Cryptography Bill of Materials (CBOM)


Discover, manage and report on cryptography in preparation for quantum safe systems and applications

A Cryptography Bill of Materials (CBOM) describes cryptographic assets and their dependencies. Discovering, managing, and reporting on cryptographic assets is the necessary first step on the migration journey to quantum-safe systems and applications. Cryptography is typically buried deep within the components used to compose and build systems and applications. As part of a crypto-agility approach, organizations should seek to understand which cryptographic assets they are using and to assess their risk posture, which provides a starting point for mitigation.

BOM With Embedded Cryptographic Assets

CycloneDX supports embedding cryptographic assets into an existing SBOM or HBOM. The benefit of this approach is that a single dependency graph can include all software and hardware components, their dependencies, and which components provide which cryptographic capabilities.
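The following is an added example, not code from the CycloneDX project, that shows what the embedded approach looks like in practice: a small CycloneDX 1.6 BOM (constructed inline; component names, versions and bom-ref values are illustrative) in which an application depends on a TLS library that in turn depends on two cryptographic-asset components. The script walks the dependency graph and reports which software components transitively rely on an algorithm whose `nistQuantumSecurityLevel` is 0 or unstated, which is the kind of inventory-and-report step the text describes. Treating a missing level as "not assessed" is this example's own convention, not a rule from the specification.

```python
"""Walk a CycloneDX 1.6 BOM with embedded cryptographic assets and report
which software components depend on algorithms not assessed as quantum-safe.

Constructed example data: component names, versions and bom-ref values
are illustrative. Field names follow the CycloneDX 1.6 cryptoProperties
schema (assetType, algorithmProperties, nistQuantumSecurityLevel, oid)."""
import json

SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [
    {"type": "application", "bom-ref": "app", "name": "example-app", "version": "1.0.0"},
    {"type": "library", "bom-ref": "lib-tls", "name": "example-tls-lib", "version": "3.0.0"},
    {"type": "cryptographic-asset", "bom-ref": "alg-rsa2048", "name": "RSA-2048",
     "cryptoProperties": {
       "assetType": "algorithm",
       "algorithmProperties": {
         "primitive": "signature",
         "parameterSetIdentifier": "2048",
         "cryptoFunctions": ["sign", "verify"],
         "nistQuantumSecurityLevel": 0
       },
       "oid": "1.2.840.113549.1.1.1"
     }},
    {"type": "cryptographic-asset", "bom-ref": "alg-aes256gcm", "name": "AES-256-GCM",
     "cryptoProperties": {
       "assetType": "algorithm",
       "algorithmProperties": {
         "primitive": "ae",
         "parameterSetIdentifier": "256",
         "mode": "gcm",
         "cryptoFunctions": ["encrypt", "decrypt"],
         "nistQuantumSecurityLevel": 5
       },
       "oid": "2.16.840.1.101.3.4.1.46"
     }}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-tls"]},
    {"ref": "lib-tls", "dependsOn": ["alg-rsa2048", "alg-aes256gcm"]}
  ]
}
""")


def index_components(bom):
    """Map bom-ref -> component for every component that carries a bom-ref."""
    return {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}


def dependency_graph(bom):
    """Map bom-ref -> list of bom-refs it directly depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def transitive_deps(graph, ref):
    """All bom-refs reachable from ref through the dependency graph (ref excluded)."""
    seen, stack = set(), [ref]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def not_quantum_safe_algorithms(bom):
    """bom-refs of algorithm assets whose NIST quantum security level is 0 or absent.

    Example convention: an unstated level is reported as 'not assessed'."""
    flagged = set()
    for ref, comp in index_components(bom).items():
        props = comp.get("cryptoProperties")
        if not props or props.get("assetType") != "algorithm":
            continue
        level = props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel")
        if level is None or level == 0:
            flagged.add(ref)
    return flagged


def report(bom):
    """Map each non-crypto component to the names of flagged algorithms it reaches."""
    comps = index_components(bom)
    graph = dependency_graph(bom)
    flagged = not_quantum_safe_algorithms(bom)
    result = {}
    for ref, comp in comps.items():
        if comp.get("type") == "cryptographic-asset":
            continue
        hits = sorted(transitive_deps(graph, ref) & flagged)
        if hits:
            result[ref] = [comps[h]["name"] for h in hits]
    return result


if __name__ == "__main__":
    for ref, algs in report(SAMPLE_BOM).items():
        print(f"{ref}: depends on {', '.join(algs)}")
```

Because the algorithms are ordinary components in the same graph as the software, the report reaches them by the same traversal used for any other dependency; no separate join between an SBOM and a CBOM is needed.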

[Figure: BOM With Embedded CBOM]

Independent SBOM and CBOM

To facilitate cryptographic agility, an SBOM or HBOM and a CBOM may also be maintained as independent documents, with the CBOM optionally specifying the configuration used to enable or disable cryptographic features and functions.

[Figure: Independent SBOM and CBOM Document]

High-Level Object Model

[Figure: CycloneDX Object Model Swimlane]

Examples

BOMs demonstrating CBOM capabilities can be found at https://github.com/CycloneDX/bom-examples.
