
CBOM vs. CycloneDX Crypto Extension: Complementary, Not Competing

Attested Intelligence Holdings LLC

A common question when people first encounter CBOM: "CycloneDX 1.6 already has crypto properties. Why do we need another format?" It's a fair question, and the answer matters because getting cryptographic inventory right is too important to get wrong by choosing the wrong tool.

What CycloneDX Does Well

CycloneDX is an excellent SBOM format. Version 1.6 added a cryptoProperties extension that allows tagging software components with their cryptographic characteristics — algorithm names, primitives, parameter sets, certification levels, and protocol bindings. For organizations that already generate CycloneDX SBOMs, this extension provides basic crypto visibility with zero additional tooling.

If your needs are simple — "what crypto libraries does this application use?" — CycloneDX's extension may be sufficient.

Where a Standalone Format Adds Value

The limitations emerge when cryptographic inventory needs go beyond software component tagging:

Lifecycle independence. Cryptographic components change on a different cadence than software. A NIST deprecation announcement changes your crypto posture without changing your software. An OpenSSL upgrade changes your SBOM without necessarily changing your crypto posture. Coupling these inventories creates noise in both directions.

Infrastructure coverage. HSMs, TPMs, network device configurations, certificate authorities, cloud KMS services — much of an organization's cryptographic surface area lives outside the software stack entirely. SBOM formats, by design, model software components.

Migration planning. Post-quantum migration requires fields that don't belong in an SBOM: replacement references, migration effort estimation, dependency-ordered migration sequences, quantum vulnerability classification, and temporal posture comparison.

Protocol negotiation. TLS cipher suite configuration is an ordered preference list with runtime negotiation. Modeling what a server is willing to accept vs. what it actually negotiates requires first-class protocol binding support.

The Coexistence Model

CBOM and CycloneDX are complementary layers, not competing formats:

  • CycloneDX SBOM answers: "What software do we run, and what are its dependencies?"
  • CBOM answers: "What cryptography do we use, where is it deployed, and what needs to change?"

CBOM includes an explicit sbomReference field for cross-referencing CycloneDX or SPDX documents. A CBOM component can point to the SBOM component that implements it. They link together without duplicating data.
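As an added illustration (not code from the CBOM specification or from Attested Intelligence), here is a cross-reference check that resolves each CBOM component's sbomReference against one or more CycloneDX 1.6 documents and reports links that are missing, dangling, too coarse, or inconsistent. The CycloneDX shapes follow the 1.6 schema; the CBOM field names (algorithm, sbomReference.document, sbomReference.bomRef) and all sample data are assumptions constructed for the example.

```python
# Constructed sample data, not a real product BOM. CycloneDX 1.6 shapes ("cryptographic-asset"
# type, cryptoProperties) follow the 1.6 schema; CBOM field names here are assumptions.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/openssl@3.0.13", "name": "openssl"},
        {"type": "cryptographic-asset", "bom-ref": "crypto/aes-256-gcm", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "256"}}},
    ],
}
CBOM = {
    "components": [
        # Deployed on a TLS server; links to the SBOM asset that implements it.
        {"name": "web-tls-bulk-cipher", "algorithm": "AES-256-GCM",
         "sbomReference": {"document": SBOM["serialNumber"], "bomRef": "crypto/aes-256-gcm"}},
        # Lives in an HSM: there is no software component to point at, which is expected.
        {"name": "hsm-signing-key", "algorithm": "RSA-2048"},
        # Points at a library rather than a cryptographic-asset: the link is too coarse.
        {"name": "legacy-kex", "algorithm": "ECDH-P256",
         "sbomReference": {"document": SBOM["serialNumber"], "bomRef": "pkg:generic/openssl@3.0.13"}},
        {"name": "stale-link", "algorithm": "AES-128-GCM",
         "sbomReference": {"document": SBOM["serialNumber"], "bomRef": "crypto/aes-128-gcm"}},
    ],
}

def index_sboms(sboms):  # (serialNumber, bom-ref) -> component, across several documents
    return {(s.get("serialNumber"), c["bom-ref"]): c
            for s in sboms for c in s.get("components", []) if "bom-ref" in c}

def check_cross_references(cbom, sboms):
    """Resolve each CBOM sbomReference; return {cbom component name: status}."""
    index, report = index_sboms(sboms), {}
    for comp in cbom.get("components", []):
        ref = comp.get("sbomReference")
        target = index.get((ref.get("document"), ref.get("bomRef"))) if ref else None
        if ref is None:
            status = "unlinked"      # infrastructure asset with no software counterpart
        elif target is None:
            status = "dangling"      # SBOM regenerated, or wrong document referenced
        elif target.get("type") != "cryptographic-asset":
            status = "wrong-type"    # should link to the asset, not the whole library
        elif target.get("name", "").lower() != comp.get("algorithm", "").lower():
            status = "mismatch"      # the two inventories disagree about the algorithm
        else:
            status = "resolved"
        report[comp["name"]] = status
    return report
```

Run as a CI step after either document is regenerated: an "unlinked" status is normal for HSM, TPM or KMS assets, while "dangling" and "mismatch" are the cases where the two inventories have drifted apart.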

Choose Both

For organizations serious about both software supply chain security and post-quantum migration readiness: generate SBOMs for your software supply chain, generate CBOMs for your cryptographic posture, and cross-reference them. Each format is purpose-built for its domain.

The full interoperability mapping between CBOM and CycloneDX 1.6 is documented in Appendix B of the specification.