Thank you for sharing. Inclusion of vulnerabilities is interesting; I expect 
there will be a lot of public feedback on that. Looks like it is scheduled to 
be published in the Federal Register tomorrow, starting a 90-day review period: 
https://www.federalregister.gov/public-inspection/2022-07614/guidance-cybersecurity-in-medical-devices-quality-system-considerations-and-content-of-premarket.


Regards,

William Bartholomew (he/him) - Let's chat: 
https://outlook.office.com/findtime/[email protected]&anonymous&ep=plink
Principal Security Strategist
Global Cybersecurity Policy - Microsoft

My working day may not be your working day. Please don't feel obliged to reply 
to this e-mail outside of your normal working hours.

From: [email protected] <[email protected]> On Behalf Of Dick 
Brooks via lists.spdx.org
Sent: Thursday, April 7, 2022 9:27 AM
To: [email protected]; [email protected]
Subject: [EXTERNAL] [spdx-tech] New Guidance today from US FDA re: SBOM and 
vulnerability reporting


FYI



https://www.fda.gov/media/119933/download



FDA's guidance documents "Off-The-Shelf (OTS) Software Use in Medical 
Devices"[30] and "Cybersecurity for Networked Medical Devices Containing 
Off-the-Shelf (OTS) Software"[31] describe information that should be provided 
in premarket submissions for software components for which a manufacturer 
cannot claim complete control of the software lifecycle. In addition to the 
information recommended in those guidances, for each OTS component, the 
following should also be provided in a machine-readable format in premarket 
submissions.

A. The asset(s) where the software component resides;

B. The software component name;

C. The software component version;

D. The software component manufacturer;

E. The software level of support provided through monitoring and maintenance 
from the software component manufacturer;

F. The software component's end-of-support date; and

G. Any known vulnerabilities.[32]

Industry-accepted formats of SBOMs can be used to provide this information to 
FDA; however, if any of the above elements are not captured in such an 
SBOM, we recommend that those items also be provided, typically as an 
addendum, to FDA for the purposes of supporting premarket submission 
review. Additional examples of the type of information to include in a SBOM can 
be found in the Joint Security Plan - Appendix G ("Example Customer 
Security Documentation")[33] and Sections 2.3.17 and 2.3.18 of the 
Manufacturer Disclosure Statement for Medical Device Security (referred to 
as MDS2 or MDS²)[34].


[32] Known vulnerabilities are vulnerabilities that are published in the public 
National Vulnerability Database (NVD) or similar software vulnerability and/or 
weakness database. NVD is available at https://nvd.nist.gov/vuln/full-listing.

Thanks,

Dick Brooks
Never trust software, always verify and report! (tm)
http://www.reliableenergyanalytics.com
Email: [email protected]<mailto:[email protected]>
Tel: +1 978-696-1788
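As an added example, not part of either message nor of any SPDX project tooling: a small Python gap check that reads an SPDX 2.x JSON document (a constructed sample is embedded) and reports, for each package that another package CONTAINS (i.e. an OTS component rather than the top-level asset), which of the guidance's elements A-G the SBOM does not capture and would therefore need the addendum the guidance mentions. The mapping of elements onto SPDX fields (supplier/originator for D, validUntilDate for F, a SECURITY external reference as a proxy for G, no field at all for E) is my assumption, not something the guidance or the SPDX specification prescribes.

```python
"""Gap check: which of the guidance's OTS elements A-G an SPDX 2.x JSON SBOM
captures per contained package, and which would need a premarket addendum."""
import json

# Constructed sample SPDX 2.3 JSON document; not a real device SBOM.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "pump-fw",
    "packages": [
        {"SPDXID": "SPDXRef-Pump", "name": "pump-controller-firmware", "versionInfo": "4.2.0",
         "supplier": "Organization: Example Devices"},
        {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11",
         "supplier": "Organization: zlib contributors", "validUntilDate": "2024-12-31T00:00:00Z",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*"}]},
        {"SPDXID": "SPDXRef-openssl", "name": "openssl", "versionInfo": "1.1.1k"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Pump", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-zlib"},
        {"spdxElementId": "SPDXRef-Pump", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-openssl"},
    ],
})


def check_fda_elements(sbom_json):
    """Return {package: [missing elements A-G]} for every package another package
    CONTAINS (an OTS component rather than the top-level asset). Assumed mapping:
    A=CONTAINS parent, B=name, C=versionInfo, D=supplier/originator, F=validUntilDate
    (SPDX 2.3), G=a SECURITY externalRef as a proxy; E has no SPDX field."""
    doc = json.loads(sbom_json)
    parents = {}  # SPDXID of a contained package -> SPDXIDs of the assets holding it
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "CONTAINS":
            parents.setdefault(rel["relatedSpdxElement"], []).append(rel["spdxElementId"])
    report = {}
    for pkg in doc.get("packages", []):
        if pkg["SPDXID"] not in parents:  # top-level asset, not an OTS component
            continue
        refs = [r for r in pkg.get("externalRefs", []) if r.get("referenceCategory") == "SECURITY"]
        present = {
            "A_asset": bool(parents[pkg["SPDXID"]]),
            "B_name": bool(pkg.get("name")),
            "C_version": bool(pkg.get("versionInfo")),
            "D_manufacturer": bool(pkg.get("supplier") or pkg.get("originator")),
            "E_support_level": False,  # no SPDX 2.x field; always an addendum item
            "F_end_of_support": bool(pkg.get("validUntilDate")),
            "G_known_vulnerabilities": bool(refs),  # proxy only; still needs a vuln lookup
        }
        report[pkg["name"]] = sorted(k for k, ok in present.items() if not ok)
    return report


if __name__ == "__main__":
    print(json.dumps(check_fda_elements(SAMPLE_SBOM), indent=2))
```

For the sample, zlib only lacks the support-level statement (E), while openssl is missing manufacturer, support level, end-of-support date and any security reference, so those four items would go in the addendum.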




View/Reply Online (#4453): https://lists.spdx.org/g/Spdx-tech/message/4453