Build a Cryptographic Bill of Materials, Not Just a Spreadsheet of Certificates

A practical design for a continuously maintained cryptographic bill of materials that connects algorithms, keys, protocols, components, data, owners, and post-quantum migration decisions.

Edilec Research Updated 2026-07-13 Cybersecurity

A cryptographic bill of materials is useful only when it answers operational questions: which business service depends on a vulnerable algorithm, where the implementation comes from, what data or function it protects, who can change it, and whether a replacement has been tested. A certificate spreadsheet answers only a narrow subset. It misses hard-coded algorithms, library defaults, application protocols, firmware verification, code-signing formats, hardware security modules, API gateways, partner connections, and cryptography hidden inside purchased products. That omission becomes expensive during a post-quantum migration because teams discover dependencies only after a protocol or key change breaks production.

The NIST NCCoE migration project describes cryptographic inventory as a record of algorithms, protocols, keys, certificates, systems, components, and protected data, without storing secret key material. Joint CISA, NSA, and NIST guidance similarly calls for discovery across network protocols, endpoints, servers, application libraries, firmware, update mechanisms, and CI/CD pipelines. Treat those categories as the minimum coverage model, then connect them in a machine-readable CBOM that can change with the estate.

Define the decisions the CBOM must support

Start with decisions, not fields. A PQC program needs to rank migrations, identify systems that cannot accept a larger key or signature, contact suppliers, plan dual-algorithm operation, and prove that old cryptography has been removed. Incident responders may need to find every service using a compromised library or certificate authority. Architects need to detect policy exceptions. Asset owners need upcoming certificate, key, and product end-of-support dates. Write these queries as acceptance tests for the inventory. If the proposed data model cannot answer them with attributable evidence, adding more scanner output will not make the CBOM complete.

DecisionRequired relationshipsEvidenceAction produced
Prioritize PQC workData lifetime, exposure, algorithm, service criticalityData classification and observed crypto useRanked migration backlog
Replace a libraryComponent version, consumers, API, build artifactSBOM, build manifest, runtime traceCompatibility test set
Respond to deprecationAlgorithm, key length, protocol, policy exceptionConfiguration and handshake observationsOwner and deadline
Manage a supplierProduct, vendor, embedded crypto, support releaseSupplier CBOM and contract evidenceUpgrade or exit decision
Prove completionOld and new states, deployment, validation resultScan history and change recordSigned closure evidence

Design a relational CBOM data model

CycloneDX CBOM dependency graph linking an nginx application through libssl and TLS 1.2 to algorithms, a certificate, and referenced key material
CycloneDX models cryptographic dependencies as relationships: the application depends on a library that provides a protocol, whose algorithms, certificate, and key references remain separate connected assets.

Model entities separately so one observation does not become an overloaded row. Useful entities include business service, deployable asset, software component, cryptographic primitive, protocol, key or certificate metadata, cryptographic operation, protected data class, external counterparty, supplier, environment, owner, and discovery observation. Relationships carry the meaning: a service uses a component; the component invokes an algorithm for a named operation; that operation protects a data flow; a certificate chains to an issuer; a supplier supports a replacement in a particular release. Keep provenance, collection time, confidence, and last verification on every observation.

Six-stage CBOM control loop from decision scope through data modeling, multi-plane discovery, reconciliation, migration action, and continuous refresh
The CBOM control loop connects observed cryptography to services, data, owners, and verified migration states.

Do not place private keys, symmetric keys, seeds, recovery material, or sensitive plaintext in the CBOM. Store identifiers and management metadata: key type, size, purpose, owning vault or HSM, non-secret fingerprint, rotation state, and reference to the authoritative system. The CycloneDX CBOM capability provides structured representations for algorithms, certificates, protocols, and related cryptographic assets. Use a standard where it fits, but preserve local links to services, data classifications, owners, findings, and migration work because those relationships turn component facts into risk decisions.

Collect evidence from multiple planes

No single discovery technique sees the whole system. Static source and binary analysis can find algorithm calls and bundled libraries but may miss dynamically selected providers. Configuration collection sees enabled suites but not necessarily negotiated use. Network observation reveals actual handshakes but misses dormant disaster-recovery paths and internal cryptography. Certificate management systems know issuance and expiry but not every consumer. HSM and cloud key-management inventories reveal managed keys, while build manifests reveal dependencies. Supplier attestations are essential for appliances and SaaS, yet should be tagged as declared rather than observed evidence. Reconcile these planes instead of declaring one tool authoritative for all fields.

