BOM Suite | June 7, 2026 | 6 min read

What Is a QBOM? The Quantum Bill of Materials, Explained

What a Quantum Bill of Materials is, how it differs from a CBOM, and why it's the inventory behind every post-quantum migration plan.

O3 Security Team
Research & Engineering
Key takeaways
  • A QBOM is a cryptographic inventory seen through a quantum-risk lens — which of your algorithms break when a quantum computer arrives, and what data is exposed.
  • It overlaps heavily with a CBOM. The cleanest way to think of it: a QBOM is a CBOM enriched with quantum-vulnerability and data-lifespan classification.
  • QBOM is an emerging term, not a settled standard — there is no CycloneDX or SPDX 'QBOM' format. In practice you build it on a CycloneDX CBOM.
  • India's CERT-In is the main body to formalize QBOM, in its July 2025 BOM guidelines (voluntary) alongside SBOM, CBOM, AIBOM, and HBOM.
  • The driver is hard dates: NIST deprecates RSA and elliptic-curve crypto after 2030 and disallows them after 2035.

Somewhere in your stack, RSA-2048 is protecting something — a TLS session, a signing key, a VPN tunnel. When a large enough quantum computer arrives, that protection breaks. Simple question: across your whole environment, which systems are sitting on cryptography that won't survive the quantum era, and which of them guard data that still needs to be secret in 2035? A Quantum Bill of Materials is how you answer that.

A QBOM (Quantum Bill of Materials) is an inventory of your cryptographic assets, viewed through a quantum-risk lens. It lists the algorithms, keys, certificates, and protocols you use — and flags which ones are vulnerable to a future quantum attack and which data they protect. Where a normal cryptographic inventory asks "what crypto do we use?", a QBOM adds the question that matters for planning: "and what happens to it when quantum breaks the math?"

Let's be honest about what a QBOM is — and isn't

QBOM is an emerging term, and you deserve a straight answer rather than hype. Unlike the SBOM or the CBOM, there is no CycloneDX or SPDX "QBOM" specification. No standards body has published a dedicated QBOM format. The organization that has done the most to formalize it is India's CERT-In, which named QBOM in its July 2025 Bill of Materials guidelines — and those guidelines are voluntary.

So in practice, a QBOM is not a new file format you generate with a new tool. It's a lens. You build it on the cryptographic inventory you already produce — a CycloneDX CBOM — and enrich it with quantum-risk and data-lifespan classification. The value is in the analysis, not in a new standard.

Note

If a vendor sells you a "QBOM standard," be skeptical. There isn't one yet. What there is: a CBOM you can build today (CycloneDX, ECMA-424), and the quantum-risk classification that turns it into a migration plan.

QBOM vs CBOM: the distinction that actually matters

These two get used interchangeably, and that's understandable — they look at the same assets. A CBOM (Cryptographic Bill of Materials) is the complete inventory: every algorithm, key, certificate, protocol, and crypto library across your systems. It's comprehensive and threat-neutral — it documents what you use, full stop.

A QBOM takes that same inventory and grades it for one specific threat: quantum. It answers which assets are quantum-vulnerable (RSA, elliptic-curve, Diffie-Hellman), which are already quantum-safe, and — crucially — how long the data each one protects needs to stay secret. That last part is what makes a QBOM a planning tool rather than a catalog.

|                     | CBOM                              | QBOM                                                    |
| ------------------- | --------------------------------- | ------------------------------------------------------- |
| Question it answers | What cryptography do we use?      | What breaks in the quantum era, and what's at risk?     |
| Scope               | All crypto assets, threat-neutral | The same assets, graded by quantum risk + data lifespan |
| Standard            | CycloneDX 1.6+ (ECMA-424)         | No formal format — built on a CBOM (CERT-In names it)   |
| Primary use         | Crypto-agility, full visibility   | Prioritizing the post-quantum migration                 |

CBOM and QBOM, side by side.
A CBOM tells you what cryptography you have. A QBOM tells you what to fix first — and how much time you've got.

What goes inside a QBOM?

Drawing on CERT-In's guidance and the practical writeups in the field, a QBOM brings together three layers. The first two are a cryptographic inventory; the third is what makes it a QBOM.

  1. The cryptographic inventory — algorithms in use, key lengths and configurations, certificates and their trust chains, and the protocols protecting data at rest and in transit. (This is your CBOM.)
  2. Quantum-vulnerability classification — for each asset, is it quantum-broken (RSA, ECDSA, ECDH, finite-field DH), quantum-weakened (symmetric ciphers needing larger keys), or quantum-safe (ML-KEM, ML-DSA)?
  3. Data sensitivity and lifespan — how long must the data each asset protects stay confidential? A key guarding data that's worthless next year is a different priority from one guarding a 20-year secret.

Map those three together and you get the thing a migration program actually needs: a ranked list of where to act, not just a flat catalog of cryptography.

Why a QBOM now: the deadlines and 'harvest now, decrypt later'

The urgency isn't abstract — the dates are on the calendar. In NIST IR 8547, the roadmap for post-quantum cryptography, NIST set retirement dates for the public-key algorithms that protect almost all software today.

| Algorithm family     | After 2030 | After 2035 |
| -------------------- | ---------- | ---------- |
| RSA (all key sizes)  | Deprecated | Disallowed |
| ECDH / ECDSA         | Deprecated | Disallowed |
| Finite-field DH, DSA | Deprecated | Disallowed |

NIST IR 8547 transition timeline for quantum-vulnerable algorithms.

The NSA's CNSA 2.0 runs a parallel track for national security systems, expecting quantum-resistant algorithms in new acquisitions from 2027. But the deadline that should change your behavior today is quieter: "harvest now, decrypt later." An attacker can capture your encrypted traffic now and decrypt it the day a capable quantum computer exists. For any data with a long shelf life — health records, state secrets, signing keys — the clock already started.

This is exactly why a QBOM weighs data lifespan, not just algorithm strength. A weak algorithm protecting throwaway data can wait. A weak algorithm protecting a decade-long secret cannot — it's already being harvested.

Where QBOM fits in the BOM family

The Bill of Materials family has grown from one to several, and they nest neatly. Knowing how QBOM relates to its siblings keeps you from buying overlapping tools.

  • SBOM — the components your software is built from. The root of the family.
  • CBOM — the cryptography inside those components. Threat-neutral, CycloneDX-standardized.
  • QBOM — the CBOM graded for quantum risk and data lifespan. A lens, not a separate format.
  • AIBOM and HBOM — the AI models and hardware in your systems, for completeness.

India's CERT-In is notable for treating all five as one framework in its July 2025 guidelines — one of the first regulators to put QBOM, CBOM, and AIBOM in the same document. It's voluntary today, but it's a strong signal of where supply-chain transparency is heading.

How to build one

You don't start a QBOM from scratch — you start from cryptographic discovery and add the quantum lens.

  1. Generate a CBOM. Scan code, dependencies, containers, and infrastructure for every cryptographic asset. This is the inventory layer — and it's the same CycloneDX CBOM you'd build for crypto-agility.
  2. Classify by quantum risk. Tag each asset quantum-broken, quantum-weakened, or quantum-safe. NIST's quantum-security levels give you the grading scheme.
  3. Add data lifespan. For each asset, estimate how long its protected data must stay secret. This is the input most inventories skip — and the one that sets your real priority order.
  4. Rank and migrate. Move first on quantum-broken algorithms guarding long-lived, exposed data. Replace them with FIPS 203/204/205 equivalents, and keep the QBOM current as living evidence.

You can't prioritize a quantum migration you can't see. The QBOM is how you see it — and how you sequence it.
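The four steps above, and the three layers described earlier, as one worked example. This is an added Python script, not the page's or any vendor's tooling: it reads a constructed CycloneDX 1.6 CBOM fragment, grades each algorithm from the `primitive` and `nistQuantumSecurityLevel` fields CycloneDX 1.6 defines, joins a constructed data-lifespan map, and ranks the result with a harvest-now-decrypt-later flag. The bom-refs, lifespan values and the 2026/2035 horizon defaults are assumptions.

```python
import json
# Constructed CycloneDX 1.6 CBOM fragment (sample data, not real scanner output).
CBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.6",
 "components": [
  {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg:rsa-2048",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
    {"primitive": "pke", "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}}},
  {"type": "cryptographic-asset", "name": "AES-128-GCM", "bom-ref": "alg:aes-128-gcm",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
    {"primitive": "ae", "parameterSetIdentifier": "128", "nistQuantumSecurityLevel": 1}}},
  {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "alg:ml-kem-768",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
    {"primitive": "kem", "parameterSetIdentifier": "768", "nistQuantumSecurityLevel": 3}}}
 ]}"""
# Constructed lifespan layer (years the protected data must stay secret), keyed by bom-ref;
# a real QBOM gets this from data owners, since no scanner can supply it.
LIFESPAN_YEARS = {"alg:rsa-2048": 20, "alg:aes-128-gcm": 1, "alg:ml-kem-768": 20}

PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")            # FIPS 203 / 204 / 205
PUBLIC_KEY_PRIMITIVES = {"pke", "signature", "key-agree"}  # classical RSA/EC/DH live here
RISK_RANK = {"quantum-broken": 2, "quantum-weakened": 1, "quantum-safe": 0}

def classify(component):
    """Grade one cryptographic-asset as quantum-broken, quantum-weakened or quantum-safe."""
    props = component["cryptoProperties"]["algorithmProperties"]
    if component["name"].upper().startswith(PQC_PREFIXES):
        return "quantum-safe"
    level = props.get("nistQuantumSecurityLevel")
    if level is None:  # scanner gave no level: infer from primitive / symmetric key size
        if props["primitive"] in PUBLIC_KEY_PRIMITIVES:
            return "quantum-broken"
        level = 5 if int(props.get("parameterSetIdentifier", "0")) >= 256 else 1
    if level == 0:
        return "quantum-broken"  # Shor: no quantum security at all
    return "quantum-weakened" if level < 3 else "quantum-safe"  # Grover halves 128-bit margins

def build_qbom(cbom, lifespans, current_year=2026, disallow_year=2035):
    """Join the CBOM with the lifespan layer; rank broken first, then longest-lived first."""
    rows = []
    for c in cbom["components"]:
        if c.get("type") != "cryptographic-asset" or c["cryptoProperties"]["assetType"] != "algorithm":
            continue
        risk, years = classify(c), lifespans.get(c["bom-ref"], 0)
        rows.append({"ref": c["bom-ref"], "name": c["name"], "risk": risk, "lifespan_years": years,
                     # harvest-now-decrypt-later: broken algorithm whose data outlives the disallow date
                     "hndl_exposed": risk == "quantum-broken" and current_year + years > disallow_year})
    return sorted(rows, key=lambda r: (RISK_RANK[r["risk"]], r["lifespan_years"]), reverse=True)

def sample_qbom():
    return build_qbom(json.loads(CBOM_JSON), LIFESPAN_YEARS)
```

Running `sample_qbom()` ranks RSA-2048 first (broken, 20-year data, HNDL-exposed), AES-128-GCM second (weakened), and ML-KEM-768 last (safe).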

The bottom line

A QBOM isn't a new standard to chase — it's the quantum-risk view of the cryptographic inventory you should be building anyway. Generate a CBOM, classify it by quantum vulnerability, weigh it by how long your data must stay secret, and you have the one thing every post-quantum migration plan needs: a ranked list of what to fix and when. The standards may still be settling, but the deadlines aren't. Build the inventory now, while there's still a decade to act on it.

Frequently asked questions

What is a QBOM (Quantum Bill of Materials)?

A QBOM is an inventory of an organization's cryptographic assets — algorithms, keys, certificates, and protocols — viewed through a quantum-risk lens. It flags which assets are vulnerable to a future quantum computer and how long the data they protect must stay secret, making it the foundation for prioritizing a post-quantum migration.

What is the difference between a QBOM and a CBOM?

A CBOM is a complete, threat-neutral inventory of all your cryptography. A QBOM takes that same inventory and grades it for one threat — quantum — classifying each asset as quantum-broken, weakened, or safe, and weighing it by data lifespan. In short, a QBOM is a CBOM enriched with quantum-risk classification.

Is there a QBOM standard or format?

Not a dedicated one. Unlike the SBOM and CBOM, there is no CycloneDX or SPDX 'QBOM' specification. In practice a QBOM is built on a CycloneDX CBOM plus quantum-risk analysis. India's CERT-In is the main body to formally name QBOM, in its July 2025 BOM guidelines, which are voluntary.

Why do I need a QBOM now?

Because the deadlines are fixed. NIST IR 8547 deprecates RSA and elliptic-curve cryptography after 2030 and disallows them after 2035, and NSA's CNSA 2.0 expects quantum-resistant algorithms in new national-security acquisitions from 2027. The 'harvest now, decrypt later' threat means long-lived data is already at risk today.

What does a QBOM contain?

Three layers: a cryptographic inventory (algorithms, key lengths, certificates, protocols for data at rest and in transit); a quantum-vulnerability classification of each asset (broken, weakened, or safe); and a data-sensitivity and lifespan rating. Together they produce a ranked migration priority rather than a flat catalog.

How do I build a QBOM?

Start by generating a CBOM through cryptographic discovery across code, dependencies, containers, and infrastructure. Then classify each asset by quantum risk using NIST's quantum-security levels, add how long its data must stay confidential, and rank the results. Migrate the highest-risk, longest-lived assets first to FIPS 203/204/205 algorithms.
