Misconceptions. Myths. Hype. The conversation around Cryptography Bills of Materials (CBOMs) has gained significant traction, with some presenting them as a comprehensive solution for cryptographic agility, inventories, and quantum-safe transitions. While CBOMs have their merits, the expectations placed on them often overshadow their actual capabilities. It’s time to set the record straight.
The Push for Cryptographic Inventories
Motivated by the looming quantum threat, the U.S. government has taken proactive steps to ensure organizations understand and manage their cryptographic assets. The National Security Memorandum (NSM-10) issued May 2022 placed requirements on various U.S. government and related entities to inventory and evaluate their cryptographic usage for the purpose of quantum-safe transition planning. Soon after the publication of NSM-10, the U.S. Office of Management and Budget (OMB) published additional guidance (Memorandum M-23-02) to help government agencies meet the requirements of NSM-10. This memorandum also required affected entities to report their cryptographic inventories annually — something which has proven extremely difficult using only open-source software and the tools already in place at the time of the memo’s publication.
Since the publication of NSM-10, the importance of cryptographic inventories has only become more evident. Cryptographic visibility is essential not just for government agencies but for any organization managing cryptographic risk. It is now widely recognized that a critical component of any quantum-safe transition is having visibility and analysis into how an organization uses cryptography. Even beyond the urgency of quantum preparedness, maintaining insight into cryptographic usage is fundamental to managing and strengthening an organization’s security posture — a need that continues to grow.
In recent years, CBOMs have been introduced as a way to represent cryptographic inventories and facilitate quantum-safe transitions. Moreover, they are often presented as solutions for NSM-10 and M-23-02 compliance, cryptographic agility, and addressing quantum risk. Consequently, the demand for CBOMs has been growing, with many organizations now considering CBOMs to be must-have requirements for their quantum-safe efforts.
But are CBOMs the all-in-one solution so many seem to think they are? To put it simply: no.
What CBOMs Do Well
A CBOM serves as a standardized, machine-readable model for representing information about cryptographic objects. Ideally, CBOMs can be generated, read, and expanded by various systems, enabling end-to-end processing within a workflow. The idea is to facilitate an automated (i.e., agile) approach to analyzing and managing an organization’s cryptographic posture. CBOMs are particularly useful in environments with multiple tools that generate or consume them, as they can be easily combined. Their key advantages include:
However, much of the enthusiasm around CBOMs stems from misunderstandings about their actual role.
At ISARA, we have observed a disconnect between the concrete benefits CBOMs provide and what many people perceive and expect CBOMs to provide. Although we agree that CBOMs can be useful — especially in future security architectures — we argue that much of the current hype around CBOMs is somewhat misguided.
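To make the "machine-readable and combinable" point above concrete, here is an added example (not ISARA's code, and not a real CBOM schema) that merges two constructed inventory fragments from different discovery tools into one deduplicated inventory and classifies the result for quantum-safe transition planning. The field layout (tool, assets, type, name, keySize, location) is a simplified, hypothetical structure chosen for illustration.

```python
import json
from collections import OrderedDict

# Two constructed CBOM fragments, as different discovery tools might emit them.
# The layout (tool / assets / type / name / keySize / location) is a simplified,
# hypothetical structure for illustration, not a real CBOM schema.
SCAN_FROM_SOURCE = json.dumps({"tool": "source-scanner", "assets": [
    {"type": "algorithm", "name": "RSA", "keySize": 2048, "location": "svc/auth/tls.go"},
    {"type": "algorithm", "name": "AES", "keySize": 128, "location": "svc/auth/store.go"},
]})
SCAN_FROM_NETWORK = json.dumps({"tool": "network-scanner", "assets": [
    {"type": "algorithm", "name": "RSA", "keySize": 2048, "location": "svc/auth/tls.go"},
    {"type": "algorithm", "name": "ECDH", "keySize": 256, "location": "svc/auth/tls.go"},
]})

# Public-key primitives resting on factoring or discrete logarithms are broken by
# Shor's algorithm; symmetric ciphers only lose half their key bits to Grover's.
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH"}
SYMMETRIC = {"AES", "ChaCha20"}

def merge_cboms(*documents):
    """Combine CBOM documents from several tools into one deduplicated inventory.

    Assets are keyed on (name, keySize, location); each merged entry records which
    tools observed it, so gaps in any single tool's coverage remain visible.
    """
    merged = OrderedDict()
    for doc in documents:
        cbom = json.loads(doc)
        for asset in cbom["assets"]:
            key = (asset["name"], asset["keySize"], asset["location"])
            entry = merged.setdefault(key, dict(asset, sources=[]))
            if cbom["tool"] not in entry["sources"]:
                entry["sources"].append(cbom["tool"])
    return list(merged.values())

def quantum_risk(inventory):
    """Classify each merged asset for quantum-safe transition planning."""
    findings = []
    for asset in inventory:
        if asset["name"] in QUANTUM_BROKEN:
            findings.append((asset["location"], asset["name"], "replace: no quantum-safe key size"))
        elif asset["name"] in SYMMETRIC and asset["keySize"] < 256:
            findings.append((asset["location"], asset["name"], "review: consider 256-bit keys"))
    return findings

if __name__ == "__main__":
    for finding in quantum_risk(merge_cboms(SCAN_FROM_SOURCE, SCAN_FROM_NETWORK)):
        print(*finding, sep="\t")
```

The merged inventory is only as complete as the tools feeding it, which is exactly why the CBOM format itself is a container for findings rather than a discovery capability.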
Addressing the Misconceptions
The biggest issue with CBOM discussions is the tendency to overstate their capabilities. Let’s address some common misconceptions and highlight the realities.
Moving Forward: A Balanced Perspective
CBOMs can be a useful component of a cryptographic risk management strategy. Organizations should carefully evaluate whether CBOMs add meaningful value to their security posture or if existing cryptographic posture management tools can achieve the same goals more efficiently.
Rather than viewing CBOMs as a cure-all, default solution, organizations should focus on:
By shifting the conversation from hype to practical application, we can ensure that cryptographic security efforts are grounded in reality rather than in misplaced expectations. CBOMs have a role to play — but they are not the answer to every cryptographic challenge. In a future blog post, we will examine some of the practical limitations of CBOMs and look at situations where they might not be appropriate.
For organizations looking to learn more about cryptographic posture management and how cryptographic discovery tools are critical for enabling quantum resiliency and PQC adoption, contact ISARA today.