CycloneDX · bhess · Jun 3, 2026 · Jun 5, 2026 · Jun 12, 2026 · stevespringett
@@ -264,6 +264,9 @@
           "$ref": "cyclonedx-cryptography-2.0.schema.json#/$defs/cryptoProperties",
           "title": "Cryptographic Properties"
         },
+        "agility": {
+          "$ref": "#/$defs/agility"
+        },
         "tags": {
           "$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags",
           "title": "Tags"
@@ -733,6 +736,74 @@
           "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataGovernance"
         }
       }
+    },
+    "agility": {
+      "type": "object",
+      "title": "Agility",
+      "description": "Properties describing how this component's configuration was determined and how a change to it can be applied. These properties support change management and, for cryptographic assets, cryptographic-agility.",
+      "additionalProperties": false,
+      "properties": {
+        "configurationSource": {
+          "type": "string",
+          "title": "Configuration Source",
+          "description": "Describes how this component's configuration was determined. Values are roughly ordered from least to most agile, the ordering is approximate.",
+          "enum": [
+            "hardcoded",
+            "product-default",
+            "administrator-configured",
+            "policy-managed",
+            "other",
+            "unknown"
+          ],
+          "meta:enum": {
+            "hardcoded": "The configuration is fixed in code or firmware and is not intended to be changed.",
+            "product-default": "The configuration is inherited from product or vendor defaults and can typically be overridden.",
+            "administrator-configured": "The configuration is explicitly set by an administrator through external configuration.",
+            "policy-managed": "The configuration is determined by a policy or governance engine.",
+            "other": "Another configuration source applies.",
+            "unknown": "The configuration source is not known."
+          }
+        },
+        "negotiated": {
+          "type": "boolean",
+          "title": "Negotiated",
+          "description": "Indicates whether the effective configuration is selected at runtime through negotiation with one or multiple peers, such as a protocol handshake, rather than being statically fixed. This is orthogonal to `configurationSource`, which describes how the permitted configuration was determined."
+        },
+        "configurationRef": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+          "title": "Configuration Reference",
+          "description": "The bom-ref of the configuration that determines this component's configuration. Typically points to a component of type 'data' whose data type is 'configuration'."
+        },
+        "changeMechanism": {
+          "type": "array",
+          "title": "Change Mechanism",
+          "description": "The step or steps required to apply a change to this component's configuration. When more than one value is present, all are required (for example, a software update followed by a restart). Values are roughly ordered from least to most disruptive. Use a single value of 'not-possible' when the configuration cannot be changed.",
+          "uniqueItems": true,
+          "items": {
+            "type": "string",
+            "enum": [
+              "not-possible",
+              "hardware-replacement",
+              "firmware-update",
+              "software-update",
+              "restart-required",
+              "runtime-config",
+              "other",
+              "unknown"
+            ],
+            "meta:enum": {
+              "not-possible": "The configuration cannot be changed through any supported means.",
+              "hardware-replacement": "The change requires replacing or adding hardware.",
+              "firmware-update": "The change requires a firmware update.",
+              "software-update": "The change requires a software or package update.",
+              "restart-required": "The change requires restarting software or service processes.",
+              "runtime-config": "The change can be applied at runtime without a restart.",
+              "other": "Another change mechanism applies.",
+              "unknown": "The change mechanism is not known."
+            }
+          }
+        }
+      }
     }
   }
 }
@@ -521,6 +521,11 @@
               "title": "Destruction Date",
               "description": "The date and time (timestamp) when the certificate was destroyed."
             },
+            "renewal": {
+              "$ref": "#/$defs/lifecycleControl",
+              "title": "Certificate Renewal",
+              "description": "How this certificate is renewed or re-enrolled."
+            },
             "certificateExtensions": {
               "type": "array",
               "title": "Certificate Extensions",
@@ -673,6 +678,11 @@
                 "destroyed"
               ]
             },
+            "rotation": {
+              "$ref": "#/$defs/lifecycleControl",
+              "title": "Key Rotation",
+              "description": "How this cryptographic material is rotated under the same algorithm."
+            },
             "creationDate": {
               "type": "string",
               "format": "date-time",
@@ -1088,6 +1098,51 @@
         "unknown": "The cryptographic function is not known."
       }
     },
+    "lifecycleControl": {
+      "type": "object",
+      "title": "Lifecycle Control",
+      "description": "How a cryptographic lifecycle operation, such as key rotation or certificate renewal, is performed. The `automation` property captures the degree of automation and `mechanism` captures the concrete method, for example automatic renewal via the ACME protocol, automatic rotation managed by a KMS, or a manual M-of-N key ceremony.",
+      "additionalProperties": false,
+      "properties": {
+        "automation": {
+          "type": "string",
+          "title": "Automation",
+          "description": "The degree of automation with which the operation is performed, ordered from least to most agile.",
+          "enum": [
+            "not-supported",
+            "manual",
+            "on-demand",
+            "automatic",
+            "other",
+            "unknown"
+          ],
+          "meta:enum": {
+            "not-supported": "The operation is not supported.",
+            "manual": "The operation is initiated and executed manually.",
+            "on-demand": "The operation can be triggered on demand, for example through an API call.",
+            "automatic": "The operation is performed automatically based on policy or schedule.",
+            "other": "Another mechanism applies.",
+            "unknown": "The mechanism is not known."
+          }
+        },
+        "mechanism": {
+          "type": "string",
+          "title": "Lifecycle Mechanism",
+          "description": "The concrete protocol, system, interface, or process used to perform the operation, such as the ACME (RFC 8555), EST (RFC 7030), SCEP (RFC 8894), CMP (RFC 4210), or CMC (RFC 5272) certificate protocols, KMIP, PKCS#11, and cloud key-management services for key rotation, or a manual M-of-N key ceremony.",
+          "examples": [
+            "ACME",
+            "EST",
+            "SCEP",
+            "CMP",
+            "CMC",
+            "KMIP",
+            "PKCS#11",
+            "HashiCorp Vault Transit",
+            "M-of-N key ceremony"
+          ]
+        }
+      }
+    },
     "relatedCryptographicAssets": {
       "type": "array",
       "title": "Related Cryptographic Assets",