About CBOM

The Cryptographic Bill of Materials (CBOM) is an open specification for enumerating cryptographic dependencies in software systems, infrastructure, and hardware. It provides a standardized, machine-readable format for understanding what cryptography is deployed where — the critical first step in post-quantum migration and cryptographic compliance.

Why We Built This

With NIST's 2035 deadline for deprecating classical asymmetric cryptography and CNSA 2.0 requiring post-quantum algorithms in National Security Systems by 2030, every organization needs a complete inventory of their cryptographic dependencies. Existing approaches — extending SBOM formats with cryptographic properties — fall short because cryptographic inventory has fundamentally different requirements: different lifecycle cadences, different stakeholders, infrastructure-layer coverage, and protocol negotiation complexity that software inventory formats weren't designed to handle.

Maintained By

Attested Intelligence Holdings LLC specializes in cryptographic compliance infrastructure and standards development. The company maintains the CBOM specification, the cbom.io website, and open source CBOM tooling.

Roadmap

Q1 2026 — Complete

Specification v1.0.0

  • CBOM Specification v1.0.0 published (CC-BY-4.0)
  • JSON Schema (Draft 2020-12) released
  • cbom.io documentation site launched
  • 3 example CBOM documents published

Q2 2026 — In Progress

Community & Feedback

  • Public comment period for specification
  • CycloneDX / SPDX interoperability appendices
  • Industry working group formation

Q3 2026 — Planned

Open Source Tooling

  • cbom-scan CLI: automated CBOM generation
  • TLS, source code, certificate, and cloud KMS scanners
  • GitHub Actions integration for CI/CD pipelines

Q4 2026 — Planned

Ecosystem Expansion

  • Specification v1.1.0 incorporating community feedback
  • Migration planning dashboard (open source)
  • Enterprise integration guides

Related Resources

  • mldsa.io — ML-DSA (Module-Lattice-Based Digital Signature Algorithm) resources
  • mlkem.io — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) resources

License

Contact

For specification feedback, partnership inquiries, or general questions: info@attestedintelligence.com