What is a Cryptographic Bill of Materials (CBOM), and why procurement will demand one
You cannot migrate to post-quantum crypto if you do not know what crypto you use. A CBOM inventories it, and buyers are starting to require a signed one.
You cannot migrate what you cannot see. Most organizations have no complete picture of where they use cryptography: which algorithms, in which libraries, protecting which data, with what key sizes. That blindness is the single biggest obstacle to a post-quantum migration, and it is why a new artifact is entering procurement checklists: the Cryptographic Bill of Materials, or CBOM. Modeled on the software bill of materials, a CBOM (a capability of the CycloneDX 1.6 specification, which is standardized as ECMA-424) is a structured inventory of your cryptographic assets: algorithms, protocols, certificates and key material, and where each is used.
The reason it is becoming a requirement rather than a nicety is timing. NIST finalized its first post-quantum standards in August 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA), and the US CNSA 2.0 guidance sets hard expectations: new national-security systems on post-quantum algorithms by 2027, broad migration through 2030-2035. Enterprise and government buyers are beginning to ask vendors to disclose their PQC readiness, and a CBOM is the machine-readable way to answer. It lets you separate the quantum-vulnerable algorithms (RSA, ECDSA, ECDH and the other factoring- and discrete-log-based schemes) from the post-quantum ones (ML-KEM, ML-DSA) and prioritize the migration by data lifetime rather than guesswork. Data lifetime is the right yardstick because traffic protected by a vulnerable key exchange can be recorded today and decrypted once a large enough quantum computer exists: data that must stay confidential for ten years is already exposed, whereas a signature is only at risk once such a machine exists and can be re-issued with a post-quantum key before then.
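As an added example, not code from this article or from any CBOM tool, the Go program below reads a CycloneDX 1.6 CBOM, classifies each cryptographic-asset component as quantum-vulnerable, post-quantum or symmetric/hash, and assigns a migration priority from the data lifetime as the paragraph describes. The CycloneDX field names it reads (component type "cryptographic-asset", cryptoProperties.assetType, algorithmProperties.primitive, evidence.occurrences) are real; the "data:lifetime-years" property, the 2035 threat year and the sample CBOM are assumptions made for this example, since CycloneDX has no standard field for data lifetime. It goes slightly beyond the text in two ways: the classical family list also covers DH, DSA and the Edwards-curve schemes, and a signature algorithm is never marked urgent on lifetime grounds, because harvest-now-decrypt-later only threatens confidentiality.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// Subset of a CycloneDX 1.6 component: asset type, algorithm primitive, properties, evidence.
type Component struct {
	Type        string `json:"type"`
	Name        string `json:"name"`
	CryptoProps *struct {
		AssetType string                      `json:"assetType"`
		Algorithm *struct{ Primitive string } `json:"algorithmProperties"`
	} `json:"cryptoProperties"`
	Properties []struct{ Name, Value string }                        `json:"properties"`
	Evidence   *struct{ Occurrences []struct{ Location string } } `json:"evidence"`
}

type Finding struct {
	Name, Category, Priority string
	Locations                []string
}

// Shor's algorithm breaks the classical families behind these asymmetric
// primitives; symmetric ciphers and hashes are only weakened by Grover.
var asymmetric = map[string]bool{"pke": true, "signature": true, "key-agree": true, "kem": true}
var classical = regexp.MustCompile(`(?i)^(RSA|ECDSA|ECDH|ED25519|ED448|X25519|DSA|DH)`)
var postQuantum = regexp.MustCompile(`(?i)^(ML-KEM|ML-DSA|SLH-DSA)`)

func classify(c Component, nowYear, threatYear int) Finding {
	f := Finding{Name: c.Name, Category: "other", Priority: "review"}
	if c.Evidence != nil {
		for _, o := range c.Evidence.Occurrences {
			f.Locations = append(f.Locations, o.Location)
		}
	}
	// "data:lifetime-years" is a hypothetical property assumed here to record
	// how long the protected data must stay confidential.
	lifetime := 0
	for _, p := range c.Properties {
		if p.Name == "data:lifetime-years" {
			lifetime, _ = strconv.Atoi(p.Value)
		}
	}
	cp := c.CryptoProps
	if cp == nil || cp.AssetType != "algorithm" || cp.Algorithm == nil {
		return f // certificates, protocols, key material: left for manual review
	}
	prim := cp.Algorithm.Primitive
	switch {
	case postQuantum.MatchString(c.Name):
		f.Category, f.Priority = "post-quantum", "none"
	case asymmetric[prim] && classical.MatchString(c.Name):
		f.Category, f.Priority = "quantum-vulnerable", "high"
		// Confidentiality primitives face harvest-now-decrypt-later: traffic captured
		// today is readable once a CRQC exists, so the data's lifetime sets the deadline.
		if prim != "signature" && nowYear+lifetime >= threatYear {
			f.Priority = "urgent"
		}
	case !asymmetric[prim]:
		f.Category = "symmetric-or-hash" // Grover only: confirm key and digest sizes
	}
	return f
}

// Triage parses a CycloneDX CBOM and classifies every cryptographic asset in it.
func Triage(bomJSON []byte, nowYear, threatYear int) (map[string]Finding, error) {
	var bom struct{ Components []Component `json:"components"` }
	if err := json.Unmarshal(bomJSON, &bom); err != nil {
		return nil, err
	}
	out := map[string]Finding{}
	for _, c := range bom.Components {
		if c.Type == "cryptographic-asset" {
			out[c.Name] = classify(c, nowYear, threatYear)
		}
	}
	return out, nil
}

// Constructed sample CBOM for illustration, not taken from any real system.
const sampleCBOM = `{"bomFormat":"CycloneDX","specVersion":"1.6","components":[
{"type":"cryptographic-asset","name":"RSA-2048","cryptoProperties":{"assetType":"algorithm","algorithmProperties":{"primitive":"pke"}},"properties":[{"name":"data:lifetime-years","value":"15"}],"evidence":{"occurrences":[{"location":"services/records/envelope.go"}]}},
{"type":"cryptographic-asset","name":"ECDH-P256","cryptoProperties":{"assetType":"algorithm","algorithmProperties":{"primitive":"key-agree"}},"properties":[{"name":"data:lifetime-years","value":"2"}],"evidence":{"occurrences":[{"location":"gateway/tls.go"}]}},
{"type":"cryptographic-asset","name":"ECDSA-P256","cryptoProperties":{"assetType":"algorithm","algorithmProperties":{"primitive":"signature"}},"properties":[{"name":"data:lifetime-years","value":"20"}],"evidence":{"occurrences":[{"location":"build/sign.go"}]}},
{"type":"cryptographic-asset","name":"ML-KEM-768","cryptoProperties":{"assetType":"algorithm","algorithmProperties":{"primitive":"kem"}},"evidence":{"occurrences":[{"location":"gateway/tls.go"}]}},
{"type":"library","name":"openssl","version":"3.3.1"}]}`

func main() {
	findings, err := Triage([]byte(sampleCBOM), 2025, 2035)
	if err != nil {
		panic(err)
	}
	for name, f := range findings {
		fmt.Printf("%-7s %-18s %-12s %v\n", f.Priority, f.Category, name, f.Locations)
	}
}
```

With the sample input, RSA-2048 protecting fifteen-year records comes out urgent, the two-year ECDH exchange and the ECDSA signing key come out high, ML-KEM-768 needs nothing, and the plain library component is skipped because it is not a cryptographic asset. Lowering the threat year (or raising a data lifetime) promotes the matching key-exchange entries to urgent without touching the signature entries.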
There is a second, quieter requirement: the CBOM itself must be trustworthy. An inventory you can silently edit after the fact is not evidence for an auditor or a buyer. Sealing the CBOM with a signature and a timestamp issued by a party other than the signer (an RFC 3161 timestamp authority, for example) makes it tamper-evident and non-backdateable; a timestamp the signer produces itself proves nothing about when the signing happened. Doing that seal with a post-quantum signature (ML-DSA-44, the FIPS 204 standardization of Dilithium2) is the consistent choice: a compliance artifact about surviving quantum computers should not itself be secured by a signature a quantum computer will break. Be precise about scope: sealing a CBOM proves the inventory existed in that form at that time and was signed by that key; it is not an audit of whether the inventory is correct or complete, and it is not a compliance certification. ML-DSA is assessed by NIST as secure against known classical and quantum attacks, which is not the same as unbreakable. But as the honest, verifiable starting point of a PQC migration, and increasingly the thing a buyer asks to see, it is quickly becoming standard.
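The seal-and-verify step described above, as an added example that is not the page's or any vendor's code: the producer signs the digest of a canonicalized CBOM, a separate timestamp-authority key signs that digest together with the time, and the verifier recomputes everything from the CBOM it actually received, so a post-hoc edit and a moved timestamp both fail. Ed25519 from Go's standard library stands in for ML-DSA-44, which the standard library does not provide; the envelope layout does not depend on the scheme. The envelope fields, the domain-separation strings, the use of encoding/json's sorted-key output as a stand-in for RFC 8785 canonicalization, and the sample CBOM are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Seal is the detached envelope shipped next to the CBOM: the producer's signature
// binds the content, the TSA's signature binds it to a time the producer cannot pick later.
type Seal struct {
	Digest    string `json:"digest"`    // hex SHA-256 of the canonical CBOM
	SealedAt  string `json:"sealedAt"`  // RFC 3339 UTC, asserted by the TSA
	Signature string `json:"signature"` // producer key over Digest
	Timestamp string `json:"timestamp"` // TSA key over Digest and SealedAt
}

// digestOf hashes a canonical re-serialization so whitespace and key order do not
// change the digest. encoding/json sorts object keys; production should use RFC 8785.
func digestOf(cbom []byte) (string, error) {
	var v interface{}
	if err := json.Unmarshal(cbom, &v); err != nil {
		return "", err
	}
	c, _ := json.Marshal(v)
	sum := sha256.Sum256(c)
	return hex.EncodeToString(sum[:]), nil
}

// Domain-separated messages: a signature made for one role cannot be replayed as the other.
func producerMsg(digest string) []byte      { return []byte("cbom-seal-v1|" + digest) }
func tsaMsg(digest, sealedAt string) []byte { return []byte("cbom-tsa-v1|" + digest + "|" + sealedAt) }

// SealCBOM runs the producer step and the timestamp authority's attestation.
// Ed25519 stands in for ML-DSA-44 because Go's standard library has no ML-DSA.
func SealCBOM(cbom []byte, producer, tsa ed25519.PrivateKey, at time.Time) (Seal, error) {
	d, err := digestOf(cbom)
	if err != nil {
		return Seal{}, err
	}
	ts := at.UTC().Format(time.RFC3339)
	return Seal{
		Digest:    d,
		SealedAt:  ts,
		Signature: hex.EncodeToString(ed25519.Sign(producer, producerMsg(d))),
		Timestamp: hex.EncodeToString(ed25519.Sign(tsa, tsaMsg(d, ts))),
	}, nil
}

// VerifySeal is what a buyer or auditor runs with the two trusted public keys. Everything
// is recomputed from the CBOM as received, so a later edit or a changed SealedAt fails.
func VerifySeal(cbom []byte, s Seal, producerPub, tsaPub ed25519.PublicKey) error {
	d, err := digestOf(cbom)
	if err != nil {
		return err
	}
	if d != s.Digest {
		return errors.New("digest mismatch: CBOM modified after sealing")
	}
	if !verifyHex(producerPub, producerMsg(d), s.Signature) {
		return errors.New("producer signature invalid")
	}
	if !verifyHex(tsaPub, tsaMsg(d, s.SealedAt), s.Timestamp) {
		return errors.New("timestamp invalid: SealedAt altered or not issued by the TSA")
	}
	return nil
}

func verifyHex(pub ed25519.PublicKey, msg []byte, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	return err == nil && ed25519.Verify(pub, msg, sig)
}

// Constructed minimal CBOM, not from a real system.
const cbomJSON = `{"bomFormat":"CycloneDX","specVersion":"1.6","components":[{"type":"cryptographic-asset","name":"RSA-2048"}]}`

func main() {
	producerPub, producerKey, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaKey, _ := ed25519.GenerateKey(rand.Reader)
	seal, err := SealCBOM([]byte(cbomJSON), producerKey, tsaKey, time.Now())
	if err != nil {
		panic(err)
	}
	reflowed := strings.ReplaceAll(cbomJSON, ",", ",\n  ")             // same content, new layout: ok
	edited := strings.ReplaceAll(cbomJSON, "RSA-2048", "ML-KEM-768") // changed content: rejected
	backdated := seal                                                // moved timestamp: rejected
	backdated.SealedAt = "2023-01-01T00:00:00Z"
	fmt.Println("reflowed: ", VerifySeal([]byte(reflowed), seal, producerPub, tsaPub))
	fmt.Println("edited:   ", VerifySeal([]byte(edited), seal, producerPub, tsaPub))
	fmt.Println("backdated:", VerifySeal([]byte(cbomJSON), backdated, producerPub, tsaPub))
}
```

The two keys are deliberately held by different parties: if the producer controlled the timestamp key it could re-seal an edited inventory with any date it liked, which is exactly the backdating the seal is meant to rule out. Verification takes the public keys as parameters rather than reading them from the envelope for the same reason; an envelope that names its own trust anchors verifies against anything.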
Try it yourself — live, free, verifiable in 30 seconds:
Seal your CBOM (PQC-signed) →