{"id":100263,"date":"2025-02-10T14:43:35","date_gmt":"2025-02-10T12:43:35","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=glossary&#038;p=100263"},"modified":"2026-04-13T22:32:14","modified_gmt":"2026-04-13T20:32:14","slug":"what-is-a-cbom","status":"publish","type":"glossary","link":"https:\/\/checkmarx.com\/glossary\/what-is-a-cbom\/","title":{"rendered":"What Is a CBOM? Cryptographic Bill of Materials Guide"},"content":{"rendered":"<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">Summary<\/h2>\n\n\n\n\n<blockquote>\n    <p>\u201cA Cryptographic Bill of Materials (CBOM) is a structured, machine\u2011readable inventory of all the cryptographic assets inside an application or system &#8211; algorithms, key pairs, certificates, crypto libraries, protocols and the components that use them. \u201d <\/p>\n    <footer>\n        <span class=\"blockquote__author-name\">Jonathan Singer<\/span>    <\/footer>\n<\/blockquote>\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">What is a Cryptographic Bill of Materials (CBOM)?<\/h2>\n\n\n\n<p>A <strong>Cryptographic Bill of Materials (CBOM)<\/strong> &#8211; sometimes called a <em>cryptography bill of materials<\/em> &#8211; is a standardized way to describe all cryptographic assets and their relationships across your software estate.<\/p>\n\n\n\n<p>At a minimum, a CBOM typically links to SBOM components and captures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Usage context<\/strong> (which services, code paths, endpoints or containers rely on which crypto assets)<\/li>\n\n\n\n<li>\n<strong>Crypto libraries and modules<\/strong> (for example, OpenSSL, BoringSSL, Bouncy Castle)<\/li>\n\n\n\n<li>\n<strong>Algorithms and modes<\/strong> in use (AES\u2011GCM, ChaCha20\u2011Poly1305, RSA\u2011PSS, ECDSA, SHA\u2011256, etc.)<\/li>\n\n\n\n<li>\n<strong>Protocols and versions<\/strong> (TLS 1.2 vs 1.3, SSH, IPsec, QUIC)<\/li>\n\n\n\n<li>\n<strong>Keys and 
secrets metadata<\/strong> (key length, key type, location\/HSM reference, rotation policy \u2013 not raw keys)<\/li>\n\n\n\n<li>\n<strong>Certificates and trust anchors<\/strong> (issuers, SANs, expiration, key usage)<\/li>\n<\/ul>\n\n\n\n<p>While some sectors (like medical devices) still use \u201c<strong>cybersecurity bill of materials<\/strong>\u201d to describe a broader security inventory, the emerging standard usage of <strong>CBOM<\/strong> in the AppSec and software supply chain community is firmly <strong>cryptographic<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Why CBOM matters for AppSec and Devs<\/h2>\n\n\n\n<p>For developers and AppSec teams, CBOMs turn \u201cinvisible crypto\u201d into something you can reason about, test and automate around.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Cryptographic vulnerability management<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quickly find <strong>weak or deprecated algorithms<\/strong> (e.g., RSA\u20111024, SHA\u20111, CBC\u2011only cipher suites).<\/li>\n\n\n\n<li>Spot misconfigurations like <strong>TLS 1.0\/1.1 still enabled<\/strong>, missing certificate pinning, or non\u2011FIPS\u2011approved algorithms in regulated environments.<\/li>\n\n\n\n<li>Combine CBOM with reachability and runtime usage to prioritize what\u2019s actually exploitable.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Post\u2011quantum and crypto agility<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Before you can migrate to <strong>post\u2011quantum cryptography (PQC)<\/strong>, you need an accurate map of where classical cryptography is used. 
