Back
Cookies Notice
This site uses cookies to deliver services and to analyze traffic.
CBOM
← Back to
glossary
← Back
to
glossary
What Is CBOM?
A cryptographic bill of materials (CBOM) is a structured inventory of all cryptographic assets used within a software application, system, or infrastructure. It catalogs encryption algorithms, key lengths, certificate configurations, hashing functions, protocol versions, and the libraries that implement them. The goal is to give organizations a clear, queryable record of how and where cryptography is applied across their software portfolio.
CBOMs have gained urgency as organizations prepare for post-quantum cryptography migration. Knowing which cryptographic primitives are in use, and where, is a prerequisite for assessing exposure to quantum-capable attacks and planning algorithm transitions without breaking production systems.
CBOM vs SBOM and Other BOM Types
A software bill of materials (SBOM) catalogs the components that make up a piece of software: open-source libraries, third-party packages, and their dependency relationships. It answers the question “what is this software built from?” A CBOM answers a different question: “what cryptographic mechanisms does this software use, and how are they configured?”
The table below shows how CBOM relates to other BOM types:
| BOM Type | Focus | Primary Use Cases |
| SBOM | Software components and dependencies | Vulnerability management, license compliance, supply chain risk |
| CBOM | Cryptographic algorithms, keys, certificates, protocols | Crypto-agility, quantum readiness, compliance with cryptographic standards |
| HBOM | Hardware components and firmware | Supply chain integrity, firmware vulnerability tracking |
| PBOM | Pipeline artifacts, build tools, and processes | Build provenance and completeness |
SBOMs and CBOMs are complementary. An SBOM might identify that an application uses OpenSSL 3.1, but only a CBOM reveals which specific algorithms, cipher suites, and key configurations that OpenSSL instance is using. Organizations building a practical SBOM program should consider extending their inventory practices to include CBOM data for complete supply chain visibility.
Related Content: PBOM vs. SBOM
What a CBOM Includes
A comprehensive CBOM captures cryptographic usage across multiple layers of the application stack. The core elements include:
- Algorithms and cipher suites: Every symmetric encryption algorithm (AES-256, ChaCha20), asymmetric algorithm (RSA-2048, ECDSA P-256), and hashing function (SHA-256, SHA-3) in use, along with the specific cipher suites configured for TLS and other protocols.
- Key material metadata: Key lengths, key generation methods, rotation schedules, and storage locations. The CBOM does not store actual keys, only the metadata needed to assess cryptographic strength and lifecycle management.
- Certificates: X.509 certificates, their issuers, validity periods, signature algorithms, and where they are deployed. This includes both public-facing TLS certificates and internal certificates used for service-to-service authentication.
- Protocol versions: TLS versions, SSH configurations, IPsec settings, and other protocol-level cryptographic choices that affect transport security.
- Cryptographic libraries: The specific libraries implementing cryptographic operations (OpenSSL, BoringSSL, libsodium, platform-native APIs), their versions, and their locations in the codebase or runtime environment.
- Configuration context: Where each cryptographic asset is used, which application or service depends on it, and whether it meets current organizational and regulatory standards.
CBOM security depends on keeping this inventory accurate and current. Static snapshots go stale quickly, especially in environments where infrastructure is provisioned dynamically and configurations change with every deployment.
CBOM Use Cases and Benefits
A well-maintained CBOM enables several high-value security and compliance outcomes:
- Post-quantum readiness: Quantum computers will eventually break RSA, ECC, and other widely used asymmetric algorithms. A CBOM lets organizations identify every instance of vulnerable cryptography and plan migration to quantum-resistant alternatives like ML-KEM or ML-DSA. Without a CBOM, teams are blind to the scope of the transition.
- Crypto-agility: The ability to swap cryptographic algorithms quickly when vulnerabilities are discovered or standards change. A CBOM provides the map needed to execute algorithm rotations across a large portfolio without missing instances buried in legacy code or third-party dependencies.
- Compliance and audit: Regulations like PCI DSS, HIPAA, and FedRAMP include specific cryptographic requirements. A CBOM provides auditable evidence of compliance by documenting which algorithms and key lengths are in use and where deprecated primitives still exist.
- Vulnerability response: When a cryptographic vulnerability is disclosed (like the Heartbleed bug in OpenSSL, or weaknesses in specific hash functions), a CBOM enables rapid impact assessment. Teams can query the inventory to find every affected component and prioritize remediation.
- Certificate lifecycle management: Tracking certificate expiration, renewal schedules, and issuer relationships prevents outages caused by expired certificates and reduces risk from certificates signed with deprecated algorithms.
For organizations scaling their CBOM certification and compliance efforts, automating CBOM generation from source code, container images, and cloud workloads is essential. Manual inventory approaches cannot keep pace with modern deployment velocity.
FAQs
How is a CBOM different from a traditional Software Bill of Materials (SBOM)?
An SBOM lists software components and dependencies. A CBOM specifically inventories cryptographic assets: algorithms, keys, certificates, and protocols used within those components.
Which cryptographic assets and metadata should always be captured in a CBOM?
At minimum: encryption algorithms, key lengths, hashing functions, certificate details, protocol versions, cryptographic library versions, and the application context where each asset is used.
How can organizations automatically generate CBOMs from source code, containers, and cloud workloads?
Automated tools scan codebases for cryptographic API calls, analyze container images for library versions and configurations, and query cloud services for TLS and certificate settings to build the inventory.
Why is a CBOM important for post-quantum cryptography planning and crypto-agility?
A CBOM reveals every instance of quantum-vulnerable cryptography across the portfolio, enabling teams to scope migration efforts, prioritize high-risk systems, and execute algorithm transitions methodically.
Who owns CBOM governance in a typical organization: AppSec, crypto teams, or platform engineering?
Ownership varies, but it typically falls to a cross-functional group. Platform engineering generates the data, AppSec integrates it into risk workflows, and a dedicated crypto or compliance team sets policy.
See Apiiro in action
Meet with our team of application security experts and learn how Apiiro is transforming the way modern applications and software supply chains are secured. Supporting the world’s brightest application security and development teams: