Comparison guide
SBOM vs CBOM
SBOM is the artifact that FD&C Act §524B requires for every cyber device. CBOM (Cybersecurity Bill of Materials) is a legacy term from FDA's 2018 draft premarket cybersecurity guidance; it was not carried into the 2023 final guidance.
Side-by-side breakdown
| Dimension | SBOM | CBOM |
|---|---|---|
| Full name | Software Bill of Materials | Cybersecurity Bill of Materials |
| Coverage | Software components only: commercial, open-source and off-the-shelf libraries, operating systems, frameworks. | Software plus hardware components (commercial, open-source and off-the-shelf) that are or could become susceptible to vulnerabilities. |
| Statutory status | Required by FD&C Act §524B for every cyber device. | Not statutory; a draft-guidance concept that was not carried into the final guidance. |
| Standard formats | Machine-readable; SPDX or CycloneDX in practice. | Free-form; no adopted standard. |
| FDA expectation (2026) | Required deliverable, expected in a machine-readable form that reviewers can feed into NVD vulnerability lookups. | Largely absorbed into SBOM + HBOM; no longer requested as a separate artifact. |
| Today's equivalent | Continues as the primary inventory artifact. | Split into SBOM (software) and emerging HBOM (hardware). |
When to use which
Generate the SBOM in SPDX or CycloneDX and keep it machine-readable, because reviewers feed it into CVE lookup automation; a PDF SBOM cannot be processed that way and no longer passes review. Make sure every entry carries the NTIA minimum elements the FDA final guidance points to (supplier, component name, version, a unique identifier such as a purl or CPE, dependency relationships, SBOM author, timestamp), since a component without a version or identifier cannot be matched against a vulnerability database.
If your device includes commercial hardware modules (radios, SoCs, sensors) with their own firmware, capture them in an HBOM and cross-reference each module to its firmware entry in the SBOM, so that a vulnerability in module firmware is traceable to the hardware it runs on. This covers what reviewers used to ask for under the CBOM label.
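As an added example (not tooling from the original page), the script below runs the pre-submission checks implied above over a CycloneDX 1.5 JSON document: NTIA minimum elements per component, dangling `bom-ref` values in the dependency graph, and hardware modules (`device` components) that have no `firmware` component linked to them. `SAMPLE_BOM` is a constructed document with deliberate gaps; the device, vendors and versions in it are illustrative, and the rule that only software-type components must carry a purl/CPE/SWID (hardware and firmware being identified by vendor part number in the HBOM) is this example's own convention, not an FDA requirement.

```python
"""Pre-submission checks on a CycloneDX SBOM.

Added example, not tooling from the original page. Assumes the CycloneDX
1.5 JSON layout (bomFormat, metadata, components, dependencies, bom-ref).
SAMPLE_BOM is a constructed document with deliberate gaps; the device,
vendors and versions in it are illustrative, not a real submission.
"""
import json
import sys

# CycloneDX component types this example treats as software: these must carry
# a purl/cpe/swid so automated CVE lookups can match them. Hardware modules
# ("device") and their "firmware" are identified by vendor part numbers in the
# HBOM in this example, so only supplier/name/version are checked for them.
SOFTWARE_TYPES = {"application", "framework", "library", "operating-system"}

SAMPLE_BOM = {  # constructed sample, not a real device
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2026-01-15T10:00:00Z",
        "authors": [{"name": "Example Device Co. product security"}],
        "component": {"type": "device", "name": "example-pump", "version": "3.2.0",
                      "supplier": {"name": "Example Device Co."}, "bom-ref": "device:pump"},
    },
    "components": [
        {"type": "operating-system", "name": "zephyr", "version": "3.5.0",
         "supplier": {"name": "Zephyr Project"}, "bom-ref": "os:zephyr",
         "purl": "pkg:github/zephyrproject-rtos/zephyr@v3.5.0"},
        {"type": "library", "name": "mbedtls", "version": "3.5.1",
         "supplier": {"name": "Arm Ltd"}, "bom-ref": "lib:mbedtls",
         "purl": "pkg:github/Mbed-TLS/mbedtls@v3.5.1"},
        # Deliberate gap: no version and no purl, so a CVE lookup cannot match it.
        {"type": "library", "name": "zlib", "supplier": {"name": "zlib"}, "bom-ref": "lib:zlib"},
        # HBOM entries cross-referenced into the SBOM: a radio module and its firmware.
        {"type": "device", "name": "BLE radio module", "version": "rev C",
         "supplier": {"name": "ExampleRF Inc."}, "bom-ref": "hw:ble-module"},
        {"type": "firmware", "name": "ble-module-fw", "version": "1.4.2",
         "supplier": {"name": "ExampleRF Inc."}, "bom-ref": "fw:ble-module"},
        # Deliberate gap: a hardware module with no firmware component linked to it.
        {"type": "device", "name": "Temperature sensor", "version": "rev A",
         "supplier": {"name": "ExampleSense"}, "bom-ref": "hw:temp-sensor"},
    ],
    "dependencies": [
        # Deliberate gap: lib:tinycbor is referenced but never declared.
        {"ref": "device:pump", "dependsOn": ["os:zephyr", "lib:mbedtls", "lib:zlib",
                                             "lib:tinycbor", "hw:ble-module", "hw:temp-sensor"]},
        {"ref": "hw:ble-module", "dependsOn": ["fw:ble-module"]},
    ],
}


def ntia_findings(bom):
    """List NTIA minimum-element gaps: SBOM author, timestamp, and per-component
    supplier, name, version and (for software types) a unique identifier."""
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing SBOM author")
    for comp in bom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref", "<unnamed>")
        if not comp.get("name"):
            findings.append(f"{label}: missing name")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if comp.get("type") in SOFTWARE_TYPES and not (
            comp.get("purl") or comp.get("cpe") or comp.get("swid")
        ):
            findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
    return findings


def unresolved_refs(bom):
    """bom-refs used in the dependency graph that no component declares."""
    declared = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in root:
        declared.add(root["bom-ref"])
    dangling = set()
    for dep in bom.get("dependencies", []):
        for ref in [dep["ref"], *dep.get("dependsOn", [])]:
            if ref not in declared:
                dangling.add(ref)
    return sorted(dangling)


def hardware_without_firmware(bom):
    """Hardware modules ("device" components) with no "firmware" dependency.
    Each needs a firmware entry or a documented reason it has no updatable firmware."""
    comps = bom.get("components", [])
    by_ref = {c["bom-ref"]: c for c in comps if "bom-ref" in c}
    depends_on = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    missing = []
    for comp in comps:
        if comp.get("type") != "device":
            continue
        linked = depends_on.get(comp.get("bom-ref"), [])
        if not any(by_ref.get(r, {}).get("type") == "firmware" for r in linked):
            missing.append(comp.get("name", comp.get("bom-ref")))
    return missing


def run_checks(bom):
    """Run all checks; 'ok' is True only when every finding list is empty."""
    report = {
        "ntia": ntia_findings(bom),
        "unresolved_refs": unresolved_refs(bom),
        "hardware_without_firmware": hardware_without_firmware(bom),
    }
    report["ok"] = not any(report[k] for k in ("ntia", "unresolved_refs", "hardware_without_firmware"))
    return report


if __name__ == "__main__":
    # Usage: python sbom_check.py bom.json  (no argument runs the built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_BOM
    if bom.get("bomFormat") != "CycloneDX":
        sys.exit("not a CycloneDX document; SPDX is not handled by this script")
    report = run_checks(bom)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

Run it against the sample and it exits non-zero with the three deliberate gaps: zlib has no version and no identifier, `lib:tinycbor` is referenced but never declared, and the temperature sensor has no firmware entry linked. Wire the same script into CI so the SBOM that ships in the submission is the one that passed.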