Key insight

Cryptography hides in six places: your code, your certificates/keys, live network protocols, data at rest, bought products, and the supply chain/firmware. You hunt it with code scanning, certificate inventories, passive network monitoring, cloud-config queries, and vendor questionnaires. The output is a Cryptographic Bill of Materials (CBOM) — a living ingredient label for crypto that anchors every later decision.

In one sentence

The CBOM is the single most valuable artefact of the whole assessment — without it you’re flying blind into the migration.

Where cryptography hides

Six places cryptography hides Source code, certificates and keys, network protocols, data at rest, bought products, and supply chain/firmware. 1 · Source code & appshard-coded, old libraries 2 · Certificates & keysTLS, code-signing, PKI 3 · Network protocolsTLS/VPN/SSH negotiated 4 · Data at restdatabases, backups, files 5 · Bought productsvendor's choice — ask 6 · Supply chainfirmware, chips → all recorded in the CBOM
Six hiding places feed one living inventory.

Discovery techniques

TechniqueFinds
Source-code & dependency scanningHard-coded algorithms, vulnerable crypto libraries
Certificate & key inventoryPKI estate: TLS certs, code-signing keys, expiry, algorithms
Passive network monitoringWhat TLS/VPN/SSH actually negotiate in production
Cloud-configuration queriesKey Vault/KMS keys, TLS policies, managed-service crypto
Vendor questionnairesBought products’ PQC roadmaps and current algorithms

No single technique is complete — you triangulate. What’s documented often differs from what’s negotiated live, so passive monitoring is invaluable ground truth.

When a vendor won’t say: if a supplier can’t (or won’t) disclose their algorithms and PQC roadmap, don’t leave a blank — record it as an unknown in the CBOM and raise it as a risk-register item. Ask for their answer in writing (ideally their own CBOM or a CycloneDX export), and treat contract renewal as your leverage point: make a PQC-roadmap commitment a procurement requirement. An undisclosed dependency is a risk you own, not one you can wish away.

The CBOM: what to record

A Cryptographic Bill of Materials (CBOM) is like a food ingredient label, but for cryptography. For every place crypto is used, record:

FieldWhy it matters
Algorithm & key sizeIs it quantum-vulnerable (RSA/ECC) or safe (AES-256)?
PurposeKey exchange, signature, data-at-rest — drives which fix
System & ownerWho must act
Data sensitivityFeeds classification
Data shelf lifeThe X in Mosca’s X+Y>Z — urgency
Dependency / sourceOwn code vs vendor vs firmware
Migration statusNot started / hybrid / done

There’s an emerging standard: CycloneDX extends the software-bill-of-materials (SBOM) format with a CBOM schema, so tools can generate and exchange these automatically.

Why it must be living

Systems change constantly — certificates rotate, apps ship, vendors update. A CBOM filed away is stale within weeks. Treat it as a living inventory, generated automatically wherever possible and refreshed on every deploy. This is where crypto-agility and CBOM reinforce each other: an agile system is easier to inventory and easier to change.

“Automated wherever possible” splits by where the crypto lives. Your own code and cloud services can be scanned in CI on every build (dependency scanners and CycloneDX generators emit CBOM fragments automatically). Certificates and live protocols refresh from your certificate inventory and passive monitoring on a schedule. But firmware, vendor products, and embedded devices rarely self-report — those entries are captured manually from questionnaires and re-attested periodically (say, quarterly or at each contract review). The practical shape is: auto-generate what you can, flag the rest as manually-maintained, and record a last-verified date on every entry so stale rows are visible rather than silently trusted.

Common pitfalls

What to do about the un-updatable: devices that can’t take a PQC firmware update don’t get scoped out of the CBOM — that just hides the risk. List them explicitly in a “hard-to-migrate” segment of the inventory, open the vendor conversation early (their lead time is your critical path), and for each one decide a path: compensating controls (network isolation, shorter-lived data), planned early retirement, or accepted long-term debt with a review date. The goal is a named, owned decision, not an omission.
Cryptographic discovery
The hunt to find every place cryptography is used.
CBOM
Cryptographic Bill of Materials — a living inventory of cryptographic usage.
SBOM
Software Bill of Materials — the component inventory the CBOM extends.
CycloneDX
An open BOM standard with a schema for expressing CBOM data.
Data shelf life
How long protected data must stay secret — the urgency driver.
TLS / VPN / SSH
The network protocols to inventory: TLS (Transport Layer Security), VPN (Virtual Private Network) and SSH (Secure Shell) — each negotiates cryptography live on the wire.
PKI (Public-Key Infrastructure)
The certificate-and-key estate — TLS certs, code-signing keys and their algorithms and expiry.
RSA / ECC / AES
Algorithms you flag in the CBOM: RSA (Rivest–Shamir–Adleman) and ECC (Elliptic-Curve Cryptography) are quantum-vulnerable; AES (Advanced Encryption Standard, e.g. AES-256) stays safe.
KMS (Key Management Service)
A cloud key store (e.g. Azure Key Vault, AWS KMS) whose keys and TLS policies you query during discovery.
PQC (Post-Quantum Cryptography)
The quantum-resistant algorithms a vendor’s roadmap should commit to.
IoT (Internet of Things)
Embedded devices that often can’t be updated easily — flag them explicitly rather than scoping them out.

What to carry forward

Next: Crypto-Agility → — building systems that can swap algorithms without a rebuild.

Understand it in your own words

Paste into any AI assistant to check yourself:

I'm learning cryptographic discovery and the CBOM. Quiz me one question at
a time, correcting me gently:

1. Name the six places cryptography hides, with one example each.
2. Why is passive network monitoring valuable when I already have docs?
3. What fields should a CBOM record, and which one captures urgency?
4. What is CycloneDX and how does the CBOM relate to an SBOM?
5. Why must the CBOM be a living document rather than a one-time snapshot?

References & further reading

  1. CISA, NSA & NIST, Quantum-Readiness: Migration to PQC — inventory guidance. cisa.gov/quantum
  2. OWASP CycloneDX, Cryptography Bill of Materials (CBOM). cyclonedx.org/capabilities/cbom
  3. NIST NCCoE, Migration to Post-Quantum Cryptography — discovery tools. nccoe.nist.gov
  4. NIST, SP 1800-38: Migration to Post-Quantum Cryptography (practice guide). csrc.nist.gov/pubs/sp/1800/38