FDA Cybersecurity Requirements and SBOMs

On March 13, 2024 the FDA released “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act”, which includes clarification on several areas in the September 27, 2023 draft guidance document “Cybersecurity in Medical Devices: Quality System Consideration and Content of Premarket Submission.” In addition, recommendations for cybersecurity documentation in device premarket submissions are provided.

One of the areas covered in the Select Updates guidance covers requirements for the Software Bill of Materials, or SBOM. Under section 524B of the U.S. Omnibus law, the sponsor of a medical device premarket submission shall “…provide to the Secretary, a software bill of materials, including commercial, open-source, and off-the-shelf software components”.  People involved in manufacturing of hard goods will recognize that a bill of materials is essentially a list of all physical parts, their respective suppliers, and relative quantities of each that make up the finished assembly. This type of list doesn’t translate well to software. So format should an SBOM take? Until now, FDA has left it to individual manufacturers to decide.  Fortunately, we now have additional clarity.

For reference, The National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document “Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)” defines an SBOM as “a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships” with the primary purpose to uniquely and unambiguously identify software components and their relationships to one another.” The SBOM should include all commercial, open source, off-the-shelf (OTS), and custom software components.

For SBOM documentation, the FDA Select Updates guidance points back to the original September 27 draft guidance, which makes several recommendations.

1) As a starting point, the manufacturer can list software elements in the manner described in two FDA guidance documents for OTS Software:

• OTS Software Use in Medical Devices
• Cybersecurity for Networked Medical Devices Containing OTS Software

At a minimum, this includes:

• Title and Manufacturer of the software.
• Version Level, Release Date, Patch Number, and Upgrade Designation, as appropriate.
• Any software documentation that will be provided to the end user.
• Why is this software appropriate for this medical device?
• What are the expected design limitations of the software?
• Computer system (hardware/software) specifications for the software.
• Steps to install and configure the software, including any required changes over time.
• Function of the software, including links with other software elements.

2) Furthermore, FDA states that SBOMs should be machine-readable, which is consistent with the baseline attributes in the NTIA reference document above. Acceptable formats for attributes such as Component Name, Version String, and Unique Identifier are described in detail in the NTIA document, which also contains examples of SBOM tables.

3) For each software component in the SBOM, premarket submissions should also contain (a) the level of support provided through monitoring and maintenance from the software component manufacturer and (b) the software component’s end-of-support date. FDA allows the submitter to decide whether to provide these elements as part of the SBOM itself, or separately as an addendum.

Generating an SBOM may sound relatively straightforward, but in most cases, it’s not. As software developers likely know, modern software projects use a long list of third-party open-source packages, each of which often calls on many other packages as dependencies. This can create an extensive tree of dependencies used by your software (direct dependencies, dependencies of dependencies, and so on).  Trying to create and manage an SBOM using a spreadsheet can get out of hand very quickly. There are many third-party solutions for creating SBOMs, which we recommend investigating before embarking on this task.