As the industry begins the long and necessary journey toward quantum-safe cryptography (QSC), the telecom environment presents a uniquely complex challenge. Unlike traditional IT systems, telecom infrastructure, particularly in the 5G era, is highly disaggregated, spans multi-vendor ecosystems, and is increasingly distributed across cloud-native platforms.
From the core to the edge, from base stations to hyperscalers, cryptographic operations are embedded in every layer of the network. But how many telecom providers today can confidently answer: Where are we using cryptography? What algorithms are in use? Which are vulnerable?
Knowing What You Have
The first step in any security transformation, especially one as consequential as migrating to QSC, is understanding your inventory of cryptographic assets. Without that visibility, it’s impossible to evaluate risk, plan migrations, or ensure compliance with emerging national and international mandates.
That’s where the Cryptographic Bill of Materials (CBOM) comes in.
CBOM is becoming an essential tool in the IT industry, allowing organizations to document and manage cryptographic algorithms, protocols, keys, and certificates embedded in their systems. By providing a machine-readable, standardized inventory of cryptographic usage, CBOM helps teams understand complex environments, identify weak cryptography, and plan for future transitions.
Why Telecom Needs Its Own CBOM Standard
However, telecom security differs from general IT.
Telecom networks use a range of domain-specific cryptographic protocols, specifically within the Mobile 5G network. Protocols such as 5G-AKA, PRINS, MILENAGE, and EAP-AKA, that are not captured in general-purpose CBOM schemas. Furthermore, 5G network functions communicate over standardized interfaces (such as N1–N32 in 5G), each with unique trust and encryption requirements. Many cryptographic operations are offloaded to hardware (HSMs, TPMs, or embedded elements), making it more challenging to capture the cryptographic inventory of telecom networks.
To truly support telecom providers in their transition towards implementing QSC, CBOM definitions must be extended to reflect the operational and architectural realities of the telecom domain.
The ATIS Telecom CBOM Initiative
To address this need, ATIS is working closely with leading telecom providers and ecosystem partners to define a Telecom-specific CBOM standard, one that builds on existing CycloneDX foundations while introducing the schema, context, and tooling necessary for 5G and beyond.
This Telecom CBOM effort will enable the industry to:
- Achieve meaningful cryptographic visibility across multi-vendor, multi-cloud, and multi-interface deployments
- Support crypto-agility by making it easier to identify and plan upgrades of quantum-vulnerable algorithms
- Align vendor practices and regulatory reporting through a common inventory and compliance framework
By establishing a Telecom CBOM standard now, we lay the foundation for automated risk management, consistent cryptographic assurance, and confident migration planning is laid before quantum disruption becomes a reality.
Get Involved
This work is open, collaborative, and essential. If you or your organization is are interested in contributing to the development of the Telecom CBOM standard or participating in pilot implementations, we invite you to contact ATIS and get involved.
The path to quantum-safe telecom begins with understanding your cryptography. CBOM is how we achieve that goal together.
