Tags: cbom, post-quantum, crypto-agility

What is a Cryptographic Bill of Materials (CBOM), and why procurement will demand one

You cannot migrate to post-quantum crypto if you do not know what crypto you use. A CBOM inventories it, and buyers are starting to require a signed one.

You cannot migrate what you cannot see. Most organizations have no complete picture of where they use cryptography: which algorithms, in which libraries, protecting which data, with what key sizes. That blindness is the single biggest obstacle to a post-quantum migration, and it is why a new artifact is entering procurement checklists: the Cryptographic Bill of Materials, or CBOM. Modeled on the software bill of materials, a CBOM (standardized as a CycloneDX profile, ECMA-424) is a structured inventory of your cryptographic assets: algorithms, protocols, certificates, and where each is used.

The reason it is becoming a requirement, not a nicety, is timing. NIST finalized the post-quantum standards in 2024, and the US CNSA 2.0 guidance sets hard expectations: new national-security systems on post-quantum algorithms by 2027, broad migration through 2030-2035. Enterprise and government buyers are beginning to ask vendors to disclose their PQC readiness, and a CBOM is the machine-readable way to answer. A CBOM lets you find your quantum-vulnerable algorithms (RSA, ECDSA, ECDH) versus the post-quantum ones (ML-KEM, ML-DSA) and prioritize the migration by data lifetime rather than guesswork.
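To make the triage step concrete, here is an added example (not code from the original post or from any CBOM tool) that reads a constructed CycloneDX 1.6 CBOM, separates quantum-vulnerable public-key assets from post-quantum ones, and ranks the vulnerable ones by how long the protected data must stay confidential. The `data-lifetime-years` property name, the migration window and the years-to-CRQC figure are assumptions for this example.

```python
"""Triage a CycloneDX 1.6 CBOM: split cryptographic assets into quantum-vulnerable
vs post-quantum, then rank the vulnerable ones by data lifetime (Mosca-style:
shelf life + migration time compared with years until a relevant quantum computer)."""
import json

# Constructed sample CBOM (not from any real product). Key names follow the
# CycloneDX 1.6 cryptographic-asset schema; "data-lifetime-years" is an assumed
# custom property used only to carry the data-lifetime input for this example.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "signature", "parameterSetIdentifier": "2048"}},
         "properties": [{"name": "data-lifetime-years", "value": "12"}]},
        {"type": "cryptographic-asset", "name": "ECDH-P256",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "key-agree", "parameterSetIdentifier": "P-256"}},
         "properties": [{"name": "data-lifetime-years", "value": "1"}]},
        {"type": "cryptographic-asset", "name": "ML-DSA-44",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "signature", "parameterSetIdentifier": "44"}}},
        {"type": "library", "name": "openssl", "version": "3.0.13"},  # not a crypto asset
    ]})

# Public-key families broken by Shor's algorithm vs. the NIST PQC standards (FIPS 203/204/205).
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH", "DSA", "DH-", "EDDSA", "ED25519")
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")

def classify(name):
    n = name.upper()
    if n.startswith(POST_QUANTUM):
        return "post-quantum"
    if n.startswith(QUANTUM_VULNERABLE):
        return "quantum-vulnerable"
    return "review"  # symmetric/hash or unknown: not Shor-broken, but check key/digest sizes

def triage(cbom_json, migration_years=3, years_to_crqc=10):
    """Return {asset name: (classification, priority)} for every cryptographic asset."""
    out = {}
    for c in json.loads(cbom_json).get("components", []):
        if c.get("type") != "cryptographic-asset":
            continue
        cls = classify(c["name"])
        props = {p["name"]: p["value"] for p in c.get("properties", [])}
        lifetime = int(props.get("data-lifetime-years", 0))
        if cls == "quantum-vulnerable" and lifetime + migration_years > years_to_crqc:
            prio = "urgent"   # data outlives the window: harvest-now-decrypt-later exposure
        elif cls == "quantum-vulnerable":
            prio = "planned"
        else:
            prio = "none"
        out[c["name"]] = (cls, prio)
    return out
```

Run `triage(SAMPLE_CBOM)` to get the per-asset classification; assets tagged `review` are the symmetric and hash primitives a CBOM still has to list but which need a key-size check rather than a replacement.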

There is a second, quieter requirement: the CBOM itself must be trustworthy. An inventory you can silently edit after the fact is not evidence for an auditor or a buyer. Sealing the CBOM with a signature and an independent timestamp makes it tamper-evident and non-backdateable. Doing that seal with a post-quantum signature (Dilithium-2, NIST FIPS 204) is the consistent choice: a compliance artifact about surviving quantum computers should not itself be secured by a signature a quantum computer will break. Be precise about scope: sealing a CBOM proves the inventory existed in that form at that time and was signed by that key; it is not an audit of whether the inventory is correct or complete, and it is not a compliance certification. It is resistant to known classical and quantum attacks per NIST, not unbreakable. But as the honest, verifiable starting point of a PQC migration, and increasingly the thing a buyer asks to see, it is quickly becoming standard.

FRACTAL AI S.A.S. · Honest claim: resistant to all known classical & quantum attacks per NIST FIPS 203/204 — not “unbreakable”.