close search bar

Sorry, not available in this language yet

close language selection

FDA: SBOMs requirement for connected medical devices

Julie Courtnay

Jun 23, 2023 / 1 min read

Table of Contents

In today’s world of Internet of Things (IoT), the possibility for connection is endless: cars, watches, light bulbs, HVAC, refrigerators—even humans and the devices monitoring and controlling their health can be connected. Medical devices such as insulin pumps and continuous glucose monitors, for example, are increasingly connected to smartphones via Bluetooth. During the pandemic, lockdowns heightened the need to treat people at home, so the number of internet-connected medical devices grew dramatically.

But this increased connectivity can present risks as well as benefits. Connected insulin pumps require online accounts that use the patient’s personal information, which could be compromised. Insulin pumps also have the potential of hackers gaining unauthorized access. Because medical devices are connected through a network, there is even a risk of malware. Because of such risks, cybersecurity for connected medical devices has become extremely important.

New FDA requirement for a CBOM

Effective March 29, 2023, the FDA started enforcing cybersecurity requirements for medical devices, including a Cybersecurity Bill of Materials (CBOM). A CBOM requires medical device manufacturers to self-attest to the accuracy of a comprehensive list of software and hardware components used in their medical devices, including third-party software and open source components. A Software Bill of Materials (SBOM) is one aspect of the CBOM. With medical devices, the need for complete and accurate SBOMs is especially important.

The National Telecommunications and Information Administration (NTIA) defines minimum elements for an SBOM, and the FDA requires additional elements including support level, support end date, and known security vulnerabilities. Because open source projects do not have support levels or support end dates, these additional elements largely apply to the third-party/commercial components used within an application.

Companies across all industries are scrambling to create compliant SBOMs, and some turning to third parties for help. Third-party vendors providing SBOMs that meets the FDA requirements will need to completely and accurately identify both open source and third-party/commercial components.

Partner with an SBOM expert

Synopsys has provided robust and accurate SBOMs for its customers for over 16 years. Its sophisticated tools allow for snippet-level identification of components, and its sophisticated string search algorithms can identify all third-party/commercial components.

Synopsys also offers a SBOM-as-a-service solution that delivers a complete and accurate SBOM in standard formats (SPDX, CDX) that meet the FDA’s requirements. Synopsys can also validate that an SBOM generated internally or by one of its software supply chain partners meets FDA requirements.

Learn more about our SBOM offerings

Continue Reading

Mergers and acquisitions insurance

Mergers and acquisitions insurance

Steven Power
By Steven Power

Jan 16, 2024 / 3 min read

Tags: M&A, Software Integrity
Making intelligent tradeoffs in software due diligence

Making intelligent tradeoffs in software due diligence

Phil Odence
By Phil Odence

Dec 13, 2023 / 4 min read

Tags: SCA, M&A, Software Integrity, Compliance, Manage Security Risks, OSS License Compliance
Audited vs. automated: What your automated open source tool isn't seeing

Audited vs. automated: What your automated open source tool isn't seeing

Susan Miller
Don Mulrenan
Rich Kosinski
By Susan Miller, Don Mulrenan, Rich Kosinski

Nov 21, 2023 / 5 min read

Tags: SCA, M&A, Software Integrity, Build Security into DevOps, OSS License Compliance
SBOMs and SPDX: Now and in the future

SBOMs and SPDX: Now and in the future

Gary O’Neall
By Gary O’Neall

Oct 27, 2023 / 3 min read

Tags: M&A, Software Integrity, Secure the Software Supply Chain, OSS License Compliance
The hidden business risks of technical debt in mergers and acquisitions

The hidden business risks of technical debt in mergers and acquisitions

Phil Odence
By Phil Odence

Oct 13, 2023 / 3 min read

Tags: M&A, Software Integrity, Manage Security Risks, OSS License Compliance
From diligence to integration: How software audits inform post-close M&A strategies

From diligence to integration: How software audits inform post-close M&A strategies

Phil Odence
By Phil Odence

Sep 21, 2023 / 3 min read

Tags: M&A, Software Integrity, OSS License Compliance

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security