Regulatory Open Forum

  • 1.  FDA Draft Cyber Guidance - machine readable SBOM

    Posted 25-Jul-2023 04:56
    Hi All,
    I have a question about the current FDA Draft Guidance: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, issued April 8, 2022.
    In Section VI (Cybersecurity Transparency), Subsection A (Labelling Recommendations for Devices with Cyber Security Risks), Point 5 (Lines 950-956) states:
    A SBOM as specified in Section V.A.2.b or in accordance with an industry accepted format to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected system), and to deploy countermeasures to maintain the device's safety and effectiveness. Manufacturers should provide or make available SBOM information to users on a continuous basis. If an online portal is used, an up-to-date link should be provided. The SBOM should be in a machine readable format.
    My question pertains to the last sentence highlighted above - "The SBOM should be in a machine readable format": Should a human readable format also be provided? It would seem that a machine readable format SBOM would be of little use to the average lay user of a home-use device, so would a human readable format be more meaningful?
    Might this point be clarified in the future Final Guidance?
     
    How is everyone interpreting/planning for this?
    Thanks! 


    ------------------------------
    Barry Folan
    Senior Program Lead, Regulatory Affairs
    Inverness
    United Kingdom
    ------------------------------


  • 2.  RE: FDA Draft Cyber Guidance - machine readable SBOM

    Posted 26-Jul-2023 02:23

    Hello Barry,

    I believe the comment period is concluded for the draft guidance document, so to answer the question about clarification - it would be nice, but unless already provided it might end up with the same text.  In my interpretation, the point of being in machine readable format is to allow quick review, but it can be available in human readable format to review at other times.  The machine readable format is to allow other applications to quickly determine how the software application is structured and, more importantly, what other systems or applications it interacts with - thus increasing any cybersecurity concerns.  There are some standardised SBOM structures out there which can be used, including third party/external applications which can scour through a SBOM looking for vulnerabilities.  This is also a reason the guidance states machine readable format, which is commonly expected, because an external application can go through a SBOM quickly looking for use cases, dependencies, capabilities, compliance, etc.  There are some good sources and structures out there which can be used (I do not want to provide any names because I have not used them personally myself). 



    ------------------------------
    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Vice President Global Regulatory Affairs
    ------------------------------



  • 3.  RE: FDA Draft Cyber Guidance - machine readable SBOM

    Posted 31-Jul-2023 13:51

    A machine-readable format, such as JSON, XML, or SPDX, is designed for automated processing by software tools, allowing quick analysis, vulnerability assessment, and integration with other systems for security and compliance purposes. This format is valuable for developers, IT professionals, and security experts.

    In contrast, a human-readable format uses natural language or simple graphics, making it easily understandable for non-technical users like end-users or regulatory authorities. It empowers end-users to comprehend the software components in home-use devices, understand potential risks, and ensure transparency in the device's software supply chain.

    Both formats serve different purposes, with machine-readable SBOMs aiding automated analysis, while human-readable SBOMs facilitate transparency and informed decision-making for end-users.



    ------------------------------
    Raje Devanathan
    Amerisource Bergen
    TPIreg, Innomar Strategies
    Senior Manager - Regulatory Affairs, Medical Devices
    rdevanathan@tpireg.com
    3470 Superior Court
    Oakville ON L6L0C4
    Canada
    ------------------------------
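    As an added illustration of the automated consumption described in the two replies above (example code, not from any poster or from the FDA/IMDRF documents): a small Python script parses a constructed CycloneDX-style JSON SBOM, matches its components against a constructed advisory list (placeholder identifiers, not real CVEs), and renders the result as plain-language lines a non-technical user could read. The SBOM content, advisory entries and device name are all made up for the example.

```python
import json

# Constructed SBOM in CycloneDX JSON layout (bomFormat/specVersion/components).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "device", "name": "HomeMonitor", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k", "supplier": {"name": "OpenSSL Project"}},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11", "supplier": {"name": "zlib"}},
    {"type": "operating-system", "name": "FreeRTOS", "version": "10.4.3"}
  ]
}"""

# Constructed advisory feed: (component name, affected version) -> placeholder id.
ADVISORIES = {("openssl", "1.1.1k"): "ADV-PLACEHOLDER-001"}


def load_components(sbom_text: str) -> list[dict]:
    """Parse the SBOM and return its component entries; reject unknown formats."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"unsupported bomFormat: {doc.get('bomFormat')!r}")
    return doc.get("components", [])


def match_advisories(components: list[dict], advisories: dict) -> list[tuple[str, str, str]]:
    """Return (name, version, advisory id) for every component that matches an advisory."""
    return [(c["name"], c["version"], advisories[(c["name"], c["version"])])
            for c in components if (c.get("name"), c.get("version")) in advisories]


def human_readable(components: list[dict], advisories: dict) -> list[str]:
    """Render one plain-language line per component, flagging advisory matches."""
    flagged = {(n, v): a for n, v, a in match_advisories(components, advisories)}
    lines = []
    for c in components:
        supplier = c.get("supplier", {}).get("name", "unknown supplier")
        line = f"{c['name']} {c['version']} ({c['type']}, from {supplier})"
        if (c["name"], c["version"]) in flagged:
            line += f" - affected by {flagged[(c['name'], c['version'])]}"
        lines.append(line)
    return lines
```

    Calling `human_readable(load_components(SBOM_JSON), ADVISORIES)` yields the human-readable view; the same parsed structure feeds the automated advisory match, which is what the machine-readable requirement enables.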



  • 4.  RE: FDA Draft Cyber Guidance - machine readable SBOM

    This message was posted by a user wishing to remain anonymous
    Posted 09-Aug-2023 14:13

    I think that a human readable format could pose a security and/or confidentiality risk. IMDRF recently issued a guidance on SBOMs that, in Table 1, has the advantages and disadvantages of different SBOM formats. They also talk about SBOMs being confidential in the document.

     https://www.imdrf.org/sites/default/files/2023-04/Principles%20and%20Practices%20for%20Software%20Bill%20of%20Materials%20for%20Medical%20Device%20Cybersecurity%20%28N73%29.pdf

    To the point others said, it's a lot of information, and so machine-readable would be preferred so that any compromised software components can be easily identified.