CBOM is that map.<\/li>\n\n\n\n<li>A CBOM lets you scope PQC pilots (e.g., \u201call services using RSA\u20112048 certificates issued by CA X\u201d) and track the rollout over time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Compliance and audit readiness<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Many regulatory and industry frameworks already require strong crypto, key management, and certificate hygiene.<\/li>\n\n\n\n<li>A CBOM gives auditors a <strong>structured artifact<\/strong> that shows which crypto you use, where, and how it\u2019s governed &#8211; paired with your SBOM and <strong>software supply chain security<\/strong> controls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Incident response and threat hunting<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When a new protocol\u2011level bug or library vulnerability drops, you can query the CBOM: \u201cWhich services depend on vulnerable TLS cipher suites or this version of OpenSSL?\u201d<\/li>\n\n\n\n<li>That shortens the time from <strong>\u201cnew crypto issue announced\u201d<\/strong> to <strong>\u201cwe know exactly where we\u2019re exposed\u201d<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Developer guardrails<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CBOM data can feed policies in CI\/CD that <strong>block builds<\/strong> when new code introduces disallowed algorithms or informal \u201cshadow crypto\u201d libraries.<\/li>\n\n\n\n<li>Combined with <strong>Software Composition Analysis (SCA)<\/strong>, it helps enforce secure crypto defaults alongside dependency hygiene.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">What Does a CBOM Include?<\/h2>\n\n\n\n<p>A CBOM builds on your <strong>SBOM<\/strong> (the list of components) and enriches it with crypto\u2011specific metadata. 
Practically, a CBOM usually includes:<\/p>\n\n\n\n<div style=\"height:28px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Component inventory (from SBOM)<\/strong>\n<ul class=\"wp-block-list\">\n<li>\n<code>componentRef<\/code> or package URL (purl)<\/li>\n\n\n\n<li>Version, hash, provenance<\/li>\n\n\n\n<li>Link back to your SBOM entry<br><em>(See the Checkmarx glossary entry <a href=\"https:\/\/checkmarx.com\/blog\/sbom-what-it-is-and-why-you-should-care\/\">\u201cWhat is an SBOM?\u201d<\/a> and the <a href=\"https:\/\/checkmarx.com\/learn\/supply-chain-security\/understanding-software-bill-of-materials-sbom\/\">SBOM knowledge hub article<\/a> for context.)<\/em>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\n<strong>Cryptographic assets<\/strong>\n<ul class=\"wp-block-list\">\n<li>Crypto libraries\/modules (OpenSSL, BoringSSL, Bouncy Castle, OS crypto APIs)<\/li>\n\n\n\n<li>Algorithms and modes (AES\u2011256\u2011GCM, RSA\u20113072, ECDH\u2011P256, SHA\u2011384, HKDF, etc.)<\/li>\n\n\n\n<li>Protocols and versions (TLS 1.2\/1.3, SSH, IPsec profiles, VPN suites)<\/li>\n\n\n\n<li>Credentials &amp; key material <em>metadata<\/em> (key IDs, type, length, storage reference, rotation rules)<\/li>\n\n\n\n<li>Certificates and CA chains (issuers, serials, expiry dates, keyUsage, extendedKeyUsage)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\n<strong>Usage and exploitability context<\/strong>\n<ul class=\"wp-block-list\">\n<li>Code\u2011level references (file\/function where crypto is invoked)<\/li>\n\n\n\n<li>Service\/endpoints that rely on each crypto asset<\/li>\n\n\n\n<li>Runtime usage (observed in production vs only in fallback paths)<\/li>\n\n\n\n<li>Reachability \/ call graphs to crypto functions, aligned with what your <strong><a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\">SCA<\/a><\/strong> and <a href=\"https:\/\/checkmarx.com\/product\/aspm\/\"><strong>ASPM<\/strong> <\/a>tooling already 
