Secure Controls Framework
Download The SCF
Quantum Security

How do I inventory my cryptographic assets?

Direct Answer

A cryptographic asset inventory documents every instance of cryptographic use in your organization - libraries, protocols, certificates, and key management systems. Scan source code for cryptographic library calls, review TLS configurations on all endpoints, catalog PKI certificates, and interview application teams about dependencies. The result should record each algorithm, key length, use case, and data sensitivity.

Automated tools can help with code scanning and network-level TLS enumeration. For certificates, most certificate management platforms can export an inventory of all issued certificates and their algorithms. For applications, static analysis identifies which cryptographic libraries are imported and which algorithms are called.

 

The inventory should also capture third-party and vendor components, since software dependencies are a common source of vulnerable cryptographic algorithms that organizations do not directly control.

 

This inventory is also referred to as a Cryptographic Bill of Materials (CBOM) and is the foundation for PQC migration prioritization. Revisit the inventory annually and whenever significant system changes occur.

Keep Exploring

Relevant Resources

References

Authoritative Sources