2025-10-28
In this #KEYMASTER session, Sven Rajala, International PKI Man of Mystery, and cybersecurity expert Olle Johansson dive into the emerging concept of Cryptography Bill of Materials (CBOM), the cryptographic counterpart to the Software Bill of Materials (SBOM). They explore why software manufacturers, not just consumers, need to care about tracking the cryptographic components in their software, especially in light of upcoming post-quantum cryptography (PQC) requirements and regulatory pressures. The conversation also touches on the state of tooling (e.g., CycloneDX, SPDX), the importance of standardized identifiers for crypto assets, and the need for better industry engagement and long-term planning, particularly in IoT and embedded systems.
If you are a software vendor or security leader, here is the takeaway: You need to start tracking your cryptographic assets today. Regulations and post-quantum transitions are on the horizon, and without a CBOM, you simply will not know:
Much like SBOMs helped illuminate software supply chains, CBOMs will be essential for cryptographic readiness and risk management. Open-source communities are leading the way, but industry-wide adoption is still lagging. Now is the time to build crypto agility into your products, before regulators or attackers force your hand.
Check out:
Find all our #KEYMASTER videos and more on Keyfactor for Developers – Your hub for cryptography, PKI, and signing.