Summary: The FDA now mandates that medical device manufacturers include a Software Bill of Materials (SBOM) for cybersecurity compliance under FD&C Act section 524B. Manufacturers must also establish robust cybersecurity processes and maintain detailed software records to get market approval.

Key Takeaways:

  • SBOM inclusion is now mandatory for device approval.
  • The FDA can refuse device approvals if they don’t comply with new cybersecurity regulations.

In a recent regulatory update, the U.S. Food and Drug Administration (FDA) has enhanced its oversight of medical device cybersecurity. The FDA now has the ability to approve or reject premarket submissions for medical devices based on their compliance with section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act).

This critical section requires that Medical Device Manufacturers (MDM) include a Software Bill of Materials (SBOM) in their devices.

FDA SBOM Mandate

The FDA now mandates that all medical devices should have a detailed SBOM that lists commercial, open-source, and off-the-shelf software components used in these devices. The aim is to better manage cybersecurity risks associated with medical devices.

To comply, MDMs must also maintain an accurate inventory of their device software components. They are required to develop comprehensive vulnerability management and risk assessment processes. Additionally, manufacturers must be proactive in providing patches for their devices and keep detailed records of any changes to device software.

Enhanced Scrutiny by FDA

The FDA’s Refuse-to-Accept (RTA) authority underlines the increasing importance of robust SBOM management solutions.