← All guide chapters
Chapter 6: eSTAR Submission Documentation · Section 6.8
SBOM Analysis and Documentation for eSTAR Submission
6.8.1 From Component Management to FDA Documentation
Your Software Bill of Materials (SBOM) and component analysis (developed through Chapter 4.4 processes) serves multiple purposes: supply chain risk management, vulnerability tracking, and regulatory compliance. This section focuses on transforming your component management work into submission-ready documentation that meets FDA's legal requirements and review expectations.
The SBOM Documentation Challenge:
During development (Chapter 4.4), you:
- Identified and cataloged all software components
- Established vulnerability monitoring processes
- Created initial SBOM in machine-readable format
- Performed basic vulnerability assessments
For FDA submission, enhance this foundation by:
- Ensuring complete compliance with Section 524B requirements
- Adding comprehensive vulnerability analysis and risk assessment
- Providing detailed support status documentation
- Demonstrating systematic component lifecycle management
Legal vs. Practical Requirements:
| Legal Requirement (Section 524B) | FDA Practical Expectation |
|---|---|
| Machine-readable SBOM with NTIA minimum elements | Complete vulnerability analysis and risk assessment |
| Software support status documentation | Detailed end-of-life planning and mitigation strategies |
| Known vulnerability identification | Comprehensive impact analysis and remediation plans |
| Component supplier information | Supply chain risk management demonstration |
6.8.2 SBOM Completeness and Quality Review
Before submission, conduct a comprehensive SBOM review to ensure regulatory compliance.
SBOM Completeness Assessment
Component Coverage Verification:
- All commercial software components included
- All open-source software components included
- All firmware components included
- All libraries and frameworks included
- All transitive dependencies mapped
- Development tools (if shipped with device) included
- Operating system components included
NTIA Minimum Elements Verification: For each component, verify inclusion of:
- Supplier Name: Component creator/supplier
- Component Name: Official designation
- Version String: Specific version identifier
- Component Hash: Unique identifier (SHA-256 or stronger)
- Unique Identifier: CPE, PURL, or SWID
- Relationship: Dependency relationships
FDA Additional Elements Verification:
- Support Status: Current maintenance status
- End-of-Support Date: When support terminates
- License Information: License type and obligations
- Known Vulnerabilities: CVEs at time of submission
SBOM Quality Standards
Machine-Readable Format Requirements:
// Example SBOM Entry - CycloneDX Format
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:device-sbom-2024-001",
"version": 1,
"metadata": {
"timestamp": "2024-01-15T10:00:00Z",
"component": {
"name": "InsulinDeliverySystem",
"version": "2.1.0"
}
},
"components": [
{
"type": "library",
"name": "OpenSSL",
"version": "1.1.1w",
"supplier": {
"name": "OpenSSL Software Foundation"
},
"cpe": "cpe:2.3:a:openssl:openssl:1.1.1w:*:*:*:*:*:*:*",
"purl": "pkg:generic/openssl@1.1.1w",
"hashes": [
{
"alg": "SHA-256",
"content": "cf21544a5f35792e..."
}
],
"licenses": [
{
"license": {
"id": "OpenSSL"
}
}
],
"externalReferences": [
{
"type": "website",
"url": "https://www.openssl.org/"
}
]
}
],
"vulnerabilities": [
{
"id": "CVE-2023-3446",
"source": {
"name": "NVD"
},
"ratings": [
{
"score": 5.3,
"severity": "medium",
"method": "CVSSv3"
}
],
"affects": [
{
"ref": "OpenSSL"
}
],
"analysis": {
"state": "not_affected",
"justification": "code_not_reachable",
"response": ["will_not_fix"],
"detail": "Vulnerable function not used in our implementation"
}
}
]
}
6.8.3 Comprehensive Vulnerability Analysis Documentation
Transform your vulnerability tracking into detailed risk analysis for FDA review.
