White Paper · July 2026

Cryptographic Bill of Materials for Executive Order 14412

Producing verifiable evidence of cryptographic posture before the standard that will grade it exists.

A practical framework for federal contractors, security teams, and compliance leaders. 13 pages. Every regulatory claim cited to the Federal Register.

Protocol NGR-TEC-CBM-002 · Ruleset NGR-CBOM-QRS-2026.07.2
Read the paper Download PDF 13 pages · no email required

The clock nobody is talking about

Most published summaries of EO 14412 get the near-term deadlines wrong. These are drawn from the text as published at 91 FR 38483.

30 days

Name a PQC migration lead

§4(a). This is a naming requirement — no inventory is due at 30 days, whatever a vendor selling inventory tooling may tell you.

120 days

Agency migration plans due

OMB M-26-15, issued two days after the order. Plans are due around late October 2026 — and they have to describe a supply chain.

~March 2027

The CBOM standard arrives

§5(d). CISA and NIST publish the minimum CBOM elements. Until then, nothing on earth can be certified against them.

The full timeline:

DeadlineSectionRequirement
30 days§4(a)Each agency head names a PQC migration lead and reports it to OMB and the National Cyber Director.
90 days§4(b)OMB issues guidance requiring agencies to review their HVA inventory and submit a transition plan.
180 days§5(c)The FAR Council publishes a proposed rule requiring covered contractors to comply with PQC FIPS by 31 Dec 2030.
270 days§5(d)CISA and NIST publish the minimum elements for a Cryptographic Bill of Materials.
31 Dec 2030§4(b)(ii)HVAs and high-impact systems use PQC for key establishment.
31 Dec 2031§4(b)(iii)HVAs and high-impact systems use PQC for digital signatures.

What this platform does not do

Section 6 of the paper is a full page of it. Here is the short version, because you should know before you read the rest.

Claims we do not make

  • It does not certify EO 14412 compliance. The minimum CBOM elements don't exist yet. Nothing can be certified against an unpublished specification — not by us, not by anyone.
  • It does not prove you own the software. A receipt attests that a manifest was submitted and graded. Anyone can submit any manifest.
  • The signing keys are not HSM-backed. They're held in encrypted cloud storage. This is stated in the public keyset endpoint.
  • No receipt is anchored to a blockchain. A receipt's integrity rests on its two signatures and the published key history. That's sufficient, and we'd rather say so plainly.
  • It does not scan your code. It reads the manifest you give it. If your SBOM omits a dependency, the receipt faithfully records an inventory that omits it.

The paper also discloses two defects in our own platform, including one in our signing path. If that seems like a strange thing for a vendor to publish, that is rather the point.

Read the paper

Thirteen pages. No email, no form, no account.

Cover: Cryptographic Bill of Materials for Executive Order 14412

Cryptographic Bill of Materials for Executive Order 14412

The full timeline, the NIST IR 8547 transition table, how the CycloneDX 1.7 Cryptography Registry makes EO 14412 deadlines mechanizable — and a full page on what this tool does not do.

13 pages · PDF · July 2026 · CycloneDX 1.6 / 1.7
1. What EO 14412 actually requires  ·  2. Verifiable CBOM receipts  ·  3. How it works  ·  4. The ruleset & the Cryptography Registry  ·  5. Who this is for  ·  6. What this does not do  ·  7. Access and pricing

The check is free, and it always will be

Upload a CycloneDX or SPDX manifest. Get every cryptographic asset graded against NIST guidance and mapped to the EO 14412 deadline that actually applies to it. No account. No limit.

Run a free check