In recent years, more and more medical device manufacturers (MDMs) have come to rely on software bill of materials, or SBOMs. Some do this to help track licensing while others do so as part of a product vulnerability management process. In all cases, organizations who utilize SBOMs may have a leg up when it comes to the recently announced Refuse to Accept Policy (RTA) that was signed into law under section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act).
This new guidance was created in response to executive order 14028, Improving the Nation’s Cybersecurity. In short, the policy states that applications for medical devices filed after October 1, 2023, that qualify as cyber devices will be subject to a new process that gives the FDA the ability to issue RTA decisions based on cybersecurity-related elements of the submission filing. Although the act went into effect March 29, 2023, the FDA intends to work collaboratively with sponsors submitting before the October date rather than issue RTA decisions at this time.
Achieving Transparency with SBOMs
For the uninitiated, SBOMs are machine-readable inventories of software components akin to an ingredients list….