Is your SBOM FDA-ready?
12 questions every medical device team should answer before attaching an SBOM to a 510(k) submission. The same questions FDA reviewers will ask first.
- Two pages. Read it before your next stand-up.
- Reviewer-grade. Mapped to FDA premarket cybersecurity guidance and Section 524B.
- Hand-written. By a team that works on medical device SBOMs every day.
12 questions. Two pages. That's it.
Every question is one a reviewer might ask before clearing your submission. If your answer is “not yet” on more than two, your SBOM probably isn't ready.
Question 1. Is your SBOM in a standard machine-readable format (CycloneDX or SPDX) the FDA can ingest?
Question 2. Have you included transitive dependencies, not just top-level packages?
Question 3. Does every component have a supplier name, exact version, and unique identifier?
Question 4. Have you cross-referenced each component against more than one vulnerability database (such as NVD or OSV)?
Question 5. Is the SBOM dated and tied to a specific build of the firmware you are submitting?
Question 6. Have you justified the inclusion of any unsupported or end-of-life components?
Question 7. Does each Critical and High finding have a documented decision and rationale?
Question 8. Have you mapped known-exploited vulnerabilities (CISA KEV) to your components?
Question 9. Have you described how the SBOM will be maintained post-market under Section 524B?
Question 10. Is there a continuous process for monitoring and disclosing new vulnerabilities?
Question 11. Have you addressed cryptographic posture and licence compliance per component?
Question 12. Is the SBOM internally consistent with your threat model and risk assessment?
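Questions 1, 2, 3 and 5 can be checked mechanically before a human ever looks at the file. The script below is an added example written for this page, not Threat Detective's tooling: it takes a CycloneDX JSON document and reports, per question, what a reviewer would flag. The sample SBOM embedded at the bottom is constructed for the example (the product name, component names and serial number are placeholders) and deliberately contains two gaps: a component with no supplier and a dependency edge pointing at a component that was never declared, which is the usual fingerprint of a top-level-only SBOM.

```python
"""Pre-flight checks for a CycloneDX JSON SBOM against checklist questions 1, 2, 3 and 5.

Added example, not the page's or the vendor's own code. Assumes CycloneDX JSON
(bomFormat / specVersion / metadata / components / dependencies) as published in
the CycloneDX 1.4+ schema.
"""
import json
from datetime import datetime

KNOWN_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}


def check_sbom(doc: dict) -> dict[str, list[str]]:
    """Return findings keyed by checklist question; an empty list means the check passed."""
    findings: dict[str, list[str]] = {"Q1": [], "Q2": [], "Q3": [], "Q5": []}

    # Q1: a standard machine-readable format a reviewer's tooling can ingest.
    if doc.get("bomFormat") != "CycloneDX":
        findings["Q1"].append("bomFormat is not CycloneDX")
    if doc.get("specVersion") not in KNOWN_SPEC_VERSIONS:
        findings["Q1"].append(f"unrecognised specVersion {doc.get('specVersion')!r}")

    components = doc.get("components", [])
    root = doc.get("metadata", {}).get("component", {})
    declared_refs = {c["bom-ref"] for c in components if c.get("bom-ref")}
    if root.get("bom-ref"):
        declared_refs.add(root["bom-ref"])

    # Q3: supplier name, exact version and a unique identifier (purl or cpe) per component.
    for c in components:
        label = c.get("name", "<unnamed>")
        if not c.get("supplier", {}).get("name"):
            findings["Q3"].append(f"{label}: missing supplier.name")
        version = c.get("version", "")
        if not version or any(ch in version for ch in "^~*<>"):
            findings["Q3"].append(f"{label}: version {version!r} is not an exact version")
        if not (c.get("purl") or c.get("cpe")):
            findings["Q3"].append(f"{label}: no purl or cpe identifier")
        if not c.get("bom-ref"):
            findings["Q3"].append(f"{label}: no bom-ref, so it cannot appear in the dependency graph")

    # Q2: transitive dependencies. Every ref named in dependsOn must be a declared
    # component, and at least one non-root component must declare children of its own;
    # a graph where only the root has children is the classic top-level-only SBOM.
    non_root_with_children = 0
    for d in doc.get("dependencies", []):
        for child in d.get("dependsOn", []):
            if child not in declared_refs:
                findings["Q2"].append(f"{d.get('ref')} depends on undeclared ref {child}")
        if d.get("ref") != root.get("bom-ref") and d.get("dependsOn"):
            non_root_with_children += 1
    if components and non_root_with_children == 0:
        findings["Q2"].append("no component declares its own dependencies; transitive deps likely missing")

    # Q5: dated and tied to a specific build of the submitted firmware.
    ts = doc.get("metadata", {}).get("timestamp")
    valid_ts = False
    if isinstance(ts, str):
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
            valid_ts = True
        except ValueError:
            pass
    if not valid_ts:
        findings["Q5"].append("metadata.timestamp missing or not ISO 8601")
    if not root.get("version"):
        findings["Q5"].append("metadata.component.version (the firmware build) is missing")
    if not doc.get("serialNumber"):
        findings["Q5"].append("serialNumber missing; the SBOM cannot be uniquely referenced")
    return findings


# Constructed sample SBOM: names and the urn:uuid serial are placeholders, not a real device.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "component": {"type": "firmware", "name": "example-pump-fw",
                      "version": "3.2.1+build.77", "bom-ref": "root"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/tls-lib@1.2.0", "name": "tls-lib",
         "version": "1.2.0", "supplier": {"name": "Example TLS Vendor"},
         "purl": "pkg:generic/tls-lib@1.2.0"},
        # No supplier on this one: triggers a Q3 finding.
        {"type": "library", "bom-ref": "pkg:generic/json-parse@0.9", "name": "json-parse",
         "version": "0.9", "purl": "pkg:generic/json-parse@0.9"},
    ],
    "dependencies": [
        {"ref": "root", "dependsOn": ["pkg:generic/tls-lib@1.2.0", "pkg:generic/json-parse@0.9"]},
        # tls-lib pulls in crypto-core, which was never declared: triggers a Q2 finding.
        {"ref": "pkg:generic/tls-lib@1.2.0", "dependsOn": ["pkg:generic/crypto-core@2.0"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

Run it against a real SBOM by loading the file with `json.load` and passing the result to `check_sbom`. The checks are intentionally structural: they tell you whether the data a reviewer needs is present and consistent, not whether it is true, so a clean run is a precondition for the remaining questions rather than a substitute for them.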

“These are the questions I run through whenever I review a customer’s SBOM, or get on a call with one. Same ones come up every time.”
Alan Parkinson, Founder, Threat Detective
Written for the people who actually file the 510(k).
Regulatory leads assembling the cybersecurity sections of an eSTAR. Use the checklist to pressure-test what your engineering team handed you before it reaches a reviewer.
Software and security engineers generating SBOMs from CI. Know which fields and processes an FDA submission expects, beyond what your scanner outputs by default.
QA, RA, and consultancy teams reviewing client submissions. Use it as an interview script that surfaces gaps faster than a 60-page guidance document.
Find the gaps before a reviewer does.
The checklist lands in your inbox in under a minute. Forward it to the rest of your submission team.