Cybersecurity in Medical Devices: Software Bill of Materials
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
a) Software Bill of Materials
A Software Bill of Materials (SBOM) can aid in the management of cybersecurity risks that exist throughout the software stack. A robust SBOM includes both the device manufacturer-developed components and third-party components (including purchased/licensed software and open-source software), and the upstream software dependencies that are required/depended upon by proprietary, purchased/licensed, and open-source software. An SBOM helps facilitate risk management processes by providing a mechanism to identify devices that might be affected by vulnerabilities in the software components, both during development (when software is being chosen as a component) and after it has been placed into the market throughout all other phases of a product’s life.[29]
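As an added illustration of the use the guidance describes (a mechanism to identify devices that might be affected by a vulnerability in a software component), the following Python example is not from the FDA document: it walks one SBOM per device model, including the upstream dependencies of licensed and open-source components, and reports which models carry an affected version and through which dependency chain. The device names, component names, versions and the advisory are constructed sample data, and the simplified SBOM record shape is an assumption, not the SPDX or CycloneDX schema.

```python
"""Map a vulnerable software component to the marketed devices whose SBOM
contains it (constructed sample data; simplified hypothetical SBOM shape)."""
from collections import deque

# Constructed per-device SBOMs. Each component records its origin (manufacturer-
# developed, purchased/licensed or open-source) and its upstream dependencies.
DEVICE_SBOMS = {
    "infusion-pump-A": {
        "pump-control-fw": {"version": "3.1.0", "origin": "manufacturer",
                            "depends_on": ["rtos-kernel", "tls-lib"]},
        "rtos-kernel": {"version": "5.2.1", "origin": "licensed",
                        "depends_on": ["net-stack"]},
        "net-stack": {"version": "1.4.7", "origin": "open-source", "depends_on": []},
        "tls-lib": {"version": "2.0.3", "origin": "open-source", "depends_on": []},
    },
    "patient-monitor-B": {
        "monitor-app": {"version": "7.0.2", "origin": "manufacturer",
                        "depends_on": ["tls-lib"]},
        "tls-lib": {"version": "2.1.0", "origin": "open-source", "depends_on": []},
    },
}

def is_affected(version, fixed_in):
    """Constructed advisory semantics: every version below `fixed_in` is affected."""
    key = lambda v: tuple(int(p) for p in v.split("."))
    return key(version) < key(fixed_in)

def exposure_paths(sbom, target):
    """Dependency chains from each top-level component (one nothing else
    depends on) down to `target`; breadth-first, with a cycle guard."""
    depended = {d for c in sbom.values() for d in c["depends_on"]}
    queue, paths = deque([[n] for n in sbom if n not in depended]), []
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        queue.extend(path + [d] for d in sbom[path[-1]]["depends_on"] if d not in path)
    return paths

def affected_devices(sboms, component, fixed_in):
    """Device model -> chains that reach a vulnerable version of `component`."""
    result = {}
    for device, sbom in sboms.items():
        comp = sbom.get(component)
        if comp and is_affected(comp["version"], fixed_in):
            result[device] = exposure_paths(sbom, component)
    return result
```

Run against a constructed advisory such as `affected_devices(DEVICE_SBOMS, "net-stack", "1.5.0")`, the result names the infusion pump only, reached through the licensed RTOS rather than through any manufacturer-developed code, which is exactly the transitive exposure an SBOM without upstream dependencies would miss.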
Because vulnerability management is a critical part of a device’s security risk management processes, an SBOM or an equivalent capability should be maintained as part of the device’s configuration management, be regularly updated to reflect any changes to the software in marketed devices, and should support 21 CFR 820.30(j) (Design History File) and 820.181 (Device Master Record) documentation.
To assist FDA’s assessment of the device risks and associated impacts on safety and effectiveness related to cybersecurity, FDA recommends that premarket submissions include SBOM documentation as outlined below. SBOMs can also be an important tool for transparency with users of potential risks as part of labeling as addressed later in Section V