US Government Is Working on CBOMs But Discovery and Inventories Are a Local Problem
In a significant move towards enhancing cyber security, particularly in light of impending advancements in quantum computing, the U.S. government is making strides in the development of Cryptographic Bill of Materials (CBOMs). This initiative aims to create a comprehensive inventory of cryptographic components used by organizations. Unlike conventional Software Bills of Materials (SBOMs) that detail software components, a CBOM focuses specifically on the cryptographic algorithms employed and their compliance with post-quantum standards.
On June 22, an executive order issued by President Donald Trump mandated U.S. federal agencies to outline the basic elements of a CBOM. Many enterprises are questioning whether the deadlines set by the U.S. will set a global precedent for such frameworks, similar to how the General Data Protection Regulation (GDPR) established itself as an international benchmark for privacy protection back in 2018. However, experts in the industry express skepticism regarding this notion, emphasizing the necessity for a universally accepted language surrounding CBOMs, which would facilitate clearer communication and compliance across sectors.
The executive order delineates responsibilities for both the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), granting them until March 2027 to define the critical components that must be included in an organization’s cryptographic inventory. Furthermore, it involves the Secretary of State coordinating with NIST to engage with foreign governments and key industry sectors to promote the adoption of NIST-standardized post-quantum cryptographic algorithms.
Organizations across various industries are gearing up for what is being referred to as "Q-Day," the day when quantum computers may possess the capability to breach current public-key cryptography mechanisms. Yet, during discussions with industry practitioners about post-quantum cryptography, two key issues frequently arise. Firstly, there is a consensus that each organizational environment is unique, indicating that a one-size-fits-all solution could falter. Secondly, the specifics of both "what" should be included in a CBOM and "how" to achieve compliance may not be perfectly outlined by regulatory bodies.
Steve Vaile, a consulting director for the EMEA region at Applied Quantum, articulated that while the CBOM standard will define necessary components, it stops short of providing guidance on acquisition strategies. He remarked, “The CBOM standard simply tells what you need to have. It does not talk about how to get it.” The "what" aspect, comprising the data fields necessary for a thorough cryptographic inventory, is expected to be straightforward to standardize. This consensus on the fundamentals of quantum readiness may lead businesses outside the U.S. to evaluate the American SBOM approach and adopt it independently, primarily due to the impracticality of reinventing data models in today’s resource-constrained security budgets.
Conversely, the "how" relates to the challenge of uncovering every certificate and identifying legacy algorithms embedded within outdated code. Missteps in this area could lead to substantial costs for organizations. The complexity of discovery is particularly pronounced for established enterprises operating with legacy infrastructures, as noted by Matous Vambersky, a consultant specializing in post-quantum cryptography. He relayed that many of his EMEA clients are proactively aligning with NIST guidelines, staying ahead of the upcoming March deadline.
Nevertheless, Vambersky cautioned against interpreting early alignment as a guarantee of long-term compliance, stressing that many organizations are gravitating towards NIST’s standards due to their maturity rather than an unwavering commitment to them.
Insights gained from existing SBOM compliance efforts also underscore the complexities enterprises might face while scaling up to include CBOMs. A 2026 adoption survey conducted by ENISA in the European Union revealed that 78% of organizations had initiated SBOM programs; however, only a mere 9% reported having a mature, automated implementation. Moreover, nearly 40% of organizations highlighted that they never receive SBOMs from software suppliers, with 60% citing ongoing issues regarding data quality, including incomplete or inconsistent component information. It is hoped that the transition to CBOMs will proceed more smoothly.
Moreover, businesses located outside of the U.S. are encouraged not to wait for CISA and NIST to initiate their discovery processes. They are advised to begin immediately, ensuring their data models retain enough flexibility to incorporate common schemas in the future. While the 270-day deadline set forth by Trump’s executive order addresses a portion of the CBOM challenge, it is essential to recognize that the overarching problem entails much more than simply establishing basic guidelines.
Ultimately, Washington’s efforts will undoubtedly contribute a valuable checklist for CBOM implementation. However, the critical audit work will require localized initiatives, tailored to each country’s specific needs, ultimately resting on the infrastructure owners to undertake this monumental task.
