Stop Calling It A 'CBOM'

1 day ago 5

Atsushi Yamada, CEO of ISARA Corporation, advises enterprises on crypto posture management strategies to prepare for the post-quantum era.

getty

The cryptographic security industry has settled on a term: cryptographic bill of materials, or CBOM.

This term is meant to evoke the software bill of materials (SBOM) movement, which earned the software supply chain a long-overdue dose of transparency.

The borrowed acronym sounds reasonable, but it is wrong. Based on my experience leading a firm that advises enterprises on their crypto posture management strategies, the wrongness has a cost.​

What A Bill Of Materials Actually Is​

A bill of materials (BOM), by definition, is a manufacturer's declaration.

In other words, it is the supplier telling the buyer what's inside the product. The supplier knows what went in because the supplier built it. The buyer doesn't have to take the product apart to find out since the supplier already documented it.

That is the entire point of a BOM: It is a transparency mechanism rooted in the party that has the most knowledge.

SBOMs work within this framework.

In this case, a vendor ships software and publishes an SBOM listing the open-source components, versions and licenses that went into the build. The buyer can read it.

The buyer can scan then scan the SBOM for known vulnerabilities with disassembling the binary to figure out what is inside. ​

Why Most Things Called 'CBOMs' Aren't

Now consider what most platforms in the cryptographic posture market are calling a CBOM.

Often, a third-party scanner runs against the customer's environment to identify cryptographic objects like algorithms, keys, certificates, library versions and protocol configurations. The scanner then produces a list that is presented to the buyer as the CBOM.​

That is not a bill of materials since the supplier didn't produce it. The buyer's tool produced it, by inspecting the running environment from the outside.

It is, at best, a cryptographic inventory, which is often useful. But it is not a CBOM.

The distinction matters because of what external scanning cannot do. There is a hard technical limit to how far any external tool can take apart a finished, shipped product to identify everything inside it.

Some cryptographic primitives are statically linked, optimized away, called only under specific runtime conditions or executed inside hardware modules the scanner cannot inspect. A scanner can identify what is observable, but it cannot, by definition, identify what is not.

In other words, a BOM is supposed to be comprehensive, but a scan is, by construction, only partial.​

What The Mislabel Is Hiding

Calling a third-party inventory a CBOM lets suppliers off the hook.

The buyer's security team thinks they have transparency, because the platform produced a document with that name, while the supplier never had to disclose anything. In this case, the supplier was never even asked.

With many CBOMs, the transparency burden has been transferred from the manufacturer—who actually knows what is inside the product—to the buyer's tooling, which has to guess.

This is exactly the problem SBOMs were designed to solve, and the cryptographic posture industry is recreating it under a borrowed name. The industry took the acronym and skipped the part that made the original concept work: the manufacturer's declaration.​

What Crypto Inventory Platforms Can And Can't Legitimately Claim

Crypto inventory and discovery platforms do useful work. They discover what they can observe, rank it by risk and tie findings to remediation. That is valuable.

However, calling the output a CBOM overstates what the discipline can produce externally and obscures the fact that the more reliable answer requires the supplier.

A defensible claim from a discovery platform looks like this: "This is the cryptography we observed across the environment, here is what we could not observe, here is the residual risk you carry from the gap." ​

The Procurement Shift

To create true CBOMs, the fix is the same one that made SBOMs work: Buyers ask for it, and vendors disclose it. ​This means it would become a procurement requirement, where cryptographic disclosure becomes a buying criterion.

A CBOM at point of purchase would include: the cryptographic algorithms, primitives, key sizes, protocol versions and configurations the product was built with and the conditions under which each is invoked. The buyer can then evaluate it the same way as an SBOM to make an informed purchasing decision.

This shifts the discovery cost and accountability onto the party, the manufacturer, that can afford it and who already knows the answer.

In short, a CBOM is a manufacturer's declaration that is verifiable, comparable across vendors, and that is offered as a buying input rather than as a post-purchase scan result.​​

Why The Language Matters

Industries evolve to the behaviors that procurement demands. SBOM became a buying criterion, and supplier disclosure followed.

CBOM was supposed to play the same role for cryptography. Instead, the term turned it into something the buyer's stack produces about the supplier's product. That redefinition may be convenient for vendors who don't want to disclose, but it is not convenient for buyers, and it could slow the industry's progress on transparency.​

Calling things by their right name is how you get the right behavior from suppliers. Until buyers ask vendors for a real CBOM, vendors will keep shipping products with cryptography buyers cannot see. The acronym was always meant to do the same work the SBOM acronym did. Use it that way, or don't use it at all.​


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


Read Entire Article