- The Biden administration is making a Software Bill of Materials, an electronically readable format designed to provide an inventory of third-party components in devices, a requirement amid efforts to improve cybersecurity across the federal government and private sector.
- SBOM was included in an executive order signed last week by President Joe Biden to bolster the nation’s cybersecurity posture by, among other actions, enhancing software supply chain security, according to the FDA’s new medical device cyber chief. “That highlights the degree to which [SBOM] has reached the administration,” Kevin Fu, acting director of device cybersecurity at the Center for Devices and Radiological Health, told the Food & Drug Law Institute annual conference Thursday.
- Zach Rothstein, AdvaMed’s vice president for technology and regulatory affairs, told the conference that the industry has become “very supportive” of the concept of SBOM. At the same time, Rothstein said the lobbying group wants to see uniform standards to ensure, for example, that device manufacturers “don’t have to create 10 different versions of the same document.”
The concept of an SBOM has been under discussion for years within the federal government. FDA in 2018 issued a Medical Device Safety Action Plan noting the agency was considering requiring firms to develop SBOMs as part of premarket submissions and make them available to customers and users “so that they can better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities.”
AdvaMed in formal comments to that plan said it was worried about the lack of proper controls around the sharing and maintenance of SBOMs, warning that if the documents were stored in a publicly available central database it could allow cybercriminals to learn which software is operating within a device and expose patients to potential harm. AdvaMed’s Rothstein did not raise these concerns on Thursday at the FDLI conference.
Biden’s executive order last week made the case that understanding the software supply chain and using SBOMs to analyze known cybersecurity vulnerabilities are crucial to managing the growing risk from sophisticated and malicious hackers.
Cyber experts contend that once a vulnerability is discovered the widespread availability of SBOMs will make it easier for government and the private sector to know if they are affected. Currently, mitigating cybersecurity vulnerabilities and determining who is impacted is particularly difficult due to the lack of visibility into who is using the affected software components.
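The lookup described above, as an added illustration that is not code from the article, FDA, AdvaMed or NTIA: given a constructed advisory naming an affected component and version range, it reports which of several hypothetical devices' SBOMs list a vulnerable version. The simplified SBOM shape (a list of name/version components per device) and every device, component and version below are constructed assumptions, not real products or vulnerabilities.

```python
"""Cross-reference device SBOMs against a vulnerability advisory (added example)."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '2.4.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


# Constructed sample: simplified SBOMs for three hypothetical devices.
DEVICE_SBOMS: Dict[str, List[dict]] = {
    "infusion-pump-A": [
        {"name": "libtls-example", "version": "2.3.0"},
        {"name": "rtos-example", "version": "5.1.2"},
    ],
    "patient-monitor-B": [
        {"name": "libtls-example", "version": "2.5.1"},
        {"name": "jsonparse-example", "version": "1.0.4"},
    ],
    "imaging-station-C": [
        {"name": "jsonparse-example", "version": "1.0.4"},
    ],
}

# Constructed sample advisory: the affected component and its version range.
ADVISORY = {
    "component": "libtls-example",
    "affected_from": "2.0.0",  # inclusive lower bound
    "fixed_in": "2.4.0",       # exclusive: this version and later carry the fix
}


def is_affected(version: str, advisory: dict) -> bool:
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def affected_devices(sboms: Dict[str, List[dict]], advisory: dict) -> Dict[str, str]:
    """Map each affected device to the vulnerable component version its SBOM lists."""
    hits: Dict[str, str] = {}
    for device, components in sboms.items():
        for comp in components:
            if comp["name"] == advisory["component"] and is_affected(comp["version"], advisory):
                hits[device] = comp["version"]
    return hits


if __name__ == "__main__":
    for device, version in affected_devices(DEVICE_SBOMS, ADVISORY).items():
        print(f"{device}: ships {ADVISORY['component']} {version}, inside affected range")
```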
SBOM is “kind of like an ingredient label for the software components that are in the medical device,” AdvaMed’s Rothstein said. “The industry will obviously be working with FDA in terms of how it submits or produces an SBOM during the premarket phase of the product review process.”
Rothstein noted that currently most of the medical device industry’s customers require SBOMs and manufacturers are producing the documents so that hospitals and healthcare providers can make them a part of their cybersecurity strategies.
However, Rothstein said Biden’s executive order does raise some issues related to SBOM standardization.
The medical device lobbying group wants to see uniform standards for the electronically readable format “to ensure that we create a single type of SBOM,” according to Rothstein. “While it’s good news that the administration and the federal government at large is moving in the direction of requiring SBOMs, we as an industry are focused on right now making sure that it’s done so in a ‘least burdensome’ type manner so we’re more consistent and harmonized across the government and within the ecosystem.”
AdvaMed has been working with the Department of Commerce’s National Telecommunications and Information Administration, which in 2018 launched a multi-stakeholder initiative to improve software component transparency across several industries, including medtech, by standardizing the process for sharing the data so users can better understand what exactly is running on their networks.
“As the Department of Commerce implements the executive order and looks at creating criteria and requirements around the provisions of SBOMs,” Rothstein said the agency should “do so in a way that doesn’t conflict or create friction with the processes that FDA would expect of the medical device industry that we’re otherwise already working on.”