Software Bill of Materials
A machine-readable inventory of all software components, including open-source and third-party libraries, used to build a medical device.
Definition
A Software Bill of Materials (SBOM) is a formal, machine-readable record of every software component - including third-party, open-source, and commercial dependencies - that ships in a medical device, together with the supply-chain relationships between those components. An SBOM typically lists each component's name, version, supplier, license, and a cryptographic identifier so vulnerabilities disclosed against any component can be matched back to the devices that contain it. The two industry-standard formats are CycloneDX (OWASP) and SPDX (Linux Foundation, ISO/IEC 5962:2021).What this means in practice
An SBOM is not a one-time artifact - it must be regenerated and reviewed whenever software changes and made available to operators (typically hospital security teams) who use it to assess the device's exposure to newly disclosed CVEs. In practice, MedTech teams generate SBOMs from their CI/CD pipeline (Syft, CycloneDX-Maven, SPDX tooling), pair each SBOM with a VEX document that explains which CVEs are not exploitable in their product, and store both with the Design History File. Hospital procurement increasingly requires an MDS2 form plus a current SBOM before purchase.Use cases
2 scenariosPremarket cybersecurity submission for a connected infusion pump
Product security engineerEngineering produces a CycloneDX SBOM from the CI pipeline covering firmware, OS, and third-party libraries. They map each component to known CVEs, attach a VEX document marking unaffected vulnerabilities, and include the SBOM in the 524B section of the 510(k).
Hospital responding to a new OpenSSL CVE
Healthcare delivery org (HDO)A hospital biomed team queries vendor SBOMs for OpenSSL versions affected by a newly published critical CVE. They cross-reference vendor VEX statements to filter out devices where the vulnerable code path isn't reachable.
- •Generating an SBOM only at submission rather than continuously through the build pipeline.
- •Omitting transitive dependencies, firmware blobs, or commercial third-party components such as RTOS or DRM libraries.
- •Shipping an SBOM without a VEX (Vulnerability Exploitability eXchange) document - leaving operators to triage every CVE themselves.
- •Treating SBOM generation as a regulatory checkbox rather than feeding it into a real vulnerability-monitoring workflow.
Frequently asked questions
Cross-references
Related terms
Shared paths + categoryThe federal statute that gives FDA explicit premarket authority over cybersecurity for cyber devices.
A lightweight, OWASP-maintained SBOM format designed for application security and supply-chain use cases.
A globally unique identifier for a publicly disclosed cybersecurity vulnerability.
The bundle of cybersecurity artifacts a sponsor includes in a 510(k), De Novo, PMA, or HDE submission for a cyber device.
A machine-readable statement that explains whether a known vulnerability is actually exploitable in a specific product.
An open SBOM and license-data format published as ISO/IEC 5962:2021.
Latest in MedTech
Primary references
5 sources- 1Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Sept 2023)VerifiedFDAfda.gov
- 2Section 524B of the FD&C ActVerifiedFDAfda.gov
- 3CISA SBOM Resources & Minimum ElementsVerifiedCISAcisa.gov
- 4CycloneDX SpecificationVerifiedOWASPcyclonedx.org
- 5SPDX Specification (ISO/IEC 5962:2021)VerifiedLinux Foundationspdx.dev
Inline markers like [1] jump to the matching reference above.