Vulnerability Assessment Enhancement
For Each Identified Vulnerability:
Vulnerability Analysis Template:
Component: OpenSSL v1.1.1w
Vulnerability: CVE-2023-3446
CVSS Score: 5.3 (Medium)
Description: Excessive time spent checking DH q parameter value
Device Context Analysis:
Usage in Device: TLS communications for network connectivity
Affected Functions: Patient data transmission, software updates
Code Path Analysis: DH parameter validation called during TLS handshake
Exploitability Assessment:
Attack Vector: Network-based attack requiring TLS connection
Prerequisites: Ability to initiate TLS handshake with device
Complexity: Medium (requires crafted DH parameters)
Impact in Our Context: Potential denial of service through CPU exhaustion
Clinical Impact Analysis:
Direct Patient Impact: Low (communication slowdown, not therapy disruption)
Clinical Scenario: Device becomes temporarily unresponsive during network attacks
Affected Operations: Data uploads, software updates (not critical therapy functions)
Recovery Time: Automatic recovery after attack cessation
Risk Mitigation:
Immediate Controls:
- Network segmentation limits attack vectors (CTL-NET-001)
- Connection timeouts prevent indefinite resource consumption (CTL-NET-003)
- Device continues core functions during network issues (CTL-RES-001)
Long-term Strategy:
- Monitor for OpenSSL updates addressing this vulnerability
- Evaluate update deployment during next maintenance cycle
- Consider alternative TLS implementations if pattern continues
Risk Assessment:
Pre-Mitigation Risk: Medium (network DOS possible)
Post-Mitigation Risk: Low (limited attack surface, existing controls effective)
Acceptance Rationale: Risk acceptable given controls and limited clinical impact
Monitoring Plan:
- Daily vulnerability scanning of OpenSSL advisories
- Quarterly assessment of OpenSSL update availability
- Annual review of TLS implementation security posture
Component Support Status Documentation
Support Status Analysis:
Component Support Assessment:
Component: Qt Framework v5.15.2
Supplier: The Qt Company
Current Support Status: Long-Term Support (LTS)
End-of-Support Date: May 26, 2025
Support Analysis:
Community Support: Active open-source community
Commercial Support: Available through Qt commercial license
Security Updates: Regular security patches through LTS program
Bug Fixes: Critical and high-priority bugs addressed
Risk Assessment:
Time to End-of-Support: 18 months from submission date
Device Lifecycle Impact: Device intended for 10-year operational life
Post-EOS Risk: Potential security vulnerabilities without patches
Mitigation Strategy:
Short-term (0-2 years):
- Continue with current Qt 5.15 LTS support
- Monitor Qt 6.x migration feasibility
- Maintain commercial support contract
Medium-term (2-5 years):
- Plan migration to Qt 6.x LTS version
- Evaluate alternative UI frameworks
- Develop migration timeline and resource requirements
Long-term (5-10 years):
- Complete migration to supported framework
- Establish ongoing framework evaluation process
- Consider component replacement if necessary
Customer Communication:
- Include support timeline in device labeling
- Notify customers 12 months before end-of-support
- Provide migration guidance and timelines
- Offer extended support options if available
Documentation References:
- Component replacement plan (Document ID: DEV-PLAN-003)
- Migration feasibility study (Document ID: TECH-STUDY-007)
- Customer notification procedures (Document ID: COMM-PROC-002)
6.8.4 Supply Chain Risk Management Documentation
Document your approach to managing third-party component risks.
Supply Chain Risk Assessment
Supplier Risk Analysis:
Supply Chain Risk Assessment Framework
Risk Categories:
1. Supplier Viability Risk
2. Component Security Risk
3. Intellectual Property Risk
4. Compliance Risk
5. Support Continuity Risk
Supplier Assessment Example:
Supplier: ACME Medical Software Inc.
Component: Patient Data Management Library v3.2.1
Risk Assessment Date: January 15, 2024
Supplier Viability Assessment:
Business Continuity: Stable company, 15+ years in medical device software
Financial Health: Privately held, estimated $50M annual revenue
Market Position: Established player in medical device component market
Customer Base: 200+ medical device manufacturers
Component Security Assessment:
Security Track Record: 3 vulnerabilities disclosed in past 2 years
Response Time: Average 45 days from disclosure to patch
Communication: Proactive security bulletins, clear CVE documentation
Development Practices: Claims secure coding standards, no independent audit
Support Assessment:
Current Support Level: Commercial support with SLA
