A machine-readable format, such as JSON, XML, or SPDX, is designed for automated processing by software tools, allowing quick analysis, vulnerability assessment, and integration with other systems for security and compliance purposes. This format is valuable for developers, IT professionals, and security experts.
In contrast, a human-readable format uses natural language or simple graphics, making it easily understandable for non-technical users like end-users or regulatory authorities. It empowers end-users to comprehend the software components in home-use devices, understand potential risks, and ensure transparency in the device's software supply chain.
Both formats serve different purposes, with machine-readable SBOMs aiding automated analysis, while human-readable SBOMs facilitate transparency and informed decision-making for end-users.
------------------------------
Raje Devanathan
Amerisource Bergen
TPIreg, Innomar Strategies
Senior Manager - Regulatory Affairs, Medical Devices
rdevanathan@tpireg.com
3470 Superior Court
Oakville ON L6L0C4
Canada
------------------------------
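To make the distinction in the reply above concrete: below is an added example (not code from either poster, the FDA, or any device manufacturer) that reads the two machine-readable formats most often used for SBOMs, SPDX 2.x JSON and CycloneDX JSON, normalises them into one component list, and then produces both outputs the thread contrasts: a plain-text table a lay user could read, and an automated cross-check against an advisory feed keyed by package URL. The two SBOM documents, the device they describe, and the advisory list are constructed sample data; the advisory ID is a placeholder, not a real CVE or a statement about those component versions.

```python
"""Normalise a machine-readable SBOM (SPDX 2.x JSON or CycloneDX JSON), then
produce the human-readable view and the automated check the thread contrasts.

Added example for this thread, not code from the original posts or from FDA.
The SBOM documents and the advisory list below are constructed sample data.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Component:
    name: str
    version: str
    purl: Optional[str]  # package URL; the key that automated tooling matches on
    license: str


def parse_sbom(doc: dict) -> List[Component]:
    """Detect the format from its top-level keys and normalise the components."""
    if doc.get("bomFormat") == "CycloneDX":
        out = []
        for c in doc.get("components", []):
            lic = "NOASSERTION"
            for entry in c.get("licenses", []):
                lic_obj = entry.get("license", {})
                lic = lic_obj.get("id") or lic_obj.get("name") or lic
            out.append(Component(c["name"], c.get("version", "unknown"),
                                 c.get("purl"), lic))
        return out
    if "spdxVersion" in doc:
        out = []
        for p in doc.get("packages", []):
            purl = None
            for ref in p.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purl = ref.get("referenceLocator")
            out.append(Component(p["name"], p.get("versionInfo", "unknown"), purl,
                                 p.get("licenseConcluded", "NOASSERTION")))
        return out
    raise ValueError("unrecognised SBOM format: expected CycloneDX or SPDX JSON")


def render_human_readable(components: List[Component]) -> str:
    """Plain-text component table for a lay reader: names and versions, no JSON."""
    lines = [f"{'Component':<12} {'Version':<10} License"]
    for c in components:
        lines.append(f"{c.name:<12} {c.version:<10} {c.license}")
    return "\n".join(lines)


def match_advisories(components: List[Component],
                     advisories: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Automated use of the machine-readable form: exact purl lookup.

    Real tooling also has to handle version ranges and aliases; an exact purl
    match is the minimal check, and it silently misses components with no purl.
    """
    hits = []
    for c in components:
        for adv in advisories.get(c.purl or "", []):
            hits.append((c.name, adv))
    return hits


# Constructed sample documents: the same hypothetical device in both formats.
CYCLONEDX_DOC = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1t",
     "purl": "pkg:generic/openssl@1.1.1t",
     "licenses": [{"license": {"id": "OpenSSL"}}]},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:generic/zlib@1.2.13", "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "application", "name": "device-ui", "version": "3.2.0"}
  ]
}""")

SPDX_DOC = json.loads("""{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "device-fw",
  "packages": [
    {"name": "openssl", "SPDXID": "SPDXRef-openssl", "versionInfo": "1.1.1t",
     "licenseConcluded": "OpenSSL",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:generic/openssl@1.1.1t"}]},
    {"name": "zlib", "SPDXID": "SPDXRef-zlib", "versionInfo": "1.2.13",
     "licenseConcluded": "Zlib"}
  ]
}""")

# Constructed advisory feed keyed by purl; the ID is a placeholder, not a CVE.
ADVISORIES = {"pkg:generic/openssl@1.1.1t": ["EXAMPLE-ADVISORY-0001"]}

if __name__ == "__main__":
    for doc in (CYCLONEDX_DOC, SPDX_DOC):
        comps = parse_sbom(doc)
        print(render_human_readable(comps))
        print("advisory hits:", match_advisories(comps, ADVISORIES), "\n")
```

Two points the output makes that the prose does not: the same component inventory can be serialised in either format and still be reconciled by tooling, and the automated check only works where a machine-matchable identifier (here the purl) is present, so the SPDX zlib package without a purl produces no hit even though the CycloneDX copy of the same device does carry one. A human-readable rendering is cheap to derive from the machine-readable SBOM; the reverse is not, which is a practical reason to publish the machine-readable form as the authoritative one and generate the lay summary from it.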
Original Message:
Sent: 25-Jul-2023 04:56
From: Barry Folan
Subject: FDA Draft Cyber Guidance - machine readable SBOM
Hi All,
I have a question about the current FDA Draft Guidance: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, issued April 8, 2022.
In Section VI (Cybersecurity Transparency), Subsection A (Labelling Recommendations for Devices with Cyber Security Risks), Point 5 (Lines 950-956) states:
A SBOM as specified in Section V.A.2.b or in accordance with an industry accepted format to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected system), and to deploy countermeasures to maintain the device's safety and effectiveness. Manufacturers should provide or make available SBOM information to users on a continuous basis. If an online portal is used, an up-to-date link should be provided. The SBOM should be in a machine readable format.
My question pertains to the last sentence highlighted above - "The SBOM should be in a machine readable format": Should a human readable format also be provided? It would seem that a machine readable format SBOM would be of little use to the average lay user of a home-use device, and so would a human readable format be more meaningful?
Might this point be clarified in the future Final Guidance?
How is everyone interpreting/planning for this?
Thanks!
------------------------------
Barry Folan
Senior Program Lead, Regulatory Affairs
Inverness
United Kingdom
------------------------------