CycloneDX 1.6.1 errata clarifies VEX status semantics

1.6.1 errata clarifies how to express 'not_affected' justifications and how VEX statements should reference SBOM components by bom-ref or PURL.

What changed

Justification vocabulary tightened to reduce ambiguous 'not_affected' rows.
Examples added for medical-device style submissions.

Action for manufacturers

Update your VEX generator to emit explicit justifications and stable bom-refs; FDA reviewers increasingly cite missing justifications as deficiencies.

Primary sources

CycloneDX specification overview

Related Blue Goat Cyber resources

CycloneDX vs SPDX for medical devices

Entry metadata

Date: Jan 8, 2026
Agency: CycloneDX
Type: Specification errata
Status: Active
Impact: Medium
Last reviewed: Jun 5, 2026

Applies to

SBOM / VEX producers

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services