE, API authentication, session management, token signing
- SSH, IPSec, VPN configurations, and protocol crypto
- Database encryption, file system crypto, backup encryption
- PQC readiness, HNDL exposure, hybrid TLS, migration gaps
Point-in-Time vs. Continuous
Point-in-Time Scan: Qscout26 delivers initial CBOM findings in 7 days, providing a complete snapshot of your cryptographic posture.
Continuous Monitoring: Ongoing subscription tracks cryptographic drift, new deployments, and configuration changes in real-time.
Integration with Asset Management
CBOM data exports to JSON and SARIF formats for integration with existing CMDB, SBOM tools, and vulnerability management platforms.
Maps directly to NIST CSF 2.0 cryptographic controls and feeds into Board Number risk calculations for executive reporting.
CBOM Prioritization Framework
Not all cryptographic assets require immediate attention. Use this framework to prioritize migration based on risk, complexity, and business impact.
Data Sensitivity Classification (weight 30%)
Public, Internal, Confidential, Restricted, Top Secret: each level increases migration priority, because the longer data must stay confidential, the more harvest-now-decrypt-later matters.
Algorithm Vulnerability Scoring (weight 25%)
Shor-vulnerable public-key algorithms (RSA, ECC, DH) score higher than symmetric algorithms and hashes with adequate key or output lengths, which only face a quadratic Grover speedup.
Migration Complexity Assessment (weight 20%)
Systems with deep crypto dependencies, legacy code, or third-party constraints take longer to migrate. Higher complexity raises the score: these migrations must start earlier to finish on time.
Business Criticality Weighting (weight 25%)
Revenue-generating systems, customer-facing applications, and regulatory-scoped assets are prioritized.
Priority Scoring Example
Priority Score = 0.30 × Sensitivity + 0.25 × Vulnerability + 0.20 × Complexity + 0.25 × Criticality, with every input on a 0-100 scale.
| System | Sensitivity | Vulnerability | Complexity | Criticality | Priority Score |
|---|---|---|---|---|---|
| Customer Payment API | 95 | 90 | 70 | 100 | 90.00 |
| Internal HR Portal | 60 | 85 | 40 | 50 | 59.75 |
| Public Marketing Site | 10 | 85 | 20 | 30 | 35.75 |
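The framework above in code, as an added example that is not the page's or Qscout26's scoring engine: the weighted sum is exactly the one the table uses, so it reproduces the three rows, and a small helper shows how an algorithm-vulnerability input can be derived from a system's algorithm list instead of being typed in. The per-algorithm point values in that helper are assumptions chosen for illustration; the weights and the three systems are from the table.

```python
"""CBOM prioritization: weighted scoring plus an algorithm-derived vulnerability input."""

WEIGHTS = {"sensitivity": 0.30, "vulnerability": 0.25, "complexity": 0.20, "criticality": 0.25}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 100%"

CLASSICALLY_BROKEN = {"3DES", "DES", "RC4", "MD5", "SHA-1", "SHA1"}


def algorithm_points(alg):
    """0-100 vulnerability points for one algorithm (assumed scale for illustration).

    Shor-vulnerable public-key algorithms score 100 whatever the key size: RSA-4096
    is no safer than RSA-2048 against a cryptographically relevant quantum computer.
    Symmetric and hash strength is only halved by Grover, so those score by length.
    """
    parts = alg.upper().split("-")
    fam = parts[0]
    bits = next((int(p) for p in parts[1:] if p.isdigit()), 0)
    if alg.upper() in CLASSICALLY_BROKEN:
        return 80                   # must be replaced anyway, quantum or not
    if fam in ("RSA", "DSA", "DH", "DHE", "ECDSA", "ECDH", "ECDHE", "ED25519", "X25519", "ECC"):
        return 100
    if fam == "AES":
        return 40 if bits <= 128 else 10
    if fam in ("SHA", "SHA2", "SHA3"):
        return 20 if bits <= 256 else 10
    if fam in ("ML", "SLH"):        # ML-KEM, ML-DSA, SLH-DSA
        return 0
    return 50                       # unrecognised: investigate before scoring


def vulnerability_score(algorithms):
    """A system's exposure is set by its weakest algorithm."""
    return max(algorithm_points(a) for a in algorithms)


def priority_score(sensitivity, vulnerability, complexity, criticality):
    """Weighted sum of four 0-100 inputs, rounded to two decimals."""
    total = (WEIGHTS["sensitivity"] * sensitivity + WEIGHTS["vulnerability"] * vulnerability
             + WEIGHTS["complexity"] * complexity + WEIGHTS["criticality"] * criticality)
    return round(total, 2)


# The three constructed rows of the table above.
SYSTEMS = [
    {"name": "Customer Payment API", "sensitivity": 95, "vulnerability": 90, "complexity": 70, "criticality": 100},
    {"name": "Internal HR Portal", "sensitivity": 60, "vulnerability": 85, "complexity": 40, "criticality": 50},
    {"name": "Public Marketing Site", "sensitivity": 10, "vulnerability": 85, "complexity": 20, "criticality": 30},
]


def rank(systems):
    """Highest priority first, as (score, name) pairs."""
    scored = [(priority_score(s["sensitivity"], s["vulnerability"], s["complexity"], s["criticality"]),
               s["name"]) for s in systems]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, name in rank(SYSTEMS):
        print(f"{score:6.2f}  {name}")
    print("payment API algorithms ->", vulnerability_score(["RSA-2048", "ECDHE-P256", "AES-256-GCM"]))
```

Deriving the vulnerability input from the inventory is what makes the score reproducible across hundreds of systems; the other three inputs still come from data classification, architecture review and business ownership.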
7-Step Guide to Building Your CBOM
A practical framework for creating your first cryptographic inventory in 4 weeks.
Step 1. Define Scope and Objectives
Week 1: Identify all systems, applications, and infrastructure components that will be included in the cryptographic inventory. Set coverage targets (e.g., 95%+ of enterprise systems) and define success criteria.
Step 2. Deploy Automated Discovery Tools
Weeks 1-2: Implement network traffic analysis, code scanning, and configuration auditing tools. Configure passive monitoring and schedule active scans across all in-scope environments.
Step 3. Catalog Algorithms and Key Lengths
Week 2: Document all cryptographic algorithms in use, key lengths, and configurations. Create a structured inventory database with consistent naming conventions.
Step 4. Inventory PKI and Certificate Infrastructure
Weeks 2-3: Map certificate authorities, certificate chains, key management systems (HSMs, KMS), and certificate lifecycle management processes across the organization.
Step 5. Assess Cryptographic Libraries and Dependencies
Week 3: Identify all cryptographic libraries, SDKs, and third-party dependencies. Integrate with existing SBOM processes and identify version-specific vulnerabilities.
Step 6. Classify Quantum Vulnerability
Weeks 3-4: Score each cryptographic asset against quantum vulnerability criteria. Apply the prioritization framework to rank systems for migration planning.
Step 7. Establish Continuous Monitoring
Week 4 and ongoing: Implement ongoing cryptographic drift detection, change management integration, and regular review cadence to keep the CBOM current.
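Drift detection, the last step above, is a diff between two inventory snapshots with a rule for which differences matter. The block below is an added example, not code from the page or from Qscout26: it compares two constructed snapshots keyed by host and service, reports what appeared, disappeared or changed, and flags the changes that widen PQC exposure, such as a key exchange falling back from a hybrid ML-KEM group to classical ECDH or a key getting shorter. The key-exchange names and their risk ranking are assumptions for illustration.

```python
"""CBOM drift detection between two inventory snapshots."""

# Lower is better. The labels and ranking are illustrative assumptions: hybrid
# ML-KEM beats ephemeral ECDH/DH (Shor-breakable, but forward secret), which
# beats static RSA key transport (Shor-breakable and no forward secrecy).
KEX_RISK = {"X25519MLKEM768": 0, "SecP256r1MLKEM768": 0,
            "X25519": 1, "ECDHE-P256": 1, "DHE-2048": 2, "RSA": 3}


def kex_risk(kex):
    return KEX_RISK.get(kex, 2)   # unknown key exchange: treat as classical until reviewed


def diff_snapshots(before, after):
    """Compare two snapshots (lists of asset records) keyed by (host, service)."""
    old = {(r["host"], r["service"]): r for r in before}
    new = {(r["host"], r["service"]): r for r in after}
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed, regressions = [], []
    for key in sorted(old.keys() & new.keys()):
        delta = {f: (old[key].get(f), new[key][f]) for f in new[key] if old[key].get(f) != new[key][f]}
        if not delta:
            continue
        changed.append((key, delta))
        weaker_kex = kex_risk(new[key]["key_exchange"]) > kex_risk(old[key]["key_exchange"])
        shorter_key = new[key]["key_bits"] < old[key]["key_bits"]
        if weaker_kex or shorter_key:
            regressions.append(key)
    # New assets arriving with a Shor-breakable key exchange widen the migration scope.
    added_classical = [k for k in added if kex_risk(new[k]["key_exchange"]) > 0]
    return {"added": added, "removed": removed, "changed": changed,
            "regressions": regressions, "added_classical": added_classical}


# Constructed snapshots (sample data, not scan output).
BEFORE = [
    {"host": "api.example.internal", "service": "https", "key_exchange": "X25519MLKEM768",
     "signature": "ECDSA-P256", "key_bits": 256},
    {"host": "hr.example.internal", "service": "https", "key_exchange": "ECDHE-P256",
     "signature": "RSA-2048", "key_bits": 2048},
    {"host": "legacy.example.internal", "service": "ldaps", "key_exchange": "RSA",
     "signature": "RSA-2048", "key_bits": 2048},
]
AFTER = [
    # A configuration rollback silently dropped the hybrid group on the API host.
    {"host": "api.example.internal", "service": "https", "key_exchange": "X25519",
     "signature": "ECDSA-P256", "key_bits": 256},
    {"host": "hr.example.internal", "service": "https", "key_exchange": "ECDHE-P256",
     "signature": "RSA-2048", "key_bits": 2048},
    {"host": "vpn.example.internal", "service": "ikev2", "key_exchange": "DHE-2048",
     "signature": "RSA-2048", "key_bits": 2048},
]

if __name__ == "__main__":
    for field, value in diff_snapshots(BEFORE, AFTER).items():
        print(f"{field}: {value}")
```

Run on a schedule against each fresh scan, the `regressions` and `added_classical` lists are what a change-management hook should turn into tickets; plain `changed` entries (a renewed certificate, a rotated key of the same size) are normal churn.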
Frequently Asked Questions
How long does it take to build a CBOM?
Initial CBOM creation typically takes 2-4 weeks for mid-sized organizations and 1-3 months for large enterprises. This includes automated discovery (1-2 weeks), manual verification and gap-filling (1-2 weeks), and classification/prioritization (1 week). Qscout26 accelerates this to 7 days for initial findings with continuous monitoring thereafter.
What tools are used for cryptographic discovery?
Cryptographic discovery combines multiple approaches: network traffic analysis (TLS inspection, protocol scanning), static code analysis (grep-based and AST parsing), configuration audits (HSM, KMS, PKI), certificate transparency log monitoring, API endpoint scanning, and SBOM integration. Qscout26 provides 61 specialized modules across 8 categories for comprehensive coverage.
How often should I update my cryptographic inventory?
Best practice is continuous monitoring with formal reviews quarterly. At minimum, update the CBOM whenever major infrastructure changes occur, new applications deploy, or cryptographic policies change. NIST guidance and OMB M-23-02 both treat a current inventory as part of PQC migration readiness; M-23-02 requires federal agencies to resubmit theirs annually.
What's the difference between CBOM and SBOM?
SBOM (Software Bill of Materials) lists all software components and dependencies in an application. CBOM (Cryptographic Bill of Materials) specifically inventories cryptographic algorithms, keys, certificates, and related configurations. A CBOM can be derived from SBOM data but goes deeper into cryptographic implementation details that SBOM alone does not capture.
Start Your Cryptographic Discovery with Qscout26
Get your complete CBOM in 7 days. Qscout26's 61 modules automatically discover and classify cryptographic assets across your enterprise, with 15 quantum-specific checks for PQC readiness assessment.
Related Resources
Methodology & Proof Points
Board Number scoring, quantum hardware validation, and sample deliverables.
PQC Readiness Checklist
Step-by-step checklist for post-quantum migration planning.
Algorithm Reference
Quantum vulnerability status for RSA, ECC, AES, ML-KEM, ML-DSA, and more.
Assessment Services
Qscout26 rapid assessment, Qstrike26 quantum testing, Qsolve26 migration advisory.
What Is HNDL?
Complete guide to Harvest Now, Decrypt Later attacks and risk mitigation.