Build a submission-ready SBOM. Keep its risk current.Premarket through end of life.
GoatWatch is Blue Goat's SBOM risk management platform for medical device software, used on both sides of clearance. Premarket, it produces the FDA-aligned SBOM and vulnerability baseline your submission needs. Postmarket, it keeps that SBOM current, watches every component for new vulnerabilities, and tells you which ones actually matter for your device, judged against your architecture and the patient-harm pathway, not a raw severity score.
250+ FDA submissions supported · 0 cybersecurity rejections · Live and in use today.
- Senior engineer owns your account
- Standalone or bundled with postmarket
- Fixed-fee per device, no hourly billing
- SDVOSB, US-based, MedTech-only
The MedTech SBOM Compliance Playbook
What FDA actually expects for SBOMs, vulnerability monitoring, and postmarket cybersecurity, in plain English, with templates you can use this week.
- Section 524B and the Feb 2026 FDA guidance, decoded
- Five SBOM artifacts every submission needs
- Continuous monitoring without the noise
- A 90-day compliance roadmap
Aligned to FDA Feb 2026 guidance · v1.1
MedTech compliance standards we follow
What GoatWatch does for you
Whether you need premarket SBOM creation or postmarket continuous monitoring, GoatWatch covers both - standalone or as part of our full postmarket service.
SBOM Ingestion & Maintenance
Import a CycloneDX or SPDX bill of materials, or have us build one. Components are normalized, version-resolved, and maintained against FDA's three-tier support taxonomy: actively maintained, no longer maintained, and abandoned.
Continuous Vulnerability Correlation
Every component is matched against the NIST NVD and upstream supplier advisories, so a new disclosure against your dependency tree surfaces without you going looking for it.
CISA KEV Tracking
Known Exploited Vulnerabilities are treated as a separate, higher-priority signal because FDA treats them that way. A KEV match on one of your components becomes an explicit action item.
Device-Context Triage
Not every vulnerability matters equally. GoatWatch prioritizes by exploitability in your specific architecture and the patient-harm pathway, cutting the noise raw CVE feeds produce.
VEX & Exportable Evidence
Vulnerabilities that do not apply are documented as not affected, with a justification. Findings, decisions, and SBOM change history are exportable as evidence for FDA postmarket and audits.
End-of-Life (EOL) Tracking
Every component is tracked against its published end-of-life date. Components approaching EOL are flagged early so you can plan a replacement before the vendor stops shipping the product entirely.
End-of-Support (EOS) Tracking
EOS dates are monitored per component, because a product that is still installed but no longer receiving security patches is a postmarket cyber risk regardless of whether a CVE exists today.
Level-of-Support (LOS) Tracking
Each component is classified against the FDA's three-tier taxonomy: actively maintained, limited support, or unsupported. Level-of-support changes trigger alerts so triage and lifecycle plans stay accurate.
Three forces converging on your device
SBOM rigor stopped being optional the moment regulators, buyers, and attackers started asking the same question at the same time: what is actually running inside this device?
FDA enforcement
Cybersecurity is a Refuse-to-Accept criterion, not a recommendation. The Feb 2026 guidance gave reviewers a sharper checklist and stricter cross-reference rules.
No SBOM, no submission. Reviewers screen for it before the 180-day clock starts.
Health-system procurement
Hospitals increasingly require current SBOMs and MDS2 forms as a condition of purchase, often as RFP-gating items before contracts move forward.
Buyers now ask for the SBOM alongside the price sheet.
Threat reality
Ripple20, Log4Shell, Curl CVE-2023-38545, and the XZ Utils backdoor each touched hundreds of device models. Manufacturers without SBOMs spent weeks just checking exposure.
When the next CVE lands, an SBOM turns weeks of scrambling into hours of triage.
Everything the FDA expects, in one workspace
The submission artifacts reviewers look for, a live checklist to score your readiness, and a component inventory view that mirrors what ships in every GoatWatch account.
Five artifacts every premarket submission needs
The FDA's Feb 2026 guidance maps each artifact to an eSTAR v7.0 cybersecurity slot. Missing or contradictory ones are the most common cause of AI-letter delays.
Machine-readable SBOM
CycloneDX 1.5+ / SPDX 2.3+
Supplier, component, version, PURL/CPE, hash, dependency graph, author, timestamp
Hand-edited JSON; missing hashes or transitive deps.
Component support status
Table or appendix
Level of Support (LOS), End of Support (EOS), End of Life (EOL) per component
No LOS / EOS / EOL dates for OSS or COTS dependencies.
Known-vulnerability list + VEX
VEX (CycloneDX VEX or CSAF)
CVE ID, CVSS, affected component + version range, VEX status, justification
Stale CVE lookup; no VEX status at submission.
