Regulatory Open Forum

  • 1.  Cybersecurity Bill Of Materials

    Posted 12-Nov-2020 08:54

    Can someone provide a general contents list of such an item?

    Thanks in advance,

    Ed



    ------------------------------
    Edward Panek
    VP, QA/RA
    Med Device
    Research into Neural Nets - https://www.twitch.tv/edosani
    ------------------------------


  • 2.  RE: Cybersecurity Bill Of Materials

    Posted 13-Nov-2020 08:34
    Edited by Colin Morgan 13-Nov-2020 08:37

    Hi Ed,

    Great question and here are a couple of references for you to consider:

    • The SBOM typically consists of the software package name and version, such as "Apache httpd 2.4"

    • For cybersecurity, regulators are now looking to ensure the SBOM has been properly evaluated against a national vulnerability database, such as NVD (https://nvd.nist.gov/).  This type of evaluation compares the software package name and version against a database of known vulnerabilities, providing you with details on potentially vulnerable packages you may be using
      • The output typically includes the software package name, version, CVE ID, CVSS Score, CVSS Vector string

    • There are a number of commercial options out there to automate this process.  These commercial tools are typically referred to as SCA, "Software Composition Analysis".  These tools typically also identify the licenses that go along with the open source components, so you can see if you are using a component with a restricted license, which could cause a legal issue.

    When developing software for a product, evaluating the SBOM against an NVD is just one element to the overall testing strategy.  The following should also be executed:

    • Source code security scanning, using Static Application Security Testing (SAST) tools.  Many solutions out there will provide SAST and SCA scanning
    • SCA evaluation
    • Vulnerability scanning of any devices that have a network interface
    • Web application scanning of any solution that has a web interface
    • Fuzz testing of ports, protocols and custom applications
    • Penetration testing of a finished solution


    Happy to answer any additional questions you may have or point you towards several commercial solutions as options.



    ------------------------------
    Colin Morgan
    Managing Director
    colinmorgan@apraciti.com

    Apraciti, LLC | Medical Device Cybersecurity

    United States
    ------------------------------
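    As an added illustration of the SBOM-versus-NVD evaluation described in the reply above (example code, not part of the original post or of any vendor's tool): each SBOM entry is a package name and version, and every match yields the fields Colin lists (package, version, CVE ID, CVSS score, CVSS vector string). The vulnerability records and their CVE-0000-* identifiers are constructed placeholders, not real NVD data.

```python
"""Evaluate an SBOM (package name + version) against a local vulnerability list."""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.51' -> (2, 4, 51); pads to three parts so '2.4' compares as '2.4.0'."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(v: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= v < fixed; fixed == '' means no fixed release yet."""
    pv = parse_version(v)
    if pv < parse_version(introduced):
        return False
    return fixed == "" or pv < parse_version(fixed)


@dataclass
class Vuln:
    package: str      # lower-cased package name as it appears in the SBOM
    introduced: str   # first affected version
    fixed: str        # first fixed version ('' if none)
    cve_id: str
    cvss_score: float
    cvss_vector: str


# CONSTRUCTED stand-in for an NVD feed; the IDs and ranges are placeholders.
VULN_DB = [
    Vuln("apache httpd", "2.4.0", "2.4.52", "CVE-0000-0001", 9.8,
         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Vuln("apache httpd", "2.4.0", "", "CVE-0000-0002", 5.3,
         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    Vuln("openssl", "3.0.0", "3.0.7", "CVE-0000-0003", 7.5,
         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
]


def evaluate_sbom(sbom: List[Tuple[str, str]]) -> List[dict]:
    """One finding per (package, version, CVE) match, highest CVSS score first."""
    findings = []
    for name, version in sbom:
        for v in VULN_DB:
            if v.package == name.lower() and version_in_range(version, v.introduced, v.fixed):
                findings.append({"package": name, "version": version, "cve_id": v.cve_id,
                                 "cvss_score": v.cvss_score, "cvss_vector": v.cvss_vector})
    return sorted(findings, key=lambda f: -f["cvss_score"])
```

    A coarse SBOM version such as "2.4" is padded to "2.4.0" and so matches the whole 2.4 line; recording the full patch level in the SBOM is what lets the comparison rule out fixed releases.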



  • 3.  RE: Cybersecurity Bill Of Materials

    Posted 14-Nov-2020 14:02
    "For cybersecurity, regulators are now looking to ensure the SBOM has been properly evaluated against a national vulnerability database"

    Sounds like an excellent idea, but the Spanish have a saying, "¿A qué hora?" and "now" is a bit of a vague timeframe.  Given all the many decades I've been hearing that "But NOW they are requiring" and still wondering when "now" is going to get here, I'm not anticipating that the "now" in which CDRH, much less "regulators," reliably require anything will arrive any time soon, if ever.  On the contrary, recent developments suggest things may be headed the other way.

    Are you referring specifically to CDRH?


    ------------------------------
    Julie Omohundro, ex-RAC (US, GS), still an MBA
    Principal Consultant
    Class Three, LLC
    Mebane, North Carolina, USA
    919-544-3366 (T)
    434-964-1614 (C)
    julie@class3devices.com
    ------------------------------



  • 4.  RE: Cybersecurity Bill Of Materials

    This message was posted by a user wishing to remain anonymous
    Posted 13-Nov-2020 09:02

    Hi Ed,
    This answer is based on previous engagements for Class A/B and Class III devices.
    There are currently multiple frameworks that are applicable for cybersecurity/wireless and portable devices, notably IEC 80001 and such.

    The MDR regulation lists MDR 745 having a clear break-up of the bill of items listing the software supply chain, including the compilers, version control tools and environments needed to create the product. The software component of the DHF file needs to provide a trace to the SPMP (Software Process Management Plan) along with applicable usability (62366) assessments for the user interface of the device software.

    In addition, all open-source/COTS libraries used in the software need to be listed, along with the reported CVE/vulnerability data for applicable risk mitigation.

    The periodic PMCF also needs to include a list of software vulnerabilities that would be taken into the design cycle for risk mitigation/recall/redesign as applicable.


  • 5.  RE: Cybersecurity Bill Of Materials

    Posted 13-Nov-2020 09:36
    Thanks, everyone. We are being reviewed under MDD at the moment, but the reviewer is asking for a CBOM, so we assumed perhaps GDPR is being actioned?

    ------------------------------
    Edward Panek
    VP, QA/RA
    Med Device

    DOD/DARPA/Dept Veterans Affairs Design Controls in Research

    Research into Neural Nets - https://www.twitch.tv/edosani
    ------------------------------