THE DEFINITIVE CBOM OPERATING MODEL
- Brian Couzens
- Jun 19
- 8 min read
From "Dark Matter" Liability to Defensible Fiduciary Asset
1. Executive Summary: The Fiduciary Imperative
In a $100T digital economy, cryptography is the invisible keel holding the ship of state and commerce upright. It secures identity, privacy, and value transfer. Yet 95% of enterprises operate with near-zero visibility into where this cryptography lives, how it behaves, or whether it remains fit for purpose (NIST).
This hidden exposure has evolved into Cryptographic Dark Matter: an invisible, unmeasured, and compounding operational risk—exposed in breaches like SolarWinds (supply chain) and Log4Shell (runtime drift).
Regulators (NIST, CISA, DORA), insurers, and global financial institutions have now recognised that cryptographic opacity is not a technical inconvenience—it is a fiduciary failure. In response, the industry has converged on a new governance instrument: the Cryptographic Bill of Materials (CBOM).
A CBOM is not a technical inventory. It is a Fiduciary Control System. It empowers Boards and Risk Committees to answer three existential questions with empirical precision:
Exposure: Where is our weak, obsolete, or non-compliant cryptography hiding?
Agility: What is our "Mean Time to Remediation" (MTTR) for a systemic failure?
Compliance: Are we mathematically ready for the post-Quantum era?
The Mathematical Driver: Mosca’s Inequality The urgency of this Operating Model is defined by a simple, ruthless inequality:
Article content
X (Migration Time): The years required to discover, inventory, and replace critical cryptography.
Y (Data Shelf Life): The number of years data must remain confidential (e.g., 7 years for tax, 25+ for health/national security).
Z (Collapse Time): The years until a Cryptographically Relevant Quantum Computer (CRQC) breaks today’s encryption standard.
The Reality: If (X+Y)>Z, the organisation has already failed. Data intercepted today is liable to "Harvest Now, Decrypt Later" attacks. The CBOM Operating Model is the only industrial mechanism capable of compressing X (Migration Time) to ensure survival.
2. The Operational Reality: "The Dirty Dozen" Secrets
Traditional scanning tools fail because they search for libraries, not usage. They operate on the dangerous assumption that cryptography is static, visible, and documented. The empirical reality of a modern, hybrid estate is the opposite—scans miss 70% of runtime crypto.
These 12 Secrets explain why most legacy inventories are effectively hallucinations:
Vendor Boundaries are where your CBOM dies. Most suppliers treat embedded crypto as a trade secret. If you cannot see their firmware signing chains, key-handling processes, or upstream dependencies, you hit a "Trust Wall." If you can't see their crypto, you can't validate your own.
Cloud HSMs hide the parts that matter. Cloud providers give you APIs, not truth. You rarely see the firmware provenance, entropy validation, cluster failover behavior, or key-usage telemetry of the HSM backing your keys. A CBOM without HSM internals is a CBOM without a trust anchor.
On-prem HSMs drift silently. Without constant measurement, on-prem estates cannot produce firmware attestation logs, operator access histories, or evidence of dual-control. "Secure hardware" inevitably drifts into insecurity.
Off-prem services mutate your crypto without telling you. CDNs, API gateways, and identity brokers routinely terminate TLS, rewrap keys, regenerate certs, and downgrade cipher suites. Your CBOM must account for every off-prem mutation.
Hybrid estates break integrity by default. A single transaction spans cloud workloads, on-prem workloads, off-prem services, legacy appliances, and shadow IT. Each has a different trust anchor. A single CBOM must span all of it—or it is incomplete.
Agility creates crypto drift faster than you can document it. Containers and serverless functions spin up and down in seconds. Crypto objects appear, mutate, and disappear faster than governance can track. If your CBOM is a static document, it is obsolete the moment it is printed.
Data-in-motion is negotiated, not configured. Your config file might say "TLS 1.3," but a middlebox might force a downgrade to TLS 1.2 on the wire. Only runtime telemetry reveals the truth of negotiation outcomes and middlebox interference.
Data-at-rest encryption is meaningless without custody. "AES-256" tells you nothing. What matters is who holds the Key Encryption Key (KEK), where it lives, how it rotates, and whether the HSM boundary is shared-tenant. Encryption without lifecycle governance is theatre.
Data-in-use is the blind spot. Secrets live unencrypted in memory, buffers, and enclaves. If you ignore the execution environment (e.g., RAM vs. Trusted Enclave), you miss the point of vulnerability.
