Cryptographic Asset Discovery and Inventory: A market survey and fit-gap analysis report
This document is the result of a study into commercially available tooling for cryptographic asset discovery and inventory (CADI). CADI aims to create an overview of all cryptography used within an organisation. Such an overview is important from a security perspective and, in particular, with an eye to the upcoming migration to post-quantum cryptography (PQC). Input has been collected via a workshop involving technical and policy stakeholders within the government, as well as via desk research and structured interviews with product providers. Based on the results, requirements have been drafted for a minimum viable product (MVP) and for the ideal CADI tool.

This study was funded by the Ministry of the Interior and Kingdom Relations, the National Cybersecurity Centre, and the Ministry of Economic Affairs. As such, the results of this study are relevant to government bodies, but may also provide insights for a broader range of public and private organisations.

During the study, it was found that there are many differences between the various CADI tools, both on a technical level and in terms of product maturity. The ideal for IT environments is not fully reached at this time, but some tools do approximate it. We conclude that the deployment of CADI tooling is a trade-off: higher precision requires greater effort. Existing full-stack solutions for CADI are generally expensive and not European-made. IT asset management in a broad sense is already seen as complex in many organisations; as such, it is important that CADI is properly aligned with existing solutions. CADI tooling providers are aware of this, and integration with existing, more generic cybersecurity and asset management products is an ongoing focus.

In addition, we find that CADI tooling is less mature in the field of operational technology (OT) than in the field of information technology (IT). For example, there is little existing OT tooling to tie into, and some providers indicate having no interest in expanding their product range with OT support. OT does play an increasingly important role within the government, e.g. for vital infrastructures, and is increasingly often connected to the internet. As a result, we see CADI as highly relevant for OT. Accordingly, we recommend increasing cooperation with other stakeholders on OT in CADI and pushing forward with legislation and regulations surrounding cryptographic inventory within the government. Also refer to 'Strategische Kennisagenda BZK en VRO 2025-2030' (Strategic Knowledge Agenda for the Ministry of the Interior and Kingdom Relations and the Ministry of Housing and Spatial Planning 2025-2030).

In order to concretely compare the performance of various CADI tools, the tools must be tested in a controlled environment. In this respect, we see opportunities for the government bodies involved: they may be able to expand their knowledge and understanding of this topic by facilitating the establishment of a ground truth, which can serve as a baseline for measuring the quality of different CADI products. In addition, they can strengthen their knowledge and leadership position around CADI through smart government tendering around CADI tooling, PQC migration and related services. Finally, we recommend not waiting for the ideal tool or for external best practices around CADI. It is important to start accruing knowledge and expertise around cryptographic assets as soon as possible. To this end, information can be gathered via existing, running tools. In addition, the government bodies can incentivise (market) parties, through influence and tenders, to bridge the present gaps.
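As an added illustration (not part of the TNO report) of how a ground truth can serve as a baseline for measuring CADI tool quality: the script below scores a constructed tool report against a constructed reference inventory, computing precision and recall, and lists the assets that rely on quantum-vulnerable public-key algorithms. All hosts, locations and assets are constructed sample data; the `CryptoAsset` record layout is an assumption, not a standard format.

```python
# Added example: scoring a CADI tool's output against a ground truth.
# All data below is constructed for illustration.
from dataclasses import dataclass

# Public-key schemes whose hardness assumptions Shor's algorithm breaks.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}


@dataclass(frozen=True)
class CryptoAsset:
    host: str        # system on which the asset was observed (constructed)
    location: str    # port, file or service where it was found (constructed)
    algorithm: str   # primitive name as reported
    key_bits: int    # key length in bits; 0 when not applicable or unknown


# Reference inventory established by hand in a controlled test environment.
GROUND_TRUTH = {
    CryptoAsset("web01", "tcp/443", "RSA", 2048),
    CryptoAsset("web01", "tcp/443", "AES", 256),
    CryptoAsset("vpn01", "tcp/500", "ECDH", 256),
    CryptoAsset("db01", "/etc/ssl/db.key", "RSA", 3072),
    CryptoAsset("plc07", "tcp/502", "SHA-1", 0),   # OT device, often missed
}

# What a (constructed) CADI tool reported for the same environment.
TOOL_REPORT = {
    CryptoAsset("web01", "tcp/443", "RSA", 2048),
    CryptoAsset("web01", "tcp/443", "AES", 256),
    CryptoAsset("vpn01", "tcp/500", "ECDH", 256),
    CryptoAsset("db01", "/etc/ssl/db.key", "RSA", 2048),  # wrong key size
}


def score(found: set, truth: set) -> dict:
    """Precision and recall of a discovery result against the ground truth."""
    order = lambda a: (a.host, a.location, a.algorithm, a.key_bits)
    tp = len(found & truth)
    return {
        "tp": tp,
        "false_positives": sorted(found - truth, key=order),
        "missed": sorted(truth - found, key=order),
        "precision": tp / len(found) if found else 0.0,
        "recall": tp / len(truth) if truth else 0.0,
    }


def pqc_migration_candidates(inventory: set) -> list:
    """Assets whose algorithm must be replaced ahead of the PQC migration."""
    return sorted((a for a in inventory if a.algorithm in QUANTUM_VULNERABLE),
                  key=lambda a: (a.host, a.location))
```

A partially correct record (here the mis-sized key on db01) counts as both a false positive and a miss, which is the behaviour a baseline comparison needs in order to penalise imprecise as well as missing findings.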
TNO Identifier: 1017851
Publisher: TNO
Collation: 64 p.
Place of publication: Eindhoven