Quantum computing can solve certain mathematical problems at much greater speeds than classical computers -- opening a world of opportunities for many industries. The collateral damage, however, is that longstanding asymmetric cryptographic algorithms, such as RSA, will become crackable.

It might be five to 10 years away, but NIST and the National Security Agency advise organizations to begin their post-quantum cryptography (PQC) migrations now. This will not only help prevent "harvest now, decrypt later" attacks, but also ensure organizations are prepared cryptographically once quantum computing goes mainstream.

A key step in improving quantum security hygiene and starting a PQC migration is inventorying all cryptographic systems in use, determining how they interact with the organization's software and understanding which might need updating for a PQC world. This process creates a cryptographic bill of materials (CBOM).

What is a CBOM?

A CBOM is a complete inventory of the cryptographic assets in all the open source, proprietary and commercial software a company uses. It records exactly where an organization uses cryptography currently and where it has used it in the past, and it helps assess where it could need to in the future. CBOMs enable organizations to do the following:

Identify and monitor where cryptographic algorithms are used.
Analyze whether current standards are suitable.
Decide which algorithms need updating and when.
Achieve or improve crypto-agility.
Ensure compliance with industry regulations.

In addition, CBOMs are especially useful when planning a PQC migration. Organizations can map which assets might be vulnerable once quantum computing is widespread, accurately determine their risk posture and then make risk management decisions.
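As an added illustration (not code from the original article), the script below builds a minimal CBOM from a constructed asset inventory and tags each entry with a quantum-risk rating, so the inventory can directly drive the "migrate first" decision described above. The asset names, locations and record layout are all constructed for the example and do not follow any standard CBOM schema.

```python
# Constructed example: assets and record layout are made up; the risk rules
# encode well-known facts about Shor's and Grover's algorithms.
from dataclasses import dataclass, asdict
import json

# Public-key algorithms broken by Shor's algorithm on a large quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# NIST post-quantum standards (FIPS 203/204/205).
PQC_ALGORITHMS = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric and hash primitives: Grover's algorithm roughly halves their strength.
SYMMETRIC = {"AES", "ChaCha20", "SHA-256", "SHA-3", "HMAC"}

@dataclass
class CryptoAsset:
    name: str       # what the asset is, e.g. "TLS server certificate"
    location: str   # hypothetical service/path where it is used
    algorithm: str
    key_bits: int   # key size, or PQC parameter set number for ML-KEM etc.

def quantum_risk(asset: CryptoAsset) -> str:
    """Rate one asset as 'high', 'medium', 'low' or 'unknown'."""
    if asset.algorithm in SHOR_VULNERABLE:
        return "high"        # needs a PQC replacement such as ML-KEM / ML-DSA
    if asset.algorithm in PQC_ALGORITHMS:
        return "low"
    if asset.algorithm in SYMMETRIC:
        # Grover leaves ~key_bits/2 effective bits; 256-bit keys keep a 128-bit margin.
        return "low" if asset.key_bits >= 256 else "medium"
    return "unknown"         # unrecognised primitive: review manually

def build_cbom(assets):
    """Return a CBOM dict: every asset with its risk, plus a migration priority list."""
    entries = []
    for a in assets:
        entry = asdict(a)
        entry["quantum_risk"] = quantum_risk(a)
        entries.append(entry)
    priority = [e["name"] for e in entries if e["quantum_risk"] == "high"]
    return {"cbom_version": "example-1", "assets": entries, "migrate_first": priority}

INVENTORY = [  # constructed sample data
    CryptoAsset("TLS server certificate", "svc/api-gateway", "RSA", 2048),
    CryptoAsset("Code-signing key", "ci/release-pipeline", "ECDSA", 256),
    CryptoAsset("Database encryption at rest", "db/customer", "AES", 128),
    CryptoAsset("Backup encryption", "storage/backups", "AES", 256),
    CryptoAsset("Pilot KEM for VPN", "net/vpn-pilot", "ML-KEM", 768),
]

if __name__ == "__main__":
    print(json.dumps(build_cbom(INVENTORY), indent=2))
```

Running it lists the RSA certificate and the ECDSA signing key under "migrate_first", flags AES-128 as reduced-margin, and leaves AES-256 and the ML-KEM pilot as low risk.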

CBOM vs. SBOM

A CBOM is an extension of the software bill of materials. An SBOM is a structured list of all the software an organization uses, broken out by its constituent parts. SBOMs help organizations understand every software component, library and dependency in use, as well as the potential security risks each might introduce. A CBOM is an additional layer on top of an SBOM that details an organization's cryptographic assets, including hardware, firmware and software components.