Orchestration layers mutate crypto behind your back. CI/CD pipelines and Service Meshes routinely regenerate keys and rotate secrets without governance oversight. Automation without cryptographic awareness destroys CBOM integrity.
Monitoring is the only thing that keeps a CBOM alive. Static inventories rot. Real governance requires active drift detection to alert when a compliant system regresses (e.g., signature-path deviations or entropy collapse).
A 100% CBOM is impossible. Shadow IT, legacy fragmentation, and multi-cloud complexity guarantee you will never see everything. The goal is not perfection; it is governable visibility and continuous correction.
3. The Discovery Architecture: Triangulation
To overcome the "Dirty Dozen," we reject single-source scanning. The Operating Model mandates a Triangulated Discovery Architecture—synthesizing three independent sources of truth into a single, defensible reality.
Layer 1: Source Code ("The Intent")
Scope: Repositories, Build Pipelines, Libraries (Open Source & Proprietary).
Mechanism: Static Analysis (SAST) and specialized scanners (e.g., IBM CBOMkit).
Discovery: Scans for declared libraries (import javax.crypto, OpenSSL), hardcoded seeds, and entropy strings.
The Nuance: Distinguishes between what a library provides (e.g., AES-GCM) and what the application actually uses.
Strategic Value: Captures developer intent and "Technical Debt" before it reaches production.
Article content
Layer 2: Infrastructure Configuration ("The Deployment")
Scope: Hardware Security Modules (HSMs), Cloud KMS, Kubernetes Secrets, Terraform.
Mechanism: Control Plane Scanning and Certificate Lifecycle Management (CLM) platforms.
Discovery: Validates Key Encryption Key (KEK) ownership, HSM partitioning, and certificate store content.
The "Certificate" Subset: This layer includes the "Certificate BOM" (PKI, Expiry, CA Trust Chains) but integrates it into the broader cryptographic context.
Strategic Value: Validates Data-at-Rest custody and certificate expiry status.
Layer 3: Runtime Telemetry ("The Reality")
Scope: Network Interfaces, Endpoints, Load Balancers, API Gateways.
Mechanism: Dynamic analysis using eBPF (Extended Berkeley Packet Filter) or network probes.
Discovery: Observes actual TLS handshakes on the wire, cipher suite negotiation, and ephemeral key exchanges.
Strategic Value: Validates Data-in-Motion. It exposes the "Lie of Configuration"—where a secure server is downgraded by legacy infrastructure.
4. The Data Standard: OWASP CycloneDX v1.6
A CBOM is not a spreadsheet; it is a structured, machine-readable graph. The Operating Model standardizes on OWASP CycloneDX v1.6+.
Article content
Key Governance Fields
The standard enforces specific fields that transform raw data into governance intelligence:
nistQuantumSecurityLevel: An integer (0-5) defining if an asset is Quantum-Safe. This is the primary metric for PQC readiness.
executionEnvironment: Defines where the crypto runs (e.g., software-plain-ram vs. hardware-hsm).
BOM-Link: A mechanism to reference external vendor attestations without needing to ingest their raw proprietary data, explicitly solving Secret #1 (Vendor Boundaries).
5. Strategic Applications: PQC & VEX
The CBOM transforms raw inventory data into strategic intelligence for the Board.
A. The PQC Migration Engine
The CBOM acts as the roadmap for the Post-Quantum transition.
The Query: Organisations can query their entire estate: "Show me every asset where nistQuantumSecurityLevel is 0 (Classical/Vulnerable)."
The Action: This turns an existential threat into a prioritized worklist, focusing remediation on High Value Assets (HVAs) first.
B. VEX Integration (Vulnerability Exploitability eXchange)
CBOMs reduce "Alert Fatigue" by validating usage, not just presence.
The Scenario: A vulnerability is announced in the OpenSSL RSA implementation.
The CBOM Defence: "We have OpenSSL, but our CBOM confirms we only use ECDSA keys. We are NOT affected."
Result: Precise, evidence-based non-impact statements
6. Governance & Operations: The RAIDS Log
Technology without governance is chaos. The Operating Model mandates the establishment of a RAIDS Log (Risks, Assumptions, Issues, Dependencies, Safeguards) prior to deployment.
Assumption: We assume vendor APIs return truthful HSM data.
Safeguard: We mandate vendors provide a PQC roadmap. If they cannot provide a date for PQC support, the risk is formally logged as a Supply Chain Dependency.
Risk: Legacy IoT devices with hardcoded crypto that cannot be patched.
Safeguard: A physical replacement plan is logged, budgeted, and tracked as a critical path dependency.
