PCI DSS 4.0.1 Requirement 12.3.3 has mandated a documented inventory of your cryptographic cipher suites and protocols, reviewed at least once every 12 months, since 31 March 2025. CipherM scans your code, configs, and live TLS endpoints and produces that inventory as a CycloneDX CBOM you can hand to your QSA.
Future-proof, too: the same inventory flags every RSA/ECDSA asset for the post-quantum migration. See the Threat Clock →
12.3.3 requires you to keep an up-to-date inventory of every cipher suite and protocol in use (including its purpose and where it is used), review it at least once every 12 months, monitor industry trends on whether each one remains viable, and keep a documented strategy for responding to anticipated cryptographic changes. It was a best practice under 4.0 and has been mandatory since 31 March 2025. The usual answer is a stale spreadsheet stitched together by hand before each assessment. CipherM generates the artifact from your actual code, configs, and live endpoints, so the inventory is real and current.
What 12.3.3 requires
104 rules across 7 languages and configs detect your TLS versions, cipher suites, certificates, hashing, and key sizes — the exact assets 12.3.3 asks you to document. Classical and post-quantum (ML-KEM, ML-DSA, hybrid TLS) in one pass.
CycloneDX 1.6 — the OWASP SBOM standard whose 1.6 release added the CBOM — mapped to PCI DSS 12.3.3, plus NIST SP 800-208, CNSA 2.0, and eIDAS 2.0 for your post-quantum roadmap.
Open-source CLI. Walk a repo and its configs, emit a CycloneDX 1.6 CBOM — your documented cryptographic inventory. 104 rules across 7 languages.
Point cipherm-tls at any host and see exactly which TLS versions and cipher suites it negotiates — the live half of your 12.3.3 inventory.
Export a QSA-ready pack: every cipher suite and protocol mapped to PCI DSS 12.3.3, with deprecation notes and a remediation plan.
Future-proof angle: a live estimate, by year, of how close a cryptographically relevant quantum computer (CRQC) is (expert-survey timeline from Mosca 2024, resource estimates from Gidney-Ekerå), so your inventory doubles as a post-quantum migration plan.
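To make the two halves of the inventory concrete, here is an added example of the kind of check the page describes. It is not CipherM's code or rule set: it parses a constructed nginx server block, attaches the review flags a 12.3.3 assessor would look for (deprecated protocols, static-RSA suites without forward secrecy, non-AEAD suites, quantum-vulnerable public-key algorithms), and emits a minimal CycloneDX 1.6 CBOM of cryptographic-asset components. The property names under `properties`, the file location string, and the sample config are this example's own assumptions; the `probe_host` function is the live half and needs network access, so nothing here calls it automatically.

```python
"""Added example (not CipherM's own code): read the TLS settings a constructed
nginx server block enables, flag what a PCI DSS 12.3.3 review should question,
and emit a minimal CycloneDX 1.6 CBOM of cryptographic-asset components."""
import json
import re
import socket
import ssl

# Constructed sample input; a real run would read the file from disk.
SAMPLE_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 8996 deprecates TLS 1.0/1.1
# Public-key algorithms that Shor's algorithm on a CRQC breaks.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDHE", "DHE"}


def parse_nginx_tls(conf: str) -> dict:
    """Return the ssl_protocols and ssl_ciphers lists from an nginx config."""
    protos = re.search(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M)
    ciphers = re.search(r"^\s*ssl_ciphers\s+\"?([^;\"]+)\"?;", conf, re.M)
    return {
        "protocols": protos.group(1).split() if protos else [],
        "ciphers": ciphers.group(1).split(":") if ciphers else [],
    }


def classify_suite(name: str) -> dict:
    """Split an OpenSSL-style suite name into kex/auth and attach review flags."""
    if name.startswith("TLS_"):  # TLS 1.3 suite: kex and auth are negotiated separately
        return {"name": name, "kex": "negotiated", "auth": "negotiated", "flags": []}
    kex, auth = "RSA", "RSA"      # bare names such as AES128-SHA mean static RSA key transport
    m = re.match(r"^(ECDHE|DHE)-(RSA|ECDSA)-", name)
    if m:
        kex, auth = m.group(1), m.group(2)
    flags = []
    if kex == "RSA":
        flags.append("no forward secrecy (static RSA key transport)")
    if not any(aead in name for aead in ("GCM", "CHACHA20", "CCM")):
        flags.append("non-AEAD CBC suite" + (" with HMAC-SHA1" if name.endswith("-SHA") else ""))
    if {kex, auth} & QUANTUM_VULNERABLE:
        flags.append("quantum-vulnerable public key; post-quantum migration candidate")
    return {"name": name, "kex": kex, "auth": auth, "flags": flags}


def build_cbom(conf: str, location: str) -> dict:
    """Minimal CycloneDX 1.6 CBOM: one protocol asset per enabled TLS version.

    The names under 'properties' are this example's own convention (assumption)."""
    parsed = parse_nginx_tls(conf)
    suites = [classify_suite(c) for c in parsed["ciphers"]]
    components = []
    for proto in parsed["protocols"]:
        flags = ["deprecated protocol (RFC 8996)"] if proto in DEPRECATED_PROTOCOLS else []
        # ssl_ciphers only governs TLS <= 1.2; TLS 1.3 suites are fixed by the TLS library.
        proto_suites = suites if proto != "TLSv1.3" else []
        for s in proto_suites:
            flags += [f"{s['name']}: {f}" for f in s["flags"]]
        components.append({
            "type": "cryptographic-asset",
            "name": proto,
            "bom-ref": f"protocol/{proto}@{location}",
            "cryptoProperties": {
                "assetType": "protocol",
                "protocolProperties": {
                    "type": "tls",
                    "version": {"TLSv1": "1.0"}.get(proto, proto.removeprefix("TLSv")),
                    "cipherSuites": [{"name": s["name"]} for s in proto_suites],
                },
            },
            "evidence": {"occurrences": [{"location": location}]},
            "properties": [
                {"name": "pci-dss:requirement", "value": "12.3.3"},
                {"name": "review:flags", "value": "; ".join(flags)},
            ],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": components}


def live_cipher_item(host: str, cipher: tuple) -> dict:
    """Turn ssl.SSLSocket.cipher()'s (name, protocol, bits) into an inventory row."""
    name, proto, bits = cipher
    return {"host": host, "protocol": proto, "bits": bits, **classify_suite(name)}


def probe_host(host: str, port: int = 443) -> dict:
    """Live half (needs network): record the one suite a default client negotiates."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return live_cipher_item(host, tls.cipher())


if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE_NGINX_CONF, "etc/nginx/sites/site.conf"), indent=2))
```

Two caveats worth keeping in mind when reading the output. A single `probe_host` handshake records only the suite the client's default preference list wins with; a full live inventory has to offer each protocol version and each suite in turn and record what the server accepts. And the TLS 1.3 component deliberately carries no suites from `ssl_ciphers`, because that directive does not apply to 1.3; a real scanner reads the library's 1.3 suite list (or the `ssl_conf_command` override) separately.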
12.3.3 inventory item
“kms.us-east-1.amazonaws.com negotiates classical X25519 over TLS 1.3 — documented, dated, and flagged for review.”
cipherm-tls live check

Mapped to the standard
“Each finding carries its PCI DSS 12.3.3 reference plus NIST/CNSA mapping — the artifact a QSA signs off.”
CycloneDX 1.6 CBOM

Future-proof
“P(CRQC by 2035) ≈ 0.55 — anchored on the Global Risk Institute Quantum Threat Timeline, Mosca 2024 update.”
docs/threat-clock.json
Our Rapid Assessment is a fixed two-week sprint: we scan your source and config, review your TLS, certificate, and key posture by hand, and hand you a CycloneDX CBOM plus an audit-ready pack mapped to PCI DSS 12.3.3 — the documented inventory your QSA asks for.
Fixed price, from $3,500 · 2-week sprint
Fixed scope · source & config scan + human review
Generate a CycloneDX 1.6 CBOM from your code, configs, and live TLS — the documented cryptographic inventory 12.3.3 requires — and hand it to your assessor. Already future-proofed for the post-quantum migration.