SPDX or CycloneDX - which format should I use?

Both SPDX 2.3+ and CycloneDX 1.4+ are accepted by the FDA and explicitly endorsed in the 2026 final premarket cybersecurity guidance. CycloneDX has stronger native support for vulnerability data (VEX) and component pedigree, which is why most MedTech teams ship CycloneDX 1.5 today and why we default to it. SPDX is more common in upstream open-source projects and remains a perfectly valid submission format. Pick one, be consistent across your portfolio, and make sure the format is genuinely machine-parseable - reviewers do parse it, and a malformed JSON file is one of the fastest ways to trigger a Refuse To Accept.

How granular does my SBOM need to be?

Down to the third-party component level, including version, license, supplier, and a unique identifier (PURL or CPE). Reviewers reject SBOMs that list only top-level dependencies or omit transitive components. For embedded and firmware-based devices that means including the bootloader, RTOS, embedded OS, statically-linked libraries discovered through binary analysis, kernel modules, device-tree blobs, and any vendor-specific drivers. For SaMD and connected ecosystems include the companion mobile app SBOM and the cloud back-end SBOM as separate documents tied together by a top-level assembly SBOM with cryptographic hashes for tamper evidence.

Do I need a postmarket SBOM monitoring program?

Yes. Section 524B and the 2026 premarket guidance, together with the 2025 postmarket guidance, require ongoing vulnerability monitoring tied to your SBOM. Mapping SBOM components to CVE feeds (NVD, GHSA, vendor PSIRTs) and CISA KEV in real time is now part of postmarket compliance, not a 'nice to have'. The triage layer matters as much as the scanning: every hit needs a VEX statement declaring whether the vulnerability is exploitable in the device's intended-use context, fixed, under investigation, or not affected - with technical justification. Without VEX triage, continuous scanning generates an unbounded list of CVEs that nobody has time to action.

Topic hub

SBOMs for Medical Devices

An SBOM is now table-stakes for FDA cybersecurity review - and the most common reason packages get rejected at Technical Screening. This hub covers our SBOM service, format guidance (SPDX 2.3 and CycloneDX 1.4+), the rejection patterns we see most often in deficiency letters, and how SBOMs feed into postmarket vulnerability management with VEX. Every artifact we ship is machine-readable, cryptographically hashed for tamper evidence, and structured to drop directly into the eSTAR cybersecurity sections without translation. We cover first-party code, third-party libraries, embedded OS and bootloader components, companion mobile apps, and cloud back-end services as a single linked assembly.

Services

In-depth guides

Standards & guidance

Defined entries from our MedTech Cybersecurity Standards Glossary.

From the blog

Best Practices for Medical Device CybersecurityMedical device cybersecurity best practices for 2025: threat modeling, SBOM, penetration testing, secure updates, and FDA 524B/SPDF readiness.

Related FDA deficiencies

The deficiency letters reviewers most often write on submissions in this topic area. Each links to the full response playbook.

Browse all deficiency topics

Topic FAQ

SBOMs for Medical Devices - frequently asked questions

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services