CBOM: Why Every Organization Needs a Cryptographic Bill of Materials

You cannot protect what you cannot see -- why the cryptographic inventory is the foundation of PQC migration

Just as a Software Bill of Materials (SBOM) catalogs every software component in your application stack, a Cryptographic Bill of Materials (CBOM) catalogs every cryptographic asset in your organization. It answers the fundamental question: what encryption algorithms, keys, certificates, protocols, and libraries are deployed across your entire enterprise?

Without a CBOM, PQC migration is impossible. You cannot migrate what you do not know exists. You cannot prioritize what you have not inventoried. And you cannot demonstrate compliance without documentation.

India's PQC Task Force mandates CBOM generation as a core M1 deliverable. CNSA 2.0 assumes complete cryptographic visibility. And every Quantum Risk Assessment (QERA) begins with the CBOM.

What Is a CBOM?

A Cryptographic Bill of Materials is a comprehensive, machine-readable inventory of every cryptographic asset deployed within an organization. It captures:

  • Algorithms: Every encryption, hashing, signing, and key exchange algorithm in use (RSA-2048, AES-256-GCM, SHA-256, ECDH P-256, etc.)
  • Keys: All cryptographic keys, their sizes, purposes, creation dates, rotation schedules, and storage locations
  • Certificates: Every X.509 certificate, including CA certificates, server certificates, client certificates, code signing certificates, with full chain details
  • Protocols: TLS versions and cipher suites, SSH versions and algorithms, IPSec configurations, DNSSEC settings
  • Libraries: All cryptographic libraries (OpenSSL, BoringSSL, NSS, Bouncy Castle, Windows CNG), their versions, and where they are deployed
  • Hardware: HSMs, TPMs, and other cryptographic hardware with their firmware versions and algorithm support
  • Quantum classification: Each asset classified as Quantum Vulnerable, Quantum Resistant, or Quantum Safe

Think of CBOM as the "ground truth" document that tells you exactly what cryptography your organization is running, where it is running, and whether it will survive the quantum transition.

Why CBOM Matters

Shadow Cryptography

Just as shadow IT describes unauthorized technology deployments, "shadow cryptography" describes cryptographic implementations that security teams do not know about. Developers embed encryption in applications. DevOps teams configure TLS on containers. IoT vendors use proprietary protocols. Without a CBOM, these cryptographic deployments are invisible -- and unmanaged.

Compliance Evidence

Regulators and auditors will increasingly ask: "Show us your quantum readiness." The CBOM is the evidence. It demonstrates that you know what algorithms you are running, which ones are quantum-vulnerable, and what your migration plan is. The Task Force's M1 milestone specifically requires this documentation.

Migration Planning

Without knowing your starting point, you cannot plan the journey. The CBOM tells you how many systems need migration, what types of migration are required (algorithm swap, protocol upgrade, library update, hardware replacement), and what dependencies exist. It is the foundation of every cost estimate, timeline, and resource plan.

Risk Quantification

The CBOM feeds into the QERA risk scoring model, enabling quantitative risk assessment. Without it, risk assessment is guesswork.

What a CBOM Entry Looks Like

Each CBOM entry should capture the following attributes:

  • Asset ID: Unique identifier for the cryptographic asset
  • Asset type: Algorithm, key, certificate, protocol, library, or hardware
  • Algorithm details: Algorithm name, variant, key size, mode of operation
  • Location: System, application, network segment, cloud account where deployed
  • Purpose: Key exchange, encryption, signing, hashing, authentication
  • Owner: Team or individual responsible for the asset
  • Quantum status: Vulnerable, Resistant, or Safe
  • Risk score: Composite quantum risk score (0-100)
  • Data classification: Sensitivity of data protected by this asset
  • Expiry/rotation: Certificate expiry date, key rotation schedule
  • Dependencies: Other systems that depend on this cryptographic asset
  • Migration status: Not started, In progress, Completed
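A worked example of the entry shape above, added here and not QuantumVault's or the Task Force's own code: each entry carries the listed attributes, the quantum status is derived from the algorithm family and key size, and the 0-100 risk score is composed from that status plus the data classification. The classification rules, the score weights, the `CbomEntry` fields and the `INVENTORY` values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed classification rules (the page does not spell them out): classical
# public-key families fall to Shor's algorithm -> Vulnerable; symmetric ciphers
# and hashes at >= 256 bits keep >= 128-bit strength under Grover -> Resistant;
# NIST PQC families (ML-KEM, ML-DSA, SLH-DSA) -> Safe.
PQC_FAMILIES = ("ML-KEM", "ML-DSA", "SLH-DSA")
SHOR_FAMILIES = {"RSA", "ECDH", "ECDSA", "DH", "DSA", "EdDSA"}
# Assumed weights for the 0-100 composite risk score: quantum status plus the
# sensitivity of the data the asset protects.
STATUS_WEIGHT = {"Quantum Vulnerable": 70, "Quantum Resistant": 20, "Quantum Safe": 0}
DATA_WEIGHT = {"Public": 0, "Internal": 10, "Confidential": 20, "Restricted": 30}

def classify(algorithm: str, key_size: int) -> str:
    """Map an algorithm name such as 'RSA-2048' or 'AES-256-GCM' to a quantum status."""
    if algorithm.startswith(PQC_FAMILIES):
        return "Quantum Safe"
    if algorithm.split("-")[0] in SHOR_FAMILIES or key_size < 256:
        return "Quantum Vulnerable"
    return "Quantum Resistant"

@dataclass
class CbomEntry:
    asset_id: str
    asset_type: str           # algorithm, key, certificate, protocol, library, hardware
    algorithm: str
    key_size: int
    location: str
    purpose: str              # key exchange, encryption, signing, hashing, authentication
    data_classification: str
    migration_status: str = "Not started"
    quantum_status: str = field(init=False)   # derived, never typed in by hand
    risk_score: int = field(init=False)       # derived composite score

    def __post_init__(self):
        self.quantum_status = classify(self.algorithm, self.key_size)
        self.risk_score = min(100, STATUS_WEIGHT[self.quantum_status] + DATA_WEIGHT[self.data_classification])

def migration_queue(entries: list) -> list:
    """Asset IDs that need migration, highest composite risk first."""
    vulnerable = [e for e in entries if e.quantum_status == "Quantum Vulnerable"]
    return [e.asset_id for e in sorted(vulnerable, key=lambda e: -e.risk_score)]

# Constructed sample inventory, not output from any real scanner.
INVENTORY = [
    CbomEntry("CRY-001", "certificate", "RSA-2048", 2048, "api.example.internal", "signing", "Restricted"),
    CbomEntry("CRY-002", "algorithm", "AES-256-GCM", 256, "vault-db", "encryption", "Confidential"),
    CbomEntry("CRY-003", "protocol", "ECDH-P256", 256, "vpn-gw", "key exchange", "Internal"),
    CbomEntry("CRY-004", "library", "ML-KEM-768", 768, "pilot-svc", "key exchange", "Internal"),
]
```

With these weights the RSA certificate protecting restricted data scores 100 and goes to the top of the migration queue, while the ML-KEM pilot scores 10 and needs no migration.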

The Task Force CBOM Mandate

The India PQC Task Force report is unambiguous about the CBOM requirement:

Task Force M1 Requirement

"All organizations handling sensitive data shall complete a comprehensive Cryptographic Bill of Materials covering their entire digital estate by the end of FY 2026-27. The CBOM shall be maintained as a living document, updated continuously as the cryptographic estate evolves. Priority 1 sectors (BFSI, Government, Defense) shall complete their initial CBOM by Q2 FY 2026-27."

This means banks must have their CBOM ready by September 2026. Government agencies by September 2026. All other organizations by March 2027. These are not aspirational targets -- they are compliance deadlines.

Generating Your CBOM with QuantumVault

QuantumVault's Quantum Scanner automates CBOM generation through four scanning modes:

  • Network scanning: Discovers TLS certificates, SSH configurations, VPN settings, and DNSSEC records across your network without agents. Scans external and internal surfaces.
  • Agent-based scanning: Lightweight agents on servers and endpoints discover local cryptographic configurations, key stores, certificate stores, and library installations.
  • Code scanning: CI/CD pipeline integration scans source code repositories for cryptographic library imports, algorithm references, and hardcoded cryptographic parameters.
  • Cloud API scanning: Direct integration with AWS KMS, Azure Key Vault, Google Cloud KMS, and cloud certificate managers to inventory cloud-hosted cryptographic assets.

The result is a unified, searchable, continuously updated CBOM that meets the Task Force's M1 requirements. QuantumVault exports CBOM data in CycloneDX and SPDX formats for integration with existing SBOM tools and compliance workflows.

CBOM in 5 Days

A typical mid-size enterprise (5,000-20,000 employees) can generate a comprehensive initial CBOM in 3-5 business days using QuantumVault's Quantum Scanner. This includes network discovery, certificate inventory, protocol analysis, and quantum vulnerability classification. Compare this to 3-6 months for manual inventory methods.

Maintaining Your CBOM

A CBOM is only useful if it is current. Cryptographic estates change constantly as new applications are deployed, certificates are renewed, libraries are updated, and configurations are modified. QuantumVault provides:

  • Continuous scanning: Automated re-scanning at configurable intervals (daily, weekly) to detect changes
  • Change alerts: Real-time notifications when new cryptographic assets are discovered or existing ones change
  • Drift detection: Alerts when cryptographic configurations deviate from your defined policies
  • Certificate expiry tracking: Proactive alerts for upcoming certificate expirations
  • Compliance status: Continuous assessment against Task Force M1/M2/M3 requirements
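The change-alert, drift-detection and expiry-tracking checks above, shown as an added example that is not QuantumVault's code: two constructed scan snapshots are compared by asset ID, algorithms are checked against an assumed deny-list policy, and certificates expiring inside a 30-day window are flagged. The snapshot contents and the `POLICY_DENY` set are assumptions made up for the example.

```python
from datetime import date, timedelta

# Constructed snapshots (not real scan output): asset_id -> observed attributes.
PREVIOUS = {
    "CRY-001": {"algorithm": "RSA-2048", "location": "api.example.internal", "expiry": "2026-04-10"},
    "CRY-002": {"algorithm": "AES-256-GCM", "location": "vault-db", "expiry": None},
    "CRY-005": {"algorithm": "SSH-rsa-sha2-256", "location": "bastion", "expiry": None},
}
CURRENT = {
    "CRY-001": {"algorithm": "RSA-2048", "location": "api.example.internal", "expiry": "2026-04-10"},
    "CRY-002": {"algorithm": "AES-128-CBC", "location": "vault-db", "expiry": None},      # config changed
    "CRY-006": {"algorithm": "ECDSA-P256", "location": "new-svc", "expiry": "2027-01-01"},  # newly discovered
}
# Assumed policy: algorithms the organization has decided not to permit.
POLICY_DENY = {"AES-128-CBC", "RSA-1024", "SHA-1", "TLS1.0", "TLS1.1"}

def diff_snapshots(prev: dict, cur: dict) -> dict:
    """Change alerts: assets that appeared, disappeared, or changed between scans."""
    return {
        "new": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        "changed": sorted(k for k in set(prev) & set(cur) if prev[k] != cur[k]),
    }

def policy_drift(cur: dict, deny: set = POLICY_DENY) -> list:
    """Drift detection: assets whose algorithm violates the defined policy."""
    return sorted(k for k, v in cur.items() if v["algorithm"] in deny)

def expiring(cur: dict, today: date, days: int = 30) -> list:
    """Certificate expiry tracking: assets whose expiry falls within `days` of `today`."""
    horizon = today + timedelta(days=days)
    return sorted(k for k, v in cur.items()
                  if v["expiry"] and today <= date.fromisoformat(v["expiry"]) <= horizon)
```

Run against the two snapshots, the diff reports CRY-006 as new, CRY-005 as removed and CRY-002 as changed; the same CRY-002 change also trips the policy check, which is the "shadow cryptography" case the page warns about.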

Conclusion

CBOM is to PQC migration what the map is to the journey. Without it, you are navigating blindly in a landscape that is about to change dramatically. With it, you have complete visibility into your cryptographic estate, clear priorities for migration, and audit-ready evidence of compliance.

The Task Force deadline is approaching. QuantumVault can generate your CBOM in days. Start today.

Generate Your CBOM Automatically

QuantumVault's Quantum Scanner discovers and inventories your entire cryptographic estate in days, not months.


AllSecureX Research

AllSecureX Research publishes in-depth analysis on post-quantum cryptography, compliance, and enterprise PQC migration strategies.