November 17, 2023 | Cybeats

Charting FDA’s Course: SBOM as the North Star in Cybersecurity

Supply chain security has undergone a profound transformation after pivotal events such as the SolarWinds compromise in 2020 and the subsequent Log4j incident. Central to this evolution is the emergence of the acronym SBOM, Software Bill of Materials, as a key protagonist, permeating the discourse among policymakers and decision-makers alike. What was once a technical term has evolved into a shared language, fostering collaboration across public and private organizations grappling with the escalating risks tied to insufficient insight into their software components.

In response to the transformative shifts in healthcare technology driven by wireless and network capabilities, the FDA took a proactive step in September 2023 by issuing new guidance. This guidance emphasizes the pivotal role of Software Bills of Materials (SBOMs) in advancing medical device cybersecurity—a critical response to the evolving landscape, underlining the need for robust security measures to ensure the safety and effectiveness of medical devices.

As healthcare technology undergoes revolutionary changes, the urgency for heightened cybersecurity measures becomes increasingly apparent. In addressing this need, the FDA’s guidance specifically underscores the necessity of a comprehensive security risk management plan, with a focal point on the SBOM. The SBOM is a linchpin, significantly enhancing transparency and traceability within the intricate web of software elements.

In addition to the NTIA minimum element data fields of an SBOM, manufacturers are urged to include detailed information in their premarket submissions regarding the level of support for each software component. This encompasses specifics about ongoing monitoring and maintenance provided by the software component manufacturer, indicating whether the software is actively maintained, no longer maintained, or abandoned. Furthermore, the submission should include the software component’s end-of-support date.

Going beyond a mere checklist of requirements, the FDA’s guidance serves as a strategic roadmap to fortify the overall security posture of medical devices. It emphasizes that mandating an SBOM is not a standalone solution—manufacturers must also grasp the intricacies of effectively operationalizing it to meet the evolving cybersecurity challenges.

Diving into the specifics, the FDA guidance highlights the crucial need for traceability in the security risk management report. This entails establishing connections among the threat model, cybersecurity risk assessment, SBOM, and testing documentation. Recognizing this interdependence is vital for a thorough cybersecurity risk management approach, and the SBOM takes a lead role in driving this process.

Achieving traceability requires a systematic process, supported by tooling, that uses the SBOM to enumerate all software components and their versions and to flag any that appear in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. This information is then fed into the threat modeling process to pinpoint potential attack vectors and weaknesses in the software system.
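As an added example (not Cybeats' or the FDA's code) of how the support-level fields described above and the KEV cross-check could be operationalized, the Python below walks a constructed CycloneDX-like SBOM, checks each component for the NTIA minimum fields, its support status and end-of-support date, looks it up in a constructed KEV-style list with placeholder identifiers, and ranks the findings for the risk assessment. The `support` and `end_of_support` field names, the component names and all values are assumptions made for illustration.

```python
from datetime import date

# NTIA minimum elements expected per component (author and timestamp live in metadata).
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "purl", "depends_on")
# Constructed SBOM, CycloneDX-like, extended with the support level and
# end-of-support date the FDA guidance asks for. All values are illustrative.
SBOM = {
    "metadata": {"authors": ["example-device-maker"], "timestamp": "2023-11-17T00:00:00Z"},
    "components": [
        {"supplier": "ExampleCo", "name": "libtls", "version": "2.1.0",
         "purl": "pkg:generic/libtls@2.1.0", "depends_on": [],
         "support": "actively_maintained", "end_of_support": "2027-01-01"},
        {"supplier": "ExampleCo", "name": "rtos-net", "version": "4.2",
         "purl": "pkg:generic/rtos-net@4.2", "depends_on": ["pkg:generic/libtls@2.1.0"],
         "support": "no_longer_maintained", "end_of_support": "2022-06-30"},
        {"supplier": "unknown", "name": "oldjson", "version": "0.9",
         "purl": "pkg:generic/oldjson@0.9", "depends_on": [],
         "support": "abandoned", "end_of_support": None},
        {"name": "mystery-blob", "version": "1.0", "purl": "pkg:generic/mystery-blob@1.0",
         "support": "actively_maintained", "end_of_support": "2030-01-01"},
    ],
}
# Constructed KEV-style catalogue keyed by purl; the ID is a placeholder, not a real CVE.
KEV = {"pkg:generic/oldjson@0.9": ["CVE-0000-PLACEHOLDER-1"]}
# Priority by the kind of finding, listed from most to least urgent.
PRIORITY = {"kev": "critical", "support": "high", "eos_passed": "medium", "incomplete": "low"}


def missing_minimum_fields(component):
    """Return the NTIA minimum fields absent from one component entry."""
    return [f for f in NTIA_COMPONENT_FIELDS if f not in component]


def triage(sbom, kev, today_iso):
    """Return (purl, priority, reasons) per flagged component, highest priority first.
    Checks run in precedence order, so the first reason decides the priority."""
    today, findings = date.fromisoformat(today_iso), []
    for c in sbom["components"]:
        reasons = []
        if c["purl"] in kev:
            reasons.append("kev:" + ",".join(kev[c["purl"]]))
        if c.get("support") != "actively_maintained":
            reasons.append("support:" + str(c.get("support")))
        eos = c.get("end_of_support")
        if eos and date.fromisoformat(eos) <= today:
            reasons.append("eos_passed:" + eos)
        if missing_minimum_fields(c):
            reasons.append("incomplete:" + ",".join(missing_minimum_fields(c)))
        if reasons:
            findings.append((c["purl"], PRIORITY[reasons[0].split(":")[0]], reasons))
    return sorted(findings, key=lambda f: list(PRIORITY.values()).index(f[1]))
```

Each finding carries every reason it was flagged for, so a component that is both in the KEV list and abandoned is ranked critical but still records its support status for the risk report.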

In cybersecurity risk assessment, the SBOM serves as a foundational element. Understanding the software composition facilitates a more precise evaluation of potential risks, allowing vulnerabilities in specific components to be correlated with known security threats. This connection between the SBOM and risk assessment empowers organizations to prioritize and address high-risk components effectively.

Turning to testing documentation, the SBOM acts as a guide for targeted testing. By comprehending the software supply chain and the specific components in use, cybersecurity testing efforts can be tailored to concentrate on higher-risk areas. This streamlines testing efficiency and ensures that security assessments align with the actual software composition.

Through this meticulous traceability, stakeholders gain the ability to identify vulnerabilities, enabling them to devise targeted mitigation strategies, whether through patch applications, additional security measures, or rigorous testing. This approach strengthens the resilience of medical devices against known exploits and establishes a vigilant defense against emerging threats, ensuring the continual evolution of robust cybersecurity measures for medical devices. Kudos to the FDA for their foresight and proactive guidance, playing a pivotal role in elevating the standards of cybersecurity.

Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