Safety & security rationale
Narrative per finding
Exploitability in device context, patient-harm pathway, residual risk, compensating controls
Generic 'not exploitable' with no device or harm context.
Update mechanism description
SPDF + architecture view
Delivery channel, cadence, authentication, rollback, evidence patches reach fielded devices
No evidence patches actually reach fielded devices.
Premarket help, postmarket peace of mind.
FDA expects SBOM rigor before clearance - and continuous vigilance after launch. GoatWatch covers both sides of the lifecycle.
Vendor stops selling or producing the component. Existing installs may keep running.
Vendor stops issuing security patches or fixes. This is where postmarket risk quietly accumulates.
FDA's Feb 2026 three-tier signal: actively maintained, limited, or unsupported. Regulators key on this.
Submission-Ready SBOMs
Build a complete, FDA-aligned SBOM before you submit. We help you validate component data, resolve unknowns, and produce a baseline cybersecurity risk assessment that holds up under review.
- CycloneDX & SPDX validation
- Known-vulnerability baseline
- Submission documentation pack
Continuous CVE Monitoring
After clearance, your SBOM keeps working. GoatWatch monitors every component daily, prioritizes exploitable risks, and gives you the evidence trail regulators expect.
- Daily CVE & KEV matching
- VEX-ready triage workflow
- Audit logs for postmarket reporting
From SBOM to evidence in four steps
Import Your SBOM
Upload or generate your SBOM - we support CycloneDX, SPDX, and custom formats.
Analyze & Map Risks
GoatWatch maps every component to known CVEs, vendor advisories, and end-of-life status.
Monitor Continuously
Post-launch, receive prioritized alerts when new vulnerabilities affect your device.
Export Evidence
Generate audit-ready reports for FDA postmarket submissions and compliance reviews.
From zero to defensible compliance in 90 days
The sequence we use with clients starting from a blank slate on a single device line.
-
Days 0–15
Phase 1 · Discover
Inventory build systems, identify third-party components and firmware blobs, choose SBOM format (CycloneDX 1.5+ preferred).
Deliverable · Signed inventory of build systems, chosen SBOM format decision memo.
Days 0–15Phase 1 · Discover
Inventory build systems, identify third-party components and firmware blobs, choose SBOM format (CycloneDX 1.5+ preferred).
Deliverable · Signed inventory of build systems, chosen SBOM format decision memo.
-
Days 15–35
Phase 2 · Generate
Integrate SBOM generation into CI/CD. Validate completeness against build artifacts. Produce the first VEX baseline.
Deliverable · Reproducible SBOM emitted per build + first VEX baseline (CycloneDX VEX or CSAF).
Days 15–35Phase 2 · Generate
Integrate SBOM generation into CI/CD. Validate completeness against build artifacts. Produce the first VEX baseline.
Deliverable · Reproducible SBOM emitted per build + first VEX baseline (CycloneDX VEX or CSAF).
-
Days 35–60
Phase 3 · Monitor
Stand up daily CVE ingestion against the SBOM. Define triage criteria, severity thresholds, and named owners.
Deliverable · Daily CVE feed wired to the SBOM, written triage SOP with named owners.
Days 35–60Phase 3 · Monitor
Stand up daily CVE ingestion against the SBOM. Define triage criteria, severity thresholds, and named owners.
Deliverable · Daily CVE feed wired to the SBOM, written triage SOP with named owners.
-
Days 60–80
Phase 4 · Evidence
Implement versioning and retention. Document the process in a Cybersecurity Management Plan (eSTAR v7.0 Slot 8).
Deliverable · Versioned SBOM archive + Cybersecurity Management Plan document (eSTAR v7.0 Slot 8).
Days 60–80Phase 4 · Evidence
Implement versioning and retention. Document the process in a Cybersecurity Management Plan (eSTAR v7.0 Slot 8).
Deliverable · Versioned SBOM archive + Cybersecurity Management Plan document (eSTAR v7.0 Slot 8).
-
Days 80–90
Phase 5 · Operate
Run a tabletop exercise on a simulated CVE. Refine the playbook. You are now defensibly compliant.
Deliverable · Completed tabletop exercise report + refined incident-response playbook.
Days 80–90Phase 5 · Operate
Run a tabletop exercise on a simulated CVE. Refine the playbook. You are now defensibly compliant.
Deliverable · Completed tabletop exercise report + refined incident-response playbook.
