Advancing Cryptographic Transparency: Upcoming Linux Foundation PQCA CBOM Workshop at PKIC 2025

Industry / Press Release October 21, 2025

October 20, 2025 -- On October 28th, the Linux Foundation’s Post-Quantum Cryptography Alliance (PQCA) will host a dedicated workshop on Cryptography Bills of Materials (CBOMs) during the PKIC 2025 event in Kuala Lumpur, Malaysia. The session will bring together experts from IBM Research, SCANOSS, and the Linux Foundation community to explore how CBOMs are transforming cryptographic governance and post-quantum readiness. As organizations worldwide prepare for the transition to quantum-safe cryptography, visibility into cryptographic assets is becoming just as critical as software transparency. Building on the foundation laid by Software Bills of Materials (SBOMs), CBOMs enable enterprises to identify, manage, and modernize their cryptographic dependencies across products, supply chains, and open-source ecosystems.

Setting the Stage: Linux Foundation and PQCA Vision

The workshop will open with Hart Montgomery, CTO of Linux Foundation Decentralized Trust and representative of the Linux Foundation PQCA, who will introduce the foundation’s mission to accelerate quantum-safe readiness through open collaboration. He will outline how PQCA is fostering interoperable frameworks, shared standards, and open tooling to help organizations move from awareness to measurable cryptographic assurance.

CBOM Fundamentals: From Concept to Standard

The morning session, led by Mike Osborne and Basil Hess from IBM Research, will explore the fundamentals of CBOMs and provide an update on ongoing standardization efforts. Osborne will describe the relationship between SBOMs and CBOMs, emphasizing how these complementary inventories enable full-stack visibility — from software dependencies to the underlying cryptographic primitives they rely on. Hess will then present an update on the CycloneDX standard and its new capabilities for representing cryptographic assets, including PKI information and key lifecycle tracking. These enhancements will help bridge the gap between software inventories and cryptographic assurance frameworks.

Real-World Use Cases: Telco, Products, and Open Source

The second block will showcase practical CBOM use cases. Osborne and Lory Thorpe will discuss how the telecommunications sector, through initiatives like the GSMA, is defining CBOMs to enhance supply-chain visibility and regulatory compliance with frameworks such as DORA, CRA, and NIS2. Sean Egan from SCANOSS will then highlight how CBOMs can be applied in the open-source ecosystem, enabling developers and maintainers to map cryptographic usage across large codebases, identify outdated components, and automate inventory creation using open tooling.

Open-Source Tooling and Demonstrations

After a short break, Egan will present the SCANOSS Crypto Intelligence Framework (CIF), offering a live demonstration of how open-source scanning and dependency mapping can support cryptographic discovery and license analysis in large software environments. Following this, IBM Research will present the Linux Foundation CBOM Toolkit — an open-source project that integrates cryptographic discovery and analysis directly into CI/CD pipelines. The toolkit demonstration will show how continuous cryptographic monitoring can be achieved through modular components for source code and endpoint analysis, aligning with the transparency and automation principles central to PQCA’s mission.

Discussion and Next Steps

The session will conclude with a community discussion led by Hart Montgomery, focusing on how participants and organizations can contribute to the CBOM initiative within the Linux Foundation ecosystem.

Key discussion points will include:

  • Alignment with SPDX, ensuring interoperability across transparency frameworks
  • Pathways for vendor and community contributions
  • Expanding open collaboration on CBOM tooling and datasets

The workshop aims to accelerate the development of cryptographic transparency frameworks essential for the post-quantum transition — ensuring that organizations can manage their cryptographic dependencies with the same rigor that SBOMs have brought to software supply chains.

Explore the Linux Foundation CBOMkit

The Linux Foundation CBOMkit is an open-source toolkit developed under the PQCA to help organizations build, analyze, and maintain Cryptography Bills of Materials.

CBOMkit provides:

  • Automated discovery of cryptographic assets in source code, binaries, and endpoints
  • Integration with CI/CD pipelines for continuous monitoring
  • Compatibility with CycloneDX 1.6+ and alignment with SPDX metadata
  • Extensible modules for PKI analysis, key lifecycle tracking, and post-quantum readiness assessments

CBOMkit is designed to help open-source projects and government organizations gain cryptographic observability — a crucial step toward managing and mitigating quantum-era risks.
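To make concrete what the CycloneDX cryptographic-asset representation described in the morning session looks like, and what a "post-quantum readiness assessment" over a CBOM of the kind CBOMkit produces might check, here is an added example. It is not CBOMkit, IBM Research, or CycloneDX project code. The sample CBOM is constructed inline; its field names follow the CycloneDX 1.6 `cryptoProperties` layout (component type `cryptographic-asset`, `assetType`, `algorithmProperties`, `certificateProperties`) as the author of this example understands it. The classification rules (which primitives count as quantum-vulnerable, the 256-bit threshold for symmetric review) are this example's own assumptions, not rules published by PQCA or CBOMkit.

```python
"""Assess a CycloneDX 1.6-style CBOM for quantum-vulnerable algorithms and certificate lifecycle.

Added illustration; the sample document below is constructed, not a real scan result.
"""
import json
from datetime import datetime, timezone

# Constructed sample CBOM. Field names follow the CycloneDX 1.6 cryptoProperties schema;
# the component names, bom-refs, dates and security levels are made up for illustration.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg-rsa",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "pke",
                                                      "parameterSetIdentifier": "2048",
                                                      "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "alg-mlkem",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "kem",
                                                      "parameterSetIdentifier": "768",
                                                      "nistQuantumSecurityLevel": 3}}},
        {"type": "cryptographic-asset", "name": "AES-128-GCM", "bom-ref": "alg-aes",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae",
                                                      "parameterSetIdentifier": "128"}}},
        {"type": "cryptographic-asset", "name": "server-cert", "bom-ref": "cert-1",
         "cryptoProperties": {"assetType": "certificate",
                              "certificateProperties": {"signatureAlgorithmRef": "alg-rsa",
                                                        "notValidAfter": "2026-01-01T00:00:00Z"}}},
        # Ordinary software component: carries no cryptoProperties and is skipped.
        {"type": "library", "name": "openssl", "version": "3.0.13"},
    ],
})

# Assumed classification rules (this example's own, not a CBOMkit or PQCA policy).
QUANTUM_VULNERABLE_PRIMITIVES = {"pke", "signature", "key-agree"}   # broken by Shor
SYMMETRIC_PRIMITIVES = {"ae", "block-cipher", "stream-cipher", "mac"}  # weakened by Grover
SYMMETRIC_SAFE_BITS = 256


def classify_algorithm(algo):
    """Return a readiness status string for one algorithmProperties object."""
    primitive = algo.get("primitive", "unknown")
    level = algo.get("nistQuantumSecurityLevel")
    if level is not None and level >= 1:
        return "quantum-safe"          # producer asserted a NIST PQC security level
    if primitive in QUANTUM_VULNERABLE_PRIMITIVES:
        return "quantum-vulnerable"
    if primitive in SYMMETRIC_PRIMITIVES:
        try:
            bits = int(algo.get("parameterSetIdentifier", "0"))
        except ValueError:
            bits = 0
        return "quantum-safe" if bits >= SYMMETRIC_SAFE_BITS else "symmetric-review"
    return "unclassified"


def assess_cbom(bom_json, as_of=None):
    """Map each cryptographic asset name to a status; certificates inherit their
    signature algorithm's status (resolved via bom-ref) and are flagged if expired."""
    bom = json.loads(bom_json)
    now = (datetime.fromisoformat(as_of.replace("Z", "+00:00")) if as_of
           else datetime.now(timezone.utc))
    components = bom.get("components", [])
    by_ref, findings = {}, {}
    # First pass: algorithms, so certificate references resolve regardless of order.
    for c in components:
        props = c.get("cryptoProperties") or {}
        if c.get("type") == "cryptographic-asset" and props.get("assetType") == "algorithm":
            status = classify_algorithm(props.get("algorithmProperties", {}))
            by_ref[c.get("bom-ref", c["name"])] = status
            findings[c["name"]] = status
    # Second pass: certificates (PKI information and key lifecycle).
    for c in components:
        props = c.get("cryptoProperties") or {}
        if props.get("assetType") != "certificate":
            continue
        cert = props.get("certificateProperties", {})
        sig_status = by_ref.get(cert.get("signatureAlgorithmRef"), "unresolved-ref")
        expiry = cert.get("notValidAfter")
        expired = bool(expiry) and datetime.fromisoformat(expiry.replace("Z", "+00:00")) < now
        findings[c["name"]] = f"signature:{sig_status}" + (";expired" if expired else "")
    return findings


if __name__ == "__main__":
    for name, status in assess_cbom(SAMPLE_CBOM).items():
        print(f"{name:12s} {status}")
```

The two-pass structure matters in practice: CycloneDX lets a certificate reference its signature algorithm by `bom-ref`, so an assessment has to index algorithm components before it can grade the PKI material that depends on them, which is the SBOM-to-CBOM linkage the workshop's "full-stack visibility" point is about.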