Article
Jan 7, 2026

CycloneDX 1.7 and CBOM: The New Standard for PQC Migration

CycloneDX 1.7 and CBOMs are becoming the standard vehicle for PQC migration. CycloneDX 1.7 refines the cryptographic support introduced in 1.6, specifically targeting PQC readiness.


The countdown to the quantum era is no longer theoretical. With NIST having finalized its first Post-Quantum Cryptography (PQC) standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA, August 2024), organizations are racing to assess their exposure to the quantum threat.

But you cannot migrate what you cannot find.

This is where the Cryptographic Bill of Materials (CBOM) becomes the most critical document in your security posture. With the evolution of CycloneDX (specifically the cryptographic support introduced in v1.6 and refined in v1.7), the industry has a powerful new weapon to assist with quantum readiness and the PQC migration.

What is CycloneDX?

CycloneDX is a flagship OWASP project that has become the "universal language" of the software supply chain, and since 2024 it is also published as the ECMA-424 standard. While it started in 2018 as a standard for software components, it has evolved rapidly.

  • Version 1.6 (April 2024) was a milestone release, becoming the first specification to support cryptographic assets specifically for Post-Quantum Cryptography (PQC) readiness.
  • Version 1.7 builds upon this foundation, offering even deeper granularity for hybrid key encapsulation and complex crypto-agility scenarios.

It’s worth noting that CycloneDX defines the data model, but generating and maintaining a complete CBOM still requires continuous discovery, enrichment, and correlation across environments.

SBOM vs. CBOM: The "Ingredients" vs. The "Behavior"

To secure your infrastructure, you need to understand the difference between a standard SBOM and a CBOM.

  • SBOM (The Inventory): Tells you which libraries are present (e.g., "We have OpenSSL 3.0").
  • CBOM (The Deep Dive): Tells you how cryptography is actually implemented.

As noted in the OWASP guide, simply knowing a library exists is insufficient. You need to capture crypto properties. In CycloneDX a cryptographic asset is a component of type cryptographic-asset carrying a cryptoProperties object, and its algorithmProperties record the primitive, the parameter set, the mode, the crypto functions used, and the classical and NIST quantum security levels. For example, knowing you use "AES" isn't enough; a CBOM distinguishes between the algorithm family (AES) and the specific instantiation (e.g., AES-128-GCM: primitive ae, parameter set 128, mode gcm), which defines the actual security level.

3 Reasons Why You Need a CBOM Now

1. True Dependency Mapping

One of the most powerful features of a CycloneDX CBOM is how it handles dependencies. It doesn't just show that App A depends on Library B (the dependsOn relationship). Since 1.6 a dependency entry can also carry a provides relationship, stating that Library B implements a specific algorithm (like RSA-2048) or protocol (like TLS 1.2).

This allows you to map the full chain: Application → Library → Protocol → Algorithm → Key. If a specific algorithm is found to be quantum-vulnerable, you can instantly trace exactly which applications are consuming it.
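The tracing described above, written out as an added example (this is not code from the CycloneDX project or from Qinsight). It builds a small, hand-constructed CBOM in the CycloneDX 1.6 JSON shape, walks both dependsOn and provides edges, and returns every Application → Library → Protocol → Algorithm path that ends at an algorithm the demo's rule classifies as quantum-vulnerable. The bom-refs, component names and the vulnerability rule (public-key primitive with a NIST quantum security level of 0, or none recorded) are assumptions chosen for the demo:

```python
"""Trace quantum-vulnerable algorithms in a CycloneDX 1.6-style CBOM back to the
applications that consume them, following dependsOn and provides edges.

Added example, not code from the CycloneDX project or from Qinsight. The BOM
below is constructed for illustration; the bom-refs, component names, and the
quantum_vulnerable() rule are assumptions chosen for the demo.
"""
import json

# Constructed sample CBOM (CycloneDX 1.6 JSON shape, trimmed to the fields used here).
SAMPLE_CBOM = json.loads(r"""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "application", "bom-ref": "app:payments", "name": "payments-api"},
    {"type": "application", "bom-ref": "app:reporting", "name": "reporting-batch"},
    {"type": "library", "bom-ref": "lib:openssl", "name": "openssl", "version": "3.0.13"},
    {"type": "cryptographic-asset", "bom-ref": "proto:tls12", "name": "TLS",
     "cryptoProperties": {"assetType": "protocol",
       "protocolProperties": {"type": "tls", "version": "1.2",
         "cipherSuites": [{"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                           "algorithms": ["alg:rsa-2048", "alg:aes-128-gcm"]}]}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:rsa-2048", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.1.1.1",
       "algorithmProperties": {"primitive": "signature", "parameterSetIdentifier": "2048",
         "cryptoFunctions": ["sign", "verify"],
         "classicalSecurityLevel": 112, "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:aes-128-gcm", "name": "AES-128-GCM",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "128", "mode": "gcm",
         "cryptoFunctions": ["encrypt", "decrypt"],
         "classicalSecurityLevel": 128, "nistQuantumSecurityLevel": 1}}}
  ],
  "dependencies": [
    {"ref": "app:payments",  "dependsOn": ["lib:openssl"]},
    {"ref": "app:reporting", "dependsOn": ["lib:openssl"]},
    {"ref": "lib:openssl",   "provides":  ["proto:tls12", "alg:rsa-2048", "alg:aes-128-gcm"]},
    {"ref": "proto:tls12",   "dependsOn": ["alg:rsa-2048", "alg:aes-128-gcm"]}
  ]
}
""")

PUBLIC_KEY_PRIMITIVES = {"pke", "kem", "signature", "key-agree"}


def index_components(bom):
    """Map bom-ref -> component for every component that carries a bom-ref."""
    return {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}


def build_edges(bom):
    """Adjacency list. For tracing, both dependsOn (A uses B) and provides
    (library A implements B) are 'A reaches B' edges."""
    edges = {}
    for dep in bom.get("dependencies", []):
        targets = edges.setdefault(dep["ref"], set())
        targets.update(dep.get("dependsOn", []))
        targets.update(dep.get("provides", []))
    return edges


def quantum_vulnerable(component):
    """Rule (assumption for this demo): a public-key primitive whose
    nistQuantumSecurityLevel is 0, or not recorded, is treated as Shor-breakable.
    Symmetric primitives (AES, hashes) are not flagged; Grover only halves their level."""
    props = component.get("cryptoProperties", {})
    if props.get("assetType") != "algorithm":
        return False
    algo = props.get("algorithmProperties", {})
    return (algo.get("primitive") in PUBLIC_KEY_PRIMITIVES
            and algo.get("nistQuantumSecurityLevel", 0) == 0)


def trace_paths(bom, target_ref):
    """Every path Application -> ... -> target_ref, as lists of bom-refs."""
    edges, comps = build_edges(bom), index_components(bom)
    paths = []

    def dfs(node, path, seen):
        if node == target_ref:
            paths.append(path + [node])
            return
        if node in seen:          # guard against cyclic dependency graphs
            return
        for nxt in sorted(edges.get(node, ())):
            dfs(nxt, path + [node], seen | {node})

    for app in sorted(r for r, c in comps.items() if c.get("type") == "application"):
        dfs(app, [], frozenset())
    return paths


def quantum_exposure(bom):
    """bom-ref of each quantum-vulnerable algorithm -> all application paths that reach it."""
    return {ref: trace_paths(bom, ref)
            for ref, comp in index_components(bom).items() if quantum_vulnerable(comp)}


def affected_applications(bom):
    """Sorted application bom-refs that reach at least one vulnerable algorithm."""
    return sorted({path[0] for paths in quantum_exposure(bom).values() for path in paths})
```

On the sample BOM, quantum_exposure reports only RSA-2048, reached by both applications twice: directly through the library that provides it, and through the TLS 1.2 cipher suite that depends on it. AES-128-GCM is not reported, because the rule only flags public-key primitives. Treating a missing nistQuantumSecurityLevel as 0 is deliberate: an inventory gap should surface as exposure, not silently pass.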

2. Full Key Lifecycle Management

A static inventory is useless if it doesn't track state. The CycloneDX CBOM follows the key states of NIST SP 800-57 Part 1: a related-crypto-material asset (a private key, secret key, certificate, and so on) carries a state field alongside its algorithm reference, size, activation and expiration dates, and how it is secured. It doesn't just list a key; it tracks its state:

  • Pre-activation: Generated but not yet authorized for use.
  • Active: Currently protecting live data (encrypting, signing) or processing data already protected with it.
  • Suspended / Deactivated: Temporarily or permanently taken out of use, while the key may still be needed to decrypt or verify existing data.
  • Compromised / Destroyed: Marking a key "Compromised" in your CBOM gives policy tooling a machine-readable trigger to revoke it and to refuse it in future builds; the CBOM records the state, the surrounding automation acts on it.
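How a build gate could act on those states, as an added example (not code from the CycloneDX project or from Qinsight). The state values are the spec's relatedCryptoMaterialProperties.state enumeration; the sample BOM, the key ids and dates, and the block/warn policy itself are assumptions for the demo. A compromised or destroyed key, or one past its expirationDate, blocks the build; a key that is not yet active, has no recorded state, or is active with no securedBy mechanism only produces a warning:

```python
"""Gate a build on the lifecycle state of keys recorded in a CycloneDX 1.6-style CBOM.

Added example, not code from the CycloneDX project or from Qinsight. The state
values are the spec's relatedCryptoMaterialProperties.state enum (pre-activation,
active, suspended, deactivated, compromised, destroyed); the sample BOM, the key
ids and dates, and the block/warn policy itself are assumptions for this demo.
"""
from datetime import datetime, timezone

# Constructed sample: three keys in different lifecycle states (1.6 shape, trimmed).
SAMPLE_KEYS_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "cryptographic-asset", "bom-ref": "key:release-signing", "name": "release-signing-key",
         "cryptoProperties": {"assetType": "related-crypto-material",
           "relatedCryptoMaterialProperties": {
               "type": "private-key", "id": "kid-7f3a", "state": "active", "size": 256,
               "algorithmRef": "alg:ecdsa-p256", "securedBy": {"mechanism": "HSM"},
               "activationDate": "2024-03-01T00:00:00Z", "expirationDate": "2027-03-01T00:00:00Z"}}},
        {"type": "cryptographic-asset", "bom-ref": "key:legacy-tls", "name": "legacy-tls-key",
         "cryptoProperties": {"assetType": "related-crypto-material",
           "relatedCryptoMaterialProperties": {
               "type": "private-key", "id": "kid-0c11", "state": "compromised", "size": 2048,
               "algorithmRef": "alg:rsa-2048"}}},
        {"type": "cryptographic-asset", "bom-ref": "key:staging-kek", "name": "staging-kek",
         "cryptoProperties": {"assetType": "related-crypto-material",
           "relatedCryptoMaterialProperties": {
               "type": "secret-key", "id": "kid-b2e9", "state": "pre-activation", "size": 256,
               "algorithmRef": "alg:aes-256-gcm", "activationDate": "2030-01-01T00:00:00Z"}}},
    ],
}

KEY_TYPES = {"private-key", "secret-key", "key"}                 # material types the policy covers
BLOCKING_STATES = {"compromised", "destroyed"}                   # policy: never usable again
NOT_YET_USABLE = {"pre-activation", "suspended", "deactivated"}  # policy: usable only once (re)activated


def parse_timestamp(ts):
    """RFC 3339 timestamp as used in the CBOM -> aware datetime (None if absent)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def key_findings(bom, now):
    """List of (bom-ref, severity, reason) for keys that must not, or should not, be used at `now`."""
    findings = []
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties", {})
        material = props.get("relatedCryptoMaterialProperties", {})
        if props.get("assetType") != "related-crypto-material" or material.get("type") not in KEY_TYPES:
            continue
        ref, state = comp["bom-ref"], material.get("state")
        if state in BLOCKING_STATES:
            findings.append((ref, "block", f"key state is {state}"))
            continue                       # nothing else matters once a key is compromised/destroyed
        if state is None:
            findings.append((ref, "warn", "no lifecycle state recorded"))
        elif state in NOT_YET_USABLE:
            findings.append((ref, "warn", f"key state is {state}, not active"))
        activation = parse_timestamp(material.get("activationDate"))
        expiry = parse_timestamp(material.get("expirationDate"))
        if activation and now < activation:
            findings.append((ref, "warn", "activationDate is in the future"))
        if expiry and now >= expiry:
            findings.append((ref, "block", "key is past its expirationDate"))
        if state == "active" and not material.get("securedBy"):
            findings.append((ref, "warn", "active key has no securedBy (storage mechanism unknown)"))
    return findings


def build_allowed(bom, now=None):
    """True when no finding is blocking; intended as a CI gate before a release is signed."""
    now = now or datetime.now(timezone.utc)
    return not any(sev == "block" for _, sev, _ in key_findings(bom, now))
```

Run against the sample, build_allowed returns False because of the compromised legacy TLS key; the staging KEK only warns (pre-activation, activation date in the future) and the HSM-backed release signing key passes until its expirationDate. The gate deliberately reads only what the CBOM states: it cannot tell whether a key was actually rotated, so the CBOM must be regenerated from the live environment, not hand-edited, for the gate to mean anything.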

3. Compliance with CNSA 2.0 and DORA

The regulatory net is tightening.

  • EU’s DORA (Digital Operational Resilience Act) mandates strict digital operational resilience and third-party risk management for financial entities. A CBOM provides the necessary inventory to map and monitor the cryptographic dependencies that underpin your operational stability.
  • NSA’s CNSA 2.0 requires National Security Systems to move to quantum-resistant algorithms. For software and firmware signing it names the stateful hash-based signatures LMS and XMSS, with the timeline "support and prefer by 2025, use exclusively by 2030"; the other use cases (web, networking, operating systems, custom applications) have their own 2025 to 2033 milestones.

A CBOM is the most scalable and defensible automated way to demonstrate progress against these timelines. It allows you to audit your entire stack against regulations like CNSA 2.0 to see exactly where you are non-compliant.

Qinsight: Native Support for CycloneDX

At Qinsight, we don't just support standards; we build on them.

We are a CBOM-native platform. Unlike legacy tools that lock your data into proprietary formats, Qinsight’s backend maps natively to the CycloneDX standard.

We fully support the latest CycloneDX specifications, ensuring that when we scan your infrastructure (networks, databases, code repositories) we generate a future-proof, PQC-ready inventory. This allows you to leverage features like BOM-Link, CycloneDX's URN scheme for referencing another BOM by serial number, version and bom-ref, so your CBOMs can live apart from your SBOMs and still point at each other for modular, scalable security management.

Ready to see your true cryptographic posture? Contact us to see a Qinsight CBOM in action.
