FYI
https://www.fda.gov/media/119933/download

FDA's guidance documents "Off-The-Shelf (OTS) Software Use in Medical Devices"[30] and "Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software"[31] describe information that should be provided in premarket submissions for software components for which a manufacturer cannot claim complete control of the software lifecycle. In addition to the information recommended in those guidances, for each OTS component, the following should also be provided in a machine-readable format in premarket submissions.

A. The asset(s) where the software component resides;
B. The software component name;
C. The software component version;
D. The software component manufacturer;
E. The software level of support provided through monitoring and maintenance from the software component manufacturer;
F. The software component's end-of-support date; and
G. Any known vulnerabilities.[32]

Industry-accepted formats of SBOMs can be used to provide this information to FDA; however, if any of the above elements are not captured in such an SBOM, we recommend that those items also be provided, typically as an addendum, to FDA for the purposes of supporting premarket submission review. Additional examples of the type of information to include in a SBOM can be found in the Joint Security Plan - Appendix G ("Example Customer Security Documentation")[33] and Sections 2.3.17 and 2.3.18 of the Manufacturer Disclosure Statement for Medical Device Security (referred to as MDS2 or MDS²)[34].

[32] Known vulnerabilities are vulnerabilities that are published in the public National Vulnerability Database (NVD) or similar software vulnerability and/or weakness database. NVD is available at https://nvd.nist.gov/vuln/full-listing

Thanks,

Dick Brooks
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

View/Reply Online (#4452): https://lists.spdx.org/g/Spdx-tech/message/4452
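One way to check a component inventory against elements A to G quoted above and list what would have to go into an addendum. This is an added example, not part of the original message or of the FDA guidance. The record keys, the sample components, the placeholder CVE id and the review date are all constructed for illustration and do not follow any SBOM standard's schema.

```python
import json
from datetime import date

# FDA elements A-G from the quoted guidance, mapped to hypothetical record keys
# (the key names are assumptions of this example, not an SBOM standard).
FDA_ELEMENTS = {"A": "assets", "B": "name", "C": "version", "D": "manufacturer",
                "E": "support_level", "F": "end_of_support", "G": "known_vulnerabilities"}

# Constructed sample input: three OTS components with different gaps.
SAMPLE = json.loads("""
[
 {"assets": ["pump-controller"], "name": "libexample", "version": "1.2.3",
  "manufacturer": "Example Corp", "support_level": "security fixes only",
  "end_of_support": "2030-12-31", "known_vulnerabilities": []},
 {"name": "rtos-kernel", "version": "4.0", "manufacturer": "Example RTOS Ltd",
  "end_of_support": "2021-06-30", "known_vulnerabilities": ["CVE-0000-00000"]},
 {"assets": [], "name": "tinyparser", "version": "", "manufacturer": "Example Corp",
  "support_level": "none", "end_of_support": "not-a-date"}
]
""")

def missing_elements(component):
    """Return the letters of the FDA elements absent from one component record."""
    gaps = []
    for letter, key in FDA_ELEMENTS.items():
        value = component.get(key)
        if key == "known_vulnerabilities":
            # An explicit empty list asserts "none known"; only an absent list is a gap.
            if not isinstance(value, list):
                gaps.append(letter)
        elif not value:
            gaps.append(letter)
    return gaps

def addendum_report(components, review_date):
    """Per component: elements needing an addendum, and end-of-support status."""
    report = {}
    for c in components:
        gaps = missing_elements(c)
        try:
            expired = date.fromisoformat(c.get("end_of_support", "")) < review_date
        except (TypeError, ValueError):
            expired = None  # absent or unparseable date counts as element F missing
            gaps = sorted(set(gaps) | {"F"})
        report[c.get("name", "<unnamed>")] = {"missing": gaps, "past_end_of_support": expired}
    return report

if __name__ == "__main__":
    print(json.dumps(addendum_report(SAMPLE, date(2025, 1, 1)), indent=2))
```
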
