Cryptographic bill of materials (CBOM)

A cryptographic bill of materials (CBOM) is a machine-readable inventory of the cryptographic assets a system uses: algorithms, protocols, keys, certificates, and the libraries that implement them, together with their dependencies. It extends the software bill of materials (SBOM) idea to the details that matter for cryptographic migration.

What it records

A CBOM captures each algorithm and parameter set in use (for example RSA-2048 or ML-KEM-768), where it appears in the codebase and infrastructure, and how components depend on one another. The CycloneDX standard defines a CBOM format so tools can generate and exchange these inventories automatically.

Role in migration

A CBOM is the durable output of a Cryptographic inventory and the data that makes Cryptographic agility actionable: teams cannot replace what they cannot see. NIST migration guidance treats a complete inventory as the first step, because it lets planners locate quantum-vulnerable algorithms and prioritize their replacement with Post-quantum cryptography.

Sources

  1. CycloneDX Cryptography Bill of Materials (CBOM) (CycloneDX, 2024)
  2. Migration to Post-Quantum Cryptography (NIST NCCoE, 2024)
Cite this entry
"Cryptographic bill of materials (CBOM)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/cbom@misc{pqwiki-cbom, title = {Cryptographic bill of materials (CBOM)}, howpublished = {\url{https://postquantum.wiki/cbom}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }