OMB CSV Output Format

OMB M-23-02 NSM-10

Federal cryptographic inventory report — 34-column CSV covering TLS, SSH, non-TLS protocols, VPN, IPSec, filesystem certificates, WiFi, and MACsec

Supported in both local and remote mode

Use -outputformat csv to produce CSV as the primary output, or use -csv-output <path> to write a CSV file alongside another format (e.g., JSON + CSV in one run). The two options cannot be combined with each other. Local mode requires -cipherscanquick (on by default). Remote mode works with or without -cipherscanquick — omitting it will populate limited cipher data in the CSV.

Overview

The CSV output format produces a federal cryptographic inventory spreadsheet aligned to the data fields required by OMB Memorandum M-23-02 (Migrating to Post-Quantum Cryptography) and NSM-10 (National Security Memorandum on Quantum Computing). The report covers every cryptographic dataset the scanner collects — TLS, SSH, non-TLS wire protocols, VPN and IPSec clients, filesystem certificates, WiFi, and MACsec — each mapped into the same 34-column structure. Fields not covered by the fixed columns are serialised into the Additional Notes column (col 13).

Format Characteristics

  • 34 columns matching OMB data field names exactly
  • One row per asset (port, protocol instance, certificate, or network config)
  • Applications with no detected crypto emit a single summary row
  • UTF-8 encoded, RFC 4180 compliant CSV
  • Header row included automatically
  • File extension: .csv (auto-added if omitted)

Requirements

  • Local mode: requires -cipherscanquick (enabled by default)
  • Remote mode: works without -cipherscanquick; add it for full cipher detail
  • Standalone: -outputformat csv cannot combine with other formats; use -csv-output for dual output
  • Remote OS column: shows scanning host OS — remote target OS is not available over the network

Local Mode

# Minimal — writes crypto-inventory.csv
.\certscanner-windows-amd64.exe -outputformat csv -output crypto-inventory.csv

# Full local scan with all datasets
.\certscanner-windows-amd64.exe -outputformat csv -output crypto-inventory.csv `
  -scan-installed-apps -detect-vpn-clients -detect-ipsec `
  -tags "Agency-XYZ,FY2026-Q1,OMB-M-23-02"

Remote Mode

Remote mode scans network hosts and generates an OMB-compliant CSV from the port-level TLS, SSH, and non-TLS cipher findings. Add -cipherscanquick for full cipher suite enumeration per port. The Operating System column (col 12) reflects the scanning host's OS — the remote target's OS is not available over the network.

# Single host — full cipher enumeration
./certscanner -mode remote -hosts 192.168.1.0/24 -ports 443,8443,22 \
  -cipherscanquick -outputformat csv -output remote-inventory.csv \
  -tags "Agency-XYZ,FY2026-Q1,OMB-M-23-02"

# Dual output: JSON for SIEM + CSV for OMB submission in one run
./certscanner -mode remote -hosts 10.0.0.0/8 -ports 443,8443,22,8080 \
  -cipherscanquick -output scan-results.json \
  -csv-output remote-inventory.csv

Dataset Coverage

Every cryptographic dataset detected by the scanner produces one or more rows in the CSV. Each dataset type maps its specific fields to the 34 OMB columns; fields with no direct column equivalent are written to Additional Notes (col 13).

TLS/HTTPS Ports

One row per listening TLS port per application. Full cipher suite detail from live handshake.

  • KEX algorithm and named group (col 15–17)
  • Full cipher suite name (col 16)
  • Server certificate signature algorithm (col 23–25)
  • Block cipher, key length, and mode (col 26–28)
  • Hash and MAC algorithms (col 29–32)
  • Notes: preferred protocol, cert/key counts, stream ciphers

SSH / SFTP Ports

One row per SSH port. Prefers sshd_config / sshd -T data over wire-negotiated algorithms.

  • KEX algorithm families and named groups (col 15–17)
  • PQC KEX detection (sntrup761, mlkem768x25519) (col 5, 21–22)
  • Host-key signature algorithm and parameters (col 23–25)
  • Bulk cipher and mode (col 26–28)
  • MAC algorithms (col 31–32)
  • Notes: banner version, config source, PQC readiness, auth methods, host key fingerprint

SMB3 / CIFS (port 445)

Live SMB2 NEGOTIATE probe. Cipher IDs extracted from NegotiateContextList in server response.

  • Block ciphers from wire: AES-128-GCM, AES-256-GCM, AES-128-CCM (col 26–28)
  • Notes: data source ("wire" or "protocol_spec"), dialect, PQC readiness

Kerberos (port 88)

Live AS-REQ probe. KDC's supported etype list extracted from KRB-ERROR(PREAUTH_REQUIRED).

  • Encryption types from wire: AES256, AES128, RC4-HMAC, DES (col 26–28)
  • Notes: etype list, RC4/DES presence flags, HMAC algorithms

NFS (port 2049)

Live RPC NULL probe confirms NFS presence. Crypto from published NFSv4.2 + Kerberos profile.

  • Block cipher and mode (col 26–28)
  • Notes: NFS version, GSS Kerberos, PQC readiness

IBM MQ (port 1414)

Live MQCONN probe. Cipher spec from IBM MQ TLS cipher suites.

  • Block cipher and mode (col 26–28)
  • Notes: queue manager name, cipher spec, channel name

AirPlay (port 7000)

mDNS TXT record query + RTSP OPTIONS probe. mDNS et= and pk= fields parsed for live crypto data.

  • KEX from mDNS when available: Ed25519/P-256 (col 15–17)
  • Cipher: AES-128-CBC (col 26–28)
  • Notes: mDNS data source flag, encryption type bitmask

OPC-UA (port 4840)

Live HELLO/ACK probe confirms OPC-UA server. Crypto from OPC-UA Security Policy specification.

  • KEX: RSA-OAEP (col 15–17)
  • Block cipher: AES-128-CBC / AES-256-CBC (col 26–28)
  • Notes: data source "protocol_spec", security policy names

Tor (port 9001)

Live VERSIONS cell probe confirms Tor relay. Crypto from Tor protocol specification.

  • KEX: Curve25519 ntor (col 15–17)
  • Stream cipher: AES-128-CTR (col 26–28)
  • Notes: data source "protocol_spec", Tor version cell

VPN Clients

One row per detected VPN client (Cisco AnyConnect, GlobalProtect, WireGuard, OpenVPN, WARP, etc.). Cipher data from config files and process inspection.

  • Protocol and KEX (col 15–17)
  • Block cipher (col 26–28)
  • Notes: server address, PQC readiness (IsPQCReady / QuantumResistance), VPN version

IPSec Tunnels

One row per detected IPSec tunnel or IKE profile. Cipher data from strongSwan, Libreswan, Windows IKE, or platform config.

  • IKE version and DH group (col 15–17)
  • ESP cipher and mode (col 26–28)
  • Notes: PRF algorithm, PFS status, PQC readiness, FIPS mode

Filesystem Certificates

One row per certificate found on the filesystem (.pem, .crt, .p12, etc.). Parsed from on-disk X.509 files.

  • Signature algorithm and key size (col 23–25)
  • Issuer organization as Vendor/Developer (col 11)
  • Notes: file path, expiry date, subject CN, SAN entries, key type

WiFi / Wireless

One row when WiFi is detected. Security mode and cipher suite from OS wireless configuration APIs.

  • Block cipher: AES-CCMP / TKIP (col 26–28)
  • Notes: SSID, BSSID, security mode (WPA2/WPA3), authentication type

MACsec (IEEE 802.1AE)

One row per MACsec interface detected. Cipher suite from kernel and network driver configuration.

  • Block cipher: AES-128-GCM / AES-256-GCM (col 26–28)
  • Notes: interface name, SCI, cipher suite name, key management (CAK/MKA)

Column Reference

All 34 column names match the OMB cryptographic inventory data field names exactly. The "Populated by" column lists which dataset types fill each field.

Each entry gives the column number and name, its description, and an example value.

1  System Name
   Hostname of the scanned system. Populated by all rows.
   Example: WORKSTATION-01

2  Reported System Vulnerability
   Whether CRQC-vulnerable algorithms (RSA, EC, DH, DSA) were detected. Values: Vulnerable, Not Vulnerable, Unknown/Not Yet Assessed.
   Example: Not Vulnerable

3  Associated Cryptographic Module Name or Description
   Application or protocol name and port, e.g. "nginx (port 443)" for TLS rows, "SSH-2.0-OpenSSH_9.6" for SSH rows, "Filesystem Certificate" for on-disk certs.
   Example: nginx (port 443)

4  Associated CRQC-Vulnerable Asymmetric Algorithms
   RSA, EC, DH, or DSA algorithms detected; "None known at this time" when only PQC or symmetric algorithms are observed.
   Example: ECDH / ECDHE

5  Associated Post-Quantum Asymmetric Algorithms
   ML-KEM, ML-DSA, SLH-DSA, or PQC hybrids detected. For SSH, populated when sntrup761x25519 or mlkem768x25519 is in the KEX list.
   Example: ML-KEM / CRYSTALS-Kyber

6  Associated Symmetric Algorithms
   Block and stream ciphers detected (AES, ChaCha20, 3DES). For non-TLS protocols, derived from negotiated or spec-defined cipher.
   Example: AES

7  Associated Other Cryptographic Techniques
   Additional techniques not covered by other columns (post-quantum signatures, hash-based MACs). Set to "None known at this time" when nothing additional applies.
   Example: None known at this time

8  System Composition
   Fixed value: Software (the scanner inventories software-based cryptographic assets).
   Example: Software

9  Software Package Name
   Cryptographic library name(s) linked by the application (e.g. OpenSSL, libssl, CryptoKit). For SSH rows: detected SSH daemon libraries. For certs: Filesystem Certificate.
   Example: OpenSSL; libcrypto

10 Software Package Version
   Application version from PE/ELF metadata or SSH banner. Unknown when not discoverable.
   Example: 1.25.4

11 Vendor/Developer
   Software publisher from PE metadata. For filesystem certificates: the issuer organisation field from the X.509 certificate. Unknown when not available.
   Example: DigiCert, Inc.

12 Operating System
   OS name and version of the scanned host (e.g. Windows 11 Pro 23H2, RHEL 9.4, darwin 26.4.1).
   Example: RHEL 9.4

13 Additional Notes
   Semicolon-delimited overflow field capturing protocol-specific details not covered by the 33 other columns. Content varies by dataset:
     • TLS: preferred protocol, cert/key counts, library paths, stream ciphers
     • SSH: banner version, config source (sshd -T / file_parse), auth methods, host key fingerprint, PQC readiness, missing PQC KEX candidates
     • SMB/Kerberos: cipher IDs from wire, etype list, insecure algorithm flags
     • NFS/IBM MQ: service version, GSS mechanism, queue manager name
     • VPN/IPSec: server address, PFS status, IKE version, FIPS mode
     • Filesystem Cert: file path, expiry date, subject CN, SAN entries, key type
     • WiFi: SSID, BSSID, security mode, authentication type
     • MACsec: interface name, SCI, cipher suite, key management method
   Example: Config: sshd -T; KEX: mlkem768x25519; PasswordAuth: no

14 Overall Status
   Asset lifecycle status. Set to In use for all active assets detected on the running host.
   Example: In use

15 Key Exchange / Key Agreement / Key Establishment Protocols Used
   KEX protocol family in use. For TLS: TLS 1.3 ML-KEM, ECDHE, DHE. For SSH: ECDH / ECDHE, DH / DHE. For IPSec: IKEv2 ECDH. For VPN: per-tunnel protocol.
   Example: TLS 1.3 ML-KEM

16 Key Exchange …: Associated Parameters and Ciphersuites
   Full cipher suite name(s) observed. For TLS: IANA cipher suite strings. For SSH: comma-separated KEX algorithm names from sshd_config / sshd -T.
   Example: TLS: TLS_AES_256_GCM_SHA384

17 Key Exchange …: Associated Options and Protocol Extensions
   Named groups and extensions used. For TLS: supported_groups values. For SSH: named groups extracted from KEX algorithm list (e.g. X25519, P-256).
   Example: TLS: X25519MLKEM768

18 Other Cryptographic Protocols Used
   Secondary protocol identifiers. For TLS and SSH rows this is None (covered by col 15). For non-TLS rows this holds the protocol name and version (e.g. SMB3, NFSv4.2).
   Example: None

19 Other Cryptographic Protocols …: Associated Parameters and Ciphersuites
   Parameters for any protocol named in col 18. Empty for TLS/SSH primary rows.
   Example: None

20 Other Cryptographic Protocols …: Associated Options and Protocol Extensions
   Additional extensions for the protocol in col 18. Empty for most rows.
   Example: None

21 Key Encapsulation Algorithms (KEMs) Used
   Post-quantum KEM algorithms detected. Populated for TLS rows when ML-KEM is in the hybrid KEX (e.g. X25519MLKEM768) and for SSH rows when mlkem768x25519 or sntrup761x25519 is configured.
   Example: ML-KEM / CRYSTALS-Kyber

22 KEMs: Associated Parameters
   Security level and parameter set for detected KEMs (e.g. ML-KEM: 768 for ML-KEM-768, NTRU Prime: 761 for sntrup761).
   Example: ML-KEM: 768

23 Digital Signature Algorithms Used
   Signature algorithms from TLS certificate, SSH host key, or X.509 file. Values: RSA, ECDSA, EdDSA, ML-DSA, or derived from host key type for SSH (e.g. Ed25519, RSA).
   Example: ECDSA

24 Digital Signature Algorithms Used: Associated Parameters
   Key sizes and curve names for detected signature algorithms (e.g. ECDSA: P-256, RSA: 2048, Ed25519: 255).
   Example: ECDSA: P-384

25 Digital Signature Algorithms Used: Associated Hash Algorithms
   Hash functions paired with detected signature algorithms (e.g. ECDSA: SHA-384, RSA: SHA-256). For SSH host key types that do not use a separate hash (Ed25519), set to None.
   Example: ECDSA: SHA-384

26 Block Ciphers Used
   Block cipher families detected across all cipher suites (AES, 3DES, Camellia). For non-TLS protocols, mapped from the negotiated or spec-defined cipher (e.g. SMB3 AES-GCM → AES).
   Example: AES

27 Block Ciphers Used: Associated Key Length Parameters
   Key sizes in bits for each detected block cipher (e.g. AES: 128, 256). Derived from cipher suite names or protocol spec.
   Example: AES: 128, 256

28 Block Ciphers Used: Associated Modes of Operation
   Authenticated encryption and cipher modes (GCM, CCM, CBC, CTR). For SMB3 the mode is read from the NegotiateContextList cipher ID; for AES-GCM suites it is always GCM.
   Example: AES: GCM

29 Hash Algorithms Used
   Hash functions across all cipher suites and certificates (SHA-256, SHA-384, SHA-512, SHA-1). For SSH rows, derived from MAC algorithm names and host key type.
   Example: SHA-256

30 Hash Algorithms Used: Associated Parameters
   Digest size in bits for each detected hash (e.g. SHA: SHA-256, SHA: SHA-384).
   Example: SHA: SHA-256

31 Message Authentication Algorithms Used
   MAC algorithms detected. For TLS 1.3 AEAD suites: AEAD/GCM or AEAD/ChaCha20-Poly1305. For SSH: MAC algorithm names from config (e.g. hmac-sha2-256, umac-128-etm). For SMB/MACsec: GMAC.
   Example: HMAC

32 Message Authentication Algorithms Used: Associated Parameters
   Hash function and tag length for each MAC (e.g. HMAC: SHA-256, HMAC: SHA-384). For AEAD modes the tag is implicit in the cipher mode.
   Example: HMAC: SHA-256

33 Other Cryptographic Details
   Stream ciphers (ChaCha20-Poly1305), crypto library PQC capability flags, and the crypto_source qualifier for non-TLS protocols (wire = observed on network, protocol_spec = from published specification).
   Example: No additional details.

34 Cryptographic Certifications
   FIPS 140 mode status detected on the host (e.g. FIPS 140-2 Enabled). Set to Unknown when FIPS status cannot be determined.
   Example: FIPS 140-2 Enabled

Row Mapping Logic

The scanner emits one row per cryptographic asset instance. The priority order within each application's port list is: TLS → SSH → SMB3 → Kerberos → NFS → IBM MQ → AirPlay → OPC-UA → Tor. Non-port datasets (VPN clients, IPSec tunnels, filesystem certificates, WiFi, MACsec) are appended after all port rows.

No Crypto Detected

Application observed in memory with no TLS, SSH, or other protocol. One summary row with empty cipher columns and Unknown/Not Yet Assessed vulnerability.

TLS Port

One row per TLS-enabled port. All cipher suite and certificate fields populated from the live TLS handshake.

SSH Port

One row per SSH port. Algorithm data preferentially sourced from sshd -T -f <config> (authoritative), falling back to wire-negotiated algorithms.

Non-TLS Protocol Port

One row per detected protocol (SMB3, Kerberos, NFS, IBM MQ, AirPlay, OPC-UA, Tor). Live probes extract wire crypto where available; otherwise falls back to published spec values.

VPN / IPSec

One row per VPN client or IPSec tunnel detected. Cipher details enriched from config files and running process inspection beyond what the application-centric model exposes alone.

Filesystem Certs / WiFi / MACsec

One row per item appended at the end of the file. These datasets have no parent application entry and are emitted directly from their respective scan results.

Vulnerability Assessment (Column 2)

Column 2 (Reported System Vulnerability) is set as follows for each row type:

Vulnerable
RSA, EC, DH, or DSA algorithms detected — vulnerable to a CRQC. Applies to TLS rows with classical KEX, SSH with DH/ECDH-only KEX, and non-TLS protocols using RSA-based or DH-based key exchange.
Not Vulnerable
Only post-quantum or symmetric algorithms detected. Applies to TLS with ML-KEM hybrid KEX and SSH with mlkem768x25519 or sntrup761x25519 as top KEX.
Unknown/Not Yet Assessed
No cipher suite data available — application detected without a probe-able port, or probe timed out.

Crypto Source Qualifier (Column 33)

Non-TLS protocol rows include a crypto_source qualifier in column 33 to indicate data confidence:

wire — cipher data observed in a live network handshake (SMB3, Kerberos, AirPlay/mDNS). Highest fidelity.
protocol_spec — cipher data from the published protocol specification (OPC-UA, Tor, NFS). Accurate at spec version; server policy may vary.

Enterprise Deployment Workflows

Automated Inventory Collection (Intune / SCCM)

# Deploy via Intune Win32 app — collect OMB CSV per device, upload to SharePoint
$hostname = $env:COMPUTERNAME
$outfile  = "C:\ProgramData\TYCHON\inventory-$hostname.csv"
.\certscanner-windows-amd64.exe `
  -outputformat csv `
  -output $outfile `
  -scan-installed-apps `
  -detect-vpn-clients -detect-ipsec `
  -tags "Agency-XYZ,FY2026-Q1,OMB-M-23-02"

# Upload to SharePoint or S3 via separate script
if (Test-Path $outfile) {
    # ... upload logic ...
}

Aggregating Results Across a Fleet

# Combine per-host CSV files into a single agency inventory
# The header from the first file is retained; subsequent files are appended without header
head -1 inventory-HOST1.csv > agency-inventory-combined.csv
for f in inventory-*.csv; do
    tail -n +2 "$f" >> agency-inventory-combined.csv
done

Each per-host CSV has identical column ordering, making naive concatenation safe for Excel, Power BI, and most CISA tooling.
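The header check and summary pass that the shell concatenation above skips, as an added Python example that is not part of the scanner or its documentation: it merges constructed per-host files with RFC 4180 parsing, rejects any file whose header is not the 34 OMB columns, tallies column 2 statuses and the column 33 crypto_source qualifier, and flags rows marked Not Vulnerable whose column 4 still names a CRQC-vulnerable algorithm. The placeholder header names for columns it does not inspect and the "crypto_source: ..." rendering in column 33 are assumptions.

```python
import csv
import io
from collections import Counter

NUM_COLS = 34
# 1-based column numbers from the Column Reference that this script inspects;
# every other header name below is a constructed placeholder, not an OMB field name.
NAMED = {1: "System Name", 2: "Reported System Vulnerability",
         4: "Associated CRQC-Vulnerable Asymmetric Algorithms",
         33: "Other Cryptographic Details"}
HEADER = [NAMED.get(i, f"Column {i}") for i in range(1, NUM_COLS + 1)]
NONE_KNOWN = "None known at this time"


def make_row(system, status, crqc_algs, details):
    """Build a full 34-field row with only the inspected columns filled (constructed)."""
    row = [""] * NUM_COLS
    row[0], row[1], row[3], row[32] = system, status, crqc_algs, details
    return row


def to_csv(rows):
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)  # RFC 4180 quoting
    return buf.getvalue()


# Constructed stand-ins for inventory-<host>.csv. The "crypto_source: ..." text in
# column 33 is an assumed rendering of the qualifier, not the scanner's exact wording.
PER_HOST = {
    "inventory-HOST1.csv": to_csv([HEADER,
        make_row("HOST1", "Vulnerable", "ECDH / ECDHE", "No additional details."),
        make_row("HOST1", "Not Vulnerable", NONE_KNOWN, "crypto_source: wire"),
    ]),
    "inventory-HOST2.csv": to_csv([HEADER,
        make_row("HOST2", "Not Vulnerable", "RSA", "crypto_source: protocol_spec"),
        make_row("HOST2", "Unknown/Not Yet Assessed", "", ""),
    ]),
}


def merge_inventories(files):
    """Concatenate per-host CSVs after validating each header against the 34 columns.
    Returns (combined_csv_text, report) where report counts column 2 statuses and
    column 33 qualifiers and lists rows whose column 2 and column 4 disagree."""
    combined = [HEADER]
    report = {"status": Counter(), "crypto_source": Counter(), "inconsistent": []}
    for name, text in files.items():
        reader = csv.reader(io.StringIO(text))  # honours quoted commas and newlines
        if next(reader, None) != HEADER:
            raise ValueError(f"{name}: header does not match the 34 OMB columns")
        for lineno, row in enumerate(reader, start=2):
            if len(row) != NUM_COLS:
                raise ValueError(f"{name}:{lineno}: expected {NUM_COLS} fields")
            combined.append(row)
            report["status"][row[1]] += 1
            for qualifier in ("wire", "protocol_spec"):
                if qualifier in row[32]:
                    report["crypto_source"][qualifier] += 1
            if row[1] == "Not Vulnerable" and row[3] not in ("", NONE_KNOWN):
                report["inconsistent"].append((name, lineno, row[0], row[3]))
    return to_csv(combined), report


if __name__ == "__main__":
    merged, summary = merge_inventories(PER_HOST)
    print(merged, summary, sep="\n")
```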

Regulatory Context

OMB M-23-02 Migrating to Post-Quantum Cryptography

Requires all federal agencies to inventory cryptographic systems by fiscal year deadlines. Specifies the data fields that must be collected for each cryptographic asset — the 34 CSV columns map directly to those requirements.

NSM-10 National Security Memorandum on Quantum Computing

Directs NSS owners to prioritize CRQC-vulnerable system identification, particularly for systems using RSA, ECC, and DH-based key exchange — the primary targets of this inventory format. SSH, VPN, and IPSec rows directly address NSM-10 network protocol requirements.

CNSA 2.0 Commercial National Security Algorithm Suite

CNSA 2.0 requires ML-KEM and ML-DSA adoption on defined schedules. The Associated Post-Quantum Asymmetric Algorithms column (col 5) and KEMs columns (col 21–22) directly surface compliance status against these requirements across TLS, SSH, and IPSec rows.

FIPS 140 Cryptographic Module Validation

The Cryptographic Certifications column (col 34) captures FIPS 140 mode status detected on the host, supporting FISMA and FedRAMP reporting requirements.

Limitations & Scope

  • Local mode only. The CSV format reflects the crypto profile of the host running the scanner. Remote network scans (cipher suite sweeps) are documented in FlatNDJSON or Tychon NDJSON format, which are better suited for SIEM ingestion.
  • Non-TLS crypto source fidelity. For protocols where a live handshake does not expose cipher negotiation (OPC-UA, Tor, NFS), cipher data is sourced from the published protocol specification rather than the running server's actual configuration. The crypto_source qualifier in column 33 indicates whether data came from the wire (wire) or the spec (protocol_spec).
  • One format at a time. If you also need JSON for a SIEM, run the scanner twice: once with -outputformat csv and once with -outputformat flatndjson (or use -splitoutputs with a non-CSV format).
  • Cipher data reflects observed negotiations. If a port's cipher suites could not be probed (firewall, timeout, protocol mismatch), that application's columns will be empty and status will be Unknown/Not Yet Assessed.
  • Multi-value cells use semicolons as delimiters. When importing into Excel, use the Text Import Wizard or Power Query to split semicolon-delimited values into separate columns if needed for pivot analysis.
  • WiFi and MACsec require elevated privileges. On Linux, reading WiFi security mode and MACsec interface configuration may require root or CAP_NET_ADMIN. Rows for these datasets will be absent if the scanner lacks the necessary permissions.