Evidence planeStrong coverageCommon blind spotReconciliation key
Source and binary scanCalls, constants, bundled providersRuntime selection and remote servicesRepository, component, build digest
Runtime and networkNegotiated protocols and active endpointsDormant paths and payload encryptionAsset, process, destination
PKI and key managementCertificates, managed keys, lifecycleUnmanaged stores and application semanticsFingerprint or key reference
Configuration managementAllowed suites and policyActual use and local overridesAsset and configuration version
Supplier evidenceEmbedded product and roadmap claimsLocal configuration and evidence freshnessProduct version and contract
Manual architecture reviewBusiness purpose and protected dataRapid drift and technical detailService and accountable owner

Normalize observations and score confidence

Normalize algorithm names, object identifiers, protocol versions, key sizes, certificate fingerprints, component identifiers, and environment labels before deduplication. RSA may appear as a library symbol, certificate public-key algorithm, SSH host-key type, or policy label; those are related observations, not interchangeable facts. Retain raw evidence for audit, map it to a canonical taxonomy, and record whether use is configured, observed, inferred, or supplier-declared. A confidence score should drive follow-up, never hide uncertainty. Conflicting observations become work items: for example, a scanner finds RSA code while production telemetry shows only ML-KEM-enabled test traffic.

Connect every finding to migration state

Inventory without workflow decays into reporting theatre. Add a migration state such as discovered, validated, risk-assessed, target selected, dependency blocked, pilot scheduled, dual-operation, production migrated, legacy disabled, and independently verified. Record the target standard and profile, not merely the word quantum-safe. The NIST PQC project is the authoritative source for standardized algorithms and updates; local profiles must still specify protocol integration, parameters, provider validation, interoperability, and fallback policy. Link each state change to a ticket, change record, test result, approver, and review date.

Operate the CBOM as a continuous control

Generate CBOM fragments during builds, ingest cloud and PKI changes, observe selected protocols at runtime, and reconcile supplier updates on a schedule. Event-driven updates should follow a new component version, certificate issuance, algorithm-policy change, architecture release, asset retirement, or vendor roadmap revision. Measure coverage by critical service and evidence plane, stale observations, unowned findings, conflicting records, and time from discovery to validated disposition. Snapshot signed exports for audits and migration milestones, while keeping the operational graph current. A spreadsheet may remain a convenient review view, but it should be a projection of governed records rather than the system of truth.

Phase CBOM delivery around useful evidence

Begin with two critical services and trace transport, signing, and stored-data cryptography from business purpose to observed implementation. Confirm canonical identifiers, provenance, ownership, data links, and refresh events before connecting more scanners. Next, automate build, PKI, cloud key-management, and network observations; route conflicts to service owners instead of silently choosing one source. Add supplier records only with product versions, evidence dates, and local configuration links. A service is onboarded when its owner validates relationships, evidence-plane blind spots are explicit, material findings have migration states, and change events refresh the record. Expand coverage by business criticality, then use stale observations, unknown owners, unresolved conflicts, and verified legacy removal as governance metrics. This sequencing proves that the CBOM supports real decisions before volume makes an inadequate model costly to replace.

Govern schema changes as carefully as scanner changes. A new field should have a decision use, source, validation rule, steward, and compatibility plan. Restrict access because the graph can reveal critical systems and trust relationships even without secrets. Test exports for accidental key material and sensitive topology. Back up the inventory, rehearse restore, and sign milestone snapshots so auditors can distinguish what was known at a past date from later discovery. When an asset retires, preserve enough history to explain earlier risk and evidence while removing obsolete operational access. These controls make the CBOM itself a dependable security system.

Cryptographic bill of materials key takeaways

  • Define the migration, deprecation, incident, and supplier decisions before selecting fields or tools.
  • Represent algorithms, operations, components, keys, protocols, data, services, owners, and counterparties as linked entities.
  • Combine static, runtime, configuration, PKI, key-management, architecture, and supplier evidence.
  • Keep secret material out of the CBOM while retaining non-secret lifecycle and provenance metadata.
  • Turn every material finding into an owned migration state with tests and closure evidence.
  • Measure critical-service coverage and freshness, not the raw number of discovered cryptographic objects.

Cryptographic bill of materials FAQ

Is a CBOM the same as an SBOM? No. An SBOM identifies software components and dependencies. A CBOM represents cryptographic assets and use. The two should link because a component may implement or invoke cryptography, but neither replaces the other.

Should certificates be included? Yes, with non-secret metadata, chains, uses, consumers, expiry, and management references. They are one class of cryptographic asset, not the boundary of the inventory.

How complete must the first release be? Complete enough to expose uncertainty. Begin with critical services and high-value data, document evidence-plane coverage and blind spots, then expand through automated collection and owner validation.

Conclusion

A defensible CBOM is a living map from cryptographic implementation to business consequence and change authority. Build it from multiple evidence planes, preserve provenance, make uncertainty visible, and connect records to migration workflow. That design supports PQC planning today and the next emergency algorithm transition without forcing the organization to rediscover its cryptography under pressure.

Continue with related articles

Crypto Agility Roadmap: Build the Capability to Change Cryptography Safely

Create a repeatable way to discover, authorize, test, deploy, verify, and retire cryptographic mechanisms across applications, protocols, hardware, vendors, and partners.

Cybersecurity · Myth: Quantum computers will soon break all encryption. Reality: Current quantum computers lack the power to break modern encryption, but the threat is real and growing. Businesses must act now to prepare for future quantum threats without waiting for quantum computers to become viable.