Cryptography underpins every secure transaction, communication, and identity verification process. As organizations race to modernize their security posture, understanding what cryptographic components exist within their systems, and how they are configured, is critical.
Enter the Cryptographic Bill of Materials (CBOM), a concept that builds on the widely known Software Bill of Materials (SBOM) by focusing specifically on the cryptographic capabilities embedded in software applications.
What Is a Cryptographic Bill of Materials?
A CBOM is a structured inventory of the cryptographic elements built into a software application. It lists critical components such as:
- Algorithms (e.g., AES-256, RSA-2048)
- Libraries (e.g., OpenSSL, Bouncy Castle)
- Keys and supported key sizes (e.g., RSA-2048, ECC-384)
By formalizing this information, a CBOM establishes an initial understanding of a software version’s cryptographic architecture.
This visibility aids in identifying potential vulnerabilities or misalignments with security standards and supports audits and compliance with frameworks like NIST.
The Limitations of CBOM for Cryptographic Visibility
While a CBOM provides valuable insights, it has inherent limitations:
- Static view: A CBOM reflects built-in capabilities but does not capture how software is configured or used in a specific organization.
- Lack of operational data: It won’t indicate whether an organization is using SHA-1 or SHA-256, even if both algorithms are supported.
- Deployment blind spots: Configuration details, key provisioning, and updates are not captured.
In short, a CBOM alone cannot provide a full picture of an organization’s cryptographic posture.
Moving Beyond CBOM: Building a Cryptographic Inventory
A comprehensive cryptographic inventory extends far beyond static software capabilities. It captures every cryptographic asset and operation across the enterprise, including:
- Keys, certificates, and secrets
- Algorithms, ciphers, and protocols
- Keystores and libraries
- Policies, vulnerabilities, and dependencies
This inventory should document:
- Built-in capabilities of software and hardware.
- Organization-specific configurations (e.g., which algorithms are enabled, key rotation policies).
- Operational usage (e.g., how cryptography is applied to protect sensitive data).
For example, it might detail that a server uses an HSM to store TLS keys rotated every 90 days, or specify the cipher suites enabled on a web server to ensure alignment with organizational policies.
CBOM and Cryptographic Inventory: Complementary, Not Competitive
A CBOM and a cryptographic inventory work best together:
- Scope: CBOM focuses on built-in cryptographic capabilities; inventory covers the broader enterprise landscape, including configurations and usage.
- Purpose: CBOM aids in identifying potential weaknesses in software releases; inventory supports holistic cryptographic risk management.
- Data Sources: CBOM is derived from source code; inventory requires collecting data from heterogeneous systems and environments.
- Dynamic Updates: CBOM is tied to software releases; inventory must evolve continuously with infrastructure changes.
- Policy Insights: CBOM identifies weaknesses; inventory provides compliance insights across the digital ecosystem.
By integrating both, organizations gain a full-spectrum view of their cryptographic posture, which is critical for vulnerability management, compliance, and preparing for challenges like post-quantum cryptography.
Why This Matters Now
As threats evolve and compliance frameworks tighten, organizations must shift from reactive cryptographic management to proactive cryptographic posture management.
CBOM provides a crucial building block, but the ultimate goal is a living, organization-wide cryptographic inventory that enables continuous visibility, risk prioritization, and remediation.
This approach positions organizations to confidently address today’s vulnerabilities and prepare for tomorrow’s challenges, such as quantum computing, without costly replatforming or downtime.
Key Takeaway
A CBOM is necessary but not sufficient. It provides essential insight into what cryptographic components are present in your software, but it must be operationalized within a broader cryptographic inventory to deliver true security and compliance value.
Next Steps
Start by assessing whether your organization maintains a CBOM and how it integrates with your wider cryptographic management practices. From there, explore solutions that support both static capability mapping and dynamic inventory for ongoing risk reduction and compliance.