calculates.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\n<strong>Risk and control metadata<\/strong>\n<ul class=\"wp-block-list\">\n<li>Known vulnerabilities in crypto libraries or protocols (CVEs\/CWEs, CVSS\/EPSS where available)<\/li>\n\n\n\n<li>Policy violations (e.g., non\u2011approved algorithms, key lengths below policy)<\/li>\n\n\n\n<li>Mappings to compensating controls (e.g., WAF rules, mTLS enforcement, HSM usage)<\/li>\n\n\n\n<li>Recommended fixes (upgrade paths, configuration changes, alternative algorithms)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Plus, the CBOM provides a risk-centric inventory of security-relevant elements, including hardware, firmware, configurations, cryptographic algorithms, security controls and known vulnerabilities. It aims to give organizations a clearer picture of their cybersecurity posture by mapping out potential attack vectors, outdated security measures and misconfigurations that could be exploited by threat actors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CBOM Example (illustrative JSON only):<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n  \"componentRef\": \"pkg:maven\/com.example\/payment-service@1.4.0\",\n  \"cryptoAssets\": &#91;\n    {\n      \"id\": \"frontend-tls\",\n      \"type\": \"protocol\",\n      \"protocol\": \"TLS\",\n      \"version\": \"1.2\",\n      \"libraries\": &#91;\"OpenSSL 1.1.1w\"],\n      \"algorithms\": &#91;\"RSA-2048\", \"AES-128-GCM\", \"SHA256\"],\n      \"certificates\": &#91;\n        {\n          \"id\": \"cert-frontend-2025\",\n          \"issuer\": \"Let's Encrypt\",\n          \"notBefore\": \"2024-06-01T00:00:00Z\",\n          \"notAfter\": \"2025-06-01T00:00:00Z\",\n          \"keyType\": \"RSA\",\n          \"keySize\": 2048\n        }\n      ],\n      \"keys\": &#91;\n        {\n          \"id\": \"k8s-secret\/payment-tls-key\",\n          \"store\": \"kubernetes\",\n          \"rotationPolicy\": \"365d\"\n        }\n      ]\n    },\n    {\n      \"id\": \"token-signing\",\n      
\"type\": \"signature\",\n      \"algorithms\": &#91;\"ES256\"],\n      \"library\": \"Nimbus JOSE + JWT\",\n      \"usage\": &#91;\"OIDC_ID_TOKEN\", \"OIDC_ACCESS_TOKEN\"]\n    }\n  ],\n  \"vulnerabilities\": &#91;\n    {\n      \"id\": \"CVE-2024-XXXX\",\n      \"affects\": &#91;\"OpenSSL 1.1.1w\"],\n      \"severity\": \"HIGH\",\n      \"reachable\": true\n    }\n  ],\n  \"policies\": &#91;\n    {\n      \"rule\": \"min_rsa_key_size\",\n      \"status\": \"violation\",\n      \"details\": \"RSA-2048 in use; organization baseline is RSA-3072 or higher.\"\n    }\n  ]\n}\n<\/code><\/pre>\n\n\n\n<div style=\"height:52px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This is <strong>not<\/strong> a formal schema, but it illustrates how CBOMs tie component identities (from SBOM) to crypto libraries, algorithms, keys and certificates, plus risk metadata.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">CBOM vs. SBOM vs. \u201cCybersecurity Bill of Materials\u201d<\/h2>\n\n\n\n<div class=\"responsive-table-container\">\n    <table class=\"comparison-table comparison-table--cbom-sbom\">\n        <thead>\n            <tr>\n                <th>Term<\/th>\n                <th>Scope \/ Focus<\/th>\n                <th>What It Covers<\/th>\n                <th>How It\u2019s Used in Practice<\/th>\n            <\/tr>\n        <\/thead>\n        <tbody>\n            <tr>\n                <td><strong>SBOM (Software Bill of Materials)<\/strong><\/td>\n                <td>Component inventory &amp; software supply chain<\/td>\n                <td>\n                    List of software components, versions, and dependencies,\n                    usually expressed in SPDX or CycloneDX.\n                <\/td>\n                <td>\n                    Foundation for software supply chain risk management, vulnerability management,\n                    and license\/compliance tracking.\n                <\/td>\n            <\/tr>\n    
        <tr>\n                <td><strong>CBOM (Cryptographic Bill of Materials)<\/strong><\/td>\n                <td>Cryptography &amp; crypto configuration overlay on top of SBOM<\/td>\n                <td>\n                    Inventory of cryptographic libraries, algorithms, keys, certificates, protocols,\n                    and their relationships to software components.\n                <\/td>\n                <td>\n                    Used to manage cryptographic risk, support post-quantum migration,\n                    enforce crypto policies, and prove crypto hygiene across applications.\n                <\/td>\n            <\/tr>\n            <tr>\n                <td><strong>Cybersecurity Bill of Materials<\/strong><\/td>\n                <td>Broader security-centric inventory for specific industries<\/td>\n                <td>\n                    Security-relevant components and vulnerabilities across a device or system.\n                <\/td>\n                <td>\n                    Seen in regulated verticals (for example, medical devices). 