Response Time: 4-hour response for critical issues, 24-hour for high
Update Frequency: Monthly maintenance releases, as-needed security updates
End-of-Life Policy: 5-year support guarantee from release date
Risk Mitigation Measures:
Primary Controls:
- Annual supplier security assessment (PROC-SUPPLY-001)
- Escrow agreement for source code access (CONTRACT-ESC-001)
- Alternative supplier identification (PLAN-ALT-001)
Secondary Controls:
- Component vulnerability scanning (TOOL-SCAN-001)
- Supplier security questionnaire updates (FORM-SEC-001)
- Regular supplier business continuity review (PROC-BCP-001)
Overall Risk Rating: Medium
- Acceptable risk level given controls and supplier track record
- Monitoring required due to component criticality
- Re-assessment scheduled annually or upon significant changes
Component Replacement Planning
Replacement Strategy Documentation:
Component Replacement Planning
High-Risk Component Identification:
Components requiring replacement planning due to:
- End-of-support within device lifecycle
- Repeated security issues
- Supplier viability concerns
- Licensing changes
Example Replacement Plan:
Component: Legacy Encryption Library v2.1
Risk Driver: End-of-support scheduled for 2026
Device Impact: Core cryptographic functions
Replacement Options Analysis:
Option 1: Migrate to OpenSSL 3.0
- Pros: Well-supported, FIPS validated, widely used
- Cons: Significant API changes, testing requirements
- Timeline: 12-month migration project
- Cost: $150K development + $50K testing
Option 2: Commercial cryptographic library
- Pros: Commercial support, medical device focus
- Cons: Licensing costs, vendor dependency
- Timeline: 8-month migration project
- Cost: $75K development + $25K annual licensing
Option 3: Platform cryptographic APIs
- Pros: OS-integrated, maintained by platform vendor
- Cons: Platform-specific, reduced portability
- Timeline: 6-month migration project
- Cost: $50K development, OS dependency risk
Recommended Approach: Option 1 (OpenSSL 3.0)
Rationale: Best long-term security posture, industry standard, manageable migration
Implementation Plan:
Phase 1 (Months 1-3): Architecture design and API mapping
Phase 2 (Months 4-8): Implementation and unit testing
Phase 3 (Months 9-11): Integration testing and validation
Phase 4 (Month 12): Deployment and verification
Risk Management:
Migration Risks: Schedule delays, compatibility issues, security gaps
Mitigation: Parallel development, extensive testing, phased rollout
Contingency: Extend current library support if migration delayed
6.8.5 SBOM Integration with Device Documentation
Show how SBOM connects to other submission documents.
Cross-Document Integration
SBOM Traceability Matrix:
| Component | Architecture View | Risk Assessment | Test Coverage | Support Plan |
|---|---|---|---|---|
| OpenSSL | Global System View Fig. 3 | RSK-SEC-007 | TC-CRYPTO-001 | SUPP-PLAN-001 |
| Qt Framework | Security Use Case View Fig. 7 | RSK-SEC-012 | TC-UI-SEC-005 | SUPP-PLAN-003 |
| Linux Kernel | Multi-Patient View Fig. 4 | RSK-SEC-001 | TC-OS-SEC-001 | SUPP-PLAN-002 |
Component-Specific Security Analysis
For Critical Components:
Component Security Profile
Component: Medical Device Communication Framework (MDCF) v4.1.2
Criticality Level: High (patient data and therapy commands)
Security Requirements: Authentication, encryption, integrity validation
Component Analysis:
Functionality: Handles all device-to-EMR communications
Data Sensitivity: Patient PHI, therapy parameters, diagnostic results
Attack Surface: Network interfaces, message parsing, authentication
Security Features:
Built-in Security:
- TLS 1.2+ for transport encryption
- Message-level authentication using HMAC
- Input validation and sanitization
- Session management with timeouts
Our Security Enhancements:
- Certificate pinning for server connections (CTL-CRYPTO-003)
- Additional message integrity checks (CTL-INT-002)
- Rate limiting for DOS protection (CTL-NET-002)
- Enhanced audit logging (CTL-LOG-003)
Vulnerability History:
Past Vulnerabilities: 2 medium-severity issues in past 3 years
Response Quality: Patches available within 30 days
Communication: Good security advisory process
Current Status: No known unpatched vulnerabilities
Risk Assessment:
Primary Risks: Message injection, authentication bypass, DOS attacks
Control Effectiveness: High (layered security controls)
Residual Risk: Low (acceptable for critical component)
Monitoring Plan:
- Weekly vulnerability scanning
- Quarterly security assessment updates
- Annual penetration testing focus area
- Continuous monitoring of component security advisories
6.8.6 SBOM Maintenance and Lifecycle Management
Document your ongoing SBOM management processes.
