Most institutions already understand a Software Bill of Materials — the SBOM that lists the components and libraries inside an application. The Cryptographic Bill of Materials (CBOM) does the same job for one specific, security-critical layer: it inventories every place cryptography is used, what algorithm is used there, what protects what, and how it all connects.
The DST report makes the CBOM the spine of the national programme. From FY 2026–27, organisations are to begin requesting CBOMs from vendors; from FY 2027–28 CBOM submission becomes a procurement mandate. Every later step — risk analysis, prioritisation, migration tracking, vendor governance — consumes the CBOM as input.
Why a list is not enough
A naive CBOM is a spreadsheet: "these systems use RSA-2048, those use ECDH-P256." That is necessary but nowhere near sufficient, because it cannot answer the only question a migration programme actually needs answered: if this algorithm falls, what is the blast radius?
Answering that requires a dependency graph — a typed map of relationships. An application uses a certificate; a certificate signs with an algorithm; an algorithm protects a class of data. Only with those edges in place can you trace from a single weak algorithm to the regulated data it ultimately exposes, and to the internet-facing application that makes it reachable. The diagram above shows the shape: the value is in the lines, not the boxes.
A flat CBOM tells you what you own. A graph CBOM tells you what you'll lose, and in what order to fix it.
The CycloneDX 1.6 standard
India's framework does not invent a proprietary format. The recognised standard is CycloneDX 1.6, which extends the SBOM specification with native cryptographic-asset modelling — algorithms, certificates, protocols, keys, and their relationships. Anchoring to CycloneDX matters for two reasons: it keeps Indian CBOMs interoperable with global tooling and supply chains, and it gives regulators a machine-readable artefact they can ingest, compare and audit at scale rather than reading PDFs.
What a credible BFSI CBOM must capture
- Every cryptographic asset across network (TLS), application (JWTs, API auth), data-at-rest (database and field encryption), key management (KMS, HSM root keys) and signing (transactions, firmware, certificates).
- A quantum-risk classification per asset, distinguishing quantum-vulnerable public-key crypto from quantum-weakened symmetric/hash usage that needs strengthening.
- The typed dependency graph linking applications → certificates → algorithms → data classes.
- HNDL exposure flags marking which paths are internet-facing and therefore harvestable today.
- Data-class mapping so a finding reads "RSA protecting KYC records," not just "RSA."
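The following is an added illustration, not code from this page, from KavachQ, or from any CycloneDX reference implementation, of the graph query described under "Why a list is not enough" together with the quantum-risk tiering, HNDL flags and data-class mapping listed above: a constructed CycloneDX-1.6-style CBOM fragment and a blast-radius query over it. The component and cryptoProperties field names follow my reading of the 1.6 schema; the "exposure" property, the use of dependsOn for "protects" edges, and every bom-ref and value are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed CycloneDX-1.6-style CBOM fragment: field names follow my reading of the 1.6
# crypto-asset schema, values are invented, and "dependsOn" is reused here for "protects" edges.
CBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"type": "application", "bom-ref": "app:netbanking",
     "properties": [{"name": "exposure", "value": "internet-facing"}]},
    {"type": "application", "bom-ref": "app:ledger"},  # no exposure property: internal only
    {"type": "cryptographic-asset", "bom-ref": "crypto:cert:netbanking-tls", "cryptoProperties": {
        "assetType": "certificate", "certificateProperties": {"signatureAlgorithmRef": "crypto:alg:rsa-2048"}}},
    {"type": "cryptographic-asset", "bom-ref": "crypto:alg:rsa-2048", "name": "RSA-2048", "cryptoProperties": {
        "assetType": "algorithm", "algorithmProperties": {"primitive": "signature", "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "bom-ref": "crypto:alg:aes-256-gcm", "name": "AES-256-GCM", "cryptoProperties": {
        "assetType": "algorithm", "algorithmProperties": {"primitive": "ae", "nistQuantumSecurityLevel": 5}}},
    {"type": "data", "bom-ref": "data:kyc"},
    {"type": "data", "bom-ref": "data:ledger"},
], "dependencies": [  # typed edges: application -> certificate -> algorithm -> data class
    {"ref": "app:netbanking", "dependsOn": ["crypto:cert:netbanking-tls"]},
    {"ref": "crypto:cert:netbanking-tls", "dependsOn": ["crypto:alg:rsa-2048"]},
    {"ref": "crypto:alg:rsa-2048", "dependsOn": ["data:kyc"]},
    {"ref": "app:ledger", "dependsOn": ["crypto:alg:aes-256-gcm"]},
    {"ref": "crypto:alg:aes-256-gcm", "dependsOn": ["data:ledger"]},
]}

def reachable(start, edges):
    """Nodes reachable from start, breadth-first; start itself is excluded."""
    seen, queue = set(), deque([start])
    while queue:
        new = [n for n in edges[queue.popleft()] if n not in seen]
        seen.update(new)
        queue.extend(new)
    return seen

def quantum_vulnerable(bom):
    """Algorithms at NIST quantum security level 0: public-key crypto that Shor breaks outright."""
    return [c["bom-ref"] for c in bom["components"] if c.get("cryptoProperties", {})
            .get("algorithmProperties", {}).get("nistQuantumSecurityLevel") == 0]

def blast_radius(bom, algo_ref):
    """If algo_ref falls: applications that reach it, data classes it protects, HNDL exposure."""
    comps = {c["bom-ref"]: c for c in bom["components"]}
    fwd, rev = defaultdict(list), defaultdict(list)  # forward = uses/protects, reverse = used-by
    for dep in bom["dependencies"]:
        for target in dep["dependsOn"]:
            fwd[dep["ref"]].append(target)
            rev[target].append(dep["ref"])
    apps = sorted(r for r in reachable(algo_ref, rev) if comps[r]["type"] == "application")
    data = sorted(r for r in reachable(algo_ref, fwd) if comps[r]["type"] == "data")
    hndl = any(p["value"] == "internet-facing" for a in apps for p in comps[a].get("properties", []))
    return {"algorithm": comps[algo_ref]["name"], "applications": apps, "data_classes": data, "hndl_exposed": hndl}
```

Running `blast_radius(CBOM, "crypto:alg:rsa-2048")` yields the finding the list above asks for: RSA-2048 protecting the KYC data class, reachable through an internet-facing application, so flagged as HNDL-exposed; the same query on AES-256-GCM reaches only the internal ledger and is not flagged.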
The discovery problem underneath it
A CBOM is only as honest as the discovery that feeds it. Cryptography hides in TLS configurations, in dependency trees three libraries deep, in legacy systems no one has audited in years, in hardware modules and in certificates issued by teams that have since reorganised. A CBOM assembled from architecture diagrams and tribal knowledge will be confidently incomplete — and an incomplete CBOM is worse than none, because it manufactures false assurance. (We take discovery up directly in N° 05.)
Why banks should start before the mandate bites
FY 2027–28 sounds distant, but two forces pull the work forward. First, the report tells organisations to begin requesting CBOMs from vendors in FY 2026–27 — which means banks must understand their own estate well enough to know what to ask for. Second, building a first CBOM surfaces exactly the legacy and supply-chain gaps that take longest to close. The institutions that treat CBOM as a 2027 box-tick will discover their hardest problems in the year they have the least time to solve them.
KavachQ generates a CycloneDX 1.6 CBOM with a typed cryptographic dependency graph — application → certificate → algorithm → data class — rather than a flat asset list, with HNDL exposure flagged per path and each asset mapped to its quantum-risk tier and the data it protects. That graph structure is precisely what turns an inventory into the risk model the report's later milestones depend on. → A representative CBOM can be produced against a single bank system as a starting artefact.