
How to create a CBOM for quantum readiness
Quantum is on the horizon -- is your organization ready to migrate to post-quantum cryptographic algorithms? Make a CBOM to understand where risky encryption algorithms are used.
Quantum computing can solve certain mathematical problems at much greater speeds than classical computers -- opening a world of opportunities for many industries. The collateral damage, however, is that longstanding asymmetric cryptographic algorithms, such as RSA, will become crackable.
It might be five to 10 years away, but NIST and the National Security Agency advise organizations to begin their post-quantum cryptography (PQC) migrations now. This will not only help prevent "harvest now, decrypt later" attacks, but also ensure organizations are prepared cryptographically once quantum computing goes mainstream.
A key step in improving quantum security hygiene and starting a PQC migration is inventorying all cryptographic systems in use, determining how they interact with the organization's software and understanding which might need updating for a PQC world. This process creates a cryptographic bill of materials (CBOM).
What is a CBOM?
A CBOM is a complete inventory of the open source, proprietary and commercial software a company uses, built to understand its cryptographic assets. It records exactly where an organization uses cryptography currently and where it has used it in the past, and it helps assess where it might need to in the future.
CBOMs enable organizations to do the following:
- Identify and monitor where cryptographic algorithms are used.
- Analyze whether current standards are suitable.
- Decide which algorithms need updating and when.
- Achieve or improve crypto-agility.
- Ensure compliance with industry regulations.
In addition, CBOMs are especially useful when planning a PQC migration. Organizations can map which assets might be vulnerable once quantum computing is widespread, accurately determine their risk posture and then make risk management decisions.
CBOM vs. SBOM
A CBOM is an extension of the software bill of materials. An SBOM is a structured list of all the software an organization uses, broken out by its constituent parts. SBOMs help organizations understand every software component, library and dependency in use, as well as the potential security risks each might introduce.
A CBOM is an additional layer on top of an SBOM that details an organization's cryptographic assets, including hardware, firmware and software components.
How to create a CBOM
When constructing a CBOM, first consider the scope. Use current asset-tracking databases and SBOMs, or start developing these if they don't exist. The scope could include finding every cryptographic asset or, when preparing for quantum readiness, it can be limited to assets known to use PKI.
After inventorying assets comes the most time-consuming step: discovering which encryption algorithms every single component of every system uses. SBOM tools can help speed up this process. For example, CycloneDX has added CBOM capabilities to its SBOM standard to track cryptographic components.
A CBOM should contain everything an SBOM includes -- software components, libraries, code dependencies, patch history, suppliers, version numbers, licenses, etc. -- plus the following:
- Cryptographic algorithms and key lengths.
- Cryptographic dependencies.
- Compliance with cryptographic standards.
- Cryptographic certificates and their expiration dates.
- Cryptographic keys and their states.
- Security protocols and policies.
If using a CBOM for quantum readiness, after completing an asset inventory and mapping algorithms in use, it's time to perform a risk assessment for each asset in a post-quantum world. This will be a long process, which is why NIST has advised organizations to start now. Many assets, especially legacy applications, might have cryptographic algorithms that cannot be upgraded easily or even at all -- for example, if they are hardcoded into IoT devices.
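As an added illustration of the CycloneDX CBOM mentioned earlier and of the post-quantum risk assessment described above (example code, not from the article), the following Python triage reads a constructed CycloneDX-style CBOM and flags asymmetric algorithm assets whose recorded NIST quantum security level is 0, certificates signed with them, algorithms whose level the inventory does not record at all, and certificates expiring within a chosen horizon. The cryptoProperties field names follow my reading of the CycloneDX 1.6 CBOM schema and are an assumption, as is all of the sample data.

```python
from datetime import datetime, timedelta, timezone

# Asymmetric primitive classes (CycloneDX 1.6 names, an assumption); RSA/ECC/DH parameter sets here are what Shor's algorithm breaks.
ASYMMETRIC = {"pke", "signature", "key-agree", "kem"}

def assess(cbom, now, cert_horizon_days=365):  # triage a CycloneDX-style CBOM for PQC migration
    report = {"quantum_vulnerable": [], "needs_review": [], "expiring_certs": []}
    assets = [c for c in cbom.get("components", []) if c.get("type") == "cryptographic-asset"]
    weak_refs = set()  # bom-refs of algorithms flagged as quantum-vulnerable
    for c in assets:   # pass 1: algorithms, so certificates can be matched against them below
        props = c.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        alg = props.get("algorithmProperties", {})
        level = alg.get("nistQuantumSecurityLevel")
        if alg.get("primitive") in ASYMMETRIC and level == 0:
            report["quantum_vulnerable"].append(c["name"])
            weak_refs.add(c.get("bom-ref", ""))
        elif level is None:  # inventory gap: the CBOM does not record the level
            report["needs_review"].append(c["name"])
    for c in assets:   # pass 2: certificates signed with a weak algorithm, or expiring soon
        props = c.get("cryptoProperties", {})
        if props.get("assetType") != "certificate":
            continue
        cert = props.get("certificateProperties", {})
        if cert.get("signatureAlgorithmRef") in weak_refs:
            report["quantum_vulnerable"].append(c["name"])
        if cert.get("notValidAfter"):
            expiry = datetime.fromisoformat(cert["notValidAfter"].replace("Z", "+00:00"))
            if expiry - now < timedelta(days=cert_horizon_days):
                report["expiring_certs"].append(c["name"])
    return report

def _alg(name, ref, primitive, level):  # constructed component; level=None models an unrecorded field
    return {"type": "cryptographic-asset", "name": name, "bom-ref": ref, "cryptoProperties":
            {"assetType": "algorithm", "algorithmProperties": {"primitive": primitive, "nistQuantumSecurityLevel": level}}}

# Constructed sample CBOM (not a real inventory): classical RSA, AES, a PQC KEM, an unrecorded level, a TLS cert.
SAMPLE_CBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    _alg("RSA-2048", "alg:rsa2048", "pke", 0),
    _alg("AES-256-GCM", "alg:aes256", "ae", 5),
    _alg("ML-KEM-768", "alg:mlkem768", "kem", 3),
    _alg("legacy-ecdsa-p256", "alg:ecdsa", "signature", None),
    {"type": "cryptographic-asset", "name": "api.example.test TLS certificate", "bom-ref": "cert:api",
     "cryptoProperties": {"assetType": "certificate", "certificateProperties": {
         "signatureAlgorithmRef": "alg:rsa2048", "notValidAfter": "2025-01-31T00:00:00Z"}}}]}

def assess_sample():  # fixed "now" so the result is reproducible
    return assess(SAMPLE_CBOM, now=datetime(2024, 6, 1, tzinfo=timezone.utc))
```

The "needs_review" bucket is the important one in practice: an asset whose quantum level the CBOM cannot state is an inventory gap to close before the risk assessment can be trusted.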
Part of the risk management process involves asking vendors if and when they will support PQC. Organizations must then determine if they need to switch vendors and products to be able to adopt PQC in time. This also helps organizations understand the cost implications of an organization-wide PQC migration.
With a completed CBOM, organizations can accurately analyze software in use for PQC and determine where to implement quantum-safe software first and what can wait.
Remember, a CBOM is a living document. Organizations must continually update it as new software is added or removed to ensure they maintain cryptographic -- and soon, PQC -- security.
Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.