The term \u201cCBOM\u201d\n                    here is broader, but in AppSec it is now mainly understood as a\n                    <strong>cryptographic bill of materials<\/strong>.\n                <\/td>\n            <\/tr>\n        <\/tbody>\n    <\/table>\n<\/div>\n<style>\n.responsive-table-container {\n    width: 100%;\n    overflow-x: auto;\n    -webkit-overflow-scrolling: touch;\n}\n \n.comparison-table--cbom-sbom td {\n    padding-inline: 16px;\n    padding-block: 10px;\n}\n<\/style>\n\n\n\n<div style=\"height:23px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>For AppSec teams, the most practical pattern is: <strong>SBOM for components, CBOM for crypto, plus broader software supply chain security (SSCS) for the full risk picture.<\/strong><\/p>\n\n\n<script src=\"https:\/\/player.vimeo.com\/api\/player.js\"><\/script>\n<script src=\"https:\/\/www.youtube.com\/iframe_api\"><\/script>\n<div class=\"aticle-video-wrapper\">\n    <p class=\"section-description-top\">Checkmarx Feature Highlight<\/p>    <h3>Generate SBOMs Automatically<\/h3>\n    <div class=\"aticle-video-box\">\n                    <pre><\/pre>\n                        <iframe id=\"vimeoPlayer\" allowfullscreen title=\"vimeo Video Player\" src=\"https:\/\/player.vimeo.com\/video\/1138848546?badge=0&#038;autopause=0&#038;player_id=0&#038;app_id=58479%22&#038;autoplay=0&#038;loop=1?color&amp;muted=1&amp;title=1&amp;portrait=1&amp;byline=1&amp;h=b8faf3a510#t=\"><\/iframe>\n                        <a href=\"#\" class=\"video-overlay-image-link\" aria-label=\"Video thumbnail\">\n                        <img decoding=\"async\" class=\"video-overlay-image\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/5-Generate-SBOMs-Automatically-with-Checkmarx-SCA\u2122-YouTube-10-14-2024_10_50_AM.png\" alt=\"Checkmarx SBOM tool demo video cover\" loading=\"lazy\">\n                    <\/a>\n            <\/div>\n    <p>The US Federal Government mandates that any organizations working with 
US Federal government must be able to provide an SBOM. Save time and headache by ensuring you have an up-to-date inventory of the third-party packages used within your software projects with Checkmarx SCA.<\/p>\n            <a href=\"https:\/\/checkmarx.com\/product\/sbom\/\" class=\"btn btn-2 btn-bg accent demo\">SBOM<\/a>\n        <\/div>\n<script>\n    \/\/ For youtube video only\n    var playerReady = false;\n    var player;\n\n    function onYouTubeIframeAPIReady() {\n        const iframe = document.querySelector('iframe.youtube-player');\n        if (!iframe) {\n            console.warn('Youtube player not found');\n            return;\n        }\n\n        player = new YT.Player(iframe, {\n            events: {\n                onReady: () => {\n                    playerReady = true;\n                }\n            }\n        });\n    }\n\n\n    document.addEventListener('DOMContentLoaded', () => {\n        let videoBtn = document.querySelector('.youtube-overlay-image-link');\n\n        if (!videoBtn) return;\n\n\n        videoBtn.addEventListener('click', (e) => {\n            e.preventDefault();\n            videoBtn.style.display = 'none';\n\n            if (!player || !playerReady) {\n                console.warn('The player isn\\'t ready yet');\n                return;\n            }\n\n            player.playVideo();\n\n        })\n    })\n<\/script>\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\">CBOM in ASPM: best practices for developers &amp; AppSec<\/h2>\n\n\n\n<p>To make CBOMs actually useful (and not just another artifact), treat them as part of your <strong>Application Security Posture Management (ASPM)<\/strong> and SDLC:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<strong>Start from a solid SBOM<\/strong>\n<ul class=\"wp-block-list\">\n<li>Use tooling (like <strong><a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\">Checkmarx SCA<\/a><\/strong> and SBOM capabilities) to generate accurate SBOMs for 
