The FDA’s heightened cybersecurity standards, implemented in October 2023, have changed submission requirements for medical devices. In this blog post, we’ll explore the key updates and detail key information about effective Bill of Materials (BOM) management, specifically the software bill of materials or SBOM.
What is a Software Bill of Materials (SBOM)?
An SBOM is a complete inventory of the code used in your solution, including the open source components, the license and version information for those open source components, and whether there are any known vulnerabilities in those components. And before you make the assumption that you don’t use any open source components in your software, let’s look at some facts surrounding some vulnerabilities that surprised many companies in the past few years. According to the 2022 “Open Source Security Risk and Analysis” (OSSRA) report, 97% of the codebases scanned contained open source.
Log4j served as another lesson that highlighted the importance of having an SBOM, when it was announced as exploitable at the end of December of 2021, making the holiday season a tough one for many software and IT engineers. Once the vulnerability was disclosed, it was a race to implement patches before malicious actors could exploit them. Because these incidents can have massive implications, having an SBOM can help you quickly identify and assess risks in your codebase.
Why Start an SBOM?
Assuming you don’t have an SBOM, the question our clients ask first is “where do I start?” Let’s first ask a few questions that may help uncover some opportunities for creating an SBOM and how it can quickly provide value.
- Do you know whether the licenses for the open source components of your applications are permissive or viral?
- Are you using one of the top open source licenses or a one-off variant?
- Do you know whether the open source components in your codebase are being maintained?
- Do you know whether the open source components you’re using have any known vulnerabilities?
Now that you know you have some risk to address (which the answers to the above normally show a potential risk area), what do you do about it? Making the business case for having an SBOM (regardless of being in the medical device industry and having regulatory guidelines or not), can still be a tough one. Here are several reasons why implementing an SBOM is beneficial, and will help build the foundation for business cases.
Enhanced Security and Vulnerability Management
An SBOM provides a detailed inventory of all software components, libraries, and dependencies used in your applications. This comprehensive visibility allows your security teams to quickly identify and respond to vulnerabilities within the software components. By knowing exactly what software you’re using, you can monitor known vulnerabilities and patches more effectively, reducing the risk of security breaches.
Compliance and Licensing Management
Many software components come with specific licenses that have compliance requirements. An SBOM helps ensure your company is in compliance with these licenses by tracking the usage of open-source and third-party components. This reduces the risk of legal issues related to software licensing.
Supply Chain Risk Management
Software is often built using components from a variety of sources (Log4J for example). An SBOM helps you understand the provenance of these components, allowing you to assess the security and reliability of your supply chain. You can identify dependencies on potentially risky software or vendors and take steps to mitigate these risks.
Efficient Patch Management
When vulnerabilities are discovered, it’s critical to patch them quickly. An SBOM enables your team to identify which applications are affected by a given vulnerability and prioritize patching efforts accordingly. This is especially important for vulnerabilities that pose a significant risk to your organization.
Software Assurance and Quality Control
By maintaining an SBOM, you can ensure that only approved software components are used in development, which improves the overall quality and security of your software. This practice supports software assurance initiatives by providing a clear view of the software composition.
Regulatory and Customer Requirements
Increasingly, regulations and customer contracts require transparency about the software components included in products. An SBOM can help meet these requirements, making it easier to do business in regulated industries or with customers who prioritize security.
Facilitates Software Updates and Upgrades
Understanding the components of your software ecosystem makes it easier to manage updates and upgrades. An SBOM helps you track which versions of components you’re using, making it easier to plan and implement updates without breaking dependencies.
Improved Incident Response
Even if you’re using a top ITSM system like Jira Service Management, if there is a security incident, having an SBOM allows you to quickly determine if vulnerable components are present in your systems, which can significantly speed up the incident response and remediation process.
FDA Submission Update: Effective From October 2023
As of October 2023, the FDA mandated stricter cybersecurity standards for medical device submissions. Now, submissions must include a comprehensive software bill of materials (SBOM). Additionally, submissions should detail vulnerability assessments and plans for continuous monitoring and risk mitigation. Furthermore, the FDA reserves the right to decline submissions lacking proper cybersecurity information.
