Join the GRF Business Resilience Council for a briefing with Dr. George Shea of The Foundation for Defense of Democracies.
As software and hardware supply chains grow more complex and interconnected, the inability to see inside the components that make up critical systems has become a defining national security vulnerability, one with a known and closing deadline.
NIST finalized its first post-quantum cryptography (PQC) standards in 2024, and the U.S. government has set expectations that federal systems complete the migration away from quantum-vulnerable algorithms well before a cryptographically relevant quantum computer (CRQC) is estimated to emerge, with most timelines placing that window between 2030 and 2035.
Cryptography Bills of Materials (CBOMs) are the prerequisite for meeting that deadline. An organization that cannot enumerate every instance of RSA, ECC, and other vulnerable algorithms across its systems, libraries, and dependencies cannot prioritize, sequence, or execute a migration at enterprise scale, and without a CBOM that inventory does not exist.
Software Bills of Materials (SBOMs) address the parallel challenge at the component level, providing the dependency visibility needed to identify where vulnerable cryptographic libraries are embedded several layers deep in a supply chain, precisely the exposure that is hardest to find and slowest to remediate.
Together, SBOMs and CBOMs represent the foundational transparency layer that makes the PQC transition tractable rather than chaotic, and federal procurement policy that fails to require both at machine-readable, continuously updated standards is not just lagging behind best practice, it is shortening the effective runway for one of the most consequential infrastructure modernization efforts in the history of U.S. national security.