Regulatory Open Forum


SBOM - FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

  • 1.  SBOM - FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

    Posted 05-Dec-2023 03:59

    Hi everyone,

    May I please have some feedback from anyone who is working towards meeting FDA's recently finalised (Sept. 2023) Guidance - Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions? Specifically, to ask how/if you are planning to make the SBOM available to users per Section VI.A Labelling Recommendations, which states "Manufacturers should provide or make available SBOM information to users on a continuous basis."?

    An SBOM will contain proprietary information, which if widely available via labelling or online (or directly on the device) could lead to increased cyber/hacking risks (as well as giving competitors visibility of our software), so we are wrestling with how to best meet this part of the guidance. Our device is primarily intended for patient home use, meaning the SBOM information is likely not useable/meaningful to the majority of our users.

    Any feedback is much appreciated!

    Thank You and Kind Regards,

    Barry   



    ------------------------------
    Barry Folan
    Senior Program Lead, Regulatory Affairs
    Lifescan Scotland Ltd
    Inverness
    United Kingdom
    ------------------------------


  • 2.  RE: SBOM - FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

    Posted 06-Dec-2023 05:22

    Good day Barry,

    I know companies are struggling with this activity, same as you and your organisation. The items I could offer from experience in working in this area are that there is not just one way to manage or handle dissemination of the Software Bill of Materials (SBOM). While the FDA Q&A guidance provides some helpful information, there is no specific example because, as can be expected, there are such differences in software that no one way can suffice; but there are examples out there which could be reviewed. What I have been involved in is creating multiple "versions" of the SBOM which are seen internally and externally. Often there is proprietary information which should not be published publicly, though there are ways information can be provided without divulging that confidential information. As this can be related to cybersecurity activities, we usually concentrate on providing information about vulnerabilities, such as using components which are not under our full control or which may need to be installed by the user. I would also be interested to hear how different organisations are managing the SBOM and providing this in the labelling for users.



    ------------------------------
    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Vice President Global Regulatory Affairs
    Oriel STAT A MATRIX - ENTERPRISE
    ------------------------------
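As an added illustration of the internal/external split described in the reply above (example code, not from the original thread or from any organisation named in it): a small Python routine that derives an external SBOM view from an internal CycloneDX-style document, keeping third-party components intact so users can still match them against vulnerability advisories, replacing first-party components with opaque placeholders, and checking that no confidential string survives. The SBOM content, the `group` tag used to mark first-party components and the placeholder naming are constructed assumptions.

```python
import json
from copy import deepcopy

# Constructed sample in CycloneDX-style JSON (not a real device SBOM).
# Assumption: first-party components carry the manufacturer's own "group";
# third-party components carry a package URL (purl) for advisory matching.
OWN_GROUP = "example-mfr"
INTERNAL_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "meter-firmware", "version": "3.2.0", "group": OWN_GROUP}},
    "components": [
        {"bom-ref": "fw-core", "name": "glucose-algorithm", "version": "3.2.0",
         "group": OWN_GROUP, "description": "proprietary dosing math"},
        {"bom-ref": "tls", "name": "mbedtls", "version": "2.28.3",
         "purl": "pkg:github/Mbed-TLS/mbedtls@v2.28.3"},
        {"bom-ref": "rtos", "name": "freertos-kernel", "version": "10.5.1",
         "purl": "pkg:github/FreeRTOS/FreeRTOS-Kernel@V10.5.1"},
    ],
    "dependencies": [
        {"ref": "fw-core", "dependsOn": ["tls", "rtos"]},
        {"ref": "tls", "dependsOn": []},
        {"ref": "rtos", "dependsOn": []},
    ],
}

def external_view(sbom: dict, own_group: str) -> dict:
    """Redacted copy for users: third-party entries kept whole (name, version,
    purl), first-party entries collapsed to placeholders, dependency graph kept."""
    out = deepcopy(sbom)
    first_party = [c["bom-ref"] for c in out["components"] if c.get("group") == own_group]
    alias = {ref: f"proprietary-{n}" for n, ref in enumerate(first_party)}
    out["components"] = [
        {"bom-ref": alias[c["bom-ref"]], "name": "proprietary-component", "version": "redacted"}
        if c["bom-ref"] in alias else c
        for c in out["components"]
    ]
    for d in out.get("dependencies", []):  # rewrite refs so the graph stays consistent
        d["ref"] = alias.get(d["ref"], d["ref"])
        d["dependsOn"] = [alias.get(r, r) for r in d["dependsOn"]]
    return out

def leaks(view: dict, sbom: dict, own_group: str) -> list:
    """Confidential strings from first-party components that still appear in the view."""
    terms = set()
    for c in sbom["components"]:
        if c.get("group") == own_group:
            terms.update(v for k, v in c.items() if k in ("bom-ref", "name", "description"))
    text = json.dumps(view)
    return sorted(t for t in terms if t in text)
```

Running `leaks(external_view(INTERNAL_SBOM, OWN_GROUP), INTERNAL_SBOM, OWN_GROUP)` on the sample returns an empty list, which is the release gate for the external version.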