On September 27, 2023, the FDA released its eagerly anticipated document
titled “Cybersecurity in Medical Devices: Quality System Considerations and
Content of Premarket Submissions”. This is the first official update (after a
couple of drafts in previous years) of a guidance document originally published in 2014.
There is a lot that can be said about this document (most of it quite good), and
I intend to say a lot more in the future (mainly about how it compares with its
closest “equivalent” in Europe). Here, though, I want to address the question that
was foremost in the minds of a lot of people I know: what does the document
“require” a medical device maker to provide to customers regarding SBOMs?
Spoiler alert: the answer is clear. The document describes no requirement to
deliver SBOMs to customers, although it certainly recommends doing so. In fact,
the one SBOM requirement that seemed to be set in stone – submitting an SBOM to
the FDA with the “premarket submission” the FDA needs before it will allow the
device to be marketed at all – turns out not to be set in stone either. It is
also just a strong recommendation.
For those who haven’t been keeping score at home, this is how we got to this point[i]:
1. At the end of 2022, due to the (seemingly perennial) inability of the US Congress (and specifically the House of Representatives) to pass legislation on the merits of each individual bill, the requirement to fund the government for the current fiscal year was met near the end of the session in December by passing an Omnibus Bill. This included a wide-ranging set of bills that hadn’t passed – or had never even been brought up, for lack of time – during the regular session.
2. One of the bills included in the Omnibus was the proposed PATCH Act (or at least parts of it). One of its provisions gave the FDA, for the first time, explicit authority to regulate the cybersecurity of medical devices, although only in premarket submissions. In January 2023, the FDA said that the premarket submission requirements from the PATCH Act would take effect in March 2023, although it would refrain from penalizing medical device makers (MDMs) for violating them until October 2023.
3. The FDA also said in January that it would release more comprehensive cybersecurity guidance for MDMs in September. This document provides that guidance.
What does the new document say about SBOMs? There are two to consider: the
single SBOM “required” in a premarket submission (which will never be distributed
to users of the product after the FDA has received it, unless the MDM itself
decides to do so), and the SBOMs that should be distributed to customers with
every new version of the device’s software.
Regarding SBOMs distributed to
customers, this is definitely recommended in the FDA document. In fact, I think
the single paragraph that makes this recommendation is just about the best
statement of the need for this that I have ever seen:
An SBOM as specified in Section V.A.4. or in
accordance with an industry accepted format to effectively manage their assets,
to understand the potential impact of identified vulnerabilities to the medical
device system, and to deploy countermeasures to maintain the device’s safety
and effectiveness. Manufacturers should provide or make available SBOM
information to users on a continuous basis. If an online portal is used,
manufacturers should ensure that users have up-to-date links that contain
accurate information. The SBOM should be in a machine-readable format.
The most important sentence in that paragraph is the one stating that
manufacturers should provide or make available SBOM information to users on a
continuous basis. I hear so much talk about a software supplier or device
manufacturer supplying “an SBOM” for one of its products, yet a single SBOM
becomes close to worthless as soon as the user has upgraded the software in any
way, or even applied a patch: the component inventory it describes no longer
matches what is actually running. SBOMs age like milk, not fine wine.
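The staleness problem just described, as an added example that is not from the original post or from the FDA document: a minimal CycloneDX-shaped SBOM (constructed here) is parsed and compared against two constructed snapshots of what a device actually has installed, one at shipment and one after a hypothetical vendor patch. The SBOM matches at shipment and fails in three different ways after the patch. The firmware name, component names and versions are assumptions for illustration only and describe no real device.

```python
"""Added example (not code from the original post or from the FDA document):
why a single SBOM goes stale after a patch.

A CycloneDX-shaped SBOM is parsed, then compared against two constructed
inventory snapshots of what is actually installed on a device: one taken when
the device shipped and one taken after a vendor patch. All component names and
versions below are hypothetical and describe no real device.
"""
import json
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX 1.5 document. Real SBOMs also carry hashes,
# licences and a dependency graph; only the component list is needed here.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "device",
                             "name": "example-pump-firmware", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1t",
     "purl": "pkg:generic/openssl@1.1.1t"},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "libxml2", "version": "2.10.3",
     "purl": "pkg:generic/libxml2@2.10.3"}
  ]
}
"""

# Constructed inventory snapshots, as a scanner on the device might report them.
INSTALLED_AT_SHIP = {"openssl": "1.1.1t", "zlib": "1.2.13", "libxml2": "2.10.3"}
# Hypothetical vendor patch: openssl bumped, libxml2 swapped out for expat.
INSTALLED_AFTER_PATCH = {"openssl": "1.1.1w", "zlib": "1.2.13", "expat": "2.5.0"}


def load_components(sbom_json: str) -> Dict[str, str]:
    """Parse CycloneDX JSON into {component name: version}.

    The format check matters: a consumer automating vulnerability lookups must
    refuse documents it cannot interpret rather than silently treating them as
    an empty inventory."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components: Dict[str, str] = {}
    for comp in doc.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            raise ValueError(f"component lacks name or version: {comp}")
        components[name] = version
    return components


def diff_sbom(sbom: Dict[str, str], installed: Dict[str, str]) -> Dict[str, List[Tuple]]:
    """Compare what the SBOM claims against what is installed.

    Returns three sorted lists:
      version_mismatch:  (name, sbom_version, installed_version)
      missing_from_sbom: (name, installed_version)  components the SBOM never lists
      not_installed:     (name, sbom_version)       SBOM entries no longer present
    Any non-empty list means vulnerability matching done against this SBOM
    would give wrong answers for the device as it now runs."""
    mismatch = sorted(
        (name, sbom[name], installed[name])
        for name in sbom.keys() & installed.keys()
        if sbom[name] != installed[name]
    )
    missing = sorted((name, installed[name]) for name in installed.keys() - sbom.keys())
    gone = sorted((name, sbom[name]) for name in sbom.keys() - installed.keys())
    return {"version_mismatch": mismatch, "missing_from_sbom": missing, "not_installed": gone}


def sbom_is_current(sbom: Dict[str, str], installed: Dict[str, str]) -> bool:
    """True only when the SBOM still describes exactly what is installed."""
    return not any(diff_sbom(sbom, installed).values())


if __name__ == "__main__":
    sbom = load_components(SBOM_JSON)
    for label, inventory in (("at ship", INSTALLED_AT_SHIP), ("after patch", INSTALLED_AFTER_PATCH)):
        print(f"{label}: SBOM current = {sbom_is_current(sbom, inventory)}")
        for kind, rows in diff_sbom(sbom, inventory).items():
            for row in rows:
                print(f"  {kind}: {row}")
```

Run as a script it prints the report for both snapshots. A consumer that fed the shipped SBOM into a vulnerability database after the patch would keep reporting findings against the old openssl version, keep reporting a libxml2 that is no longer on the device, and never look up expat at all; that is the practical meaning of “SBOMs age like milk”, and why the FDA's “continuous basis” wording is the sentence that matters.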
However, a number of people have
believed all year that this regular distribution of SBOMs to customers would be
“required” by these guidelines. Setting aside the fact that guidelines are
never requirements (no matter how much authority the entity publishing those
guidelines may possess), the question of whether the FDA document requires regular
distribution of SBOMs can be answered quickly by looking at the top of any page
in the document, where it reads “Contains Nonbinding Recommendations”. ‘Nuff
said?
While I didn’t expect regular distribution of SBOMs to be required, I certainly
expected that one SBOM would be required with every premarket submission, since
the FDA had said as much last January. Technically, an SBOM is still “required”,
but (as Chris Gates of Velentium pointed out to me) the FDA also made clear in
the document that, if an MDM can’t submit an SBOM with its premarket submission,
it just needs to explain why.
Of course, the FDA doesn’t have to
accept the MDM’s excuse for not submitting an SBOM (especially if it’s “My dog
ate my copy of the SPDX spec, and I couldn’t find another copy anywhere”). Even
if they do, the MDM can be sure the FDA will always feel better about their submission
if it includes an SBOM. However, the fact that the FDA doesn’t specify any
penalty if they receive a submittal without an SBOM effectively means an SBOM
isn’t required.
I want to note that people always point to the FDA as the pioneer in requiring
SBOMs; yet the fact is that the FDA isn’t doing that. I hope this finally makes
these people – including, probably, a number of startups that have built the
likelihood of regulations requiring SBOMs into their business plans – realize
that waiting any longer for SBOM regulations is like the great play Waiting for
Godot: two men wait on a country road for someone named Godot, who they clearly
believe will bring them some great benefit when he comes. Each evening a boy
arrives to say that Godot is sorry he could not come today, but will surely come
tomorrow. In the final scene the two agree they will wait no longer – yet neither
of them moves before the curtain falls, which tells us they will be there waiting
the next day as well…
At some point, you need to stop waiting for SBOM regulations. It is impossible
to regulate into widespread use a technology that is still little used outside
the software developer community. Regulations are designed to prevent abuses in
technologies that are already widely used. Let’s get SBOMs widely used outside
the developer community first. Then we can worry about regulating their use.
P.S. Robert Smigielski, Product Security Manager at B. Braun Medical, emailed me soon after the post appeared to point out that another act that was packaged with the 2022 Omnibus bill, a revision of the Food, Drug, and Cosmetic Act (kind of the charter of the FDA), requires SBOMs for medical devices (I'm assuming this means in the premarket submission).
I didn't know this, but that doesn't change my opinion that SBOMs aren't required in any real sense, since the FDA has now said the MDM may omit the SBOM as long as the MDM has a good excuse for not providing one. If you think my opinion is wrong, consider what will happen to you if you get a speeding ticket and you give the officer the excuse that you were headed to the hospital to see a friend who had just had a serious relapse. The officer would extend his sympathies - along with the completed speeding ticket. In other words, speeding tickets are "required", whereas SBOMs are "required, unless you have a really good reason for not being able to provide one". There's a big difference.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC, or the other members of the OWASP SBOM Forum, which I lead. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] I
can’t vouch for the complete accuracy of everything listed below, since I don’t
have time to research the details of what happened and when. I’m relying on my
memory in some cases.