Select Page

Software Bill of Materials (SBOM)

What is a Software Bill of Materials?

A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. An SBOM provides those who produce, purchase and operate software with information that enhances their understanding of the supply chain. Maintaining SBOMs has critical importance for software inventory, license tracking and vulnerability management.

Why is a Software Bill of Materials necessary?

SBOMs are becoming a mandatory requirement for new medical devices and across multiple industry verticals as of Executive Order EO 14028 from May 12, 2021. In response to it, the National Telecommunications and Information Administration (NTIA) created a list of minimum requirements.

SBOMs are supposed to bring transparency to the software components and connections within and across supply chains, so that any weak links – both known and newly emerged – can be discovered and addressed. SBOMs are a critical step toward securing the software supply chain and reducing the risk of cyberattacks.

How do you create an SBOM?

The first step of creating an SBOM is capturing a complete list of all included software components. Their component metadata is tracked, enabling them to be mapped to other sources of information. The metadata is tied to the software components as it moves down the supply chain toward deployment. The dependencies that make up the bulk of the SBOM, detail each of the software components used within the medical device, as they approach deployment to the Health Delivery Organizations (HDOs).

Software Bill of Materials in MedTech

A Software Bill of Materials (SBOM) functions as a formal record containing the details and supply chain relationships for all components used in a codebase.

A Software Bill of Materials (SBOM) functions as a formal record containing the details and supply chain relationships for all components used in a codebase (dependencies, components, medical device and health delivery organizations).

What are the minimum requirements for an SBOM?

Data fields

Document baseline information about each component that should be tracked: Supplier, Component Name, Version of the Component, Other Unique Identifiers, Dependency Relationship, Author of SBOM Data and Timestamp.

Automation support

Support automation, including via automatic generation and machine-readability to allow for scaling across the software ecosystem. Data formats used to generate and consume SBOMs include SPDX, CycloneDX and SWID tags.

Practices and processes

Define the operations of SBOM requests, generation and use, including Frequency, Depth, Known Unknowns, Distribution and Delivery, Access Control and Accommodation of Mistakes.

How can Irdeto help you to meet the SBOM requirements?

  • We can help you make sure your SBOM meets the requirements set by the NTIA. Regardless of your build process we can recommend the right tools to ensure you are building an SBOM to pass the bar and get approval.
  • We will help you enrich your SBOM with the right information to get the most value out of it – bear in mind that an SBOM is a complex record and requires expertise to be built correctly.
  • We have tools for an ongoing, proactive risk management based on the information contained within SBOMs.

Want to learn more about how Irdeto can help you protect your medical device from attacks?