" " indicates required fields
A Software Bill of Materials (SBOM) is a foundational cybersecurity and compliance artifact that provides a machine-readable inventory of all software components and dependencies, including open-source libraries, packages, licenses, proprietary code, and metadata.
Think of an SBOM as a label of ingredients for software, where each component is listed with specific attributes such as version, origin, author name, and hierarchical relationships to support secure development.

Gartner predicts that over 60% of organizations will adopt SBOMs by the end of this year, up from under 20% in 2022, highlighting their critical role in securing the software supply chain.
SBOMs are no longer a consideration; they are mandatory. Executive Order 14028 requires all vendors to provide SBOM documentation when working with federal agencies, ensuring transparency into software components, third-party dependencies, and potential vulnerabilities to enhance supply chain management security.
For connected medical devices, the widespread use of third-party and open-source software introduces hidden and often unmanaged risks that can directly impact patient safety, system availability, and the confidentiality of sensitive health data. SBOMs provide essential visibility into these components, enabling manufacturers to proactively identify, track, and mitigate security vulnerabilities across the device software supply chain. In regulated healthcare environments, this transparency is not just a best practice—it is becoming a compliance mandate.
An SBOM can provide comprehensive visibility into all software components used within a device, enabling manufacturers to map dependencies between modules that may affect device performance and proactively manage risks to patient data confidentiality.
The FDA now requires all medical device manufacturers (MDMs) to include a Software Bill of Materials (SBOM) in their premarket submissions for cyber devices. This requirement is formalized under Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act, which defines a cyber device as one that includes software, connects to the Internet, and poses potential cybersecurity risks [download the Bill, PDF].
Under this regulation, manufacturers must provide the FDA with a comprehensive and up-to-date SBOM that includes all commercial, open-source, and off-the-shelf software components used in the device. The SBOM must be:
Additionally, manufacturers must disclose any software modifications or updates that impact cybersecurity. This includes patching procedures, component replacements, license changes, or the mitigation of newly discovered vulnerabilities.
Beyond regulatory pressure, the business case is clear: 73% of healthcare organizations report that new FDA cybersecurity requirements and evolving EU regulations influence their procurement decisions. 78% now view SBOM availability as a key factor in vendor selection.
Surmodics, a global leader in surface modification technologies for intravascular medical devices, was recovering from a cyber attack in June 2025, when an unauthorized third party accessed critical IT systems and data.
Research showed that 14% of connected medical devices also run an unsupported or end-of-life operating system (OS). An SBOM can help mitigate these risks by providing visibility into all underlying software components, including outdated OS versions, unpatched third-party libraries, and embedded firmware dependencies.
Here are other use cases for medical devices:
SBOMs are essential for code reviews to detect risky libraries, deprecated packages, or components with restrictive licenses before they reach production.
SBOMs can also be integrated into CI/CD pipelines to automatically detect transitive dependencies, identify known vulnerabilities, and ensure license compliance, especially when working with open-source software (OSS) repositories, which often contain malicious packages that may be unintentionally installed and remain undetected post-production.
An SBOM provides the needed visibility into every component and its origin, helping developers verify the authenticity of packages.
Here are several best practices of SBOM implementation:
Medical device manufacturers face growing cybersecurity and compliance obligations, especially under FDA Section 524B, ISO 14971, and EU MDR. C2A Security’s EVSec Platform delivers an end-to-end solution to automate, validate, and manage software bill of materials (SBOMs), hardware BOMs (HBOMs), and component BOMs (CBOMs) throughout the device lifecycle – from design to postmarket surveillance:
With C2A Security, medical device manufacturers can shift from reactive compliance to proactive, context-based cybersecurity, backed by deep supply chain visibility, automation, and traceability. EVSec simplifies complex SBOM management, reduces the risk of regulatory delays, and empowers organizations to deliver secure, compliant, and trusted medical technologies to market.
Schedule a demo to learn how C2A Security can help streamline SBOM processes and risk prioritization for medical device manufacturers.
CRO
C2A Security
VP and GM, Medical Technology
C2A Security
Ken Zalevsky brings over 20 years of medical device cybersecurity experience to his role at C2A Security, where he serves as VP and GM, Medical Technology, following the acquisition of Vigilant Ops in October 2025. A former Bayer executive, Ken founded Vigilant Ops in 2019 after witnessing the consequences of inadequate technical preparation in the healthcare industry. He is an active contributor to CISA’s SBOM working groups and a frequent speaker on software supply chain security. Ken’s mission: transform SBOM from a compliance checkbox into operational intelligence that keeps patients safe while streamlining regulatory processes.