Effective March 29, 2023, the FDA started enforcing cybersecurity requirements for medical devices, including a Cybersecurity Bill of Materials (CBOM). A CBOM requires medical device manufacturers to self-attest to the accuracy of a comprehensive list of the software and hardware components used in their medical devices, including third-party software and open source components. A Software Bill of Materials (SBOM) is one aspect of the CBOM. For medical devices, complete and accurate SBOMs are especially important.
The National Telecommunications and Information Administration (NTIA) defines minimum elements for an SBOM, and the FDA requires additional elements including support level, support end date, and known security vulnerabilities. Because open source projects do not have support levels or support end dates, these additional elements largely apply to the third-party/commercial components used within an application.
Companies across all industries are scrambling to create compliant SBOMs, and some are turning to third parties for help. Third-party vendors providing SBOMs that meet the FDA requirements will need to completely and accurately identify both open source and third-party/commercial components.