Executive Order 14412 · June 22, 2026 Free · Uncapped · No Account

What cryptography in your software breaks by 2030?

Upload a CycloneDX manifest. Every cryptographic asset — algorithms, keys, certificates, protocols — is inventoried and graded against NIST post-quantum guidance, then mapped to its Executive Order 14412 migration deadline.

This check is free, complete, and uncapped. No account, no card, no limit. Nothing you upload is retained. This page issues no receipt — the findings are for you to read and act on. If you need to prove to an auditor that you ran the assessment, that is a signed receipt.
{ }
Drop a manifest, or click to choose a file
CycloneDX 1.6 CBOM preferred · SBOM (CycloneDX / SPDX JSON) also accepted · max 5 MB
Nothing is stored. Nothing is signed.
Assessing cryptographic assets…
NextGenRails™ · CBOM Cryptographic Assessment
UNSIGNED — NOT COMPLIANCE EVIDENCE
This report is an unsigned assessment of the cryptographic assets declared in the named manifest. It carries no signature, no timestamp binding, and no verifiable link to the file it describes. It can be edited by anyone holding it. Do not accept it, or offer it, as compliance, audit, or conformity evidence. A signed receipt is available at cbomcompliance.com/workbench.
What breaks, and when
Deadlines are set by Executive Order 14412: key establishment by December 31, 2030; digital signatures by December 31, 2031. Assets that are already disallowed are listed first.
CBOM conformance
RuleRequirement
Unsigned. For your own records.
You now know. Next: prove it.

A finding you can read is not evidence.

This assessment is unsigned. Anyone can edit the PDF you just downloaded. It proves nothing to anyone but you. A NextGenRails receipt binds these exact findings to this exact manifest at this exact moment — SHA-384 fingerprinted, Merkle-committed, and dual-signed with RS256 and ML-DSA-65 (FIPS 204), so the signature itself survives the threat this report is about. Independently verifiable by any auditor against a public key, without contacting us.

Issue a signed receipt →
Scope. This assessment reads the cryptographic assets declared in your manifest. It does not scan your source code or binaries, and it cannot find cryptography you did not declare. A clean result means nothing quantum-vulnerable was declared — not that none exists. Federal CBOM minimum elements are pending from CISA and NIST under EO 14412 §5(d), expected around March 2027; this check evaluates against CycloneDX 1.6 / ECMA-424 until they are published.