MEDev.AI0
Back to Knowledge Center

Software Bill of Materials (SBOM) Creation & Management Guide

How to generate, validate, and maintain a compliant SBOM for FDA premarket submissions and post-market cybersecurity management

Section 524B (FD&C Act)FDA Cybersecurity GuidanceIEC 81001-5-1

Overview

Purpose

This guide provides a complete workflow for creating, validating, and maintaining a Software Bill of Materials (SBOM) for medical devices. An SBOM is a formal, machine-readable inventory of all software components that make up a device — including first-party code, open-source libraries, commercial off-the-shelf (COTS) software, and firmware. With the enactment of Section 524B of the FD&C Act, SBOM submission is a statutory requirement for cyber devices. This guide covers format selection (SPDX vs. CycloneDX), automated generation tooling, NTIA minimum element compliance, vulnerability monitoring, and post-market SBOM maintenance.

Target Audience

Software engineers, DevOps/build engineers, cybersecurity engineers, and regulatory affairs professionals who need to generate and maintain an FDA-compliant SBOM.

Prerequisites

  • Access to your device software source code and build system
  • Understanding of your software architecture and component dependencies
  • Familiarity with package managers used in your project (npm, pip, Maven, Conan, etc.)
  • Basic understanding of cybersecurity vulnerability databases (NVD, CVE)

Estimated Implementation Time: 2-4 weeks for initial SBOM generation and validation; ongoing maintenance

Process Flow

SBOM Lifecycle for Medical DevicesSource Code & Build System• First-party source code• Package manifests (package.json, etc.)• Build configuration• Container images / firmwareAutomated SBOM Generation• Syft, FOSSA, Snyk, Trivy• CI/CD pipeline integration• Format: SPDX or CycloneDX• NTIA minimum elementsSBOM Validation• NTIA minimum elements check• Format compliance (JSON/XML)• Component completeness audit• Version accuracy verificationFDA Submission• Machine-readable format• Included in 510(k)/PMA• Cross-referenced in eSTAR• Known vulnerability listPost-Market SBOM ManagementCVE MonitoringNVD → SBOM matchingAutomated alertsRisk AssessmentCVSS scoringImpact evaluationPatch & UpdateComponent updateSBOM regenerationContinuous cycleNTIA Minimum Elements for SBOM✓ Supplier Name✓ Component Name✓ Version String✓ Other Unique Identifiers✓ Dependency Relationship✓ Author of SBOM Data✓ Timestamp✓ Known Unknowns documentedPer NTIA "The Minimum Elements for a Software Bill of Materials" (July 2021)Format ComparisonSPDX (ISO/IEC 5962)• ISO standard, broad adoption• Strong license compliance• JSON, RDF, Tag-Value, YAMLCycloneDX (OWASP)• Security-focused design• VEX support built-in• JSON, XML, ProtobufBoth formats accepted by FDA — choose based on your tooling ecosystem
1

Phase 1: SBOM Strategy and Tooling

Select SBOM format, tooling, and establish your SBOM generation workflow before integrating into the build pipeline.

1

Choose SBOM Format

Select between SPDX (ISO/IEC 5962) and CycloneDX (OWASP). Both are accepted by FDA. SPDX is an ISO standard with strong license compliance features. CycloneDX is security-focused with built-in Vulnerability Exploitability eXchange (VEX) support. For medical device cybersecurity, CycloneDX is often preferred due to its native vulnerability correlation capabilities.

Deliverables:

  • SBOM format selection rationale document
  • Format specification version (e.g., CycloneDX 1.5)

💡 Tips:

  • CycloneDX is better for security use cases — it has native VEX and vulnerability tracking
  • SPDX is better if you also need comprehensive license compliance tracking
  • Choose JSON output over XML for easier processing and smaller file sizes
  • Document your format choice rationale for your SPDF documentation
2

Select SBOM Generation Tooling

Choose automated SBOM generation tools appropriate for your technology stack. Key tools: Syft (Anchore) — excellent multi-language support, CycloneDX CLI — official CycloneDX tool, FOSSA — commercial with license analysis, Snyk — commercial with vulnerability database, Trivy (Aqua Security) — container and filesystem scanning. Most projects need multiple tools to cover all component types.