Key Points From The FDA For Medical Device Submissions:
- Mandatory Cybersecurity Information: Submissions without proper cybersecurity details may be declined.
- Thorough Monitoring and Threat Identification: Submissions need to detail cybersecurity monitoring, threat modeling, and continuous vulnerability assessments.
- Software Bill of Materials (SBOM): The primary evidence document has to be included, encompassing a comprehensive list of software components with vulnerability assessments.
- Continuous Monitoring Strategies: Submissions must outline strategies for continuous monitoring of software components.
- Risk-Based Cybersecurity Mitigation Tactics: Inclusion of risk-based cybersecurity mitigation tactics within the SBOM.
As you can see the SBOM is more important than ever. So, how do you complete effective BOM management?
Understanding SBOM, eBOM and mBOM
First, we need to be clear that SBOM, eBOM, and mBOM are interconnected elements of the product development process. Each serves a specific purpose within different phases of the product life cycle.
- The Engineering Bill of Materials (eBOM) outlines components during design. Created by the product engineering team, it focuses on specifications. Linked to the Manufacturing BOM (mBOM), the eBOM transitions during manufacturing, incorporating additional details like assembly instructions. Together, eBOM and mBOM ensure a seamless progression from design to production in the product life cycle.
- Then, the Engineering Bill of Materials (eBOM) details components during design, linking to the Software Bill of Materials (SBOM). While eBOM focuses on physical components, SBOM outlines software aspects. Together, they ensure a comprehensive view of both hardware and software elements in the product development process, crucial for meeting regulatory requirements and ensuring cybersecurity in industries like MedTech.
Essentially, while eBOM and mBOM are closely linked, SBOM introduces a specific focus on software components, especially in light of cybersecurity regulations. Understanding and effectively managing these BOMs contribute to streamlined product development and regulatory compliance.
How To Complete SBOM Management
Efficient Bill of Materials (BOM) management requires avoiding spreadsheet silos and embracing integrated systems. Traditional tools can lead to information silos, hindering traceability. That’s why opting for integrated systems connecting BOMs with electronic Quality Management Systems (eQMS), such as MasterControl, and design controls is crucial. So, when selecting systems, prioritize those seamlessly integrating with both QMS and Enterprise Resource Planning (ERP) systems – this will enable efficient information sharing across the product lifecycle.
The Role of Integrated eQMS
An integrated eQMS plays a key role in achieving compliance with the new FDA cybersecurity standards. Particularly relevant for managing quality-related processes. Moreover, an integrated system should provide the following opportunities:
- Document Control: Ensures accuracy and version control for crucial documents, including the SBOM.
- Workflow Automation: Automates quality processes like change control and risk management, ensuring systematic implementation of cybersecurity measures.
- Training Management: Ensures personnel are well-informed on the latest cybersecurity protocols.
- Audit Trails and Compliance Reports: Generates audit trails and compliance reports for a comprehensive view during audits.
- Continuous Improvement Initiatives: Provides data-driven insights to refine cybersecurity measures based on evolving regulatory requirements.
- Trend Analysis: By removing data silos, you have a more comprehensive story. That means, an integrated eQMS is a powerful tool for trend analysis.
At SPK, we advocate for MedTech manufacturers to utilize an integrated eQMS specifically designed for their industry. Greenlight Guru is an industry-leader in this space, and these are 10 reasons we believe you should be using it.
Partner With SPK For Proven MedTech Compliance Support
Navigating the FDA’s new cybersecurity standards requires a strategic approach. By embracing an integrated eQMS and understanding the nuances of eBOM and mBOM, MedTech manufacturers can ensure compliance and streamline their product development processes.
SPK and Associates support manufacturers, providing expertise and fit-for-purpose tools including integrated eQMS systems specifically designed for MedTech. Contact us to learn more on how we can help you.