Tuesday, July 11, 2023

Excuse me if I don’t get excited about the FDA’s new SBOM “regulation”

When the FDA finally received authority to regulate cybersecurity in medical devices – granted in the Omnibus spending bill at the end of 2022, although it had been specified in an earlier targeted bill called the PATCH Act – the phrase that seemed to be on everybody’s lips was “game changer”. This was because one of the likely consequences of the FDA’s new authority (it wasn’t directly mandated by the bill itself) is that they will require medical device makers (MDMs, in industry parlance) to provide a software bill of materials (SBOM) with their “pre-market submissions”.

The latter refers to a package of documentation that – if the MDM has done their homework correctly – will assure the FDA that the device the MDM seeks permission to market to hospitals or other end users is both safe (which has always been a criterion for approval) and cybersecure (which is a new criterion, due to passage of the Omnibus Bill). This provision (for a cybersecurity review, not just an SBOM) came into effect at the end of March (I believe), but the FDA said they won’t enforce it until October 1 – although they’re requiring submission of an SBOM now, and they’ll have a discussion with the MDM about any shortcomings they find.

What will actually be required come October 1? The MDM will be required to submit a single SBOM for their device. It will be scrutinized as part of the review of the entire submission, although no criteria have yet been stated for what will be considered an acceptable SBOM. Most importantly, the SBOM will never be shown to any person or organization outside of the FDA, including any customers or potential customers of the device.

Folks, this is the big “first SBOM regulation” that everybody is so excited about! Of course, it’s hard to see how anybody would get excited about just that. The reason people even use the phrase “game changer” is because the FDA hasn’t released any guidelines for what should be in an SBOM, how often it should be released, who should receive it, etc. A lot of people, most of whom have an economic stake in MDMs being forced to utilize (insert name of startup services vendor or startup cybersecurity tool vendor here) to help them produce and distribute SBOMs, have worked mightily at convincing themselves that this one small step will inevitably lead within months (or at least before their seed funding runs out) to industries of all stripes facing onerous regulations that will cause them to start banging on their door, open checkbooks in hand, begging to be allowed to buy their product or services. A true “game changer”.

I don’t deny that these people have achieved a lot of success – in convincing themselves of this quite dubious proposition. However, I have no idea what game they’re talking about changing, unless it’s TiddlyWinks. I’ve been working in the cyber regulation field – specifically in NERC CIP, which is no game at all – for a long time, and I’ve noticed one funny thing about regulation: The organizations that are being regulated and face onerous fines for violations don’t take kindly to being told to comply with a list of “requirements” that are poorly worded, based on ambiguous terms, make assumptions that appear to be taken from The Chronicles of Narnia, etc.[i] They tend to push back and demand clarification or wholesale rewriting of any requirement that’s ambiguous or misconceived. And if the agency that imposed the requirements pushes forward and implements the objectionable regulations, any penalties they levy are likely to be immediately reversed by highly skeptical judges, who will issue strongly worded opinions suggesting that perhaps whoever drafted those regulations should consider a career change to shoe sales.

In other words, if any game at all is going to be changed on October 1, whatever additional “requirements” are imposed by the FDA’s guidelines to be issued in September will need to be clear, practical and based on an understanding of what is in fact possible as of October 1, 2023. And they cannot be based on what some person wishes were in place, without being very concerned with whether that’s actually the case.

Moreover, the fact that the September guidelines won’t be requirements raises the question whether they will have any impact at all. However, I don’t deny that an agency with as much power over MDMs as the FDA has will probably meet with a remarkable “compliance” rate with these “guidelines”. After all, the executives of MDMs are (presumably) well paid to develop a keen understanding regarding on which side their bread is buttered.

What about other industries? Will they immediately start to require SBOMs from their suppliers? Perhaps. As long as there’s a federal agency that has the authority today to impose mandatory cybersecurity (not just safety) requirements on vendors to the industry. And how many industries are blessed (?) with such an agency today? As I discussed in this blog post, the only industries that I know of in which a federal agency very likely has that power now are nuclear power and the military. For any other industry, “changing the game” will first require putting in place an agency that will be staffed by experts (both in cybersecurity in general and in the specific circumstances of the industry in question), that will be granted all the authority required to enforce whatever regulations they determine to be necessary, and will act without any hint of partisan game-playing, as well as…hello, did somebody just cut the connection?

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] Note that I’m not implying here that the NERC CIP requirements are overly ambiguous, unrealistic, or anything like that. The fact that the CIP standards, like all NERC reliability standards, are drafted over a period of literally years by teams composed of subject matter experts from the utilities and other entities being regulated, that they’re submitted to a series of votes – almost always at least four – by all NERC members (which can include the general public and other non-participants in the industry), and that they’re reviewed scrupulously by the Federal Energy Regulatory Commission (FERC) before they’re approved and implemented, means they will never be poorly thought out, whatever other problems they may have.