SBOM Lifecycle Documentation
Version Control and Updates:
SBOM Management Procedures
SBOM Versioning:
- Major version: Significant component additions/removals
- Minor version: Component version updates
- Patch version: Vulnerability status updates, metadata corrections
Update Triggers:
1. Software component updates or changes
2. New vulnerability discoveries
3. Support status changes
4. Supplier changes or acquisitions
5. Licensing changes
Example SBOM Evolution:
SBOM v1.0 (Initial Release): 127 components identified
SBOM v1.1 (Security Update): OpenSSL updated, 2 vulnerabilities addressed
SBOM v1.2 (Feature Addition): New component added for encryption
SBOM v2.0 (Major Update): Linux kernel upgrade, 15 components updated
Maintenance Schedule:
- Weekly: Automated vulnerability scanning and SBOM updates
- Monthly: Manual review and validation of component changes
- Quarterly: Comprehensive SBOM accuracy verification
- Annually: Complete component inventory and supplier review
Documentation Integration:
- Design History File updates for significant changes
- Device Master Record maintenance
- Change control documentation per 21 CFR 820.30(i)
- Configuration management integration
Quality Assurance:
- Automated SBOM validation tools
- Manual cross-checking against build systems
- Third-party SBOM accuracy verification
- Supplier confirmation of component details
6.8.7 Submission Organization and Presentation
File Structure for SBOM Documentation
18-SBOM-Analysis-v2.1.pdf
├── Executive Summary
│ ├── SBOM overview and statistics
│ ├── Key vulnerability findings
│ └── Supply chain risk assessment
├── SBOM Documentation
│ ├── Machine-readable SBOM files (SPDX/CycloneDX)
│ ├── Component inventory summary
│ └── Supplier information compilation
├── Vulnerability Analysis
│ ├── Critical vulnerability assessments
│ ├── Risk evaluation by component
│ └── Mitigation strategies
├── Support Status Analysis
│ ├── End-of-life planning
│ ├── Component replacement strategies
│ └── Long-term support arrangements
├── Supply Chain Risk Management
│ ├── Supplier risk assessments
│ ├── Component sourcing analysis
│ └── Risk mitigation measures
└── Appendices
├── Detailed vulnerability reports
├── Supplier security questionnaires
└── Component replacement plans
6.8.8 Common FDA Review Focus Areas
Key FDA Questions About SBOM
"Is your SBOM complete and accurate?"
- Demonstrate systematic component identification process
- Show validation procedures for SBOM accuracy
- Provide evidence of comprehensive dependency analysis
- Document quality assurance procedures
"How do you manage component vulnerabilities?"
- Show proactive vulnerability monitoring process
- Demonstrate risk-based prioritization approach
- Provide evidence of effective remediation procedures
- Document customer communication processes
"What's your plan for end-of-support components?"
- Show systematic end-of-life planning
- Demonstrate component replacement strategies
- Provide timeline for addressing support gaps
- Document customer impact mitigation
Common SBOM Deficiencies
Incomplete Component Coverage:
❌ FDA Deficiency: "SBOM appears incomplete. Several components
mentioned in architecture documentation are missing from SBOM."
✅ Prevention:
- Cross-reference SBOM against all technical documentation
- Use automated tools to scan build artifacts
- Include all transitive dependencies
- Verify coverage through multiple detection methods
Inadequate Vulnerability Analysis:
❌ FDA Deficiency: "Vulnerability analysis lacks sufficient detail
on clinical impact and risk mitigation strategies."
✅ Prevention:
- Provide detailed clinical impact analysis for each vulnerability
- Show specific mitigation measures and their effectiveness
- Document ongoing monitoring and response procedures
- Include risk assessment supporting acceptance decisions
Missing Support Planning:
❌ FDA Deficiency: "No clear plan provided for components
approaching end-of-support during device lifetime."
✅ Prevention:
- Identify all components with end-of-support dates
- Develop specific replacement or mitigation strategies
- Show timeline alignment with device lifecycle
- Document customer communication and support plans
6.8.9 Final SBOM Quality Review
Pre-Submission Checklist
Completeness Verification:
- All software components identified and included
- NTIA minimum elements provided for every component
- FDA additional requirements (support status, vulnerabilities) included
- Machine-readable format properly structured
- Cross-references to other submission documents accurate
Quality Standards:
- Component information verified with suppliers
- Vulnerability data current as of submission date
- Support status information confirmed and documented
- Risk assessments completed for all significant vulnerabilities
- Professional presentation and clear organization
Integration Verification:
- SBOM aligns with architecture documentation
- Component risks addressed in risk assessment
- Security controls mapped to component vulnerabilities
- Test coverage includes component security validation
Remember: Your SBOM is not just a compliance checkbox—it's a critical tool for demonstrating that you understand and manage the software supply chain risks in your device. FDA reviewers will use it to assess your overall approach to component security and lifecycle management.
Key Success Factor: The most effective SBOM submissions combine comprehensive component identification with thoughtful risk analysis and practical mitigation strategies, showing FDA that you're actively managing software supply chain security throughout the device lifecycle.
See how your device measures up
Take the free FDA 524B readiness assessment and get a personalized gap report covering this topic and more.
Check Your Readiness