CRYPTOGRAPHIC BILL OF MATERIALS  ·  CBOM ≠ SBOM  ·  AN SBOM IS A CLAIM · A CBOM IS PROOF  ·  SHA-384 · RS256 · MERKLE COMMITMENT  ·  EU CRA SEPTEMBER 2026  ·  CMMC 2.0 NOVEMBER 2026  ·  DORA · NIS2 · SEC CYBERSECURITY RULES  ·  ZERO RETENTION · INDEPENDENTLY VERIFIABLE  ·  BITCOIN-ANCHORED PROVENANCE
The Definitive Resource
CBOMdirectory.com · NextGenRails™ · NGR-TEC-CBM-002

What is a CBOM?

Cryptographic Bill of Materials — Explained

Your software has dependencies. You can list them — or you can prove them. A CBOM is the cryptographic proof that your software supply chain was in a known state at a specific point in time. An SBOM tells you what's there. A CBOM proves it.

Definition
Cryptographic Bill of Materials / CBOM /
A CBOM is a tamper-evident, cryptographically signed record of a software artifact's components — dependencies, packages, libraries, and versions — committed to a Merkle tree, hashed with SHA-384, and signed with an RS256 JWS receipt at a specific, verifiable point in time. Unlike a Software Bill of Materials (SBOM), which is a self-reported inventory, a CBOM receipt is issued by an independent authority and is independently verifiable offline — forever — without contacting the issuing authority again.
The distinction that matters:
An SBOM is a claim — a document you produced about yourself.
A CBOM receipt is evidence — a signed record produced by an independent authority that anyone can verify.
SBOM vs CBOM
📄 SBOM Claim
  • Self-reported inventory. You listed your own dependencies.
  • No independent verification. No third party signed it.
  • No timestamp proof. You say when it was generated — but that cannot be verified.
  • Cannot prove the artifact you shipped matches what the SBOM describes.
  • If a dependency was compromised after generation, the SBOM still says it was clean.
  • Accepted as a compliance checkbox. Not accepted as forensic evidence.
  • No cryptographic binding between the manifest and the artifact.
🔐 CBOM Receipt Proof
  • Issued by an independent cryptographic authority. Not self-reported.
  • RS256-signed JWS receipt. Tamper-evident. Any modification invalidates the signature.
  • SHA-384 Merkle-committed timestamp. The manifest state at that exact moment is permanently encoded.
  • Independently verifiable offline forever. No callback to the issuing authority required.
  • If a dependency is later compromised, the receipt proves your manifest was clean before the attack window.
  • Admissible as forensic evidence of known-good state at a specific timestamp.
  • Cryptographic binding between the manifest hash and the signed receipt.
What the receipt actually contains

Every CBOM receipt issued by CBOMcompliance.com contains the following fields, encoded in a signed JWS token. This is a real receipt structure from a live issuance during the Mini Shai-Hulud supply chain attack on May 12, 2026.

