Beyond the CBOM Hype: Setting the Record Straight

Misconceptions. Myths. Hype. The conversation around Cryptography Bills of Materials (CBOMs) has gained significant traction, with some presenting them as a comprehensive solution for cryptographic agility, inventories, and quantum-safe transitions. While CBOMs have their merits, the expectations placed on them often overshadow their actual capabilities. It’s time to set the record straight. 

The Push for Cryptographic Inventories
Motivated by the looming quantum threat, the U.S. government has taken proactive steps to ensure organizations understand and manage their cryptographic assets. The National Security Memorandum (NSM-10) issued May 2022 placed requirements on various U.S. government and related entities to inventory and evaluate their cryptographic usage for the purpose of quantum-safe transition planning. Soon after the publication of NSM-10, the U.S. Office of Management and Budget (OMB) published additional guidance (Memorandum M-23-02) to help government agencies meet the requirements of NSM-10. This memorandum also required affected entities to report their cryptographic inventories annually — something which has proven extremely difficult using only open-source software and the tools already in place at the time of the memo’s publication.

Since the publication of NSM-10, the importance of cryptographic inventories has only become more evident. Cryptographic visibility is essential not just for government agencies but for any organization managing cryptographic risk. It is now widely recognized that a critical component of any quantum-safe transition is having visibility and analysis into how an organization uses cryptography. Even beyond the urgency of quantum preparedness, maintaining insight into cryptographic usage is fundamental to managing and strengthening an organization’s security posture — a need that continues to grow. 

In recent years, CBOMs have been introduced as a way to represent cryptographic inventories and facilitate quantum-safe transitions. Moreover, they are often presented as solutions for NSM-10 and M-23-02 compliance, cryptographic agility, and addressing quantum risk. Consequently, the demand for CBOMs has been growing, with many organizations now considering CBOMs to be must-have requirements for their quantum-safe efforts.

But are CBOMs the all-in-one solution so many seem to think they are? To put it simply: no.

What CBOMs Do Well
A CBOM serves as a standardized, machine-readable model for representing information about cryptographic objects. Ideally, CBOMs can be generated, read, and expanded by various systems, enabling end-to-end processing within a workflow. The idea is to facilitate an automated (i.e., agile) approach to analyzing and managing an organization’s cryptographic posture. CBOMs are particularly useful in environments with multiple tools that generate or consume them, as the outputs of those tools can be easily combined. Their key advantages include:

  • Standardization. CBOMs provide a consistent format for documenting cryptographic assets.
  • Automation. When integrated with the right tools, CBOMs can support automated cryptographic management processes.
  • Extensibility. When included within Software Bills of Materials (SBOMs), they can enhance supply chain security and compliance tracking.
  • Dependencies. Their structured format can help organizations document cryptographic dependencies (if including SBOM data), aiding management efforts. 

However, much of the enthusiasm around CBOMs stems from misunderstandings about their actual role.

At ISARA, we have observed a disconnect between the concrete benefits CBOMs provide and what many people perceive and expect CBOMs to provide. Although we agree that CBOMs can be useful — especially in future security architectures — we argue that much of the current hype around CBOMs is somewhat misguided. 

Addressing the Misconceptions
The biggest issue with CBOM discussions is the tendency to overstate their capabilities. Let’s address some common misconceptions and highlight the realities.

  1. Cryptographic Inventories Don’t Come from CBOMs
    A CBOM is not a discovery tool. It is merely a way to represent information about cryptographic assets. That is, they do not generate cryptographic inventories; they only store cryptographic data provided by other tools. 

    Too often, when describing CBOMs, people or articles will state the importance of having an inventory and immediately conclude that organizations need CBOMs. This line of thinking entirely misses the fact that the inventory must still come from elsewhere.

  2. CBOMs Do Not Ensure Cryptographic Agility
    CBOMs alone do not grant crypto agility — they can’t. CBOMs would only be a component of a broader cryptographically agile architecture. Such an architecture would comprise various other systems and processes, many of which might require the ability to process CBOMs. This means that crypto agile architectures (automated or otherwise) will be complex. If an organization intends to use CBOMs to achieve crypto agility, that surrounding architecture must still be designed and implemented.

    Too many CBOM discussions sweep this complexity under the rug and perpetuate the misconception that CBOMs enable agility. Crypto agility is important, and we expect to see robust agile architectures emerge more and more in the future. Even so, simply possessing a CBOM does not mean an organization can easily transition between cryptographic standards.

  3. CBOMs Do Not Provide Comprehensive Visibility
    Again, a CBOM is a way to represent information. The accuracy and comprehensiveness of a CBOM depend entirely on the quality of the data sources used to construct it. If the discovery process is flawed or incomplete, the CBOM will reflect those gaps.

    It has become dangerously common for CBOMs to be described as comprehensive inventories of cryptographic assets — as though they are comprehensive by definition. Organizations cannot assume that a CBOM automatically provides a full picture of their cryptographic landscape.

  4. CBOMs Are Not Essential for Quantum Readiness
    While cryptographic inventories are crucial for managing one’s cryptographic posture and planning their quantum-safe transition, there is no real reason why that inventory must be represented as a CBOM. Cryptographic posture management tools can provide the same insights — sometimes more efficiently — without requiring CBOM adoption. In fact, the use of CBOMs on top of cryptographic discovery tools can add complexity and increase costs.

    Here, we can see how one misconception leads to another. By equating CBOMs with (comprehensive) inventories, people are erroneously led to believe that CBOMs are necessary for managing their quantum risk and transitioning to post-quantum cryptography. In practice, the tools used to gather the inventory data can themselves analyze the cryptography, initiate workflows for actioning, create reports for leadership, etc., all without using CBOMs. 
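The following is an added illustration (not ISARA's code, and not any particular CBOM standard) of the points made under "What CBOMs Do Well" and in misconceptions 1 and 3: a toy discovery step scans constructed sample lines, only what it recognises ends up in the CBOM it emits, and CBOMs from two tools can be merged because they share one format. The sample lines, the recognition table and the simplified document shape are all assumptions for the example.

```python
import json
import re

# Constructed sample input: lines a discovery scanner might pull from configs
# and source files. Not from any real codebase; assumed for illustration.
SAMPLE_FINDINGS = [
    "server.tls.key_exchange = RSA-2048",
    "digest = hashlib.sha1(payload).hexdigest()",
    "kem = ML-KEM-768",
    "sig = vendor_crypto.sign(opts)  # hypothetical wrapper; algorithm chosen at runtime",
]

# Everything this toy discovery step knows how to recognise. Anything outside
# this table is invisible to it, and therefore absent from the CBOM it emits.
KNOWN = {
    "RSA-2048":   ("pke",  "RSA",    "2048", False),
    "sha1":       ("hash", "SHA-1",  None,   False),
    "ML-KEM-768": ("kem",  "ML-KEM", "768",  True),
}

def discover(lines):
    """Map recognised algorithm tokens to asset records; unmatched lines yield nothing."""
    assets = []
    for line in lines:
        for token, (primitive, name, params, pq_safe) in KNOWN.items():
            if re.search(re.escape(token), line):
                assets.append({"name": name, "primitive": primitive,
                               "parameterSet": params, "quantumSafe": pq_safe,
                               "evidence": line.strip()})
    return assets

def to_cbom(assets, tool):
    """Wrap discovery output in a simplified CBOM-style document (assumed shape)."""
    return {"bomFormat": "CBOM-example", "tool": tool,
            "components": [{"type": "cryptographic-asset", **a} for a in assets]}

def merge_cboms(*cboms):
    """Combine CBOMs from several tools, de-duplicating on (name, parameterSet, evidence)."""
    seen, merged = set(), []
    for cbom in cboms:
        for comp in cbom["components"]:
            key = (comp["name"], comp["parameterSet"], comp["evidence"])
            if key not in seen:
                seen.add(key)
                merged.append(comp)
    return {"bomFormat": "CBOM-example", "tool": "merged", "components": merged}

def non_quantum_safe(cbom):
    """Names of recorded assets flagged as not quantum-safe; blind spots never appear here."""
    return sorted({c["name"] for c in cbom["components"] if not c["quantumSafe"]})

if __name__ == "__main__":
    cbom = to_cbom(discover(SAMPLE_FINDINGS), "toy-scanner")
    print(json.dumps(cbom, indent=2))
    print("lines scanned:", len(SAMPLE_FINDINGS), "assets recorded:", len(cbom["components"]))
```

The fourth sample line, where the algorithm is selected at runtime, never reaches the CBOM: the document faithfully records the three assets the scanner recognised and says nothing about the one it missed.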

Moving Forward: A Balanced Perspective
CBOMs can be a useful component of a cryptographic risk management strategy. Organizations should carefully evaluate whether CBOMs add meaningful value to their security posture or if existing cryptographic posture management tools can achieve the same goals more efficiently.

Rather than viewing CBOMs as a cure-all, default solution, organizations should focus on:

  • Enhancing Cryptographic Discovery. Invest in robust tools that accurately identify cryptographic assets.
  • Automating Remediation. Ensure that security workflows can act on cryptographic insights in real time.
  • Integrating with Broader Security Strategies. Use CBOMs where they genuinely add value but avoid unnecessary complexity.

By shifting the conversation from hype to practical application, we can ensure that cryptographic security efforts are grounded in reality rather than in misplaced expectations. CBOMs have a role to play — but they are not the answer to every cryptographic challenge. In a future blog post, we will examine some of the practical limitations of CBOMs and look at situations where they might not be appropriate.

For organizations looking to learn more about cryptographic posture management and how cryptographic discovery tools are critical for enabling quantum resiliency and PQC adoption, contact ISARA today.