Provide a Cryptographic Bill of Materials to Software Users
Software producers must give users a list of all cryptographic components used in the software.
Plain language
Think of this control like an ingredients list but for your software. Software producers need to give you a list of all the cryptographic bits and pieces used in their software. This is important because if you don't know what security measures are used, you can't properly protect your data or fix issues when something goes wrong.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
A cryptographic bill of materials is produced and made available to consumers of software.
Why it matters
Without a cryptographic bill of materials (CBOM), users may unknowingly rely on weak or vulnerable algorithms/libraries, increasing breach risk.
Operational notes
Publish a CBOM per release listing crypto libraries, versions, algorithms/modes and key sizes, and update it when components change or CVEs emerge.
Implementation tips
- The IT team should create a comprehensive list of all cryptographic components used in the software. Begin by reviewing the software's documentation and source code for any mention of encryption or security protocols, and compile this into a document or spreadsheet.
- Software developers need to regularly update the cryptographic bill of materials. They should ensure that each time there's a software update or patch, any changes to cryptographic tools are noted and the bill of materials is refreshed to reflect current usage.
- The software development manager should provide this list to end-users. They can do this by including it as part of the software documentation, or making it available on a user portal where customers can easily access it.
- The procurement team needs to request this document from vendors as part of the purchasing process. They should include it as a requirement in contracts and confirm it's provided before finalising any software purchase.
- An IT supervisor should review the list for completeness and accuracy quarterly. They can compare the company's inventory of software against the provided bills of materials to ensure all necessary documents are accounted for and up-to-date.
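As an added example (not code from the ISM or Control Stack), the following Python assembles the per-release CBOM described in the operational notes and implementation tips, flags entries that fail a key-size or deprecated-algorithm policy, and diffs two releases so the "refresh after each update" step can be automated. The record layout, product name, inventory and policy thresholds are all constructed assumptions for illustration, not a standard BOM schema.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class CryptoComponent:
    library: str    # library or module providing the primitive
    version: str    # library version shipped in this release
    algorithm: str
    mode: str       # cipher mode or padding scheme, "-" if not applicable
    key_bits: int
    used_for: str   # what the software uses the primitive for

# Constructed inventory for a hypothetical release 1.4.0 (not a real product).
RELEASE_1_4 = [
    CryptoComponent("openssl", "3.0.13", "AES", "GCM", 256, "data at rest"),
    CryptoComponent("openssl", "3.0.13", "RSA", "PKCS1v15", 1024, "legacy licence signing"),
    CryptoComponent("libsodium", "1.0.19", "X25519", "-", 256, "key agreement"),
    CryptoComponent("hashlib", "3.11", "SHA-1", "-", 160, "file fingerprints"),
]

# Policy thresholds are an assumption for this example, not text from the ISM.
MIN_KEY_BITS = {"AES": 128, "RSA": 2048, "X25519": 256}
DEPRECATED = {"SHA-1", "MD5", "3DES", "RC4"}

def build_cbom(product, release, inventory):
    """Assemble the per-release CBOM as a plain dict (simplified layout)."""
    return {"product": product, "release": release,
            "components": [asdict(c) for c in inventory]}

def find_weak(cbom):
    """Return (library, algorithm, reason) for entries that fail the policy."""
    findings = []
    for c in cbom["components"]:
        if c["algorithm"] in DEPRECATED:
            findings.append((c["library"], c["algorithm"], "deprecated algorithm"))
        elif c["key_bits"] < MIN_KEY_BITS.get(c["algorithm"], 0):
            findings.append((c["library"], c["algorithm"],
                             f"key size {c['key_bits']} below {MIN_KEY_BITS[c['algorithm']]}"))
    return findings

def _key(c):
    return (c["library"], c["algorithm"], c["mode"])

def cbom_changes(old, new):
    """List components added, removed or altered (version/key size) between releases."""
    old_map = {_key(c): c for c in old["components"]}
    new_map = {_key(c): c for c in new["components"]}
    added = sorted(k for k in new_map if k not in old_map)
    removed = sorted(k for k in old_map if k not in new_map)
    changed = sorted(k for k in new_map if k in old_map and new_map[k] != old_map[k])
    return {"added": added, "removed": removed, "changed": changed}
```

Running `find_weak` on each release's CBOM before publication catches the weak or deprecated entries the "Why it matters" section warns about, and `cbom_changes` gives the reviewer a concrete list of what moved between releases.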
Audit / evidence tips
- Ask for the cryptographic bill of materials document: ensure the document is available for each piece of software your organisation uses. Good evidence is a comprehensive, dated list detailing the cryptographic elements of each piece of software your organisation uses.
- Good evidence is a version-controlled document showing regular updates, especially after new software releases or patches.
- Ask for evidence of communication with users: this could, for example, be an email or notice regarding updates to the cryptographic bill of materials. Good evidence is clear, consistent communications scheduled to provide users with crucial security information.
- Ask for procurement documentation: ensure that all new software purchases have a requirement for a cryptographic bill of materials included in the procurement process. Good evidence is a set of procurement documents showing the requirement prominently and confirming receipt.
- Good evidence is a regularly updated log with dates, reviewer names, and any changes or findings noted.
Cross-framework mappings
How ISM-2083 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.25 | ISM-2083 requires software producers to provide software users with a CBOM of cryptographic components |
| Supports | Annex A 5.21 | ISM-2083 requires software producers to provide a CBOM to software users to increase transparency of cryptographic components |
| Supports | Annex A 8.24 | ISM-2083 requires software producers to produce and make available a cryptographic bill of materials (CBOM) listing cryptographic compone... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.