
Charting FDA's Course: SBOM as the North Star in Cybersecurity

Supply chain security has undergone a profound transformation since pivotal events such as the SolarWinds compromise in 2020 and the subsequent Log4j incident. Central to this evolution is the emergence of the acronym SBOM, Software Bill of Materials, as a key protagonist, permeating the discourse among policymakers and decision-makers alike. What was once a technical term has become a shared language, fostering collaboration across public and private organizations grappling with the escalating risks tied to insufficient insight into their software components.

In response to the transformative shifts in healthcare technology driven by wireless and network capabilities, the FDA took a proactive step in September 2023 by issuing new guidance. This guidance emphasizes the pivotal role of Software Bill of Materials (SBOMs) in advancing medical device cybersecurity—a critical response to the evolving landscape, underlining the need for robust security measures to ensure the safety and effectiveness of medical devices.

As healthcare technology undergoes revolutionary changes, the urgency for heightened cybersecurity measures becomes increasingly apparent. In addressing this need, the FDA's guidance specifically underscores the necessity of a comprehensive security risk management plan, with a focal point on the SBOM. The SBOM is a linchpin, significantly enhancing transparency and traceability within the intricate web of software elements.

In addition to the NTIA minimum element data fields of an SBOM, manufacturers are urged to include detailed information in their premarket submissions regarding the level of support for each software component. This encompasses specifics about ongoing monitoring and maintenance provided by the software component manufacturer, indicating whether the software is actively maintained, no longer maintained, or abandoned. Furthermore, the submission should include the software component's end-of-support date.

Going beyond a mere checklist of requirements, the FDA's guidance serves as a strategic roadmap to fortify the overall security posture of medical devices. It emphasizes that mandating an SBOM is not a standalone solution—manufacturers must also grasp the intricacies of effectively operationalizing it to meet the evolving cybersecurity challenges.

Diving into the specifics, the FDA guidance highlights the crucial need for traceability in the security risk management report. This entails establishing connections among the threat model, cybersecurity risk assessment, SBOM, and testing documentation. Recognizing this interdependence is vital for a thorough cybersecurity risk management approach, and the SBOM takes a lead role in driving this process.

Achieving traceability involves a systematic process and a robust system that leverages the SBOM to identify and list all software components and their versions, and to match them against the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. This information is then integrated into the threat modeling process to pinpoint potential attack vectors and weaknesses in the software system.

In cybersecurity risk assessment, the SBOM serves as a foundational element. Understanding the software composition facilitates a more precise evaluation of potential risks, allowing vulnerabilities in specific components to be correlated with known security threats. This connection between the SBOM and risk assessment empowers organizations to prioritize and address high-risk components effectively.

Turning to testing documentation, the SBOM acts as a guide for targeted testing. By comprehending the software supply chain and the specific components in use, cybersecurity testing efforts can be tailored to concentrate on higher-risk areas. This streamlines testing efficiency and ensures that security assessments align with the actual software composition.

Through this meticulous traceability, stakeholders gain the ability to identify vulnerabilities, enabling them to devise targeted mitigation strategies, whether through patch applications, additional security measures, or rigorous testing. This approach strengthens the resilience of medical devices against known exploits and establishes a vigilant defense against emerging threats, ensuring the continual evolution of robust cybersecurity measures for medical devices. Kudos to the FDA for their foresight and proactive guidance, playing a pivotal role in elevating the standards of cybersecurity.

| | Minimum Elements (baseline attributes) | Additional FDA premarket submission guidance |
|---|---|---|
| Data Fields | Document baseline information about each component that should be tracked: Supplier, Component Name, Version of the Component, Other Unique Identifiers, Dependency Relationship, Author of SBOM Data, and Timestamp. | The software level of support provided through monitoring and maintenance from the software component manufacturer (e.g., the software is actively maintained, no longer maintained, abandoned); and the software component's end-of-support date. |
| Automation Support | Support automation, including via automatic generation and machine-readability to allow for scaling across the software ecosystem. Data formats used to generate and consume SBOMs include SPDX, CycloneDX, and SWID tags. | |
| Practices and Processes | Define the operations of SBOM requests, generation and use including: Frequency, Depth, Known Unknowns, Distribution and Delivery, Access Control, and Accommodation of Mistakes. | |
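The following is an added example, not code from the page or from Cybeats, showing how a premarket reviewer might check a CycloneDX SBOM for the NTIA baseline fields, the two FDA-requested support fields from the table above, and the KEV cross-reference described in the traceability section. The SBOM, the KEV lookup table and the property names `fda:supportLevel` and `fda:endOfSupport` are all constructed assumptions; CycloneDX defines no standard field for support level or end-of-support date.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM, not taken from the page. CycloneDX has no
# standard field for the FDA-requested support level or end-of-support date, so
# this example assumes they travel in "properties" under made-up names.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2024-01-15T10:00:00Z",
               "authors": [{"name": "Device Security Team"}]},
  "components": [
    {"type": "library", "name": "netstack", "version": "2.4.1",
     "supplier": {"name": "Example Vendor"}, "purl": "pkg:generic/netstack@2.4.1",
     "properties": [{"name": "fda:supportLevel", "value": "actively maintained"},
                    {"name": "fda:endOfSupport", "value": "2027-06-30"}]},
    {"type": "library", "name": "oldcrypto", "version": "0.9.0",
     "purl": "pkg:generic/oldcrypto@0.9.0",
     "properties": [{"name": "fda:supportLevel", "value": "abandoned"}]}
  ]}"""

# Constructed stand-in for the CISA KEV catalogue, keyed by package URL;
# a real check would query the published catalogue instead.
KEV_BY_PURL = {"pkg:generic/oldcrypto@0.9.0": "CVE-XXXX-XXXXX (placeholder)"}

NTIA_MIN = ("supplier", "name", "version", "purl")  # per-component baseline fields

def review_component(comp, today, kev=KEV_BY_PURL):
    """Findings for one component: missing NTIA baseline fields, missing or
    unfavourable FDA support data, and KEV matches. Empty list means clean."""
    findings = [f"missing NTIA field: {f}" for f in NTIA_MIN if not comp.get(f)]
    props = {p["name"]: p["value"] for p in comp.get("properties", [])}
    level = props.get("fda:supportLevel")
    if level is None:
        findings.append("missing FDA support level")
    elif level != "actively maintained":
        findings.append(f"unsupported component: {level}")
    eos = props.get("fda:endOfSupport")
    if eos is None:
        findings.append("missing FDA end-of-support date")
    elif date.fromisoformat(eos) < today:
        findings.append(f"end of support passed on {eos}")
    if comp.get("purl") in kev:
        findings.append(f"listed in KEV: {kev[comp['purl']]}")
    return findings

def review_sbom(sbom_json, today_iso):
    """Map each component name to its findings as of the given ISO date."""
    sbom, today = json.loads(sbom_json), date.fromisoformat(today_iso)
    return {c["name"]: review_component(c, today) for c in sbom["components"]}
```

Running `review_sbom(SBOM_JSON, "2024-03-01")` reports the supported component as clean and flags the abandoned one for its missing supplier, missing end-of-support date, support status and KEV match.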