7. The Execution Engine: The Toxic Asset Register
The pilot phase must output a Toxic Asset Register—a prioritised, risk-ranked list of immediate remediation targets. This is the first actionable output of the program.
Category A (Critical): Hardcoded Seeds, Secrets, or API Keys (Immediate Revocation).
Category B (High): Deprecated Algorithms (MD5, SHA-1, RC4, RSA-1024).
Category C (Medium): Approaching Expiry (Certificates < 30 days).
Category D (Strategic): Hardcoded IoT/Legacy: Devices with baked-in algorithms that cannot be patched. These require physical replacement (e.g., legacy smart meters or industrial controllers).
Article content
8. The Governance Spine (The Assurance Chain)
This is the structural layer that transforms the CBOM from a technical artifact into a fiduciary control system.
8.1 The Accountability Model (RACI)
Accountable (The "Neck on the Line"): Chief Risk Officer (CRO). Owns the Fiduciary Risk of cryptographic failure.
Responsible (The Execution): CISO / Head of Cryptography. Owns the CBOM Operating Model, toolchain, and accuracy of the data.
Consulted: Application Owners. Must provide context on "Business Criticality" of assets found in the CBOM.
Informed: The Board/Audit Committee. Receives the quarterly "Toxic Asset Burn-Down" report.
8.2 The "Kill Chain" (Remediation Workflow)
Discovery is useless without action. The Operating Model enforces a standardized "Kill Chain":
Ingest & Triage: Data enters via CycloneDX v1.6. The Toxic Asset Register auto-classifies findings.
Contextualize: The finding is mapped to a Business Process (e.g., "This weak cert sits on the SWIFT payment gateway").
Remediate (The "Fix"):
Verify: The Drift Detection engine confirms the fix in Layer 3 (Runtime) telemetry.
Article content
8.3 Key Lifecycle Governance (NIST Alignment)
A CBOM entry is invalid without a State. We strictly adhere to NIST SP 800-57 key states:
Active: In use.
Suspended: Temporarily disabled.
Compromised: The "Kill Switch." If a key is marked Compromised in the CBOM, the governance engine must automatically trigger revocation for all dependent artifacts.
9. The Benchmarking Framework: The Maturity Model
This allows the Board to measure progress against industry peers.
Article content
10. Conclusion: The Board Assurance Statement
The CBOM Operating Model is not a "security project." It is a Strategic Balance Sheet Restructuring.
It moves the organisation from a position of Unquantifiable Liability (Dark Matter) to Defensible Asset Management. By implementing this model, the organization does not just "fix crypto"—it establishes the governance rails required to survive the Post-Quantum transition.
The output is not a list. The output is Trust.
About the Author
Brian Couzens is the Founder and CEO of SITG-Consulting and a globally recognized authority on cryptographic governance, Post-Quantum Risk, and enterprise-scale transformation. He operates at the critical intersection of forensic security, regulatory compliance, and fiduciary accountability—helping boards and executive leadership replace "Cryptographic Dark Matter" with measurable, defensible visibility.
Widely regarded as the architect of modern cryptographic governance, Brian is the creator of the CBOM Operating Model and the Quantum-Cryptographic Stress Ledger (QCSL). These first-to-market methodologies have rapidly evolved into reference standards for regulators, Global System Integrators (GSIs), and multinational enterprises preparing for the Post-Quantum era. His work is defined by forensic clarity, empirical grounding, and a relentless focus on operational truth.
Through SITG-Consulting, Brian serves as the Delivery Authority for end-to-end discovery, governance transformation, and PQC readiness programs. He advises national-scale institutions and partners with major cloud providers and technology vendors to embed cryptographic governance into large-scale transformation initiatives—ensuring cryptography becomes a managed fiduciary asset rather than an inherited liability.
Brian continues to shape the global conversation on supply-chain integrity and quantum resilience. His mission is singular: to ensure enterprises move beyond "hoping they are secure" to proving they are compliant—building quantum-resilient trust fabrics capable of withstanding the next decade of regulatory, technological, and adversarial pressure.
Copyright Notice
© 2025 SITG‑Consulting. This work may be shared, quoted, and used for non‑commercial or commercial purposes provided clear attribution is given to SITG‑Consulting as the original author. No modifications may be represented as the original work. All derivative uses must retain this attribution notice.
#CBOM #CryptographicGovernance #PostQuantum #PQC #DigitalTrust #OperationalResilience #SupplyChainSecurity #SITGConsulting
See content credentials
Article content


Comments