From medical devices in the US to laptops in the EU, SBOM (software bill of materials) requirements are popping up everywhere. Software inventories are now a requirement for compliance with the FDA, PCI DSS 4.0, and, soon, the CRA (Cyber Resilience Act). The stakes are high, as companies that don’t meet requirements may be kept from bringing their products to market and face steep fines.

IT, compliance, and security teams need to be able to supply SBOMs in order to meet these new compliance requirements. But, typically, the work to produce SBOMs ends up on a developer’s desk. And the last thing developers need is another time-sink that slows them down and creates more headaches. 

Here's what it often looks like:

  • Developers spending hours wrangling spreadsheets
  • Manual updates for each new version of your product
  • SBOMs that are outdated almost as soon as they're created

Sound familiar? Manual SBOM creation, spreadsheet acrobatics, and constant updates to keep up with your ever-changing codebase are nobody's idea of a good time.

Companies need a way to meet SBOM requirements without bogging down developers or wasting days on data wrangling. That's why we're excited to introduce FOSSA’s new SBOM Management add-on — a simple, painless way to create, update, and share SBOMs that meet regulatory requirements.

SBOM Compliance on Autopilot

FOSSA's SBOM Management makes it easy to meet new and emerging requirements for software inventory reporting without tying up your developers. Here's what that means for you:

  • Reduce your risk of go-to-market delays due to compliance hiccups
  • Avoid those nasty unexpected fines
  • Free up your developers to do what they do best: build amazing software

There are three key features of FOSSA’s SBOM Management add-on that help to simplify SBOM compliance: 

  1. Application-Level SBOM Generation: No more piecing together information from multiple repositories. Create comprehensive SBOMs that represent your entire application with just a few clicks.
  2. Automatic VEX (Vulnerability Exploitability Exchange) Annotation: Keep vulnerability information up-to-date without manual intervention. Our system automatically enriches your SBOMs with the latest vulnerability data, saving you countless hours of research and updates.
  3. Secure SBOM Sharing: Our white-labeled distribution portal lets you control access to SBOMs and vulnerability information that is always up to date.

Together, these features help you easily meet FDA, CRA, PCI DSS 4.0, and NTIA requirements. You’ll be able to reduce time spent on compliance tasks, enhance the accuracy and completeness of your SBOMs, maintain continuous audit readiness, and keep your development process streamlined with fewer compliance bottlenecks.

Here’s how FOSSA’s SBOM Management makes compliance straightforward and efficient.

Generate Application-Level SBOMs

Most tools used today for software composition analysis and SBOM generation only provide software inventories at the repository level. However, a single product typically spans multiple repositories. This often leads to incomplete or cobbled-together SBOMs that fail to provide a comprehensive view of the entire application, complicating compliance efforts. 

FOSSA addresses this challenge by allowing you to consolidate multiple repositories into release groups, ensuring you capture a complete picture of your software’s open source components, dependencies, and vulnerabilities. 

From the projects screen, simply select the projects that make up your application and add them to a release group. Now you can easily create an application-level SBOM and surface any vulnerabilities associated with your product.

Automatic VEX Annotations

Vulnerability information is constantly evolving, making it a challenge to maintain up-to-date reports on your software's affected status. Manually tracking and reporting on hundreds of potential vulnerabilities can be incredibly time-consuming and error-prone.

FOSSA simplifies this process with automatic VEX annotations. When you triage your security issues, any decisions you make — such as ignoring a vulnerability because you’ve already made in-line mitigations — are automatically recorded and stored.

From the issues screen, select a vulnerability, then click ‘ignore.’ You can then choose from a list of NTIA-compliant affected statuses to communicate why this vulnerability does not impact your product. Once complete, this information automatically populates your application-level SBOM.
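The release-group consolidation and VEX annotation workflow described in the two sections above, as an added Python example that is not FOSSA's code: it merges two constructed repository-level CycloneDX SBOMs into one application-level SBOM, records a triage decision as a CycloneDX `analysis` entry (refusing a `not_affected` claim that carries no justification), and flags components that lack an NTIA minimum element. The component names, versions, and purls are constructed sample data.

```python
# Added example (not FOSSA's code): consolidate repository-level CycloneDX SBOMs into one
# application-level SBOM, then record triage decisions as CycloneDX VEX "analysis" entries.
from datetime import datetime, timezone

# Analysis states, and the justifications CycloneDX expects alongside "not_affected".
STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
          "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}

# Constructed input: one SBOM per repo of the same product; zlib lacks a supplier on purpose.
REPO_SBOMS = [
    {"components": [{"name": "libfoo", "version": "1.2.0", "purl": "pkg:npm/libfoo@1.2.0",
                     "supplier": {"name": "Foo Org"}}]},
    {"components": [{"name": "libfoo", "version": "1.2.0", "purl": "pkg:npm/libfoo@1.2.0",
                     "supplier": {"name": "Foo Org"}},
                    {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"}]},
]

def merge_application_sbom(repo_sboms, app_name, author):
    """Release-group style merge: deduplicate components across repos by purl."""
    seen = {}
    for sbom in repo_sboms:
        for comp in sbom["components"]:
            seen.setdefault(comp["purl"], {**comp, "bom-ref": comp["purl"]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(),
                         "authors": [{"name": author}], "component": {"name": app_name}},
            "components": list(seen.values()), "vulnerabilities": []}

def annotate_vex(sbom, vuln_id, purl, state, justification=None, detail=""):
    """Attach a triage decision to the SBOM; a not_affected claim must carry a justification."""
    if state not in STATES:
        raise ValueError(f"unknown analysis state: {state}")
    if state == "not_affected" and justification not in JUSTIFICATIONS:
        raise ValueError("not_affected requires a CycloneDX justification")
    analysis = {"state": state, "detail": detail}
    if justification:
        analysis["justification"] = justification
    sbom["vulnerabilities"].append({"id": vuln_id, "affects": [{"ref": purl}],
                                    "analysis": analysis})
    return sbom

def missing_ntia_elements(sbom):
    """List components lacking an NTIA minimum element (supplier, name, version, identifier)."""
    return [c["purl"] for c in sbom["components"]
            if any(not c.get(k) for k in ("supplier", "name", "version", "purl"))]
```

The vulnerability id used below is a placeholder, not a real CVE.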

Private Distribution Portal

Sharing SBOMs today is often done via email or cloud drives, which means the information is typically out of date as soon as it's received. Additionally, the sensitive nature of SBOMs demands stringent security controls to protect your data.

FOSSA provides a private distribution portal to address these challenges. From the SBOM screen, you can publish your SBOM directly to this secure portal, ensuring that your counterparties always have access to the latest information.

You can create time-based access tokens to control how long your downstream counterparties can view the SBOM, adding an extra layer of security. Additionally, you can customize the portal to match your company's branding, maintaining a professional and cohesive look.

Meeting Regulatory Requirements

FOSSA's SBOM Management is designed to help you meet specific regulatory requirements from the FDA, PCI DSS, and others. Let’s explore the specific regulatory requirements that FOSSA supports.

FDA Cybersecurity Requirements for Medical Devices

The FDA requires medical device manufacturers to provide an SBOM that inventories commercial, open source, and off-the-shelf software components. This requirement applies to submissions — including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, and Humanitarian Device Exemption (HDE) — for any device that includes software, connects to the internet, and could be vulnerable to cybersecurity threats.

Here’s how FOSSA’s SBOM management add-on supports several key FDA SBOM requirements:

| FDA SBOM Requirement | FOSSA Solution |
|---|---|
| An NTIA-compliant SBOM | Comprehensive SBOMs with NTIA minimum elements covering all open source software components |
| Vulnerability assessment | Vulnerability information, along with automated VEX annotations to communicate the current status of associated vulnerabilities |
| Component end-of-life and level-of-support information | Support information showing whether projects are actively maintained |

PCI DSS 4.0 Software Inventory Requirement

PCI DSS 4.0 (and the new PCI DSS 4.0.1) requires an inventory of custom and third-party software components to facilitate vulnerability management and remediation. These requirements take effect on March 31, 2025.

Here’s how FOSSA supports the key software inventory requirements of PCI DSS 4.0: 

| PCI DSS 4.0 Requirement | FOSSA Solution |
|---|---|
| Inventory of all custom and third-party software components | Application-level SBOMs that include all third-party libraries |
| Identification of software components that are subject to vulnerabilities | Real-time vulnerability updates with VEX annotations |
| Facilitation of vulnerability management and remediation | Continuous vulnerability monitoring and guided remediation |
| Regular updates to maintain an accurate inventory | Continuous monitoring to ensure the software inventory remains current and accurate |

EU Cyber Resilience Act (CRA)

The CRA SBOM requirements are expected to come into effect in 2027. While the final details are still being determined, the current draft proposes manufacturers draw up an SBOM in a commonly used format covering at the very least the top-level dependencies of the product.

Here’s how FOSSA supports the expected CRA SBOM requirements:

| CRA SBOM Requirement | FOSSA Solution |
|---|---|
| SBOM in a commonly used format (e.g., SPDX, CycloneDX) | Application-level SBOMs in industry-standard formats (CycloneDX and SPDX) |
| Coverage of top-level dependencies at minimum | Comprehensive coverage of all dependencies, including top-level ones |
| Provision of SBOM upon request to authorities | Private distribution portal to securely share SBOMs with authorities |

U.S. Government Cybersecurity Executive Order 14028

The Executive Order requires vendors selling to federal government agencies to provide an SBOM for each product directly or by publishing it on a public website.

Here’s how FOSSA supports the SBOM requirements for vendors selling to federal government agencies:

| EO 14028 Requirement | FOSSA Solution |
|---|---|
| SBOM with NTIA minimum elements for each software product | Application-level SBOMs that include NTIA minimum elements |
| Use of one of three SBOM data formats: SPDX, CycloneDX, or SWID | Support for both CycloneDX and SPDX |
| Ability to generate and provide SBOMs to federal purchasers | Continuous updates to ensure the most current information is always available |
| Mechanism for sharing SBOMs securely with relevant parties | Private distribution portal for sharing SBOMs with government purchasers |

The Bottom Line: SBOM Compliance Without the Headache

Whether you're bringing medical devices to market, securing payment systems, or selling software to government agencies, FOSSA simplifies your SBOM compliance process. Request a demo to see SBOM Management in action, and learn how you can automate compliance while reducing development bottlenecks.