Deliverables:

  • Tool selection document
  • Tool installation and configuration guide
  • Proof-of-concept SBOM generation run

💡 Tips:

  • Syft + Grype (both from Anchore) is a powerful free combination for generation + vulnerability matching
  • Test tools against your actual codebase — coverage varies by language/ecosystem
  • Many tools miss C/C++ dependencies — you may need manual supplementation for embedded firmware
  • Consider commercial tools if you need support and guaranteed coverage
3

Inventory All Software Components

Before automated generation, manually identify all software component categories in your device: first-party code, open-source libraries, commercial COTS components, RTOS/OS, firmware, and development tools that produce runtime artifacts. This inventory validates completeness of automated SBOM output.

Deliverables:

  • Component category inventory
  • Known component list for validation
  • Component provenance documentation

💡 Tips:

  • Include RTOS, bootloaders, and BSP components — these are often missed by automated tools
  • Track "known unknowns" — components you know exist but cannot fully enumerate (e.g., COTS binary blobs)
  • Document any components that require manual SBOM entries
  • Include development tools that contribute runtime code (code generators, compilers)
2

Phase 2: SBOM Generation and CI/CD Integration

Integrate automated SBOM generation into your software build pipeline so every build produces a current, accurate SBOM.

4

Integrate SBOM Generation into Build Pipeline

Add SBOM generation as a step in your CI/CD pipeline (GitHub Actions, GitLab CI, Jenkins, Azure DevOps). The SBOM should be generated automatically on every tagged release build. Store SBOMs as versioned build artifacts alongside the software release.

Deliverables:

  • CI/CD pipeline configuration with SBOM step
  • SBOM versioning and storage procedure
  • Build pipeline documentation

💡 Tips:

  • Generate SBOM AFTER dependency resolution but BEFORE packaging
  • Version the SBOM with the same version as the software release
  • Store SBOMs in your artifact repository (e.g., Artifactory, S3, Azure Blob)
  • Include SBOM generation in your release checklist
5

Capture Transitive Dependencies

Ensure your SBOM includes not just direct dependencies but all transitive (indirect) dependencies. In modern software, over 80% of code comes from dependencies, and many vulnerabilities occur in transitive dependencies. Verify that your tooling resolves the complete dependency tree.

Deliverables:

  • Validated dependency tree
  • SBOM with transitive dependencies
  • Dependency depth analysis

💡 Tips:

  • Use lock files (package-lock.json, Pipfile.lock, Cargo.lock) for accurate resolution
  • Cross-check automated output against package manager dependency tree commands
  • Log4Shell (CVE-2021-44228) was a transitive dependency in many projects — this is why depth matters
  • Document maximum dependency depth for your project
6

Add Manual Components

Supplement the automated SBOM with manually tracked components that tools cannot detect: hardware abstraction layers, proprietary firmware blobs, COTS libraries distributed as binaries, and custom-built tools that produce runtime artifacts. Document these as manual entries with their provenance.

Deliverables:

  • Manual SBOM supplemental entries
  • Provenance documentation for manual components
  • Process for maintaining manual entries

💡 Tips:

  • Create a separate "manual components" file that merges with the automated SBOM
  • For binary-only components, record supplier, version, SHA256 hash, and license
  • Set calendar reminders to check for updates to manually tracked components
  • Document why each manual entry cannot be automated
3

Phase 3: SBOM Validation and Compliance

Validate that the generated SBOM meets NTIA minimum elements, format specifications, and FDA submission requirements.

7

Validate NTIA Minimum Elements

Check that every component entry in the SBOM includes all NTIA minimum elements: Supplier Name, Component Name, Version String, Other Unique Identifiers (CPE, PURL), Dependency Relationship, Author of SBOM Data, and Timestamp. Document any "known unknowns" where information is unavailable.

Deliverables:

  • NTIA compliance validation report
  • Known unknowns documentation
  • Gap remediation plan

💡 Tips:

  • Use automated validation tools: sbom-tool, ntia-checker, or CycloneDX CLI validate
  • Every component MUST have supplier, name, and version — no exceptions
  • Document "known unknowns" explicitly — this shows thoroughness, not weakness
  • Use Package URL (PURL) as the unique identifier when possible
8

Cross-Reference Against Vulnerability Databases

Run the SBOM against NVD, OSV, and other vulnerability databases to identify known CVEs in your components. Tools: Grype, OSV-Scanner, Snyk. Generate a vulnerability report listing all known CVEs, their severity (CVSS), and your assessment/remediation plan.

