As global telecommunications infrastructure evolves toward highly distributed, software-defined networks such as 5G, the
challenge of managing cryptographic operations in a secure and scalable manner becomes increasingly urgent. The reliance on
legacy cryptographic algorithms, which may be vulnerable to emerging threats like quantum computing, exacerbates the risk
landscape.
Furthermore, as networks modernize and prepare for the upcoming shift to Quantum-Safe Cryptography (QSC), the first and
most essential step for operators is to understand the cryptographic assets currently existing in their systems. Without this
foundational knowledge of understanding where cryptography is applied, which algorithms are in use, and the roles they play in
securing operations, telecoms operators cannot effectively plan or execute a transition to quantum-safe alternatives.
The Cryptographic Bill of Materials (CBOM) emerges as a key enabler of this visibility. A CBOM serves as a structured inventory
that helps telecom operators document their cryptographic footprint across software, hardware, network functions, and
interfaces. It provides the baseline needed to identify weak or outdated algorithms, understand dependencies, and plan for
future-proofed cryptographic upgrades. In essence, a CBOM becomes the “plan of record” for an organization’s cryptographic
infrastructure.
By capturing this information in a machine-readable and standardized form, CBOMs empower telecom operators to feed
cryptographic data into risk assessment frameworks, prioritize remediation activities, and ensure crypto-agility, which is the
ability to adapt cryptographic implementations as new requirements and threats emerge, particularly during the migration to
quantum-safe cryptography.
This paper highlights the critical role CBOM plays in telecom, with a particular focus on 5G networks, and proposes how a
standardized CBOM specification can meet these domain-specific challenges. By demonstrating the tangible benefits of CBOM
for managing the security posture of complex telecom environments, the report concludes with recommendations to promote
CBOM standardization and ensure interoperability across multi-vendor ecosystems.