HEALTHCARE & LIFE SCIENCES

Software Bill of Materials requirements

Software Bill of Materials requirements are reshaping cybersecurity obligations for Healthcare & Life Sciences companies at the device and software layer, driven primarily by the U.S. Food and Drug Administration's cybersecurity guidance under the 2022 Consolidated Appropriations Act and the U.S. Department of Health and Human Services' HIPAA Security Rule enforcement priorities. The Food and Drug Administration now requires SBOM submissions as part of premarket device submissions, and the European Medicines Agency is watching parallel EU Cyber Resilience Act obligations that will pull medical device software into scope by 2027. Compliance teams at manufacturers, hospital systems, and health IT vendors are actively mapping third-party component inventories against FDA's published SBOM format expectations before renewal cycles force the issue.

Watch

  • FDA premarket submission SBOM requirements: format and completeness standards under active review
  • EU Cyber Resilience Act Article 13 obligations hitting medical device software by 2027
  • HHS Office for Civil Rights signaling SBOM as a HIPAA Security Rule audit consideration
  • NTIA minimum elements standard: whether FDA will formally adopt or diverge in final guidance
  • State-level procurement rules requiring SBOM disclosure from health IT vendors

Recent material activity in Healthcare & Life Sciences

Active monitoring in place across Healthcare & Life Sciences. Material developments related to software bill of materials requirements will appear here as they are published.