CBOM RECEIPT · NGR-CBOM-8FDAA67574B4 VALID · SIGNED · BITCOIN-ANCHORED
Receipt ID
NGR-CBOM-8FDAA67574B4
Unique identifier for this issuance. Reference in audit logs and regulatory filings.
Timestamp UTC
2026-05-12T21:22:34Z
The exact moment this manifest was cryptographically committed. Independently verifiable.
Manifest
demo-sbom.cdx.json
The CycloneDX or SPDX manifest submitted. Never stored — zero retention architecture.
SHA-384 Digest
a8f3c2b94e1d7f6a2c85b3e9d4f1a7c3b6e2d8f5a1c4b7e9d2f6a3c8b5e1d7f4
SHA-384 hash of the entire manifest. Any modification produces a different hash.
Merkle Root
b7e1d4a9c3f6b2e8d5a4c1f7b3e9d6a2c8f5b1e4d7a3c9f6b2e8d5a1c4b7e3d9
Binary Merkle tree root of all component field hashes. Proves integrity at the field level.
Components
axios 1.6.7 — VULNERABLE · 19 CVEs · HIGH confidence
@tanstack/query-core 5.28.0 — CLEAN
openssl 3.2.1 — CLEAN
Vulnerability status at time of issuance from OSV and NVD. Frozen in the receipt permanently.
Signature
RS256 JWS · Key ID: ngr-cbom-rs256-2026-001
RS256 signature over the entire receipt payload. Verify offline at any future time using the public key at cbomcompliance.com/public-key.
Provenance
Bitcoin-anchored · Blocks 937832, 938927, 940570
The issuing infrastructure is permanently anchored to the Bitcoin blockchain via OP_RETURN. Predates any competitor.
Status
VALID · SIGNED · INDEPENDENTLY VERIFIABLE OFFLINE
Verify this receipt offline forever using the public key. No network call to NextGenRails™ required after issuance.
Why a CBOM receipt changes everything
SCENARIO 01
The Supply Chain Attack
A widely-used npm package is compromised via CI credential theft. Malicious code is injected into 84 packages across 205 artifacts. Your build system pulled one of them two weeks ago. Can you prove your production artifact was clean before the attack window?
✗ SBOM: No. It lists the package but proves nothing about when it was clean.
✓ CBOM: Yes. The receipt timestamp predates the attack. The Merkle root proves the manifest state was clean at issuance.
SCENARIO 02
The Regulatory Audit
EU CRA enforcement begins September 11, 2026. An auditor asks for evidence that your software's components were verified before shipping. You provide an SBOM. The auditor asks: who verified this, and when?
✗ SBOM: You did. It's self-reported. The auditor cannot independently verify the timestamp or contents.
✓ CBOM: An independent authority signed it. The timestamp is cryptographically verifiable. No network call required to verify.
SCENARIO 03
The Zero-Day Discovery
A critical zero-day is disclosed in a library you use. Your security team needs to determine whether the vulnerable version was in your production build — and whether it was present before or after your last release.
✗ SBOM: No tamper-evident proof of the exact manifest state at each release point.
✓ CBOM: Each release receipt is immutable. The SHA-384 digest proves exactly what was in the manifest at each point.
The cryptographic proof chain
01
Submit Your Manifest
Upload a CycloneDX or SPDX manifest to CBOMcompliance.com. Processed entirely in memory. Zero retention — your manifest data is never written to disk or stored anywhere.
02
SHA-384 Merkle Commitment
Every field of every component is individually hashed. The hashes are assembled into a binary Merkle tree. The root hash cryptographically represents the entire manifest state. Any modification to any field produces a completely different root.
SHA-384( SHA-384(field_1) ‖ SHA-384(field_2) ) → Merkle node
Merkle nodes → Merkle root → SHA-384 digest
Digest permanently encoded in the signed receipt
03
RS256 JWS Signing
The receipt payload — Merkle root, timestamp, receipt ID, vulnerability status, provenance metadata — is signed using RS256 per RFC 7515. The private key never leaves the signing infrastructure.
header.payload.signature  (each part base64url-encoded, per RFC 7515)
Signature = RSA_SIGN(SHA256, base64url(header) + "." + base64url(payload))
Verifiable offline using the public key at cbomcompliance.com/public-key
04
Vulnerability Intelligence
Every component is cross-referenced against OSV and NVD in real time. The vulnerability status at the moment of issuance is permanently frozen in the receipt. A receipt issued before a CVE disclosure proves the component was clean when verified.
05
Independent Offline Verification — Forever
The signed JWS receipt is yours. Store it in your audit logs, version control, compliance system. Verify it at any future point using the public key — no network call to NextGenRails™ required. The receipt is self-contained cryptographic proof.
// Verify receipt offline — works forever
// Fetch the public key once (or pin a local copy); the check itself then runs fully offline.
const pubKey = await (await fetch("https://cbomcompliance.com/public-key")).text();
const valid = jws.verify(receipt, pubKey); // true | false
// No dependency on NextGenRails™ after issuance.
"An SBOM tells you what's in your software.
A CBOM proves what was there — and when."
NextGenRails™ · Trust is not declared. It is computed.
Who is requiring this level of proof
EU CRA
EU CYBER RESILIENCE ACT
Requires manufacturers to document and verify software components, report vulnerabilities within 24 hours, and demonstrate integrity of software supply chains. Self-reported SBOMs are insufficient for incident reporting obligations — cryptographic proof of component state is required.
⚡ Mandatory from September 11, 2026
CMMC 2.0
CYBERSECURITY MATURITY MODEL CERTIFICATION
Level 2 requires NIST SP 800-171 compliance across all 110 controls for defense contractors handling CUI. Supply chain risk management controls require demonstrable verification of software components — not just inventory.
⚡ Phase 2 enforcement November 10, 2026
DORA
DIGITAL OPERATIONAL RESILIENCE ACT
Financial entities across the EU must maintain auditable records of ICT third-party dependencies, demonstrate software integrity for critical systems, and provide evidence of supply chain verification in ICT risk assessments.
⚡ Active enforcement across 18+ sectors
NIS2
NETWORK AND INFORMATION SECURITY DIRECTIVE 2
Requires essential and important entities to implement supply chain security measures, maintain evidence of software component verification, and demonstrate due diligence in managing third-party software risk. Incident reporting requires proof of known-good state before an incident.
⚡ Active enforcement across EU member states

Stop claiming.
Start proving.

Submit any CycloneDX or SPDX manifest. Receive a SHA-384 Merkle-committed, RS256-signed JWS receipt in seconds. Independently verifiable offline — forever.

Standard receipts from $49 · Zero retention · No account required · Instant download