SBOMVault.ai
Compliance

SBOMs for medical devices: navigating FDA premarket cybersecurity

February 27, 2026 · 8 min read · SBOMVault Team

As of October 2023, the FDA expects an SBOM with every premarket submission for cyber devices. The agency's guidance ("Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions") spells out what's required, and submissions without it have been put on hold.

What the FDA wants in an SBOM

The guidance is format-agnostic but content-strict. Your SBOM must include, at minimum:

  • Every commercial, open-source, and off-the-shelf component
  • The version (or commit SHA) of each component
  • The relationship between components (transitive dependencies count)
  • Component author/supplier
  • A unique identifier per component (a PURL or a CPE works)

CycloneDX 1.5+ and SPDX 2.3+ both satisfy these requirements. SBOMVault.ai outputs either.

What gets submissions bounced

The most common premarket SBOM failures we see:

  1. Stale SBOMs. The SBOM was generated six months before submission and doesn't match what the device actually runs.
  2. Missing transitive dependencies. A flat list of direct dependencies isn't enough — you need the full graph.
  3. No vulnerability posture. The FDA wants to see what known CVEs apply and how you've addressed them.
  4. No update mechanism documented. How will you push a patch when a CVE drops post-launch?
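
As an added example (not SBOMVault.ai's code and not an FDA checklist), the Python script below runs the minimum-content checks from the list above, plus the staleness and transitive-dependency checks from the failure list, over a constructed CycloneDX 1.5 document. The 180-day staleness threshold, the review date and the sample component names are assumptions.

```python
# Added example (not SBOMVault.ai's code): checks the FDA content items above plus
# staleness, over a constructed CycloneDX 1.5 document. 180-day limit is an assumption.
import json
from datetime import datetime, timedelta, timezone

REVIEW_DATE = datetime(2026, 2, 27, tzinfo=timezone.utc)  # assumed submission date
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2025-06-01T00:00:00Z",
               "component": {"bom-ref": "dev", "name": "pump-fw", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "a", "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13",
     "supplier": {"name": "OpenSSL Project"}},
    {"bom-ref": "b", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    {"bom-ref": "c", "name": "vendor-ble-stack", "supplier": {"name": "Acme (constructed)"}},
    {"bom-ref": "d", "name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1",
     "supplier": {"name": "BusyBox"}}
  ],
  "dependencies": [{"ref": "dev", "dependsOn": ["a", "c"]}, {"ref": "a", "dependsOn": ["b"]}]
}""")

def check_sbom(bom, now=None, max_age_days=180):
    """Return a list of finding strings; an empty list means every check passed."""
    findings, now = [], now or datetime.now(timezone.utc)
    # Failure 1: stale SBOM (metadata.timestamp older than the threshold)
    generated = datetime.fromisoformat(bom["metadata"]["timestamp"].replace("Z", "+00:00"))
    if now - generated > timedelta(days=max_age_days):
        findings.append(f"stale: generated {(now - generated).days} days before review")
    # Per-component minimums: version, supplier/author, unique identifier (purl or cpe)
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref", comp["name"])
        if not comp.get("version"):
            findings.append(f"{ref}: missing version")
        if not (comp.get("supplier") or comp.get("author")):
            findings.append(f"{ref}: missing supplier/author")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{ref}: missing purl/cpe identifier")
    # Failure 2: relationships. Walk the dependency graph from the device root so
    # that components missing from the graph (direct or transitive) are flagged.
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), [bom["metadata"]["component"]["bom-ref"]]
    while stack:
        node = stack.pop()
        seen.add(node)
        stack.extend(n for n in edges.get(node, []) if n not in seen)
    for comp in bom.get("components", []):
        if comp["bom-ref"] not in seen:
            findings.append(f"{comp['bom-ref']}: absent from the dependency graph")
    return findings
```

Running `check_sbom(SAMPLE_SBOM, now=REVIEW_DATE)` on the constructed document reports the stale timestamp, zlib's missing supplier, the BLE stack's missing version and identifier, and busybox being listed but never linked into the graph.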

How SBOMVault.ai fits

The Compliance module has an FDA Premarket Cybersecurity preset that runs the same checks the FDA reviewers run. Upload your SBOM, attach a CVE remediation log and an update plan, and you get a ready-to-submit packet — including a signed attestation.

For Class II and Class III devices, this typically replaces 40+ hours of manual document assembly.