
Last reviewed: May 1, 2026, against FDA's February 2026 final premarket guidance and the NTIA SBOM minimum elements.
A working SBOM is not a deliverable you ship once with your 510(k); it is the input to a continuous vulnerability-management loop that FDA expects to run for the entire supported life of the device. This guide is the loop, end to end.
1. Generate the SBOM at Build Time, Not at Submission Time
A trustworthy SBOM is produced by your build system, not reconstructed from a spreadsheet. Wire SBOM generation into CI using tools such as Syft, CycloneDX CLI, SPDX sbom-tool, or language-native generators (cyclonedx-npm, cyclonedx-py, cyclonedx-gomod). Output CycloneDX 1.5+ JSON or SPDX 2.3+ — both are accepted by the FDA. See our CycloneDX vs SPDX comparison for choosing between them.
2. Include the NTIA Minimum Elements (Plus the Useful Extras)
NTIA's seven required fields — supplier, component name, version, unique identifier, dependency relationship, author, and timestamp — are table stakes. Add: PURL (package URL), CPE (for NVD matching), license, hash, and scope (required vs optional). PURL is the single most useful enrichment because most modern matchers key off it.
3. Match Against Authoritative Feeds
Match SBOM components against:
- NVD (NIST National Vulnerability Database) — primary CVE source
- CISA KEV (Known Exploited Vulnerabilities) — the exploitation reality check
- GitHub Advisory Database / OSV.dev — broader ecosystem coverage, often earlier than NVD
- EPSS (Exploit Prediction Scoring System) — probability of exploitation in the next 30 days
Tools that automate this matching include Dependency-Track, Grype, Trivy, Snyk, and Mend. For medical device fleets, Dependency-Track is the most common open-source choice because it speaks CycloneDX natively and supports VEX round-tripping.
4. Triage With CVSS Plus Context, Not CVSS Alone
CVSS v3.1 / v4.0 base score is the starting point, not the verdict. A reviewer-grade triage record includes:
- CVSS base + temporal + environmental score
- EPSS score
- KEV status (yes/no)
- Exploitability in the device's actual configuration (is the vulnerable function reachable?)
- Patient-harm linkage from the security risk file (AAMI SW96)
A CVE that is CVSS 9.8 but unreachable in your configuration is a VEX not_affected with justification. A CVE that is CVSS 5.4 but on the KEV list and reachable is a P1.
5. Publish VEX Statements for Unaffected and Mitigated CVEs
VEX (Vulnerability Exploitability eXchange) tells operators which CVEs in your SBOM do not require action, and why. Without VEX, every hospital security team will open a ticket against every CVE that hits your SBOM. Publish VEX in CycloneDX VEX or CSAF 2.0 format. See our VEX document guide.
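As an added example (not code from the original guide or from Blue Goat Cyber), the following Python assembles a minimal CycloneDX 1.5 VEX document from triage outcomes and refuses a not_affected statement that carries no justification; the function names, CVE identifiers, bom-refs, serial number and detail strings are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Vocabulary of the CycloneDX 1.5 vulnerability "analysis" object.
STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration", "requires_dependency",
                  "requires_environment", "protected_by_compiler", "protected_at_runtime",
                  "protected_at_perimeter", "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}

def vex_entry(cve: str, bom_ref: str, state: str, justification: str = None,
              detail: str = "", response: list = ()) -> dict:
    """One vulnerability entry; a not_affected verdict must name why, or operators cannot trust it."""
    if state not in STATES:
        raise ValueError(f"unknown VEX state: {state}")
    if state == "not_affected" and justification not in JUSTIFICATIONS:
        raise ValueError("not_affected requires a recognised justification")
    if not set(response) <= RESPONSES:
        raise ValueError(f"unknown response value in {list(response)}")
    analysis = {"state": state, "detail": detail}
    if justification:
        analysis["justification"] = justification
    if response:
        analysis["response"] = list(response)
    return {"id": cve,
            "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{cve}"},
            "analysis": analysis,
            "affects": [{"ref": bom_ref}]}  # bom-ref of the component in the device SBOM

def build_vex(entries: list, serial_number: str, when: datetime = None) -> dict:
    """Wrap entries in a minimal CycloneDX VEX document (same envelope as an SBOM)."""
    when = when or datetime.now(timezone.utc)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "serialNumber": serial_number,  # urn:uuid:... identifying this VEX document
            "metadata": {"timestamp": when.isoformat(timespec="seconds")},
            "vulnerabilities": entries}

# Constructed sample: one CVE unreachable in the shipped configuration, one mitigated by a compensating control.
SAMPLE = build_vex([
    vex_entry("CVE-PLACEHOLDER-1", "pkg:npm/example-lib@1.2.3", "not_affected",
              justification="code_not_reachable",
              detail="Vulnerable parser is never called; the device ingests no untrusted XML."),
    vex_entry("CVE-PLACEHOLDER-2", "pkg:pypi/example-svc@4.0.1", "exploitable",
              detail="Mitigated by network segmentation described in the device labeling.",
              response=["workaround_available", "update"]),
], "urn:uuid:00000000-0000-0000-0000-000000000000")
SAMPLE_JSON = json.dumps(SAMPLE, indent=2)  # what you would publish alongside the SBOM
```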
6. Set and Honor a Patch SLA by Severity
FDA reviewers expect a documented SLA. A defensible baseline:
| Severity | Triage | Patch developed | Patch deployed (or compensating control) |
|---|---|---|---|
| Critical / KEV | 24 hours | 14 days | 30 days |
| High | 5 business days | 30 days | 60 days |
| Medium | 15 business days | 90 days | Next planned release |
| Low | 30 business days | Next planned release | Next planned release |
Adjust the cells for your device class and patient-harm profile — but write them down and meet them. Missed SLAs without documented rationale are a postmarket finding.
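An added example, not from the original guide, that encodes the section 4 triage rules and the section 6 SLA baseline in Python so both can be applied mechanically and recorded; the Finding fields, the patient-harm scale and the non-KEV severity thresholds are this example's assumptions, and holidays are ignored when counting business days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Finding:
    cve: str
    cvss: float        # CVSS v3.1 / v4.0 base score
    epss: float        # probability of exploitation in the next 30 days
    kev: bool          # listed in CISA KEV?
    reachable: bool    # is the vulnerable function reachable in the device's configuration?
    patient_harm: str  # linkage from the risk file; "none" / "minor" / "serious" is this example's scale

# Section 6 baseline as (triage, patch developed, patch deployed); None = next planned release.
# Triage windows are business days, except Critical, which is 24 clock hours.
SLA = {
    "Critical": (timedelta(hours=24), timedelta(days=14), timedelta(days=30)),
    "High":     (5,  timedelta(days=30), timedelta(days=60)),
    "Medium":   (15, timedelta(days=90), None),
    "Low":      (30, None, None),
}

def add_business_days(start: datetime, n: int) -> datetime:
    d = start
    while n > 0:                 # count Monday..Friday only; holidays ignored (assumption)
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def triage(f: Finding) -> dict:
    """Section 4 disposition: unreachable -> VEX not_affected, otherwise a severity bucket."""
    if not f.reachable:          # CycloneDX VEX justification value; evidence goes in the VEX detail
        return {"cve": f.cve, "disposition": "not_affected", "justification": "code_not_reachable"}
    # KEV and CVSS >= 9.0 as Critical come from the guide; the other thresholds are assumptions.
    if f.kev or f.cvss >= 9.0 or f.patient_harm == "serious":
        severity = "Critical"
    elif f.cvss >= 7.0 or f.epss >= 0.5:
        severity = "High"
    elif f.cvss >= 4.0:
        severity = "Medium"
    else:
        severity = "Low"
    return {"cve": f.cve, "disposition": "exploitable", "severity": severity}

def deadlines(severity: str, discovered_at: str) -> dict:
    # SLA clocks start when the matcher surfaces the CVE; ISO 8601 strings in, ISO 8601 strings out
    t0 = datetime.fromisoformat(discovered_at)
    tri, dev, deploy = SLA[severity]
    due = t0 + tri if isinstance(tri, timedelta) else add_business_days(t0, tri)
    def iso(d): return d.isoformat() if d else None
    return {"triage": iso(due), "patch_developed": iso(t0 + dev if dev else None),
            "patch_deployed": iso(t0 + deploy if deploy else None)}
```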
7. Close the Loop Through Your QMS
Every triage outcome — patch, mitigate, accept, VEX-as-not-affected — must flow back into the QMS:
- Patch → design change → V&V → release → labeling update
- Mitigate (compensating control) → labeling and customer notification
- Accept → risk file update and management sign-off
- VEX not_affected → VEX publication, no further action
If your CAPA system never sees vulnerability records, your SBOM program is not closing the loop and reviewers will say so.
8. Refresh the SBOM on Every Build
The SBOM is a build artifact. Treat it like one: regenerate on every CI run, store with the binary, sign it (cosign / Sigstore), and version-control it alongside the release notes. Submission SBOMs should match the release the FDA is reviewing — not a snapshot taken six months earlier.
9. Premarket Submission Packaging
In the premarket submission, include:
- The SBOM file (CycloneDX or SPDX, machine-readable)
- A human-readable summary table for reviewers
- The known-vulnerability assessment as of the submission date
- VEX statements for any CVEs you are calling out as not-affected
- The vulnerability management plan that describes items 1–8 above
10. Postmarket Monitoring Cadence
Run the matcher daily; publish a customer-facing vulnerability bulletin at least quarterly and immediately for any KEV or CVSS ≥ 9.0 issue affecting your device. Tie monitoring outputs to your CVD intake so external researcher reports converge with internal scanning.
Frequently asked questions
Is SBOM required for FDA submissions?
Yes. Section 524B(b)(3) requires sponsors to provide an SBOM with the premarket submission and to maintain it postmarket for every cyber device.
What SBOM format does the FDA accept?
CycloneDX (1.4+) and SPDX (2.2+) in machine-readable form (JSON or XML for CycloneDX, tag-value or JSON for SPDX).
How often should I update the SBOM?
Regenerate on every build. Republish externally on every release and whenever a material vulnerability disposition changes.
Do I need VEX?
The FDA does not mandate VEX, but without it your customers cannot distinguish exploitable CVEs from background noise. In practice, omitting VEX produces a flood of customer escalations that look like a postmarket finding.
What tools should I use?
For generation: Syft, CycloneDX CLI, SPDX sbom-tool. For matching and triage: Dependency-Track, Grype, Trivy. For VEX: CycloneDX VEX or CSAF 2.0 tooling. Blue Goat Cyber runs this stack as a managed service for clients who do not want to build it in-house.
How Blue Goat Cyber helps
Blue Goat Cyber operates FDA-compliant SBOM services and postmarket SBOM/VEX monitoring as managed offerings — we generate, enrich, monitor, and publish VEX, and feed remediations into your QMS.
Sources & primary references
- FDA, Cybersecurity in Medical Devices (final guidance, February 2026)
- Section 524B of the Federal Food, Drug, and Cosmetic Act
- NTIA, The Minimum Elements For a Software Bill of Materials (SBOM)
- CISA, Known Exploited Vulnerabilities Catalog
- CycloneDX specification 1.5; SPDX specification 2.3
- FIRST, Exploit Prediction Scoring System (EPSS)