Workshop paper

The Anatomy of Cryptography Bills of Materials: Standardization and Practice in CycloneDX

Abstract

The migration to post-quantum cryptography (PQC) and increasing regulatory requirements such as the EU Cyber Resilience Act and DORA increase the demand for comprehensive visibility into cryptographic assets across software systems. A Cryptography Bill of Materials (CBOM) provides a standardized inventory of the cryptographic algorithms, protocols, certificates, and related material used within software components and services. This paper presents the anatomy of CBOMs as standardized in OWASP CycloneDX (ECMA-424), examining the object model for cryptographic assets, dependency relationships, and evidence capture. We analyze how CBOMs integrate with the broader xBOM ecosystem, including Software (SBOM), Operations (OBOM), Hardware (HBOM), and SaaS BOMs, to provide full-stack cryptographic transparency. Through practical use cases, we demonstrate how CBOMs enable policy-based compliance evaluation, support hybrid PQC migration strategies, and facilitate cryptographic agility. We discuss challenges in CBOM generation, including naming ambiguities, configuration-driven cryptography, and the distinction between providing cryptography and consuming it. Finally, we outline the evolution toward future CBOM revisions.