October 20, 2025
by Ferdous Al-Faruque

Experts offer tips on assembling SBOMs for medical devices

SAN DIEGO — While medical device makers are required to provide software bills of materials (SBOMs) for their products, experts who spoke at the 2025 Medtech Conference said that the available tools for assembling them are still in their infancy and that the US Food and Drug Administration (FDA) understands the challenge SBOMs pose for manufacturers.
 
When asked what tools manufacturers have to ensure they can list all the software components of their products and monitor potential vulnerabilities, Chris Reed, senior director of cybersecurity policy at Medtronic, said there is no good answer. He noted that there are several tools available to manufacturers, but they are still very immature.
 
“I think the key is to just start doing it and I say that on purpose because also even the quality of the data in SBOMs is still really lacking,” said Reed. “I wish I had a better answer.
 
“The good news is that regulators understand this and there's some minimum requirements that if you get them, you'll be able to [comply],” he added.
 
Andrew Sargent, senior director for IT and product security at SpaceLabs, echoed the sentiment and said that the important thing is to just start working on developing SBOMs and to ensure that key partners are part of the process.
 
“Every SBOM I've looked at the first time is, it's really ugly,” said Sargent. “I can't tell you how bad it is.
 
“But work with your development teams, work with your team that does the integration of a software list into the SBOM, they'll get it,” he added.
 
Sargent also recommended simplifying what components go into the product in the first place. When it comes to security, he said simplification is always the rule he uses.
 
“The fewer components you have, the cleaner your SBOM is, the easier it's going to be,” said Sargent. “The electronic version is relatively simple because the tools, once you ingest it, is clean … They're getting better too, as far as what they're reporting because they're meeting the broader standards.”
 
Sargent cautioned that the human-readable format required by FDA has a lot of fields that must be input manually, and if there are thousands of components in an SBOM, manufacturers will have to weigh the risks of those components against the intended use.
 
“That's what I always go back to is what is important to meet the intended use, focus on that area,” he added. “Without that, the software bill of materials is going to take you years to complete or get the complete information.”
 
The panelists mentioned several available tools, such as OWASP, Snyk, Rapid7, and Manifest, though Joel Cardella, director of product security at Stryker, said it's difficult to define what a good tool is because there are so many legacy products on the market that don't conform to current cybersecurity standards.
 
"We have products that were developed 30 years ago that we're still selling today," he noted. "They're developed under completely different standards ... Our architectures were different."
 
Regardless of the tool, Sargent reminded manufacturers that they first need to ask what they want the tool to do, and that they need to be very granular in the information they provide to regulators. Despite the challenges, he said that SBOMs have helped manufacturers stay abreast of cybersecurity threats and that the tools have been an important part of that effort.
 
“We've got products and have had products before that have thousands of software components, so you've got to look through those to see how many of those have vulnerabilities but most of the tools today will report on those vulnerabilities, so it automates it a lot,” he added.