Architecture-Derived CBOMs for Cryptographic Migration: A Security-Aware Architecture Tradeoff Method
Eduard Hirsch, Kristina Raab

TL;DR
This paper presents SATAM, a security-aware method for deriving architecture-grounded cryptographic Bills of Materials (CBOMs) that enhance migration planning by capturing security context and architectural decisions.
Contribution
Introduces SATAM, a novel approach combining architecture evaluation techniques to produce security-aware, context-rich CBOMs for cryptographic migration planning.
Findings
Architecture-derived CBOMs include security context and architectural decisions.
SATAM improves cryptographic migration planning by providing richer, more relevant information.
The method demonstrates enhanced cryptographic agility and informed decision-making.
Abstract
Cryptographic migration driven by algorithm deprecation, regulatory change, and post-quantum readiness requires more than an inventory of cryptographic assets. Existing Cryptographic Bills of Materials (CBOMs) are typically tool- or inventory-derived: they lack architectural intent, rationale, and security context, which limits their usefulness for migration planning. This paper introduces the Security-Aware Architecture Tradeoff Analysis Method (SATAM), a security-aware adaptation of scenario-based architecture evaluation that derives an architecture-grounded, context-sensitive CBOM. SATAM integrates established approaches (ATAM, arc42, STRIDE, ADR, and CARAF) to identify and analyze security-relevant cryptographic decision points and to document them as explicit architectural decisions. These artifacts are used to annotate CBOM entries with architectural context, security…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Physical Unclonable Functions (PUFs) and Hardware Security
