Thursday, October 5, 2023

Did the FDA’s new guidelines require any SBOM at all? No.


On September 27, the FDA released their eagerly anticipated document titled, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”. This was the first official update (after a couple of drafts in previous years) of a document originally published in 2014.

While there’s a lot that can be said about this document (mostly quite good), and I intend to say a lot more in the future (mainly about how it compares with the closest “equivalent” in Europe), I want to discuss what was the foremost question in the minds of a lot of people I know: What would the document “require” a medical device maker to provide to customers regarding SBOMs?

Spoiler alert, the answer to that question is clear: The document describes no requirement to deliver SBOMs to customers, although of course that is recommended. In fact, it seems that the one requirement for SBOMs that seemed to be set in stone – the “requirement” to submit an SBOM to the FDA with the “premarket submission” necessary for the FDA to allow the device to be marketed in the first place – isn’t in fact set in stone but is also simply a strong recommendation.

For those who haven’t been keeping score at home, this is how we got to this point[i]:

1. At the end of 2022, due to the (seemingly perennial) inability of the US Congress (and specifically the House of Representatives) to pass legislation based on the merits of each individual bill, the requirement to fund the government for this year was met at close to the end of the session in December by passing an Omnibus Bill. This included a wide-ranging set of bills that hadn’t passed – or were never even brought up because of lack of time – during the regular session.

2. One of the bills included in the Omnibus was the proposed Patch Act (or at least parts of that bill). One of the provisions of the Patch Act gave the FDA, for the first time, explicit authority to regulate cybersecurity of medical devices, although only in premarket submissions. In January of 2023, the FDA said that the requirements for premarket submissions from the Patch Act would come into effect in March 2023, although they would refrain from penalizing medical device makers (MDMs) for violating those requirements until October 2023.

3. The FDA also said in January that they would release more comprehensive cybersecurity guidelines for MDMs in September. Of course, this document provides those guidelines.

What does the new document say about SBOMs, both the single SBOM “required” for a premarket submission (which will never be distributed to users of a product after the FDA has received it, unless the MDM itself decides to do that) and the SBOMs that should be distributed to customers with every new version of the device?

Regarding SBOMs distributed to customers, this is definitely recommended in the FDA document. In fact, I think the single paragraph that makes this recommendation is just about the best statement of the need for this that I have ever seen:

An SBOM as specified in Section V.A.4. or in accordance with an industry accepted format to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the medical device system, and to deploy countermeasures to maintain the device’s safety and effectiveness. Manufacturers should provide or make available SBOM information to users on a continuous basis. If an online portal is used, manufacturers should ensure that users have up-to-date links that contain accurate information. The SBOM should be in a machine-readable format.

I italicized the most important sentence in this section. I hear so much talk about a software supplier or device manufacturer supplying “an SBOM” for one of their products, yet a single SBOM will be close to worthless as soon as the user has upgraded their software in any way, or even applied a patch. SBOMs age like milk, not fine wine.

However, a number of people have believed all year that this regular distribution of SBOMs to customers would be “required” by these guidelines. Setting aside the fact that guidelines are never requirements (no matter how much authority the entity publishing those guidelines may possess), the question of whether the FDA document requires regular distribution of SBOMs can be answered quickly by looking at the top of any page in the document, where it reads “Contains Nonbinding Recommendations”. ‘Nuff said?

While I didn’t expect regular distribution of SBOMs to be required, I certainly expected that one SBOM would be required with every premarket submission – since the FDA had said as much last January. Technically, an SBOM is still “required”, but (as Chris Gates of Velentium pointed out to me) the FDA also made clear in the document that, if an MDM can’t submit an SBOM with their premarket submission, they just need to explain why.

Of course, the FDA doesn’t have to accept the MDM’s excuse for not submitting an SBOM (especially if it’s “My dog ate my copy of the SPDX spec, and I couldn’t find another copy anywhere”). Even if they do, the MDM can be sure the FDA will always feel better about their submission if it includes an SBOM. However, the fact that the FDA doesn’t specify any penalty if they receive a submittal without an SBOM effectively means an SBOM isn’t required.

I want to note that people always point to the FDA as the pioneer in requiring SBOMs; yet the fact is that they aren’t doing that. I hope this finally makes these people – including probably a number of startups that have included the likelihood of regulations requiring SBOMs in their business plans – realize that waiting any longer for SBOM regulations will be like the great play Waiting for Godot: Two men are waiting in a field for someone named Godot, who they obviously think is going to provide them some great benefit when he comes. Every evening, a boy comes to them and says Godot is sorry he wasn’t able to come that day, but he will for sure come the next day. In the final scene, the two men have agreed they won’t wait any longer – yet neither of them moves before the curtain falls, indicating they will be there waiting the next day as well…

At some point, you need to stop waiting for SBOM regulations. It is impossible to regulate a new technology, with very little usage outside of the software developer community, into widespread use. Regulations are designed to prevent abuses in technologies that are already being widely used. Let’s get SBOMs widely used outside the developer community. Then we can worry about regulating their use.

P.S. Robert Smigielski, Product Security Manager at B. Braun Medical, emailed me soon after the post appeared to point out that another act that was packaged with the 2022 Omnibus bill, a revision of the Food, Drug and Cosmetics Act (kind of the charter of the FDA), requires SBOMs for medical devices (I'm assuming this means in the premarket submission).

I didn't know this, but that doesn't change my opinion that SBOMs aren't required in any real sense, since the FDA has now said the MDM may not include an SBOM as long as the MDM has a good excuse for not doing so. If you think my opinion is wrong, consider what will happen to you if you get a speeding ticket and you give the officer the excuse that you were headed to the hospital to see a friend who had just had a serious relapse. The officer would extend his sympathies - along with the completed speeding ticket. In other words, speeding tickets are "required", whereas SBOMs are "required, unless you have a really good reason for not being able to provide one". There's a big difference.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC, or the other members of the OWASP SBOM Forum, which I lead. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] I can’t vouch for the complete accuracy of everything listed below, since I don’t have time to research the details of what happened and when. I’m relying on my memory in some cases.
