
September 28, 2023
by Ferdous Al-Faruque

FDA premarket cybersecurity guidance clarifies SBOM requirements

The US Food and Drug Administration (FDA) has published a premarket cybersecurity guidance almost a decade in the making. The document adds requirements based on new authorities granted to the agency by Congress in 2022 along with details on what to include in a software bill of materials (SBOM).
 
The last time the FDA’s Center for Devices and Radiological Health (CDRH) finalized a premarket cybersecurity guidance was in 2014, and that document was just nine pages long. Since then, the center has learned much more about how sponsors develop connected products that may carry cybersecurity vulnerabilities, and it drew on that experience to finalize a 57-page guidance on 27 September 2023.
 
“As you can imagine, there was much evolution in cybersecurity generally, as well as medical device cybersecurity, specifically from 2014 to 2023,” Jessica Wilkerson, senior cyber policy advisor in CDRH’s Office of Strategic Partnerships and Technology Innovation, told Focus. “What we did is, we took our experience of doing medical device cybersecurity reviews and looked at what the 2014 guidance would benefit from, and the manufacturers and agencies that would benefit from it, in terms of additional detail and additional clarity.”
 
The 2014 guidance took a high-level and overarching view of medical device cybersecurity but lacked details on issues such as threat modeling, SBOMs, and cybersecurity risk management plans that the new guidance addresses, she added.
 
Clarity on SBOM
 
FDA initially published a cybersecurity premarket draft guidance in 2018, which got significant pushback from industry. Stakeholders argued its cybersecurity bill of materials (CBOM) requirements were too burdensome because they would not only require sponsors to detail software specifications but also hardware specifications.
 
With that in mind, the agency republished the draft guidance in April 2022, notably replacing its CBOM requirements with SBOM requirements. Stakeholders responded by asking the agency for additional details on what the agency would like to see when documenting SBOMs (RELATED: Third time’s a charm: US FDA reissues cybersecurity draft guidance, Regulatory Focus 7 April 2022; RELATED: FDA cybersecurity draft guidance draws concern from patients, industry, Regulatory Focus 13 July 2022).
 
“Many [comments] focused on the software transparency or software bill of materials section, so we put some clarifications in there, as well as adding additional clarity around what kind of documentation is expected,” Wilkerson said. “You can imagine manufacturers are very interested in what documentation and what kind of format to provide it in, so we provided some additional detail there based on comments and feedback that we had received.”
 
As in the draft guidance, FDA points sponsors to its “Off-The-Shelf (OTS) Software Use in Medical Devices” and “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software” guidances for what regulators would like to see in SBOMs. In the final guidance, however, the agency adds that sponsors should include in their SBOM the minimum elements listed in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document “Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM).” Consistent with that document, the agency said sponsors should also ensure their SBOMs are machine-readable.
 
Additionally, FDA asked sponsors to document, for each software component, what level of monitoring and maintenance support the component’s manufacturer provides and the component’s end-of-support date. “When provided, manufacturers may choose to provide these additional elements as part of the SBOM, or they may provide it separately, such as in an addendum,” FDA wrote in the guidance. “Industry-accepted formats of SBOMs are encouraged.”
 
“If a manufacturer is unable to provide the SBOM information to FDA, the manufacturer should provide a justification for why the information cannot be included in the premarket submission,” the agency added.
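To make the documentation expectation concrete, below is an added example (my own illustration, not code from FDA, NTIA or the article) of a pre-submission check a device manufacturer could run over a machine-readable SBOM. It assumes a CycloneDX-style JSON SBOM (an industry-accepted format) and checks each component for the baseline element set I take from the NTIA Framing document (SBOM author, timestamp, supplier name, component name, version string, component hash, unique identifier, dependency relationship); treat that exact list as an assumption to verify against the cited document. It also checks for FDA’s additional support-level and end-of-support elements, which the guidance allows to be delivered separately, so the example models them as a separate addendum keyed by component reference (a convention of this example, not a defined format). The sample SBOM, component names, hashes and dates are constructed.

```python
"""Pre-submission SBOM completeness check (constructed example)."""
import json
from datetime import date

# Constructed CycloneDX 1.4-shaped SBOM. Names, versions, hashes and
# identifiers are invented for illustration only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-09-28T12:00:00Z",
        "authors": [{"name": "Example Device Co. Product Security"}],
        "component": {"type": "device", "name": "example-pump-fw",
                      "version": "4.2.0", "bom-ref": "pkg:generic/example-pump-fw@4.2.0"},
    },
    "components": [
        {   # complete entry
            "type": "library", "bom-ref": "pkg:generic/example-tls@3.0.8",
            "name": "example-tls", "version": "3.0.8",
            "supplier": {"name": "Example TLS Project"},
            "purl": "pkg:generic/example-tls@3.0.8",
            "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
        },
        {   # deliberately incomplete: no supplier, identifier or hash
            "type": "operating-system", "bom-ref": "os-rtos",
            "name": "example-rtos", "version": "7.1", "hashes": [],
        },
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-pump-fw@4.2.0",
         "dependsOn": ["pkg:generic/example-tls@3.0.8", "os-rtos"]},
        {"ref": "pkg:generic/example-tls@3.0.8", "dependsOn": []},
        # no entry for "os-rtos": its own relationships are undocumented
    ],
})

# Assumed addendum format (this example's own convention): support level
# and end-of-support date per component, keyed by bom-ref.
SAMPLE_ADDENDUM = {
    "pkg:generic/example-tls@3.0.8": {
        "support_level": "security fixes only",
        "end_of_support": "2026-09-07",
    },
}


def check_sbom(sbom_json, addendum, today=date(2023, 9, 28)):
    """Return a list of findings; an empty list means every component
    carries the assumed baseline elements plus support information."""
    sbom = json.loads(sbom_json)
    findings = []

    # Document-level elements: who produced the SBOM data and when.
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("sbom: missing author of SBOM data")
    if not meta.get("timestamp"):
        findings.append("sbom: missing timestamp")

    # A component with no dependency entry has no recorded relationship.
    dep_refs = {d.get("ref") for d in sbom.get("dependencies", [])}

    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not comp.get("name"):
            findings.append(f"{ref}: missing component name")
        if not comp.get("version"):
            findings.append(f"{ref}: missing version string")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{ref}: missing unique identifier (purl/cpe/swid)")
        if not comp.get("hashes"):
            findings.append(f"{ref}: missing component hash")
        if ref not in dep_refs:
            findings.append(f"{ref}: no dependency relationship recorded")

        # FDA's additional elements, supplied here via the addendum.
        support = addendum.get(ref)
        if support is None:
            findings.append(f"{ref}: no support level / end-of-support information")
        elif date.fromisoformat(support["end_of_support"]) <= today:
            findings.append(f"{ref}: end of support already passed")
    return findings


if __name__ == "__main__":
    for line in check_sbom(SAMPLE_SBOM, SAMPLE_ADDENDUM):
        print(line)
```

Run as written, the check reports only the deliberately incomplete RTOS entry; the same component with a justification for why information cannot be provided would be the case the guidance says to document in the premarket submission rather than to leave silent.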
 
Congressional mandate
 
Another key addition to the final guidance is new authorities given to FDA by Congress under the 2023 Consolidated Appropriations Act, which was enacted in December 2022 and included the Food and Drug Omnibus Reform Act (FDORA).
 
The law solidifies the definition of a cyber device to include medical device combination products with drug and biologic components. More specifically, it added section 524B to the Federal Food, Drug, and Cosmetic (FD&C) Act, which defines a cyber device as one that meets all three of the following criteria:
  • include software validated, installed, or authorized by the sponsor as a device (or in a device)
  • have the ability to connect to the Internet
  • contain technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
 
Throughout the guidance, FDA spells out when sponsors are obligated to meet the requirements of section 524B so that their products clear a minimum cybersecurity threshold.
 
“This guidance applies to all types of devices within the meaning of section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), including devices that meet the definition of a biological product under section 351 of the Public Health Service Act, whether or not they require a premarket submission,” FDA wrote. “Therefore, the recommendations in this guidance also apply to devices for which a premarket submission is not required (e.g., for 510(k)-exempt devices). This guidance also applies to cyber devices, as defined in section 524B of the FD&C Act, which are a subset of devices.”
 
The final guidance states that sponsors of biologics license applications (BLA) and investigational new drug (IND) applications may be required to provide cybersecurity information about their product under certain circumstances.
 
“Generally, the recommendations in this guidance apply to the device constituent part of a combination product (such as drug-device and biologic-device combination products) when the device constituent part presents cybersecurity considerations, including but not limited to devices that have a device software function or that contain software (including firmware) or programmable logic,” FDA wrote.  
 
Since Investigational Device Exemption (IDE) submissions have different benefit-risk and marketing authorization requirements, FDA includes an appendix in the guidance that lists different documentation requirements for IDE sponsors.
 
“FDA understands the need to balance innovation and security in designs especially during clinical trials,” the agency wrote. “In order to ensure security is addressed early in the device design, FDA has identified a subset of the documentation recommended throughout this guidance to submit with IDE applications.”
 
Wilkerson noted that, based on the mandates under FDORA, the guidance emphasizes the need for sponsors to include vulnerability and other risk management plans in their premarket submissions and to ensure products are designed and developed with cybersecurity in mind, including providing an SBOM and making the device patchable.
 
“These are all things that FDA had previously recognized and had already been included in our guidance and our general approach to cybersecurity prior to the passage of the omnibus authorities,” she said.
 
As with its previous cybersecurity guidances, FDA’s takeaway message for sponsors is to take a total product lifecycle (TPLC) approach to the cybersecurity of medical products. In the agency’s view, it is not enough to ship a product with good cybersecurity at launch; sponsors must also plan how that product will continue to be protected from vulnerabilities throughout its usable life.
 
“The way we recommend manufacturers and other stakeholders look at it is that cybersecurity is not a static characteristic of a device. Cybersecurity is not something that you do once and then are done,” Wilkerson said. “Cybersecurity is something that is relevant and will have to be adapted and evolved over the entire lifecycle of the device.”
 