each service in standard formats (CycloneDX or SPDX).<\/li>\n\n\n\n<li>SBOM becomes the backbone your CBOM references.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\n<strong>Automate CBOM generation in CI\/CD<\/strong>\n<ul class=\"wp-block-list\">\n<li>Scan source code, containers, and infrastructure definitions for crypto libraries and configurations.<\/li>\n\n\n\n<li>Generate or update CBOMs on every build so they stay aligned with your<a href=\"https:\/\/checkmarx.com\/learn\/supply-chain-security\/software-supply-chain-security-guide\/\"> <strong>supply chain security<\/strong><\/a> posture.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\n<strong>Connect CBOM data to reachability and runtime<\/strong>\n<ul class=\"wp-block-list\">\n<li>Combine CBOM fields with code\u2011level <a href=\"https:\/\/checkmarx.com\/learn\/software-composition-analysis\/what-is-reachability-analysis\/\">reachability <\/a>and runtime telemetry to prioritize the cryptographic issues that are actually exploitable in production.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\n<strong>Policy\u2011driven enforcement<\/strong>\n<ul class=\"wp-block-list\">\n<li>Use CBOM data to express guardrails such as:\n<ul class=\"wp-block-list\">\n<li>\u201cNo new services may ship with RSA keys under 3072 bits.\u201d<\/li>\n\n\n\n<li>\u201cBlock builds if TLS 1.0\/1.1 is enabled.\u201d<\/li>\n\n\n\n<li>\u201cAlert when certificates will expire in less than 30 days.\u201d<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Enforce those policies with your <a href=\"https:\/\/checkmarx.com\/learn\/devsecops\/what-is-cicd-security\/\">CI\/CD<\/a> and <a href=\"https:\/\/checkmarx.com\/how-aspm-and-ai-are-reshaping-appsec\/\">ASPM workflows<\/a>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\n<strong>Expose CBOMs to the right stakeholders<\/strong>\n<ul class=\"wp-block-list\">\n<li>Developers need actionable details (file, line, service, recommended fix).<\/li>\n\n\n\n<li>\n<a 
href=\"https:\/\/checkmarx.com\/blog\/devops-architects-guide-to-developer-friendly-appsec-tools\/\">Security architects<\/a> and crypto owners need aggregation (which business systems rely on which algorithms).<\/li>\n\n\n\n<li>Auditors and regulators need evidence (exportable CBOM\/SBOM bundles for specific apps or releases).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-7\">How Checkmarx helps<\/h2>\n\n\n\n<p>Checkmarx doesn\u2019t just generate lists of components &#8211; it gives you the <strong>AppSec context<\/strong> you need as a foundation for CBOM initiatives:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong><a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\">Checkmarx SCA<\/a><\/strong> generates SBOMs in industry\u2011standard formats and correlates them with vulnerability, reachability, license and malicious\u2011package data.<\/li>\n\n\n\n<li>\n<strong><a href=\"https:\/\/checkmarx.com\/solutions\/software-supply-chain-security\/\">Checkmarx Software Supply Chain Security<\/a><\/strong> adds broader visibility into repository health, build pipelines and open\u2011source risk so you can understand where cryptographic libraries are coming from and how they\u2019re used.<\/li>\n\n\n\n<li>These capabilities give AppSec and crypto teams the raw data &#8211; components, dependencies, vulnerabilities and usage &#8211; that can be enriched into a <strong>cryptographic bill of materials<\/strong> for each application.<\/li>\n<\/ul>\n\n\n\n<p>As CBOM standards and tooling continue to mature, having accurate SBOMs and strong SCA in place is the fastest way to be CBOM\u2011ready.<\/p>\n\n\n<section class=\"section-block-info light-theme\">\n    <div class=\"main-wrapper block-info__wrapper\">\n        <div class=\"block-info center\">\n\t\t\t\n\t\t\t<h2 class=\"section-title article-anchor\" id=\"article-anchor-8\">[Report] Beyond SBOM: AI, Malicious Packages, and Everything In 
Between<\/h2>\t\t\t<p class=\"section-description\">To compile this free report, we surveyed over 900 AppSec professionals and identified actionable strategies you can implement today to improve your SSCS beyond the software bill of materials (SBOM).<\/p>\n\t\t\t<div class=\"actions\">\n\t\t\t\t        <a href=\"https:\/\/info.checkmarx.com\/beyond-sbom-trends\" class=\"btn btn-2 btn-bg white demo\">Download Report<\/a>\n        \t\t\t\t\t\t\t<\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<p>Checkmarx provides the <strong>building blocks<\/strong> you need to stand up a CBOM practice:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate accurate SBOMs and continuously scan for open\u2011source vulnerabilities, malicious packages and license risk with <strong>Checkmarx SCA<\/strong>.