October 31, 2024
by Ferdous Al-Faruque

White paper highlights SBOM challenges for medical devices

In a newly published white paper, the Mitre Corporation says stakeholders should work together to normalize how software bills of materials (SBOMs) are implemented; the paper also offers mitigations that need buy-in from stakeholders across the medtech industry.
 
The white paper was produced on behalf of the US Food and Drug Administration (FDA) and comes a year after the agency published guidance on what medical device makers should include in their SBOMs as part of their premarket submissions. (RELATED: FDA premarket cybersecurity guidance clarifies SBOM requirements, Regulatory Focus 28 September 2023)
 
SBOMs are used to catalogue and track the software components of various products and programs, including medical devices. These tools are seen as a critical component of software supply chain risk management and help ensure companies can respond adequately to any software issues that may affect their products.
 
While FDA asked for a minimum set of elements to be included in the SBOM and for the SBOM to be machine-readable, Mitre said there are significant hurdles that make it a challenge for companies to provide that information effectively. The group noted that the main challenge is a lack of normalization, which prevents the effective generation and use of SBOMs. The paper details the factors that hinder data normalization and provides technical, process, and policy recommendations to mitigate the challenges.
 
Based on its research, Mitre says there are non-technical and technical content-creation challenges when implementing SBOMs. Non-technical challenges include process and governance hurdles, such as developing processes to receive SBOMs from third-party components, managing SBOMs throughout the software's lifecycle, and picking the right tools to generate and exchange SBOMs. Technical challenges include interoperability between SBOM standards, addressing missing data in the SBOM, using the same definition for SBOM elements, formatting differences between SBOMs, and properly managing data when producing SBOM elements.
 
“Generating SBOMs at scale requires automation, which in turn requires the ability to ingest information from build systems, SBOM-generation tools, and SBOMs delivered by component vendors and open source projects,” said Mitre. “A major challenge in ingesting this information is data normalization, using a standard nomenclature and formats to ensure that data from various sources is consistent.”
 
"To be used effectively, SBOM data, especially the baseline attributes and additional data recommended in the FDA premarket cybersecurity guidance, needs to be normalized using a consistent nomenclature and data formats," it added.
 
Mitre said SBOMs need to evolve by improving their tooling and SBOM standards, and that manufacturers and software developers should play an active role in influencing industry organizations to provide information sources and services that can help individual companies address data normalization challenges.
 
Mitre said there is no single identifier that companies can use to cover all the components in an SBOM. This has led to identifier gaps and normalization challenges since some components may not have the identifiers necessary to complete an SBOM.
 
"[Medical device manufacturers] do not have to bear the burden of addressing identifier gaps alone," said the organization. "Industry-led organizations or services could stand up their own shareable repository that covers industry-wide gaps in identifier schemes such as [Common Platform Enumeration]."
 
"Such industry-wide repositories could be used by the MDM and other healthcare stakeholders and tool providers, thus helping solve normalization challenges," it added.
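The normalization and identifier-gap problem Mitre describes can be made concrete with a small ingestion check. The following is an added example, not code from Mitre, FDA or RAPS: it reads a constructed CycloneDX-style SBOM fragment, normalizes component names and versions, and reports which components lack a supplier or any machine-matchable identifier (purl or CPE). The fields treated as required are an assumption modelled on the NTIA minimum elements, not the text of the FDA guidance.

```python
"""Identifier-gap and normalization check over a CycloneDX-style SBOM (added example)."""
import json
import re

# Constructed CycloneDX-like SBOM fragment with fictitious component records.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "OpenSSL", "version": "v1.1.1w", "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@1.1.1w",
         "cpe": "cpe:2.3:a:openssl:openssl:1.1.1w:*:*:*:*:*:*:*"},
        {"name": "libfoo ", "version": "2.0", "supplier": {"name": "Acme"}},   # no purl/CPE
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},  # no supplier
    ],
})


def normalize_component(comp: dict) -> dict:
    """Normalize one component record and list the baseline elements it is missing."""
    name = comp.get("name", "").strip().lower()          # case/whitespace differ between tools
    version = re.sub(r"^v(?=\d)", "", comp.get("version", "").strip())  # 'v1.1.1w' -> '1.1.1w'
    supplier = (comp.get("supplier") or {}).get("name", "").strip()
    identifiers = {k: comp[k] for k in ("purl", "cpe") if comp.get(k)}
    # Assumption: supplier, name, version and at least one identifier are required.
    gaps = [field for field, value in (("supplier", supplier), ("name", name),
                                       ("version", version)) if not value]
    if not identifiers:
        gaps.append("identifier")  # neither purl nor CPE: cannot be matched to advisories
    return {"name": name, "version": version, "supplier": supplier,
            "identifiers": identifiers, "gaps": gaps}


def identifier_gap_report(sbom_json: str) -> dict:
    """Map each normalized 'name@version' key to the list of elements it lacks."""
    bom = json.loads(sbom_json)
    report = {}
    for comp in bom.get("components", []):
        rec = normalize_component(comp)
        report[f"{rec['name']}@{rec['version']}"] = rec["gaps"]
    return report


if __name__ == "__main__":
    for key, gaps in identifier_gap_report(SAMPLE_SBOM).items():
        print(key, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

Components flagged with "identifier" are the ones the white paper's proposed industry-wide identifier repository would need to cover before the SBOM can be matched against vulnerability data.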
 
White paper