
Compliance

The Compliance page evaluates your crypto inventory against policy templates and manages attestations for audit readiness.

[Screenshot: Compliance overview showing policy evaluation results with pass/fail counts]


CBOM includes built-in policy templates aligned with major cryptographic standards:

CNSA 2.0 (NSA Commercial National Security Algorithm Suite)


Evaluates assets against NSA’s approved algorithm list for national security systems:

  • RSA ≥ 3072 bits (transitional only; CNSA 2.0 phases RSA out in favour of PQC)
  • ECDSA/ECDH with the P-384 curve (transitional only)
  • AES-256
  • SHA-384 or SHA-512
  • ML-KEM, ML-DSA, SLH-DSA (target state)

Note that the CNSA 2.0 advisory itself names ML-KEM-1024 and ML-DSA-87 as its target public-key parameter sets, plus the stateful hash-based LMS and XMSS for software and firmware signing; SLH-DSA is a NIST standard (FIPS 205) but is not listed in CNSA 2.0. Confirm how this template treats SLH-DSA and smaller ML-KEM/ML-DSA parameter sets before relying on a Pass for a system that must actually meet CNSA 2.0.

Checks readiness for NIST’s post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA):

  • Flags all quantum-vulnerable public-key algorithms (RSA, ECDSA, ECDH, DH, DSA); symmetric ciphers and hashes are not flagged, since they are not broken by Shor’s algorithm
  • Validates presence of PQC algorithm adoption
  • Tracks migration progress

Validates use of FIPS-approved algorithms and key sizes:

  • AES (128, 192, 256)
  • SHA-2 family (SHA-256, SHA-384, SHA-512)
  • RSA ≥ 2048 bits
  • ECDSA with approved curves (P-256, P-384, P-521)
  • Flags non-approved or deprecated algorithms (MD5, SHA-1, DES, RC4)

A Pass here means the algorithms and key sizes are on NIST’s approved list. It does not establish that they run inside a FIPS 140-validated cryptographic module, which is what a FIPS 140 compliance claim actually requires; check the module’s validation certificate separately.

When you run a policy evaluation:

  1. Select one or more policy templates
  2. Choose scope (all assets, specific types, specific scanners)
  3. Run evaluation

Results show:

Status   Meaning
Pass     Asset meets all policy requirements
Fail     Asset violates one or more rules
N/A      Policy doesn’t apply to this asset type (for example, an algorithm key-size rule evaluated against a certificate or protocol asset)

[Screenshot: Policy evaluation results table showing assets with pass/fail status per policy]
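The three templates above and the Pass/Fail/N/A outcome per asset and template, as an added example that is not CBOM’s own code: a Python evaluator over a constructed CycloneDX 1.6 CBOM. The rule sets are this example’s own reduction of the lists above (the CNSA 2.0 rule is keyed to the ML-KEM-1024 and ML-DSA-87 parameter sets the NSA advisory names), the cryptoProperties field names follow the CycloneDX 1.6 schema, and the SAMPLE_CBOM components, bom-refs, scope handling and template names are assumptions.

```python
"""Added example (not CBOM's own code): evaluate a CycloneDX 1.6 CBOM against
simplified CNSA 2.0, post-quantum-readiness and FIPS-approved rule sets and
report Pass / Fail / N/A per asset and template. The BOM is constructed data."""
import re

SAMPLE_CBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "cryptographic-asset", "bom-ref": "alg:rsa-2048", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "signature", "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "bom-ref": "alg:ecdsa-p384", "name": "ECDSA",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "signature", "curve": "P-384", "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "bom-ref": "alg:aes-256-gcm", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "ae", "parameterSetIdentifier": "256", "mode": "gcm"}}},
        {"type": "cryptographic-asset", "bom-ref": "alg:sha-1", "name": "SHA-1",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "hash"}}},
        {"type": "cryptographic-asset", "bom-ref": "alg:ml-kem-1024", "name": "ML-KEM-1024",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "kem", "parameterSetIdentifier": "1024", "nistQuantumSecurityLevel": 5}}},
        {"type": "cryptographic-asset", "bom-ref": "cert:leaf", "name": "CN=api.example.test",
         "cryptoProperties": {"assetType": "certificate", "certificateProperties": {
             "notValidAfter": "2026-01-01T00:00:00Z", "signatureAlgorithmRef": "alg:rsa-2048"}}},
    ],
}

# Longer names first so "ECDSA" is not read as "DSA" and "3DES" not as "DES".
FAMILY_RE = re.compile(r"^(ML-KEM|ML-DSA|SLH-DSA|ECDSA|ECDH|RSA|DSA|DH|AES|SHA3|SHA|MD5|3DES|DES|RC4)")

def normalize(comp):
    """Flatten one cryptographic-asset component into the few fields the rules need."""
    cp = comp.get("cryptoProperties", {})
    ap = cp.get("algorithmProperties", {})
    name = comp.get("name", "").upper()
    m = FAMILY_RE.match(name)
    # Prefer the structured parameter set ("2048", "256") over digits parsed from the name.
    tail = ap.get("parameterSetIdentifier") or (name[m.end():] if m else "")
    digits = re.search(r"\d+", tail)
    return {"ref": comp.get("bom-ref"), "asset_type": cp.get("assetType"),
            "family": m.group(1) if m else None,
            "bits": int(digits.group()) if digits else None, "curve": ap.get("curve")}

PQ_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}   # public-key families broken by Shor's algorithm
PQC_STANDARDS = {"ML-KEM", "ML-DSA", "SLH-DSA"}         # FIPS 203 / 204 / 205

def cnsa2(a):                                            # each rule returns (passed, reason)
    f, b, c = a["family"], a["bits"], a["curve"]
    if f == "RSA": return b is not None and b >= 3072, "RSA must be >= 3072 bits (transitional)"
    if f in ("ECDSA", "ECDH"): return c == "P-384", "EC must use P-384 (transitional)"
    if f == "AES": return b == 256, "AES must be 256-bit"
    if f == "SHA": return b in (384, 512), "SHA-2 must be SHA-384 or SHA-512"
    if f == "ML-KEM": return b == 1024, "ML-KEM-1024 is the CNSA 2.0 parameter set"
    if f == "ML-DSA": return b == 87, "ML-DSA-87 is the CNSA 2.0 parameter set"
    return False, "algorithm is not in CNSA 2.0"

def pqc_ready(a):
    f = a["family"]
    if f in PQ_VULNERABLE: return False, "quantum-vulnerable public-key algorithm"
    if f in PQC_STANDARDS: return True, "NIST PQC standard"
    return True, "symmetric or hash: not a PQC migration blocker"

def fips_approved(a):
    f, b, c = a["family"], a["bits"], a["curve"]
    if f == "AES": return b in (128, 192, 256), "AES-128/192/256"
    if f == "SHA": return b in (224, 256, 384, 512), "SHA-2 family only (SHA-1 is not approved here)"
    if f == "SHA3": return True, "SHA-3 family"
    if f == "RSA": return b is not None and b >= 2048, "RSA must be >= 2048 bits"
    if f in ("ECDSA", "ECDH"): return c in ("P-256", "P-384", "P-521"), "NIST curves only"
    if f in PQC_STANDARDS: return True, "FIPS 203/204/205"
    return False, "non-approved algorithm (MD5, DES, RC4, ...)"

TEMPLATES = {"CNSA 2.0": cnsa2, "PQC readiness": pqc_ready, "FIPS approved": fips_approved}

def evaluate(bom, template_names, scope_types=None):
    """scope_types: asset types to include (None = all). These templates only judge
    algorithms, so an in-scope certificate or protocol asset is reported N/A."""
    rows, summary = [], {t: {"Pass": 0, "Fail": 0, "N/A": 0} for t in template_names}
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset": continue
        a = normalize(comp)
        if scope_types and a["asset_type"] not in scope_types: continue
        for t in template_names:
            if a["asset_type"] != "algorithm":
                status, why = "N/A", f"template does not apply to {a['asset_type']} assets"
            else:
                ok, why = TEMPLATES[t](a)
                status = "Pass" if ok else "Fail"
            rows.append((a["ref"], t, status, why))
            summary[t][status] += 1
    return rows, summary

if __name__ == "__main__":
    rows, summary = evaluate(SAMPLE_CBOM, list(TEMPLATES))
    for ref, template, status, why in rows:
        print(f"{ref:18} {template:14} {status:4} {why}")
    print(summary)
```

Two things the run makes visible that the lists alone do not: the templates are independent, so RSA-2048 passes the FIPS template while failing CNSA 2.0 and PQC readiness, and SHA-1 passes PQC readiness (it is not quantum-vulnerable) while failing the other two. Read the column for the template you actually have to meet, not the overall pass count.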


Attestations are formal records that a policy evaluation was performed and reviewed. They serve as audit evidence.

  1. Run a policy evaluation
  2. Review results
  3. Click “Create Attestation”
  4. Add notes and reviewer information
  5. Submit

The attestation records:

  • Policy template used
  • Evaluation timestamp
  • Pass/fail counts
  • Reviewer name and notes
  • Asset scope

The attestation history shows all past evaluations with their results, providing an audit trail of compliance checks over time.

[Screenshot: Attestation history showing past evaluations with dates and results]
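The attestation record and history described above, as an added example that is not CBOM’s own code: a Python function that builds a record with the fields listed (template, timestamp, counts, reviewer and notes, scope) and links each attestation to the previous one by digest, so that an edited, deleted or reordered entry in the history is detectable. The field names, the digest chaining and the RESULTS_Q1/RESULTS_Q2 sample results are this example’s own assumptions, not a description of how the tool stores attestations.

```python
"""Added example (not CBOM's own code): build attestation records and chain them
by SHA-256 digest so the attestation history is tamper-evident. Field names,
the digest scheme and the sample results are this example's own assumptions."""
import hashlib
import json

def digest(obj):
    """SHA-256 over canonical JSON (sorted keys, no whitespace): the same record always hashes the same."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def create_attestation(template, scope, results, reviewer, notes, evaluated_at, previous=None):
    """results: list of (bom-ref, status) pairs from one policy evaluation.
    previous: the prior attestation record, whose digest this one commits to."""
    counts = {"Pass": 0, "Fail": 0, "N/A": 0}
    for _, status in results:
        counts[status] += 1
    record = {
        "policy_template": template, "evaluated_at": evaluated_at, "asset_scope": scope,
        "counts": counts, "reviewer": reviewer, "notes": notes,
        "results_digest": digest(sorted(results)),   # commits to the per-asset rows, not only the counts
        "previous_digest": previous["attestation_digest"] if previous else None,
    }
    record["attestation_digest"] = digest(record)
    return record

def verify_history(history, results_per_record):
    """True only if every record hashes to its stated digest, links to the record before it,
    and its per-asset results still match. Catches edits, deletions and reordering."""
    prev = None
    for rec, results in zip(history, results_per_record):
        body = {k: v for k, v in rec.items() if k != "attestation_digest"}
        expected_prev = prev["attestation_digest"] if prev else None
        if digest(body) != rec["attestation_digest"]: return False
        if rec["previous_digest"] != expected_prev: return False
        if digest(sorted(results)) != rec["results_digest"]: return False
        prev = rec
    return len(history) == len(results_per_record)

# Constructed sample results from two quarterly evaluations of the same template.
RESULTS_Q1 = [("alg:rsa-2048", "Fail"), ("alg:aes-256-gcm", "Pass"), ("cert:leaf", "N/A")]
RESULTS_Q2 = [("alg:rsa-3072", "Pass"), ("alg:aes-256-gcm", "Pass"), ("cert:leaf", "N/A")]

if __name__ == "__main__":
    first = create_attestation("CNSA 2.0", "all assets", RESULTS_Q1, "A. Reviewer",
                               "initial baseline", "2025-01-15T10:00:00Z")
    second = create_attestation("CNSA 2.0", "all assets", RESULTS_Q2, "A. Reviewer",
                                "RSA key rotated to 3072", "2025-04-15T10:00:00Z", previous=first)
    print(verify_history([first, second], [RESULTS_Q1, RESULTS_Q2]))   # True
    first["counts"]["Fail"] = 0   # a later "correction" of the evidence breaks the chain
    print(verify_history([first, second], [RESULTS_Q1, RESULTS_Q2]))   # False
```

A digest chain only proves integrity relative to its head: whoever can rewrite the whole store can recompute every digest. For audit use, export the latest attestation_digest to somewhere the same operator cannot rewrite (a write-once log, a ticket, or a signature from a key they do not hold), and keep the per-asset rows alongside the record, since the counts alone do not say which assets were reviewed.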


Create custom policy rules beyond the built-in templates:

  • Minimum key size requirements
  • Allowed/disallowed algorithm lists
  • Required lifecycle states
  • Maximum certificate validity periods
  • Required curve types for EC keys
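The five custom rule types above, as an added example that is not CBOM’s own code: a small data-driven rule engine in Python, where a policy is a list of rule dictionaries and each asset gets Pass, Fail or N/A using the same meanings as the results table (N/A when no rule applied to the asset). The asset record shape, the rule names and fields, and the ASSETS and POLICY sample data are this example’s own assumptions.

```python
"""Added example (not CBOM's own code): a data-driven engine for custom policy
rules: minimum key size, allowed/disallowed algorithm lists, required lifecycle
states, maximum certificate validity and required EC curves. Asset records are
a simplified, constructed view; rule names and fields are this example's own."""
from datetime import date

ASSETS = [
    {"ref": "key:tls-server", "type": "key", "algorithm": "RSA", "bits": 4096, "state": "active"},
    {"ref": "key:old-signing", "type": "key", "algorithm": "ECDSA", "curve": "P-256", "state": "deactivated"},
    {"ref": "cert:leaf", "type": "certificate", "not_before": "2025-01-01", "not_after": "2027-01-01"},
    {"ref": "alg:sha-1", "type": "algorithm", "algorithm": "SHA-1"},
    {"ref": "alg:aes-256", "type": "algorithm", "algorithm": "AES", "bits": 256},
    {"ref": "proto:tls-1.3", "type": "protocol"},
]

POLICY = [
    {"rule": "min_key_size", "algorithm": "RSA", "min_bits": 3072},
    {"rule": "allowed_algorithms", "allowed": ["RSA", "ECDSA", "AES", "SHA-256", "ML-KEM", "ML-DSA"]},
    {"rule": "disallowed_algorithms", "disallowed": ["MD5", "SHA-1", "DES", "RC4"]},
    {"rule": "required_lifecycle_state", "states": ["pre-activation", "active"]},
    {"rule": "max_cert_validity_days", "days": 398},
    {"rule": "required_curves", "curves": ["P-384"]},
]

def check(rule, a):
    """One rule against one asset -> (status, reason). N/A when the asset lacks the field the rule judges."""
    kind = rule["rule"]
    if kind == "min_key_size":
        if a.get("algorithm") != rule["algorithm"] or "bits" not in a: return "N/A", ""
        ok = a["bits"] >= rule["min_bits"]
        return ("Pass" if ok else "Fail"), f"{a['bits']}-bit {rule['algorithm']} vs minimum {rule['min_bits']}"
    if kind in ("allowed_algorithms", "disallowed_algorithms"):
        if "algorithm" not in a: return "N/A", ""
        listed = a["algorithm"] in rule["allowed" if kind == "allowed_algorithms" else "disallowed"]
        ok = listed if kind == "allowed_algorithms" else not listed
        return ("Pass" if ok else "Fail"), f"{a['algorithm']} {'is' if listed else 'is not'} on the {kind.split('_')[0]} list"
    if kind == "required_lifecycle_state":
        if "state" not in a: return "N/A", ""
        return ("Pass" if a["state"] in rule["states"] else "Fail"), f"lifecycle state {a['state']}"
    if kind == "max_cert_validity_days":
        if a["type"] != "certificate": return "N/A", ""
        days = (date.fromisoformat(a["not_after"]) - date.fromisoformat(a["not_before"])).days
        return ("Pass" if days <= rule["days"] else "Fail"), f"valid {days} days vs maximum {rule['days']}"
    if kind == "required_curves":
        if "curve" not in a: return "N/A", ""
        return ("Pass" if a["curve"] in rule["curves"] else "Fail"), f"curve {a['curve']}"
    # Fail closed: a rule type the engine does not know must not silently evaluate as Pass.
    raise ValueError(f"unknown rule type {kind!r}")

def evaluate_policy(policy, assets):
    """Per asset: Fail if any rule fails, N/A if no rule applied, otherwise Pass.
    Returns {bom-ref: (status, [reasons for each failed rule])}."""
    results = {}
    for a in assets:
        outcomes = [check(rule, a) for rule in policy]
        failures = [why for status, why in outcomes if status == "Fail"]
        applied = any(status != "N/A" for status, _ in outcomes)
        results[a["ref"]] = ("Fail" if failures else ("Pass" if applied else "N/A"), failures)
    return results

if __name__ == "__main__":
    for ref, (status, failures) in evaluate_policy(POLICY, ASSETS).items():
        print(f"{ref:16} {status:4} {'; '.join(failures)}")
```

Keeping the failure reasons per rule, rather than a single verdict, is what makes the result actionable: key:old-signing fails for two independent reasons (deactivated state and a P-256 curve), and a reviewer fixing only one of them would otherwise see the asset still failing with no indication why.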

Policy evaluation results are reflected in the CycloneDX export through the nistQuantumSecurityLevel field on each component’s algorithmProperties. In CycloneDX 1.6 this is an integer field on a component of type cryptographic-asset that records the algorithm’s NIST post-quantum security strength category:

{
  "type": "cryptographic-asset",
  "cryptoProperties": {
    "assetType": "algorithm",
    "algorithmProperties": {
      "primitive": "pke",
      "nistQuantumSecurityLevel": 0
    }
  }
}

A nistQuantumSecurityLevel of 0 indicates the algorithm provides no quantum security, which is what RSA, ECDSA, ECDH, DH and DSA assets will carry. NIST’s categories run from 1 (as hard to break as AES-128 by key search) to 5 (as hard as AES-256), so, for example, ML-KEM-1024 and ML-DSA-87 carry 5. Downstream tools can filter the export on this field to list quantum-vulnerable assets without re-running the policy evaluation.