CONCEPT Cited by 1 source
Cryptographic Bill of Materials (CBOM)
Definition
A Cryptographic Bill of Materials (CBOM) is an inventory of all cryptographic algorithms, protocols, keys, and implementations used in a given hardware or software product — analogous to a Software Bill of Materials (SBOM) but focused on the cryptographic layer.
EO 14409 (June 2026) directs CISA and NIST to publish guidance on minimum CBOM elements within 270 days.
Limitations (Cloudflare critique)
Cloudflare argues a CBOM should not be treated as a prerequisite for action on PQC migration:
- Production latency — producing a detailed CBOM covering every algorithm in every library in every product takes an entire procurement cycle of discovery tooling and consulting.
- Staleness — by the time an exhaustive inventory is complete, the system has changed.
- Blind spots — a CBOM doesn't list systems that should be using cryptography but are not.
- Lacks context — a CBOM lists keys without understanding their purpose, making risk assessment difficult.
A CBOM lists keys without an understanding of their purpose, making them less useful for organizations trying to understand the risk associated with a quantum-vulnerable key. (Source: sources/2026-06-23-cloudflare-post-quantum-eo-milestone)
Relationship to quantum impact inventory
Cloudflare proposes concepts/quantum-impact-inventory as a more productive framing — prioritize by impact of compromise and feasibility of mitigation rather than exhaustive enumeration. Fill in the full CBOM details over time once you've already started migrating your most exposed systems.
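As an added illustration (not Cloudflare's code and not part of the EO), the sketch below contrasts the two framings: a bare CBOM record carrying only the fields the definition above names, and the same asset enriched with the purpose, data lifetime and endpoint-control context that an impact-and-feasibility ranking needs. The scoring scale, the field names and the sample inventory are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
# Public-key primitives broken by Shor's algorithm (constructed list; symmetric ciphers and hashes left out).
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "ED25519"}

@dataclass
class CbomEntry:
    """A bare CBOM record: algorithm, protocol, key and implementation, no purpose."""
    algorithm: str
    protocol: str
    key_id: str
    implementation: str

@dataclass
class ImpactEntry:
    """The same asset plus the context a CBOM lacks (fields are assumptions)."""
    cbom: CbomEntry
    purpose: str                 # "key-exchange", "data-at-rest" or "signature"
    data_lifetime_years: int     # how long the protected data must stay secret
    we_control_both_ends: bool   # can we swap the algorithm without a third party?

def is_quantum_vulnerable(entry: CbomEntry) -> bool:
    """All a bare CBOM supports: a flat yes/no per asset, with no ranking."""
    return entry.algorithm.split("-")[0].upper() in QUANTUM_VULNERABLE

def impact_score(e: ImpactEntry) -> int:
    """Impact of compromise (assumed 0-3 scale): confidentiality uses face harvest-now-
    decrypt-later today; a live-authentication signature cannot be broken retroactively."""
    if not is_quantum_vulnerable(e.cbom):
        return 0
    if e.purpose in ("key-exchange", "data-at-rest"):
        return 3 if e.data_lifetime_years >= 10 else 2
    return 1

def feasibility_score(e: ImpactEntry) -> int:
    """Feasibility of mitigation (assumed): 2 if we control both ends, else 1."""
    return 2 if e.we_control_both_ends else 1

def prioritize(entries: list[ImpactEntry]) -> list[str]:
    """Key ids ordered by impact x feasibility, highest first (stable on ties)."""
    ranked = sorted(entries, key=lambda e: impact_score(e) * feasibility_score(e), reverse=True)
    return [e.cbom.key_id for e in ranked]
# Constructed sample inventory, not taken from any real product.
SAMPLE = [
    ImpactEntry(CbomEntry("AES-256-GCM", "LUKS", "k3", "kernel dm-crypt"), "data-at-rest", 20, True),
    ImpactEntry(CbomEntry("ECDSA-P256", "TLS 1.3", "k2", "OpenSSL 3"), "signature", 1, False),
    ImpactEntry(CbomEntry("RSA-4096", "firmware signing", "k5", "HSM"), "signature", 10, False),
    ImpactEntry(CbomEntry("X25519", "TLS 1.3", "k4", "BoringSSL"), "key-exchange", 15, False),
    ImpactEntry(CbomEntry("RSA-2048", "TLS 1.2", "k1", "OpenSSL 1.1"), "key-exchange", 15, True),
]
```

Note that the bare CBOM alone flags k1, k2, k4 and k5 identically; only the added purpose and control fields separate the internal RSA key exchange protecting long-lived data (migrate first) from a firmware-signing key that only matters once a cryptographically relevant quantum computer exists.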
Seen in
- sources/2026-06-23-cloudflare-post-quantum-eo-milestone — EO directs CISA/NIST to define minimum CBOM elements; Cloudflare argues for quantum impact inventory instead