US FDA and Mandatory SBOM: A Guide to Understanding its Scope

The enactment of the US Consolidated Appropriations Act, 2023 (“Omnibus”) on December 29, 2022, underscored the imperative need for a Software Bill of Materials (SBOM) in the healthcare industry. This legislation, specifically Section 3305 of the Omnibus, known as “Ensuring Cybersecurity of Medical Devices,” amended the Federal Food, Drug, and Cosmetic Act (“FD&C Act”) to address pressing cybersecurity concerns in medical devices. In response, the newly added Section 524B emphasizes the mandatory submission of information to ensure that cyber devices meet specific cybersecurity requirements.

Under the FD&C Act, a “cyber device” is defined as a device that incorporates validated or authorized software, is Internet-enabled, and has technological characteristics that are vulnerable to cybersecurity threats. Manufacturers unsure of the classification of their devices are encouraged to contact the FDA for clarification.

The inclusion of Section 524B requires manufacturers submitting premarket applications or submissions to provide evidence of compliance with the cybersecurity requirements outlined in Section 524B(b). These requirements mandate the submission of a comprehensive plan for monitoring, identifying, and addressing cybersecurity vulnerabilities in a timely manner. In addition, manufacturers must design, develop, and maintain robust processes and procedures to ensure the cybersecurity of the device and its associated systems. The law also mandates the provision of a detailed SBOM that includes commercial, open source, and off-the-shelf software components.

However, it is important to understand that the Omnibus provided a grace period, exempting applications submitted before March 29, 2023, from these cybersecurity requirements. Nevertheless, any subsequent modifications to previously cleared cyber devices that require premarket review will be subject to these newly enacted regulations. As of October 1, 2023, the FDA anticipates that cyber device manufacturers will have had sufficient time to incorporate the necessary cybersecurity measures into their premarket submissions in accordance with the standards set forth in Section 524B of the FD&C Act, and we can therefore consider this date to be the full effective date of this legislation.

The introduction of this legislation underscores the criticality of cybersecurity in medical devices. As the healthcare sector becomes increasingly digitized, the security of medical devices becomes critical to ensuring patient safety and privacy. The implementation of SBOMs in accordance with the new regulations will increase transparency, facilitate rapid identification of vulnerabilities, and enable timely intervention to ensure the overall integrity and security of medical devices in the healthcare landscape. 

Experience open-source auditing like never before with Fossity. Harness the trifecta of confidentiality, speed, and cost-effectiveness to create precise Software Bill of Materials (SBOMs). Upgrade your compliance game effortlessly. Choose Fossity for the future of open-source auditing!