Encryption & Key Management
,
Next-Generation Technologies & Secure Development
,
Regulation
US Government Is Working on CBOMs But Discovery and Inventories Are a Local Problem

In the journey to quantum computing readiness, enterprises and software vendors worldwide are making plans for cryptographic inventories. But unlike a software bill of materials, which tells auditors and customers what software components you’re using, a cryptography bill of materials, or CBOM, tells you what cryptographic algorithms those components use – and whether they comply with post-quantum requirements.
See Also: Beat the Breach: Outsmart Attackers and Secure the Cloud
President Donald Trump issued an executive order on June 22 requiring U.S. federal agencies to outline the minimum components of a CBOM, and many enterprises wonder if the U.S. deadline will become the default global standard for inventories, much like GDPR became the default framework for privacy across most countries in 2018. Practitioners on the ground say that’s unlikely, but the tech industry eventually will need to agree on a common language for CBOMs.
The executive order gives two federal agencies – the Cybersecurity and Infrastructure Security Agency and National Institute of Standards and Technology – until March 2027 to define those elements and what a complete inventory of an organization’s cryptographic assets should contain. The order also directs the Secretary of State, working with NIST and other federal agencies, to engage foreign governments and industry groups in key countries to encourage their adoption of NIST-standardized post-quantum cryptography algorithms.
Every enterprise must prepare for Q-Day, the anticipated point when quantum computers will become capable of breaking today’s public-key cryptography. But two considerations have come up consistently in conversations with practitioners running post-quantum cryptography algorithms. First, no two environments are the same, so a cookie cutter approach is likely to fail. Secondly, the “what” and the “how” may never be completely spelled out by regulators.
“The CBOM standard simply tells what you need to have. It does not talk about how to get it,” said Steve Vaile, consulting director for the EMEA region at Applied Quantum.
The “what” – the data fields and the components of a complete cryptographic inventory – will be easy to standardize. In fact, this necessary first step in quantum readiness is why businesses in other parts of the world will evaluate the U.S. SBOM approach and adopt it. But won’t be because Washington told them to. It’s because reinventing a data model when security budgets are tight doesn’t make much sense.
The “how” – which involves discovering every certificate, legacy algorithms sitting in codes that have not been touched in years – could be very expensive to get wrong. No single document can solve discovery for an enterprise bank running decades-old infrastructure. Matous Vambersky, a post-quantum cryptography consultant, has a different view. His EMEA clients are already aligning to NIST guidance and are ahead of the March deadline.
Early alignment with NIST isn’t the same as long-term alignment, and nothing guarantees this. The main reason enterprises are adopting NIST standards now is “because NIST’s post-quantum algorithms are the most mature reference guide available in the market,” Vambersky said.
Many lessons can be learned from SBOM compliance, which offers a preview of what the challenges actually look like when scaled up to the enterprise. In the European Union, ENISA’s 2026 adoption survey found that 78% of organizations have started SBOM programs, but only 9% report a mature, automated implementation. Almost 40% of organizations say they never receive SBOMs from their software suppliers at all, and 60% flag ongoing data quality issues such as incomplete or inconsistent component information. Hopefully, adoption of CBOMs will go more smoothly.
Enterprises outside the United States don’t need to wait for CISA and NIST to start discovery. Begin now and keep the data model flexible enough to map to the common schema later. Trump’s 270-day deadline only covers the easy part of the problem.
Without a doubt, Washington will give the world a solid checklist for CBOMs. But the audit itself must still be built locally, country by country. And that work squarely belongs to whoever owns the infrastructure.