<\/li>\n\n\n\n<li>Strengthen <strong>software supply chain security<\/strong> with solutions that monitor repositories, pipelines, and runtime usage.<\/li>\n<\/ul>\n\n\n\n<p>From there, you can extend your SBOM and SCA data model to include cryptographic inventory and policy metadata, producing CBOMs tailored to your organization\u2019s crypto standards.<\/p>\n\n\n\n<section class=\"section-accordion\">\n    <div class=\"main-wrapper section-accordion__wrapper\">\n        <h2 class=\"section-title article-anchor\" id=\"article-anchor-9\">FAQs<\/h2>\n        <div class=\"fag-accordion__wrapper\">\n            <div class=\"js-accordion fag-accordion\">\n                <div>\n\n                                            <div class=\"js-accordion__item fag-accordion__item \">\n                            <h3 class=\"js-accordion__btn fag-accordion__btn\">\n                                <svg width=\"34px\" height=\"23px\" viewbox=\"0 0 34 23\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                                    <g id=\"Page-1\" stroke=\"none\" stroke-width=\"1\" fill=\"none\" fill-rule=\"evenodd\">\n                                        <g id=\"Shape\" transform=\"translate(0.939453, 1.530000)\" stroke-width=\"3\">\n                                            <path d=\"M19.810947,20.4179 L31.029947,9.14 M30.029947,10.1989 L0,10.1989 M31.029947,11.26 L19.810947,0\"><\/path>\n                                        <\/g>\n                                    <\/g>\n                                <\/svg>\n                                Is a CBOM required?                            <\/h3>\n                            <div class=\"js-accordion-content fag-accordion__content\">\n                                <p>Regulators and customers increasingly expect SBOMs, and many programs extend them with risk metadata similar to a CBOM. Practically, teams adopt CBOMs to accelerate response and prove due diligence.<\/p>\n                            <\/div>\n                        <\/div>\n                                                <div class=\"js-accordion__item fag-accordion__item \">\n                            <h3 class=\"js-accordion__btn fag-accordion__btn\">\n                                <svg width=\"34px\" height=\"23px\" viewbox=\"0 0 34 23\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                                    <g id=\"Page-1\" stroke=\"none\" stroke-width=\"1\" fill=\"none\" fill-rule=\"evenodd\">\n                                        <g id=\"Shape\" transform=\"translate(0.939453, 1.530000)\" stroke-width=\"3\">\n                                            <path d=\"M19.810947,20.4179 L31.029947,9.14 M30.029947,10.1989 L0,10.1989 M31.029947,11.26 L19.810947,0\"><\/path>\n                                        <\/g>\n                                    <\/g>\n                                <\/svg>\n                                What formats should we use?                            
<\/h3>\n                            <div class=\"js-accordion-content fag-accordion__content\">\n                                <p>Keep your SBOM in <em>SPDX<\/em> or <em>CycloneDX<\/em> and store your CBOM as a linked artifact (JSON\/JSON\u2011LD) that references SBOM components plus security fields (reachability, runtime usage, fix versions, control mapping).<\/p>\n                            <\/div>\n                        <\/div>\n                        <\/div>\n<div>                        <div class=\"js-accordion__item fag-accordion__item \">\n                            <h3 class=\"js-accordion__btn fag-accordion__btn\">\n                                <svg width=\"34px\" height=\"23px\" viewbox=\"0 0 34 23\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                                    <g id=\"Page-1\" stroke=\"none\" stroke-width=\"1\" fill=\"none\" fill-rule=\"evenodd\">\n                                        <g id=\"Shape\" transform=\"translate(0.939453, 1.530000)\" stroke-width=\"3\">\n                                            <path d=\"M19.810947,20.4179 L31.029947,9.14 M30.029947,10.1989 L0,10.1989 M31.029947,11.26 L19.810947,0\"><\/path>\n                                        <\/g>\n                                    <\/g>\n                                <\/svg>\n                                How does Checkmarx help?                            
