
Data Normalization Challenges and Mitigations in Software Bill of Materials Processing

By Penny Chase, Margie Zuk, Steven Christey Coley

This white paper is directed to medical-device-sector stakeholders, discussing data normalization challenges and recommended mitigations for producing software bills of materials (SBOMs), ingesting SBOMs at scale, and related issues.


SBOMs, essentially a list of the ingredients that make up software components and the relationships between them, have emerged as key building blocks in software security and software supply chain risk management. SBOMs enable taking proactive actions to mitigate risks in the device during development and reactive actions to expeditiously control emerging risks in fielded devices. The U.S. Food and Drug Administration has long recognized the importance of SBOMs in managing post-market software vulnerabilities in medical devices and providing transparency to the users of these devices. The Consolidated Appropriations Act, 2023, amended the Food, Drug, and Cosmetic Act to require SBOMs [Section 524B(b)(3)] as part of premarket submissions for cyber devices.

This white paper is directed to medical-device-sector stakeholders who will now generate SBOMs at scale from various data sources. It discusses normalization challenges and mitigations for generating and digesting SBOMs, using a standard nomenclature and formats to ensure data from various sources is consistent.