What is a CBOM (Cryptography Bill of Materials)?
A CBOM is a machine-readable inventory of the cryptography in your software — every algorithm, key, certificate, and protocol, plus whether it's quantum-vulnerable. It's the crypto-focused cousin of an SBOM, and the CycloneDX standard defines the common format.
You've probably heard of an SBOM — a Software Bill of Materials listing your dependencies. A CBOM does the same thing for cryptography specifically, and it has become the foundational artifact of post-quantum migration.
What's in a CBOM
A CBOM catalogs your cryptographic assets and their properties:
- Algorithms — RSA, ECDSA, AES, SHA-256, etc., with their primitive type (signature, key-agreement, hash…) and parameters.
- Quantum status — each algorithm's nistQuantumSecurityLevel, an integer from 0 to 6 that follows the NIST post-quantum security strength categories. 0 means no quantum security, i.e. the algorithm is broken by a sufficiently large quantum computer; a missing value means "unknown", not "safe".
- Keys and certificates — where they live, how they're used, and which algorithm they depend on (a certificate is only as quantum-safe as the algorithm that signed it).
- Evidence — for source-derived CBOMs, the exact file and line where an algorithm is used.
The standard: CycloneDX
The most widely adopted CBOM format is CycloneDX (an OWASP project, now also standardized as ECMA-424). CycloneDX 1.6 added a first-class cryptographic-asset component type carrying a cryptoProperties block that describes an algorithm, certificate, key material or protocol, so a CBOM is just a CycloneDX document whose components are crypto assets. That means it drops straight into the same SBOM tooling and pipelines your security team already uses.
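As an added example (not part of the original page, and not the generator this page links to), here is a small Python reader for a CycloneDX 1.6 CBOM. The document it parses is a constructed sample, not the output of a real scan; the bom-ref naming and the vulnerable/ok/unknown labels are this example's own conventions, not CycloneDX's. It shows the shape of a cryptographic-asset component, uses nistQuantumSecurityLevel to judge algorithms, propagates that judgement to the certificate and private key that reference the algorithm, and reports a missing level as unknown rather than quietly treating it as safe.

```python
"""Parse a CycloneDX 1.6 CBOM and flag quantum-vulnerable cryptographic assets."""
import json

# Constructed sample CBOM for illustration; not the output of any real scan.
SAMPLE_CBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [
    {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "crypto/algorithm/rsa-2048",
     "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.1.1.11",
       "algorithmProperties": {"primitive": "signature", "parameterSetIdentifier": "2048",
                               "cryptoFunctions": ["sign", "verify"], "nistQuantumSecurityLevel": 0}},
     "evidence": {"occurrences": [{"location": "src/auth/token.py", "line": 42}]}},
    {"type": "cryptographic-asset", "name": "AES-256-GCM", "bom-ref": "crypto/algorithm/aes-256-gcm",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "256",
                               "cryptoFunctions": ["encrypt", "decrypt"], "nistQuantumSecurityLevel": 5}}},
    {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "crypto/algorithm/ml-kem-768",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "kem", "parameterSetIdentifier": "768",
                               "cryptoFunctions": ["encapsulate", "decapsulate"], "nistQuantumSecurityLevel": 3}}},
    {"type": "cryptographic-asset", "name": "MD5", "bom-ref": "crypto/algorithm/md5",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "hash", "cryptoFunctions": ["digest"]}}},
    {"type": "cryptographic-asset", "name": "api.example.com leaf certificate",
     "bom-ref": "crypto/certificate/api.example.com",
     "cryptoProperties": {"assetType": "certificate",
       "certificateProperties": {"subjectName": "CN=api.example.com",
                                 "notValidAfter": "2026-01-01T00:00:00Z",
                                 "signatureAlgorithmRef": "crypto/algorithm/rsa-2048"}}},
    {"type": "cryptographic-asset", "name": "API signing key", "bom-ref": "crypto/key/api-signing",
     "cryptoProperties": {"assetType": "related-crypto-material",
       "relatedCryptoMaterialProperties": {"type": "private-key", "size": 2048,
                                           "algorithmRef": "crypto/algorithm/rsa-2048"}}}
  ]
}
"""


def load_cbom(text):
    """Parse JSON and check it is a CycloneDX document new enough to carry cryptoProperties (1.6+)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    major, minor = (int(x) for x in doc.get("specVersion", "0.0").split(".")[:2])
    if (major, minor) < (1, 6):
        raise ValueError(f"specVersion {doc['specVersion']} predates cryptographic-asset support (1.6)")
    return doc


def crypto_assets(cbom):
    """Map bom-ref -> component for every cryptographic-asset component."""
    return {c["bom-ref"]: c for c in cbom.get("components", [])
            if c.get("type") == "cryptographic-asset" and "bom-ref" in c}


def classify(cbom):
    """Return {bom-ref: 'vulnerable' | 'ok' | 'unknown'} (labels are this example's own).

    Algorithms are judged by nistQuantumSecurityLevel (0 = no quantum security).
    Certificates and key material inherit the status of the algorithm they reference,
    so a cert signed with RSA is flagged even though the cert itself carries no level.
    A missing level is reported as 'unknown', never silently treated as safe.
    """
    assets = crypto_assets(cbom)
    status = {}
    for ref, comp in assets.items():          # first pass: algorithms
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") == "algorithm":
            level = props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel")
            status[ref] = "unknown" if level is None else ("vulnerable" if level == 0 else "ok")
    for ref, comp in assets.items():          # second pass: assets that point at an algorithm
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") == "certificate":
            dep = props.get("certificateProperties", {}).get("signatureAlgorithmRef")
        elif props.get("assetType") == "related-crypto-material":
            dep = props.get("relatedCryptoMaterialProperties", {}).get("algorithmRef")
        else:
            continue                          # protocols etc. are out of scope for this example
        status[ref] = status.get(dep, "unknown")
    return status


def findings(cbom):
    """One line per asset that is not 'ok', with file:line evidence when the CBOM records it."""
    assets = crypto_assets(cbom)
    out = []
    for ref, state in classify(cbom).items():
        if state == "ok":
            continue
        comp = assets[ref]
        occurrences = comp.get("evidence", {}).get("occurrences", [])
        where = ", ".join(f"{o.get('location')}:{o.get('line')}" for o in occurrences) or "no location evidence"
        out.append(f"[{state.upper()}] {comp['name']} ({ref}) at {where}")
    return out


if __name__ == "__main__":
    for line in findings(load_cbom(SAMPLE_CBOM_JSON)):
        print(line)
```

Running it against the sample lists RSA-2048 (with its src/auth/token.py:42 evidence), MD5 as unknown because the scanner recorded no level, and both the certificate and the private key as vulnerable purely by reference to RSA-2048. That last point is why the inventory has to link assets to algorithms rather than list them flat: the migration work item is the RSA dependency, and the cert and key are where it is deployed.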
Why auditors and buyers want one
You cannot migrate off quantum-vulnerable cryptography until you know where it is. That's why a cryptographic inventory is the first thing NIST IR 8547 (Transition to Post-Quantum Cryptography Standards) and federal guidance such as OMB M-23-02 call for, and increasingly the first thing a security questionnaire or vendor due-diligence process asks of you. A standard, machine-readable CBOM is how you answer that question credibly instead of with a spreadsheet someone hand-built.
Generate a CycloneDX CBOM from a real repo scan — free, downloadable.
Generate a CBOM →