Got an SBOM — Now What? A Step-by-Step Guide

Topics: Tools & processes, Thought leadership, Vulnerability management

February 21, 2025

Software Bill of Materials (SBOM) management is more than just generating a list of components in your medical device software. The FDA expects medical device manufacturers (MDMs) to use their SBOMs as a foundation for ongoing vulnerability management. This guide provides a structured approach to ensure your SBOM is effectively utilized to enhance product security and regulatory compliance.

Step 1: Understand FDA Expectations

  • The FDA’s cybersecurity guidance requires an SBOM as part of regulatory submissions.
  • An SBOM is not just a list but a tool to track vulnerabilities and manage risks over time.
  • Compliance requires MDMs to demonstrate an ability to track and mitigate vulnerabilities in their products, both pre- and post-market.

Step 2: Ensure Your SBOM is Complete and Accurate

To be useful, an SBOM must contain the following essential data:

  • Component Name: The exact software component name.
  • Supplier Name: The entity providing the software.
  • Version Number: The specific version of the software used.
  • Unique Identifiers: Common identifiers such as CPE (Common Platform Enumeration) or PURL (Package URL) to cross-reference vulnerabilities.
  • Dependency Relationships: Identifying dependencies in your software architecture.
  • End-of-Life Information: Knowing when components will no longer be supported is crucial.

Use an automated tool to verify SBOM completeness and correct inconsistencies before submission.
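One way to automate that completeness check, as an added example that is not Medcrypt's or Helm's code: the script below walks a CycloneDX-style JSON SBOM and reports, per component, which of the six essential fields above is missing. The SBOM document is constructed for illustration, and the `end-of-life` property name is an assumption (CycloneDX has no dedicated end-of-life field, so the date is carried as a custom property here).

```python
"""Completeness check for a CycloneDX-style JSON SBOM.

Added example, not Medcrypt/Helm code. SAMPLE_SBOM is a constructed
document; the 'end-of-life' property is this example's convention.
"""
import json

REQUIRED_FIELDS = ("name", "version")

# Constructed SBOM: one complete component, one missing supplier and
# end-of-life data, one that is missing almost everything and is not
# wired into the dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "device",
                               "name": "infusion-pump-fw", "version": "4.2.0"}},
    "components": [
        {
            "bom-ref": "pkg:generic/openssl@1.1.1w",
            "name": "openssl",
            "version": "1.1.1w",
            "supplier": {"name": "OpenSSL Software Foundation"},
            "purl": "pkg:generic/openssl@1.1.1w",
            "cpe": "cpe:2.3:a:openssl:openssl:1.1.1w:*:*:*:*:*:*:*",
            "properties": [{"name": "end-of-life", "value": "2023-09-11"}],
        },
        {
            "bom-ref": "pkg:generic/zlib@1.2.11",
            "name": "zlib",
            "version": "1.2.11",
            "purl": "pkg:generic/zlib@1.2.11",
        },
        {
            "bom-ref": "lib-orphan",
            "name": "rtos-kernel",
            "supplier": {"name": "Example RTOS Vendor"},
        },
    ],
    "dependencies": [
        {"ref": "device",
         "dependsOn": ["pkg:generic/openssl@1.1.1w", "pkg:generic/zlib@1.2.11"]},
        {"ref": "pkg:generic/openssl@1.1.1w",
         "dependsOn": ["pkg:generic/zlib@1.2.11"]},
    ],
})


def check_sbom(raw_json):
    """Return a list of (bom_ref, problem) tuples; an empty list means complete."""
    bom = json.loads(raw_json)
    findings = []

    # Every ref that appears anywhere in the dependency graph.
    graphed = set()
    for dep in bom.get("dependencies", []):
        graphed.add(dep.get("ref"))
        graphed.update(dep.get("dependsOn", []))

    for comp in bom.get("components", []):
        ref = comp.get("bom-ref", comp.get("name", "<no ref>"))
        for field in REQUIRED_FIELDS:               # component name, version
            if not comp.get(field):
                findings.append((ref, f"missing {field}"))
        if not comp.get("supplier", {}).get("name"):  # supplier name
            findings.append((ref, "missing supplier name"))
        if not (comp.get("cpe") or comp.get("purl")):  # unique identifier
            findings.append((ref, "no CPE or PURL identifier"))
        if ref not in graphed:                      # dependency relationships
            findings.append((ref, "not referenced in dependency graph"))
        props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
        if not props.get("end-of-life"):            # end-of-life information
            findings.append((ref, "no end-of-life date recorded"))
    return findings


if __name__ == "__main__":
    for ref, problem in check_sbom(SAMPLE_SBOM):
        print(f"{ref}: {problem}")
```

Run against the constructed SBOM, the fully described `openssl` entry produces no findings, `zlib` is flagged for a missing supplier and end-of-life date, and `rtos-kernel` is flagged four times, including for being absent from the dependency graph, which is the kind of gap that hides transitive components from later vulnerability matching.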

Step 3: Match SBOM Components to Vulnerability Databases

  • Utilize the National Vulnerability Database (NVD) or similar resources to identify vulnerabilities associated with your SBOM components.
  • Be aware of false positives — ensure accurate matching by refining data inputs (e.g., ensuring proper software names and versions).
  • If no CPE exists in the NVD for a component, document your findings and alternative tracking measures.

Step 4: Prioritize Identified Vulnerabilities

Not all vulnerabilities pose equal risk. Use a structured approach to prioritize them:

  1. Severity Ratings: Use CVSS (Common Vulnerability Scoring System) scores.
  2. Exploitability (EPSS Scores): Prioritize vulnerabilities with known exploits.
  3. FDA/CISA KEV List: Address vulnerabilities listed on known exploited vulnerability (KEV) catalogs.
  4. Impact Analysis: Evaluate the potential patient safety risk.

If a vulnerability exists but does not pose a critical risk, document mitigation strategies and compensating controls.
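Steps 3 and 4 together, as an added example that is not Medcrypt's or Helm's code: the script matches SBOM components against a vulnerability feed by normalized name and affected version range (so a record whose fix predates the shipped version is not a false positive), records components that carry no CPE or PURL as needing alternative tracking, and then ranks the hits. The components, the feed, the EPSS values, the KEV flags and the `CVE-EXAMPLE-*` ids are all constructed placeholders; in practice the records come from the NVD, the EPSS feed and the CISA KEV catalog. The ranking order (KEV membership, then patient-safety impact, then EPSS, then CVSS) and the purely numeric version format are this example's assumptions.

```python
"""Match SBOM components to a vulnerability feed and prioritize the hits.

Added example, not Medcrypt/Helm code. All data below is constructed.
"""
import re

# Constructed SBOM components; 'impact' is the patient-safety impact the
# risk analysis assigned to the component (assumption for this example).
COMPONENTS = [
    {"name": "OpenSSL ", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7", "impact": "high"},
    {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13", "impact": "low"},
    {"name": "vendor-rtos", "version": "2.4", "purl": None, "impact": "high"},
]

# Constructed feed; affected range is [introduced, fixed). Ids are placeholders.
FEED = [
    {"id": "CVE-EXAMPLE-0001", "product": "openssl", "introduced": "3.0.0", "fixed": "3.0.8",
     "cvss": 7.5, "epss": 0.42, "kev": True},
    # Fixed long before 3.0.7: matches by name only, so it must NOT be reported.
    {"id": "CVE-EXAMPLE-0002", "product": "openssl", "introduced": "1.0.0", "fixed": "1.1.1",
     "cvss": 9.8, "epss": 0.90, "kev": False},
    {"id": "CVE-EXAMPLE-0003", "product": "zlib", "introduced": "1.2.0", "fixed": "1.3.0",
     "cvss": 5.5, "epss": 0.01, "kev": False},
    {"id": "CVE-EXAMPLE-0004", "product": "openssl", "introduced": "3.0.0", "fixed": "3.1.0",
     "cvss": 6.5, "epss": 0.03, "kev": False},
]

IMPACT_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def normalize(name):
    """Strip whitespace and case so 'OpenSSL ' matches the feed's 'openssl'."""
    return re.sub(r"\s+", "", name).lower()


def vtuple(version):
    """Dotted numeric version -> comparable tuple (assumes numeric parts only)."""
    return tuple(int(part) for part in version.split("."))


def affected(version, record):
    """True if version lies in the record's [introduced, fixed) range."""
    v = vtuple(version)
    return vtuple(record["introduced"]) <= v < vtuple(record["fixed"])


def match(components, feed):
    """Return (hits, untracked): matched records and components with no identifier."""
    hits, untracked = [], []
    for comp in components:
        if not comp.get("purl") and not comp.get("cpe"):
            untracked.append(comp["name"])  # document alternative tracking for these
            continue
        product = normalize(comp["name"])
        for rec in feed:
            if rec["product"] == product and affected(comp["version"], rec):
                hits.append({**rec, "component": comp["name"].strip(),
                             "impact": comp["impact"]})
    return hits, untracked


def prioritize(hits):
    """Highest-priority first: KEV, then patient-safety impact, then EPSS, then CVSS."""
    return sorted(
        hits,
        key=lambda h: (h["kev"], IMPACT_WEIGHT[h["impact"]], h["epss"], h["cvss"]),
        reverse=True,
    )


if __name__ == "__main__":
    hits, untracked = match(COMPONENTS, FEED)
    for h in prioritize(hits):
        print(f'{h["id"]} {h["component"]} kev={h["kev"]} impact={h["impact"]} '
              f'epss={h["epss"]} cvss={h["cvss"]}')
    for name in untracked:
        print(f"{name}: no CPE/PURL, needs documented alternative tracking")
```

With the constructed data, the KEV-listed `CVE-EXAMPLE-0001` lands first even though `CVE-EXAMPLE-0002` has the higher CVSS and EPSS, because the version-range check excludes `-0002` entirely; `vendor-rtos` never reaches the matcher and is reported for manual tracking, which is the documentation Step 3 asks for.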

Step 5: Establish a Continuous Monitoring Process

  • SBOM management is an ongoing process, not a one-time task.
  • Implement continuous monitoring tools that alert you to new vulnerabilities in your components.
  • Update your vulnerability assessment and risk management documentation regularly.
  • The FDA expects MDMs to demonstrate a dynamic vulnerability management process, not just a static snapshot at the time of submission.

Step 6: Document and Communicate Findings

Regulators and customers will request SBOM-based reports. Maintain clear documentation:

  • Regulatory Submissions: Ensure SBOM and vulnerability analysis reports meet FDA expectations.
  • Customer Inquiries: Be prepared to respond to hospitals and HDOs requesting security assurances.
  • Internal Audits: Maintain a well-documented audit trail to demonstrate due diligence in cybersecurity risk management.

Step 7: Plan for Patch Management and Updates

  • Have a process to determine when security patches are necessary.
  • Ensure software updates align with regulatory compliance (e.g., 510(k) post-market surveillance).
  • Consider developing a vulnerability disclosure policy to manage communication with end users.

Conclusion

An SBOM is not the end goal — it is a crucial input to an ongoing cybersecurity risk management process. By following these steps, medical device manufacturers can meet FDA expectations, reduce cybersecurity risks, and proactively protect patients and healthcare systems. Implementing robust SBOM management today will prepare your organization for future regulatory and industry security demands.

Looking for an in-depth look at the topics in this guide? Watch the recording of the webinar from Seth Carmody and Mike Kijewski at Medcrypt.

Managing SBOMs and vulnerabilities doesn’t have to be a compliance headache. Helm automates SBOM generation, validation, and vulnerability tracking, making FDA submissions effortless while strengthening security posture. Instead of struggling with spreadsheets and manual processes, medical device manufacturers get real-time insights and streamlined compliance — so they can focus on delivering safe, innovative technology to market faster. Request a Helm demo to get started.