GoatWatch vs generic SBOM scanners & DIY tracking
A side-by-side look at what you actually get with med-device-specific SBOM risk management.
| Capability |
GoatWatch★ Recommended
|
Generic Scanner / DIY(industry average)
|
|---|---|---|
|
1
SBOM Coverage
How completely your software supply chain is mapped.
|
||
|
SPDX & CycloneDX Ingestion
|
|
|
|
SBOM Generation if You Don't Have One
Most scanners assume you already have a clean SBOM
|
|
|
|
Component Normalization & Version Resolution
Raw SBOMs are noisy. We clean them before monitoring.
|
|
|
|
Firmware & Embedded Component Tracking
DIY trackers and IT-focused scanners miss firmware components
|
|
|
|
2
Vulnerability Triage
Turning raw CVE noise into decisions your team can act on.
|
||
|
Continuous CVE & Advisory Monitoring
|
|
|
|
Device-Context Impact Triage
We factor in network exposure, exploitability, and clinical risk - not just CVSS
|
|
|
|
Patient-Safety Linked (ISO 14971)
Cyber risk tied to patient harm, not just data confidentiality
|
|
|
|
End-of-Life (EOL) Tracking
Per-component EOL dates surfaced before they become a postmarket risk
|
|
|
|
End-of-Support (EOS) Tracking
Alerts when vendors stop shipping security patches, even if EOL is years away
|
|
|
|
Level-of-Support (LOS) Tracking
FDA three-tier taxonomy: actively maintained, limited support, unsupported
|
|
|
|
Vendor Advisory Ingestion
|
|
|
|
Expert-Led Triage (Not Just a Dashboard)
A senior med-device cyber expert reviews findings with you
|
|
|
|
3
Regulatory & Audit Readiness
What FDA reviewers and notified bodies actually expect.
|
||
|
FDA Postmarket Cyber Guidance Aligned
Section 524B, RTA-ready evidence
|
|
|
|
IEC 62304 / IEC 81001-5-1 Mapping
|
|
|
|
EU MDR Postmarket Surveillance Support
|
|
|
|
Audit-Ready Vulnerability Timelines
Triage decisions, remediation actions, SBOM change history
|
|
|
|
Exportable Evidence Packs
|
|
|
|
4
Service & Terms
How we work - built for med-device teams, not enterprise IT.
|
||
|
Senior MedTech Cyber Expert Leads
Senior MedTech expert owns your account, not a generic SOC tier-1
|
|
|
|
Fixed-Fee Pricing per Device
No hourly billing, no scope creep
|
|
|
|
Onboarding in 1-2 Weeks
Enterprise SBOM platforms typically take months
|
|
|
|
SDVOSB Certified Vendor
Federally certified, advantageous for federal MedTech contracts
|
|
|
|
Standalone or Bundled with Postmarket Service
|
|
|
The postmarket workload, minus the postmarket panic.
What SBOM ownership looks like when the monitoring, triage, and evidence layer is doing the work for you.
Every component re-checked every day against NVD, CISA KEV, and vendor advisories. No quarterly gaps.
Triage that used to take a security engineer weeks of spreadsheet work is ready the same shift.
Postmarket reporting artifacts assembled continuously. Pull the pack when the FDA, an auditor, or a customer asks.
LOS, EOS, and EOL changes flag the day the vendor publishes them, not the day a reviewer spots them.
From first call to continuous monitoring in 2 weeks
Most SBOM platforms put you in a multi-month onboarding queue. We start this week.
Discovery Call
Talk directly with a senior medical device cyber expert. We learn your device, SBOM status, and postmarket risk profile - no sales reps.
SBOM Onboarding
We ingest your existing SBOM (SPDX/CycloneDX) or generate one. Components are normalized, version-resolved, and mapped to your device context.
Continuous Monitoring Live
GoatWatch goes live, tracking CVEs, vendor advisories, and EOL/EOS/LOS notices. Triage rules tuned to your risk profile, alerts routed to your team.
Audit-Ready Evidence
Vulnerability timelines, triage decisions, remediation actions, and SBOM change history - exportable for FDA, notified bodies, and internal QMS.
Trusted by MedTech security teams
"GoatWatch gave us visibility into our SBOM risks that we simply didn't have before. When the FDA asked about our postmarket surveillance process, we had audit-ready evidence on day one."
VP of Regulatory Affairs
Class III Medical Device Manufacturer
"We used to track CVEs in spreadsheets, and it was a nightmare. GoatWatch's device-context triage means we focus on real threats, not noise. It has been a game-changer for our team."
Director of Product Security
Connected Health Platform
"Blue Goat handled our premarket SBOM analysis and transitioned us seamlessly into GoatWatch for postmarket monitoring. The continuity from submission to surveillance is exactly what we needed."
Head of Quality & Compliance
Surgical Robotics Company
GoatWatch questions
Need more than monitoring?
GoatWatch is one piece of our full medical device cybersecurity offering.
Already have an SBOM? Let's monitor it.
30 minutes with a senior medical device cybersecurity expert. We'll review your SBOM, scope ongoing monitoring, and send a fixed-fee quote in 24 hours.