<\/h3>\n                            <div class=\"js-accordion-content fag-accordion__content\">\n                                <p><a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\">Checkmarx SCA<\/a> generates SBOMs, enriches them with vulnerability and reachability data, detects malicious packages via <a href=\"https:\/\/checkmarx.com\/product\/malicious-packages\/\">MPP<\/a>, prevents exposed secrets with <a href=\"https:\/\/checkmarx.com\/product\/secrets-detection\/\">Secrets Detection<\/a>, and centralizes governance in <a href=\"https:\/\/checkmarx.com\/product\/aspm\/\">ASPM<\/a>.<\/p>\n                            <\/div>\n                        <\/div>\n                                        <\/div>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<script type=\"application\/ld+json\">{\"@context\":\"https:\/\/schema.org\",\"@type\":\"FAQPage\",\"url\":\"https:\/\/checkmarx.com\/glossary\/what-is-a-cbom\/\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"Is a CBOM required?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Regulators and customers increasingly expect SBOMs, and many programs extend them with risk metadata similar to a CBOM. 
Practically, teams adopt CBOMs to accelerate response and prove due diligence.\"}},{\"@type\":\"Question\",\"name\":\"What formats should we use?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Keep your SBOM in &lt;em&gt;SPDX&lt;\/em&gt; or &lt;em&gt;CycloneDX&lt;\/em&gt; and store your CBOM as a linked artifact (JSON\/JSON\u2011LD) that references SBOM components plus security fields (reachability, runtime usage, fix versions, control mapping).\"}},{\"@type\":\"Question\",\"name\":\"How does Checkmarx help?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"&lt;a href=&#8221;https:\/\/checkmarx.com\/cxsca-open-source-scanning\/&#8221;&gt;Checkmarx SCA&lt;\/a&gt; generates SBOMs, enriches with vulnerability and reachability data, detects malicious packages via &lt;a href=&#8221;https:\/\/checkmarx.com\/product\/malicious-packages\/&#8221;&gt;MPP&lt;\/a&gt;, prevents exposed secrets with &lt;a href=&#8221;https:\/\/checkmarx.com\/product\/secrets-detection\/&#8221;&gt;Secrets Detection&lt;\/a&gt;, and centralizes governance in &lt;a href=&#8221;https:\/\/checkmarx.com\/product\/aspm\/&#8221;&gt;ASPM&lt;\/a&gt;.\"}}]}<\/script>\n\n\n<p><em>Last updated:<\/em> December 8, 2025<\/p>","protected":false},"excerpt":{"rendered":"<p>Summary What is a Cryptographic Bill of Materials (CBOM)? A Cryptographic Bill of Materials (CBOM) &#8211; sometimes called a cryptography bill of materials &#8211; is a standardized way to describe all cryptographic assets and their relationships across your software estate. 
At a minimum, a CBOM typically links to SBOM components and captures: While some sectors [&hellip;]<\/p>\n","protected":false},"author":92,"featured_media":96965,"template":"","glossary-tags":[1422,1421,8,1420],"class_list":["post-100263","glossary","type-glossary","status-publish","has-post-thumbnail","hentry","glossary-tags-cbom","glossary-tags-sbom","glossary-tags-sca","glossary-tags-software-composition-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What Is a CBOM? Cryptographic Bill of Materials Guide - Checkmarx<\/title>\n<meta name=\"description\" content=\"A Cryptographic Bill of Materials (CBOM) inventories algorithms, keys, certificates and crypto libraries, extending SBOMs to harden AppSec and software supply chains.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/glossary\/what-is-a-cbom\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What Is a CBOM? 
Cryptographic Bill of Materials Guide - Checkmarx\" \/>"}