What Is a QBOM (Quantum Bill of Materials)?
This is part of the Quantum Security Reference Deep Dive series. For the full landscape overview, see the capstone article on quantum security.
Introduction
QBOM stands for Quantum Bill of Materials. The term is used in at least two distinct ways across the industry, which creates confusion for security leaders trying to figure out what they actually need. This reference sorts out the terminology and points you to the inventory that matters for PQC migration.
The Terminology Problem
A Bill of Materials (BOM) is a structured inventory of components in a system. The concept originated in manufacturing and was adopted by cybersecurity through the Software Bill of Materials (SBOM), which catalogues software components and dependencies for supply chain transparency. As the quantum threat gained urgency, the BOM concept was extended into quantum and cryptographic contexts, but without consistent naming.
The result is two terms that overlap, diverge, and are frequently conflated.
QBOM (Quantum Bill of Materials) was formalized by India’s CERT-In in their July 2025 Technical Guidelines (Version 2.0) alongside SBOM, CBOM, AIBOM, and HBOM. In the CERT-In framework, a QBOM specifically inventories quantum computing components: quantum algorithms, quantum security protocols, quantum hardware elements, and quantum software dependencies within an organization’s systems. It is designed for organizations that are building, integrating, or consuming quantum computing technology and need to track those components for interoperability, compliance, and risk management.
CBOM (Cryptographic Bill of Materials) inventories cryptographic components: encryption algorithms, key management mechanisms, digital certificates, TLS configurations, hash functions, and their deployment across an organization’s infrastructure. IBM’s research team developed the CBOM concept as an extension of SBOM, and it has become the standard term for the cryptographic inventory that PQC migration requires.
In practice, many organizations and vendors use “QBOM” to mean what is more precisely called a CBOM: a cryptographic inventory viewed through the lens of quantum risk. When a CISO hears “you need a QBOM,” the speaker almost always means “you need to know where your quantum-vulnerable cryptography is deployed.” That is a CBOM.
Which One Do You Need?
For the vast majority of organizations preparing for PQC migration, the answer is a CBOM. You need to know where RSA, ECC, and Diffie-Hellman are deployed across your infrastructure, which systems depend on them, and what the migration priority should be based on HNDL (harvest now, decrypt later) and TNFL (trust now, forge later) exposure.
A QBOM in the CERT-In sense is relevant only if your organization is actively deploying quantum computing technology: running quantum processors, integrating quantum algorithms into workflows, or consuming quantum-as-a-service platforms. Most enterprises are not there yet. When they are, the QBOM will matter for securing quantum computers and managing quantum supply chain risk. For now, the cryptographic inventory is the priority.
I cover both inventories in my detailed analysis of Bills of Materials for Quantum Readiness: SBOM, CBOM, and Beyond, which maps each BOM type to its role in the quantum preparedness lifecycle.
Building a Cryptographic Inventory
Whether you call it a QBOM or a CBOM, the work is the same: discovering and cataloguing every instance of quantum-vulnerable cryptography across your organization. This is the foundation of any PQC migration program. Without it, prioritization is guesswork.
A comprehensive cryptographic inventory should map which algorithms are in use (RSA-2048, ECDSA P-256, ECDH, etc.), where they are deployed (network protocols, application code, certificate hierarchies, key management systems, HSMs, embedded devices), what data or functions they protect, and how long that protection must last.
The scope can feel overwhelming. A large enterprise may have cryptographic dependencies in thousands of systems, many of them undocumented or buried in vendor-supplied components. Risk-driven strategies provide a pragmatic starting point: begin with the systems carrying the highest-exposure data (long-lived confidential information subject to HNDL, and critical signature infrastructure subject to TNFL), then expand the inventory outward.
Several vendor tools can accelerate the discovery process by scanning networks, code repositories, and configurations for cryptographic usage. No single tool finds everything, but automated discovery combined with manual assessment provides a workable baseline.
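The following script is an added example of the inventory-building and prioritisation steps described above; it is not code from the article, from Applied Quantum, or from any vendor discovery tool. It parses a few constructed TLS cipher-suite findings into per-algorithm records, merges them with other constructed findings (an HSM signing key, a PKI root, a backup system, a PQC pilot), classifies each record as HNDL-, TNFL- or not-exposed, and ranks them by a constructed scoring heuristic. The systems, suites, data lifetimes and the CRQC horizon year (2035) are all assumptions for illustration.

```python
"""Build a small CBOM-style cryptographic inventory from constructed discovery
findings and rank the entries by HNDL / TNFL exposure.

Added example: not the article's code and not a vendor tool. All systems,
cipher suites, lifetimes and the CRQC horizon year are constructed/assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Public-key algorithms whose security rests on factoring or discrete logs:
# these are the ones a cryptographically relevant quantum computer (CRQC) breaks.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA"}

# Assumed planning horizon: the year by which a CRQC is assumed to exist.
CRQC_HORIZON_YEAR = 2035


@dataclass
class CryptoAsset:
    system: str                   # host, service or product the asset was found in
    location: str                 # tls-config, x509-cert, source-code, hsm, ...
    algorithm: str                # RSA, ECDSA P-384, ECDHE, AES, ML-KEM, ...
    key_size: int                 # bits; 0 when unknown or not applicable
    purpose: str                  # key-exchange, signature, encryption, hash
    protects: str                 # the data or function the key protects
    protection_needed_until: int  # year until which that protection must hold


def is_shor_vulnerable(algorithm: str) -> bool:
    """True for public-key algorithms a CRQC breaks (e.g. 'RSA', 'ECDSA P-256')."""
    return algorithm.upper().split()[0] in SHOR_VULNERABLE


def parse_cipher_suite(name: str):
    """Extract (key exchange, authentication) from an IANA-style TLS 1.2 suite name.
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> ('ECDHE', 'RSA')
    TLS_RSA_WITH_AES_128_CBC_SHA          -> ('RSA', 'RSA')   (static RSA does both)
    Returns None for other shapes, e.g. TLS 1.3 suites, whose names carry no
    key-exchange or authentication algorithm.
    """
    m = re.fullmatch(r"TLS_([A-Z]+)(?:_([A-Z]+))?_WITH_[A-Z0-9_]+?_SHA\d*", name)
    if not m:
        return None
    kex, auth = m.group(1), m.group(2)
    return kex, (auth or kex)


def assets_from_tls_config(system, cipher_suites, protects, data_until, cert_until):
    """Turn one TLS configuration into de-duplicated inventory entries.
    Key exchange must protect the session data for as long as the data is
    sensitive (data_until); the server certificate only needs to stay
    trustworthy for its own validity period (cert_until)."""
    seen = {}
    for suite in cipher_suites:
        parsed = parse_cipher_suite(suite)
        if parsed is None:
            continue
        kex, auth = parsed
        seen.setdefault((kex, "key-exchange"), CryptoAsset(
            system, "tls-config", kex, 0, "key-exchange", protects, data_until))
        if auth != kex:  # static RSA suites need no separate authentication entry
            seen.setdefault((auth, "signature"), CryptoAsset(
                system, "tls-config", auth, 0, "signature",
                "server certificate for " + protects, cert_until))
    return list(seen.values())


def exposure(asset: CryptoAsset, horizon: int = CRQC_HORIZON_YEAR) -> str:
    """HNDL: vulnerable confidentiality that must hold past the horizon
    (traffic recorded today is decryptable once a CRQC exists).
    TNFL: vulnerable signature that must stay trusted past the horizon
    (a CRQC could forge signatures under today's keys).
    pre-horizon: vulnerable, but the protection need expires first.
    none: not broken by Shor (symmetric, hash, PQC); key-size review only."""
    if not is_shor_vulnerable(asset.algorithm):
        return "none"
    if asset.protection_needed_until <= horizon:
        return "pre-horizon"
    if asset.purpose in ("key-exchange", "encryption"):
        return "HNDL"
    return "TNFL" if asset.purpose == "signature" else "review"


def priority(asset: CryptoAsset, horizon: int = CRQC_HORIZON_YEAR) -> int:
    """Constructed heuristic: years of exposure beyond the horizon, with HNDL
    outranking TNFL at equal lifetime because harvesting can already be under way."""
    kind = exposure(asset, horizon)
    years = asset.protection_needed_until - horizon
    return {"HNDL": 2 * years + 1, "TNFL": 2 * years, "pre-horizon": 1}.get(kind, 0)


def build_inventory(horizon: int = CRQC_HORIZON_YEAR):
    """Merge constructed findings from several systems and rank them."""
    found = assets_from_tls_config(
        "vpn-gateway",
        ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA",
         "TLS_AES_256_GCM_SHA384"],
        "employee remote-access sessions", data_until=2030, cert_until=2027)
    found += assets_from_tls_config(
        "records-archive",
        ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"],
        "health records in transit", data_until=2060, cert_until=2027)
    found += [
        CryptoAsset("code-signing-hsm", "hsm", "RSA", 3072, "signature",
                    "firmware update signatures for field devices", 2045),
        CryptoAsset("root-ca", "x509-cert", "ECDSA P-384", 384, "signature",
                    "internal PKI trust anchor", 2040),
        CryptoAsset("backup-vault", "source-code", "AES", 256, "encryption",
                    "offline backups", 2050),
        CryptoAsset("pilot-api", "tls-config", "ML-KEM", 768, "key-exchange",
                    "PQC pilot traffic", 2050),
    ]
    return sorted(found, key=lambda a: (-priority(a, horizon), a.system, a.algorithm))


def summarize(inventory) -> Counter:
    """Count quantum-vulnerable entries per algorithm family."""
    return Counter(a.algorithm.upper().split()[0]
                   for a in inventory if is_shor_vulnerable(a.algorithm))


if __name__ == "__main__":
    inv = build_inventory()
    for a in inv:
        print(f"{priority(a):3d} {exposure(a):11s} {a.system:17s} {a.algorithm:11s} "
              f"{a.purpose:12s} until {a.protection_needed_until}  {a.protects}")
    print("vulnerable entries by algorithm:", dict(summarize(inv)))
```

Note how the same TLS configuration yields two records with different outcomes: the ECDHE key exchange on the records archive is HNDL-exposed because the data stays sensitive for decades, while its ECDSA server certificate expires long before the horizon and is only flagged for eventual replacement. That split between data lifetime and key lifetime is what makes the "how long must protection last" column of the inventory worth the effort to populate.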
The Regulatory Context
CERT-In’s July 2025 guidelines are voluntary, but they signal a direction. India’s framework is the first national-level guidance to formalize both QBOM and CBOM as distinct inventory categories. As quantum security regulation matures globally, similar requirements are likely to emerge in other jurisdictions.
In the United States, the emphasis has been on cryptographic inventory rather than quantum component inventory. NIST’s guidance and the CNSA 2.0 requirements both assume organizations will conduct cryptographic discovery as the first step of PQC migration. The US PQC regulatory framework does not use the QBOM term, but the underlying requirement (know your cryptographic exposure) is identical.
The Applied Quantum PQC Migration Framework incorporates cryptographic inventory as a core phase, regardless of which terminology your organization or regulator prefers.
Go Deeper
What Is PQC Migration? — the program that the inventory feeds into
Bills of Materials for Quantum Readiness: SBOM, CBOM, and Beyond — the full BOM landscape
Cryptographic Bill of Materials (CBOM) — what a CBOM contains and how to build one
Cryptographic Inventory for Quantum Readiness — the discovery process
Risk-Driven Quantum Crypto Inventory — starting with the highest-risk systems
Cryptographic Inventory Vendor Tools — automated discovery options
Quantum Upside & Quantum Risk - Handled
My company, Applied Quantum, helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto-inventory, crypto-agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof-of-value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.