CipherM Learn

CBOM as QSA evidence

A cryptographic bill of materials turns "trust us, we documented it" into a machine-readable artifact a QSA can read, diff, and verify. Here is what a CycloneDX CBOM is and why it is the evidence that holds up in an audit.

What a CBOM is

A CBOM — cryptographic bill of materials — is a structured inventory of the cryptography in a system: the algorithms, protocols, cipher suites, keys, and certificates, plus where each one is used and how the pieces depend on one another. It is the cryptography-specific sibling of the software bill of materials (SBOM) that supply-chain teams already produce.

The widely adopted format is CycloneDX, an OWASP-stewarded standard. CycloneDX added first-class cryptographic-asset support (the crypto-assets component type) so a CBOM can describe an algorithm or protocol as a real, referenceable object — not a free-text note in a document.

Why a QSA accepts it

PCI DSS 12.3.3 asks for a documented, maintained inventory. A QSA's job is to verify that the inventory is real, complete, and current. A CycloneDX CBOM is the artifact that lets them do that, because it is:

  • Machine-readable. A standard JSON/XML schema, not a bespoke spreadsheet an assessor has to interpret. Tools can validate and parse it.
  • Diffable. Because it is structured, you can compare this year's CBOM to last year's and show exactly what changed — direct evidence that the annual review actually happened.
  • Located. Each crypto asset carries an evidence reference back to the file, config, or endpoint it came from, so claims are traceable rather than asserted.
  • Vendor-neutral. An open standard outlives any one tool. A QSA does not have to trust a proprietary report format, and you are not locked in.

In short: a CBOM converts an inventory from a narrative you have to defend into data an assessor can independently check.

CBOM versus a spreadsheet

The default 12.3.3 inventory is a hand-maintained spreadsheet. It is exactly what assessors increasingly distrust, because it has no link to production, no change history, and no way to prove it is current. A CBOM fixes each of those gaps:

Hand-built spreadsheet                  | CycloneDX CBOM
Rebuilt manually before each audit      | Re-generated from the live environment
No proof it matches production          | Each entry traced to a file or endpoint
No reliable change history              | Diffable year over year
Format unique to your team              | Open, parseable, tool-validated

How CipherM produces it

CipherM scans your source code, configuration, and live TLS, then emits a CycloneDX 1.6 CBOM with every cipher suite and protocol mapped to its 12.3.3 reference and a deprecation note. That single artifact is the documented inventory the requirement asks for — and the evidence pack your assessor signs off.

Building the inventory in the first place is covered in how to build a PCI cipher suite inventory. To see what early-TLS findings look like in a CBOM, read TLS 1.0 and PCI in 2025.

See your own CBOM

Run the free scan to check your live TLS posture, or book a Rapid Assessment for the full CycloneDX CBOM and a hand-reviewed, QSA-ready 12.3.3 evidence pack.