Cryptographic Bill of Materials
An open specification for enumerating cryptographic dependencies in software, infrastructure, and hardware.
{
  "cbomVersion": "1.0.0",
  "components": [
    {
      "name": "TLS-RSA-2048",
      "algorithmId": "RSA",
      "parameterSet": "2048",
      "quantumSafe": false,
      "migrationTarget": "ML-KEM-768"
    }
  ]
}
Organizations Cannot Migrate What They Cannot Enumerate
The NIST 2035 deadline requires full deprecation of classical asymmetric cryptography in National Security Systems. Migration planning requires knowing exactly what cryptography is deployed where. SBOMs enumerate software dependencies but don't capture cryptographic dependencies — algorithms, protocols, keys, certificates, and their configurations. CBOM fills this gap with a purpose-built, machine-readable format for cryptographic inventory.
How It Works
Discover
Automated scanning of source code, configurations, network endpoints, and infrastructure.
Enumerate
Standardized CBOM format captures every cryptographic component with full context.
Assess
Quantum risk, compliance status, and migration effort assessed for each component.
Migrate
Prioritized roadmap based on dependency ordering and deadline proximity.
The 2035 Deadline Is Closer Than You Think
NIST has set 2035 as the deadline for deprecating classical asymmetric cryptography in National Security Systems (CNSA 2.0). RSA must be replaced by 2030. Post-quantum migration planning starts with visibility into your current cryptographic posture.
Read the Specification →
Purpose-Built for Cryptographic Inventory
Standalone Format
Not an SBOM extension. CBOM models cryptographic components as first-class entities with their own lifecycle, independent of software updates.
Quantum Risk Assessment
Built-in fields for quantum vulnerability classification, migration effort estimation, and priority-based replacement planning.
Infrastructure Coverage
Beyond software: HSMs, TPMs, network devices, cloud KMS, certificate authorities, and protocol negotiation configurations.
Dependency Graphs
Model how cryptographic components depend on each other — cipher suites reference key exchange, bulk cipher, and hash components.
Compliance Mapping
Map components to regulatory frameworks like FedRAMP, PCI-DSS, and CMMC with per-component compliance status tracking.
Temporal Analysis
Compare CBOM snapshots over time to detect drift, track migration progress, and alert on posture changes.
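The dependency-graph and temporal-analysis ideas above, worked through in Python as an added example; this is not code from the CBOM project or its tooling. It assumes a `dependsOn` field that lists the names of the components a cipher suite or protocol configuration is built from (the page does not show such a field), and both snapshots are constructed; the remaining field names are the ones in the page's own JSON excerpt. Quantum risk is evaluated transitively, so a TLS configuration that is itself "just a configuration" is still flagged while it depends on RSA key exchange, and the roadmap lists primitives before the things built on them, matching the dependency-ordered migration the page describes.

```python
import json
from collections import deque

# Constructed snapshot "before" migration. "dependsOn" is an assumed field
# for this example; quantumSafe records the component's own algorithm
# property, and inherited risk is computed from the graph below.
CBOM_BEFORE = json.loads("""
{
  "cbomVersion": "1.0.0",
  "components": [
    {"name": "TLS-RSA-2048", "algorithmId": "RSA", "parameterSet": "2048",
     "quantumSafe": false, "migrationTarget": "ML-KEM-768"},
    {"name": "AES-128-GCM", "algorithmId": "AES", "parameterSet": "128",
     "quantumSafe": true, "migrationTarget": null},
    {"name": "SHA-256", "algorithmId": "SHA2", "parameterSet": "256",
     "quantumSafe": true, "migrationTarget": null},
    {"name": "web-frontend-tls", "algorithmId": "TLS-CONFIG", "parameterSet": null,
     "quantumSafe": true, "migrationTarget": null,
     "dependsOn": ["TLS-RSA-2048", "AES-128-GCM", "SHA-256"]}
  ]
}
""")

# Constructed snapshot "after" migration: the RSA key exchange component is
# gone, ML-KEM-768 is added, and the TLS configuration now depends on it.
CBOM_AFTER = json.loads("""
{
  "cbomVersion": "1.0.0",
  "components": [
    {"name": "ML-KEM-768", "algorithmId": "ML-KEM", "parameterSet": "768",
     "quantumSafe": true, "migrationTarget": null},
    {"name": "AES-128-GCM", "algorithmId": "AES", "parameterSet": "128",
     "quantumSafe": true, "migrationTarget": null},
    {"name": "SHA-256", "algorithmId": "SHA2", "parameterSet": "256",
     "quantumSafe": true, "migrationTarget": null},
    {"name": "web-frontend-tls", "algorithmId": "TLS-CONFIG", "parameterSet": null,
     "quantumSafe": true, "migrationTarget": null,
     "dependsOn": ["ML-KEM-768", "AES-128-GCM", "SHA-256"]}
  ]
}
""")

TRACKED = ("algorithmId", "parameterSet", "quantumSafe", "migrationTarget", "dependsOn")


def load_components(cbom):
    """Index components by name and reject dangling dependsOn references."""
    comps = {c["name"]: c for c in cbom["components"]}
    for c in comps.values():
        for dep in c.get("dependsOn", []):
            if dep not in comps:
                raise ValueError(f"{c['name']} depends on unknown component {dep}")
    return comps


def effective_quantum_safe(comps, name, _path=frozenset()):
    """True only if the component and all transitive dependencies are quantum-safe."""
    if name in _path:
        raise ValueError(f"dependency cycle through {name}")
    comp = comps[name]
    if not comp["quantumSafe"]:
        return False
    return all(effective_quantum_safe(comps, d, _path | {name})
               for d in comp.get("dependsOn", []))


def at_risk(comps):
    """Names of components that are, directly or through a dependency, not quantum-safe."""
    return sorted(n for n in comps if not effective_quantum_safe(comps, n))


def migration_roadmap(comps):
    """At-risk components in topological order: dependencies before dependents."""
    indegree = {n: len(c.get("dependsOn", [])) for n, c in comps.items()}
    dependents = {n: [] for n in comps}
    for n, c in comps.items():
        for d in c.get("dependsOn", []):
            dependents[d].append(n)
    queue = deque(sorted(n for n, k in indegree.items() if k == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for m in sorted(dependents[n]):
            indegree[m] -= 1
            if indegree[m] == 0:
                queue.append(m)
    if len(order) != len(comps):
        raise ValueError("dependency cycle detected")
    return [n for n in order if not effective_quantum_safe(comps, n)]


def diff_snapshots(before, after):
    """Drift report between two CBOM snapshots: added, removed, changed, and risk delta."""
    b, a = load_components(before), load_components(after)
    changed = {}
    for n in b.keys() & a.keys():
        delta = {f: (b[n].get(f), a[n].get(f)) for f in TRACKED if b[n].get(f) != a[n].get(f)}
        if delta:
            changed[n] = delta
    return {"added": sorted(a.keys() - b.keys()), "removed": sorted(b.keys() - a.keys()),
            "changed": changed, "at_risk_before": at_risk(b), "at_risk_after": at_risk(a)}


if __name__ == "__main__":
    print("roadmap:", migration_roadmap(load_components(CBOM_BEFORE)))
    print(json.dumps(diff_snapshots(CBOM_BEFORE, CBOM_AFTER), indent=2))
```

Run against the two constructed snapshots, the roadmap lists TLS-RSA-2048 before web-frontend-tls, and the drift report shows the RSA component removed, ML-KEM-768 added, the TLS configuration's dependencies changed, and the at-risk set dropping to empty. Feeding the report into an alerting pipeline gives the "alert on posture changes" behaviour the page describes; a newly non-empty `at_risk_after` is the condition to page on.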