Deliverables:

  • Vulnerability scan report
  • CVE-to-component mapping
  • Risk assessment for known vulnerabilities
  • Remediation plan for actionable CVEs

💡 Tips:

  • Not all CVEs are exploitable in your context — document your assessment for each
  • Critical/High CVEs should be remediated before submission
  • Use VEX (Vulnerability Exploitability eXchange) to document "not affected" justifications
  • Include this vulnerability analysis in your premarket submission package
9

Prepare SBOM for FDA Submission

Package the SBOM for inclusion in the premarket submission. The SBOM must be machine-readable (JSON or XML, not a PDF table). Include the SBOM file, a summary document explaining the SBOM contents, the vulnerability analysis, and cross-references to the eSTAR cybersecurity section.

Deliverables:

  • Machine-readable SBOM file (JSON/XML)
  • SBOM summary document for reviewers
  • Vulnerability analysis report
  • eSTAR cross-reference (if 510(k))

💡 Tips:

  • Include BOTH a machine-readable file AND a human-readable summary
  • The summary should include total component count, languages, licenses, and known vulnerability status
  • FDA reviewers will check for common components with known CVEs — address them proactively
  • Include the SBOM generation date and the software build version it represents
4

Phase 4: Post-Market SBOM Maintenance

Establish ongoing processes to keep the SBOM current, monitor for new vulnerabilities, and respond to security events.

10

Set Up Continuous Vulnerability Monitoring

Configure automated monitoring that continuously matches your SBOM components against vulnerability databases. Set up alerts by severity: Critical (immediate notification), High (daily digest), Medium/Low (weekly report). Define response procedures and timelines for each severity level.

Deliverables:

  • Monitoring tool configuration
  • Alert routing and escalation procedures
  • Response SLAs by severity level

💡 Tips:

  • Grype + your SBOM gives you free, continuous vulnerability monitoring
  • Subscribe to vendor security advisories for COTS components
  • Set up a security inbox (security@company.com) for monitoring alert notifications
  • Review monitoring coverage quarterly — new vulnerability sources emerge regularly
11

Manage Component Updates

Establish a process for evaluating and incorporating component updates. When a CVE is identified, assess impact on your device, determine if the component can be updated, test the update, and regenerate the SBOM. Track all component changes in your change control system.

Deliverables:

  • Component update procedure
  • Change control records for component updates
  • Updated SBOM after each component change
  • Regression test results

💡 Tips:

  • Every component update triggers a new SBOM generation
  • Run full regression testing after dependency updates
  • Security patches may qualify as minor changes under FDA software guidance — consult regulatory
  • Keep a change log linking CVEs to component updates to SBOM versions
12

Maintain SBOM Version History

Archive all SBOM versions alongside their corresponding software releases. This version history is critical for post-market analysis: when a new CVE is published, you need to quickly determine which deployed software versions contain the affected component and at what version.

Deliverables:

  • SBOM version archive
  • Software version-to-SBOM mapping
  • Rapid CVE impact assessment procedure

💡 Tips:

  • Store SBOMs in your artifact repository with the same retention policy as software releases
  • Tag SBOMs with the software version, build number, and date
  • When a new CVE drops, you should be able to query "which deployed versions are affected?" within minutes
  • This archive is valuable evidence of ongoing cybersecurity management for FDA

Implementation Checklists

SBOM Generation Checklist

NTIA Compliance Checklist

Submission Readiness Checklist

Post-Market Maintenance Checklist

Common Pitfalls & Solutions

PDF-Only SBOM Submission

Submitting the SBOM only as a PDF table fails the machine-readable requirement. FDA expects JSON or XML format files. Generate SBOM in CycloneDX JSON or SPDX JSON format, include the machine-readable file as a submission attachment, and create a separate human-readable summary for reviewers.

Missing Transitive Dependencies

Only tracking direct (first-level) dependencies misses the transitive dependency tree where many critical vulnerabilities (like Log4Shell) appear. Use lock files for accurate resolution, verify SBOM component count against package manager output, and run multiple tools to cross-check coverage.

One-Time SBOM Generation

Generating the SBOM only at submission time and never updating it violates Section 524B requirements. Integrate SBOM generation into your CI/CD pipeline, regenerate with every release build, and set up continuous vulnerability monitoring against the current SBOM.

Related Resources