
June 13, 2023 Software Bill of Materials (SBOM) – An essential part of software transparency & trust

How can patients and users be protected from compromised software components in medical products? As the saying goes, we cannot protect what we don’t know about, which is why a list that identifies what a software product contains is essential to managing cybersecurity risk. In the software world, that list is called a Software Bill of Materials, or SBOM.


An SBOM is a list of the ingredients that make up the software in a product and the relationships between them, according to the Cybersecurity and Infrastructure Security Agency (CISA). You can think of it as the ingredient list on the label of your breakfast cereal box, which lets you know exactly what you’re consuming.

When a company develops a software product, it either writes its own code or leverages code that is already available in the market. Typically, no one wants to reinvent the wheel, and good external libraries can be reused and are usually well vetted and of higher quality. For example, an established cryptographic library is considered safer and of higher quality than encryption code a product team writes itself. Although leveraging external code brings benefits to product design, it also adds cybersecurity risk: the released product inherits any vulnerability in the components it includes, including components pulled in indirectly by other components. This is why an ingredient list, or SBOM, that is easy to monitor is key to understanding, prioritizing, and addressing cybersecurity risks.
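To make the "ingredient list" concrete, the following is an added example (not part of the original post, and not Medtronic code) that shows what a minimal SBOM looks like and how it is monitored. It builds a small CycloneDX-shaped SBOM inline for a hypothetical product, matches each component against a constructed advisory list, and uses the SBOM's dependency relationships to trace an affected component back to the top-level component that pulls it in. The product name, library names, versions, and advisory identifiers are all constructed for illustration; none are real products or real CVEs.

```python
"""Added example: monitoring a minimal CycloneDX-style SBOM against an advisory list.

Everything here is constructed for illustration. The SBOM content, the
component names and versions, and the advisory identifiers are hypothetical;
they are not real products, real libraries, or real CVEs.
"""
import json

# Constructed SBOM shaped like CycloneDX JSON (a subset of the real schema's
# fields). "bom-ref" identifies a component; "dependencies" records which
# component depends on which, i.e. the "relationships" part of an SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app",
                             "name": "example-device-ui", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:pypi/httpclient@1.8.2", "name": "httpclient",
     "version": "1.8.2", "purl": "pkg:pypi/httpclient@1.8.2"},
    {"bom-ref": "pkg:pypi/tlswrap@0.9.1", "name": "tlswrap",
     "version": "0.9.1", "purl": "pkg:pypi/tlswrap@0.9.1"},
    {"bom-ref": "pkg:pypi/jsonfast@3.0.4", "name": "jsonfast",
     "version": "3.0.4", "purl": "pkg:pypi/jsonfast@3.0.4"}
  ],
  "dependencies": [
    {"ref": "app",
     "dependsOn": ["pkg:pypi/httpclient@1.8.2", "pkg:pypi/jsonfast@3.0.4"]},
    {"ref": "pkg:pypi/httpclient@1.8.2",
     "dependsOn": ["pkg:pypi/tlswrap@0.9.1"]}
  ]
}
"""

# Constructed advisory feed: a package identifier (purl without version) and
# the first fixed version. Any lower version is affected. IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:pypi/tlswrap", "fixed": "1.0.0"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:pypi/jsonfast", "fixed": "3.0.2"},
]


def parse_version(version):
    """Turn a numeric dotted version into a tuple so it can be compared."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Split 'pkg:type/name@version' into ('pkg:type/name', 'version')."""
    name, _, version = purl.rpartition("@")
    return name, version


def load_sbom(text):
    """Return (root bom-ref, components by bom-ref, dependency edges)."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    return root, components, deps


def dependency_paths(root, deps, target):
    """All paths from the product's root component to `target` via the graph."""
    paths = []

    def walk(node, path, seen):
        if node == target:
            paths.append(path)
            return
        for child in deps.get(node, []):
            if child not in seen:  # guard against cyclic dependency data
                walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return paths


def find_affected(sbom_text, advisories):
    """Match every versioned component against the advisories.

    Each finding carries the dependency path(s) that explain why the
    affected component is in the product at all.
    """
    root, components, deps = load_sbom(sbom_text)
    findings = []
    for ref, comp in components.items():
        purl = comp.get("purl")
        if not purl:
            continue  # unidentifiable component: cannot be matched, flag separately
        name, version = split_purl(purl)
        for adv in advisories:
            if adv["purl"] == name and parse_version(version) < parse_version(adv["fixed"]):
                findings.append({"advisory": adv["id"], "component": purl,
                                 "paths": dependency_paths(root, deps, ref)})
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f["advisory"], f["component"], " -> ".join(f["paths"][0]))
```

Run stand-alone, the script reports the one affected component, tlswrap 0.9.1, and shows that it enters the product only through httpclient; jsonfast 3.0.4 is already at or above the fixed version and is not reported. Two practical caveats: real ecosystems have their own version-ordering rules, so a production matcher should use the ecosystem's version comparison rather than the plain numeric tuple used here, and a component with no purl or version (the "older products" problem the post mentions) cannot be matched at all and should be surfaced as a gap in the SBOM rather than silently skipped.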

Historically, software developers have not always kept a detailed record of the components they brought into their code, which makes creating SBOMs for older products challenging. However, with the increase in cybersecurity threats in recent years, software development within the medical device industry has been improving its practices for creating, monitoring, and using product SBOMs to manage those risks.

Going back to food labels: remember when labels on food were simple, with little or no detail? Now they carry more information, including nutrition facts and allergens. SBOMs are changing in the same way. They are evolving to include more detailed information about each included component, such as its exact version and its relationship to the other components, so that those who use them can better understand the risks and address them appropriately.

The time, effort, and cost required to address potentially compromised software components highlight how important it is to deliver software transparency. With that transparency we can find vulnerable components faster and fix them, to ensure safe and secure products for patients.

Recently, the Consolidated Appropriations Act, 2023, was signed into U.S. law and includes SBOM expectations for new medical products. Going forward, an SBOM is a mandatory part of premarket submissions to the FDA for medical devices that contain software and can connect to the internet (the law's "cyber devices"), reflecting that SBOMs are an essential part of software transparency and are needed to keep products safe and secure.