3-minute SBOM score

Is your SBOM program FDA-ready?

Eleven questions mapped to FDA §524B and the current premarket cybersecurity guidance - now covering build provenance (SLSA), signing (Sigstore), AI-generated code, and dependency-confusion defenses. Get a score and a prioritized gap list.

Reviewed by

Christian Espinosa

Founder & CEO, Blue Goat Cyber

Last reviewed May 21, 2026

Question 1 of 110% complete

What SBOM format do you generate today?

What you'll see after you submit

Your answers become a 0–100 readiness score and category breakdown

RingScore infographic: overall SBOM readiness as a percentage with tone (green/amber/red).
Radial breakdown across format, depth, VEX, monitoring, and update cadence - see exactly which lever is dragging the score.
Gap-by-gap remediation list mapped to FDA's premarket and postmarket expectations.
Print/PDF view formatted for handing to a CTO or auditor.

Common misconceptions

What teams usually get wrong

Myth: A top-level dependency list is an SBOM.

Reality: FDA expects transitive depth. The SBOM must include components your components depend on, down to the smallest unit you can practically resolve (NTIA 'minimum elements').
Myth: SPDX and CycloneDX are interchangeable for FDA.

Reality: Both are accepted, but each has different VEX maturity, hashing conventions, and tooling support. Pick one, document why, and stay consistent across premarket and postmarket.
Myth: Once we ship the SBOM, we're done.

Reality: §524B requires a maintained SBOM with monitoring and updates for the supported lifetime of the device. A static PDF in your submission is a postmarket deficiency in waiting.
Myth: VEX is optional.

Reality: It's not statutorily required, but without VEX every new CVE in your SBOM looks like an open issue. FDA reviewers and customers now expect VEX to disposition non-exploitable findings.