From medical devices in the US to laptops in the EU, SBOM (software bill of materials) requirements are popping up everywhere. Software inventories are now a requirement for compliance with the FDA, PCI DSS 4.0, and, soon, the CRA (Cyber Resilience Act). The stakes are high, as companies that don’t meet requirements may be kept from bringing their products to market and face steep fines.
IT, compliance, and security teams need to be able to supply SBOMs in order to meet these new compliance requirements. But, typically, the work to produce SBOMs ends up on a developer’s desk. And the last thing developers need is another time-sink that slows them down and creates more headaches.
Here's what it often looks like:
- Developers spending hours wrangling spreadsheets
- Manual updates for each new version of your product
- SBOMs that are outdated almost as soon as they're created
Sound familiar? Manual SBOM creation, spreadsheet acrobatics, and constant updates to keep up with your ever-changing codebase are nobody's idea of a good time.
Companies need a way to meet SBOM requirements without bogging down developers or wasting days on data wrangling. That's why we're excited to introduce FOSSA’s new SBOM Management add-on — a simple, painless way to create, update, and share SBOMs that meet regulatory requirements.
SBOM Compliance on Autopilot
FOSSA's SBOM Management makes it easy to meet new and emerging requirements for software inventory reporting without tying up your developers. Here's what that means for you:
- Reduce your risk of go-to-market delays due to compliance hiccups
- Avoid those nasty unexpected fines
- Free up your developers to do what they do best: build amazing software
There are three key features of FOSSA’s SBOM Management add-on that help to simplify SBOM compliance:
- Application-Level SBOM Generation: No more piecing together information from multiple repositories. Create comprehensive SBOMs that represent your entire application with just a few clicks.
- Automatic VEX (Vulnerability Exploitability Exchange) Annotation: Keep vulnerability information up-to-date without manual intervention. Our system automatically enriches your SBOMs with the latest vulnerability data, saving you countless hours of research and updates.
- Secure SBOM Sharing: Our white-labeled distribution portal lets you control access to SBOMs and vulnerability information that is always up to date.
Together, these features help you easily meet FDA, CRA, PCI DSS 4.0, and NTIA requirements. You’ll be able to reduce time spent on compliance tasks, enhance the accuracy and completeness of your SBOMs, maintain continuous audit readiness, and keep your development process streamlined with fewer compliance bottlenecks.
Here’s how FOSSA’s SBOM Management makes compliance straightforward and efficient.
Generate Application-Level SBOMs
Most tools used today for software composition analysis and SBOM generation only provide software inventories at the repository level. However, a single product typically spans multiple repositories. This often leads to incomplete or cobbled-together SBOMs that fail to provide a comprehensive view of the entire application, complicating compliance efforts.
FOSSA addresses this challenge by allowing you to consolidate multiple repositories into release groups, ensuring you capture a complete picture of your software’s open source components, dependencies, and vulnerabilities.
From the projects screen, simply select the projects that make up your application and add them to a release group. Now you can easily create an application-level SBOM and surface any vulnerabilities associated with your product.
Automatic VEX Annotations
Vulnerability information is constantly evolving, making it a challenge to maintain up-to-date reports on your software's affected status. Manually tracking and reporting on hundreds of potential vulnerabilities can be incredibly time-consuming and error-prone.
FOSSA simplifies this process with automatic VEX annotations. When you triage your security issues, any decisions you make — such as ignoring a vulnerability because you’ve already made in-line mitigations — are automatically recorded and stored.
From the issues screen, select a vulnerability, then click ‘ignore.’ Here you will be able to select from a list of NTIA-compliant affected statuses to communicate why this vulnerability does not impact your product. Once complete, this information automatically populates your application-level SBOM.
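To make the two steps above concrete, here is an added example (not FOSSA code, and not a description of FOSSA's export format) that assembles an application-level component list from several repo-level inventories and attaches triage decisions as VEX statements. The repo inventories, component versions and the `VULN-EXAMPLE-*` identifiers are constructed placeholders; the status and justification vocabulary is the CISA VEX minimum-elements set (`not_affected`, `affected`, `fixed`, `under_investigation` plus the five `not_affected` justifications), and the check that a `not_affected` status carries a justification and an `affected` status carries an action statement is the consistency rule a downstream consumer would apply.

```python
"""Application-level SBOM assembly with VEX annotations.

Added illustration, not FOSSA code. Repo-level inventories are constructed
CycloneDX-style dicts; the VEX vocabulary follows the CISA minimum elements
(status + justification); the output layout is this example's own.
"""
import json
from datetime import datetime, timezone

# Constructed repo-level inventories (one per repository in the release group).
REPO_SBOMS = {
    "web-frontend": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "react", "version": "18.2.0", "purl": "pkg:npm/react@18.2.0"},
    ],
    "api-service": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
}

# Constructed triage decisions; vulnerability ids are placeholders, not real CVEs.
TRIAGE_DECISIONS = [
    {"vuln_id": "VULN-EXAMPLE-001", "purl": "pkg:npm/lodash@4.17.20",
     "status": "not_affected", "justification": "inline_mitigations_already_exist",
     "detail": "Untrusted input is sanitised before it reaches the affected function."},
    {"vuln_id": "VULN-EXAMPLE-002",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "status": "under_investigation"},
]

VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# CISA VEX status justifications; only meaningful for not_affected.
VEX_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def merge_release_group(repo_sboms):
    """Collapse repo-level inventories into one application-level component list.

    Components are de-duplicated by purl; each keeps the repositories it was
    found in so an auditor can trace a component back to its source.
    """
    merged = {}
    for repo, components in sorted(repo_sboms.items()):
        for comp in components:
            entry = merged.setdefault(comp["purl"], {**comp, "found_in": []})
            entry["found_in"].append(repo)
    return list(merged.values())


def make_vex_statement(vuln_id, purl, status, justification=None, detail=None):
    """Turn one triage decision into a VEX statement, enforcing the minimum elements."""
    if status not in VEX_STATUSES:
        raise ValueError(f"unknown VEX status: {status}")
    if status == "not_affected" and justification not in VEX_JUSTIFICATIONS:
        raise ValueError("not_affected requires a recognised justification")
    if status == "affected" and not detail:
        raise ValueError("affected requires an action statement")
    stmt = {"vulnerability": vuln_id, "product": purl, "status": status,
            "timestamp": datetime.now(timezone.utc).isoformat()}
    if justification:
        stmt["justification"] = justification
    if detail:
        stmt["action_statement" if status == "affected" else "detail"] = detail
    return stmt


def build_application_sbom(name, version, repo_sboms, triage_decisions):
    """Application-level SBOM: merged components plus VEX statements that
    must reference a component actually present in the application."""
    components = merge_release_group(repo_sboms)
    known = {c["purl"] for c in components}
    vex = []
    for decision in triage_decisions:
        if decision["purl"] not in known:
            raise ValueError(f"triage decision references unknown component {decision['purl']}")
        vex.append(make_vex_statement(**decision))
    return {"application": {"name": name, "version": version},
            "components": components, "vex": vex}


if __name__ == "__main__":
    print(json.dumps(build_application_sbom("shop", "1.0.0", REPO_SBOMS, TRIAGE_DECISIONS), indent=2))
```

The merge keeps a `found_in` list rather than silently dropping duplicates, which is what lets a reviewer answer "which repository pulled this in?" during an audit; the VEX builder refuses a `not_affected` claim without a justification, so a triage shortcut cannot produce a statement that a consumer would reject.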
Private Distribution Portal
Sharing SBOMs today is often done via email or cloud drives, which means the information is typically out of date as soon as it's received. Additionally, the sensitive nature of SBOMs demands stringent security controls to protect your data.
FOSSA provides a private distribution portal to address these challenges. From the SBOM screen, you can publish your SBOM directly to this secure portal, ensuring that your counterparties always have access to the latest information.
You can create time-based access tokens to control how long your downstream counterparties can view the SBOM, adding an extra layer of security. Additionally, you can customize the portal to match your company's branding, maintaining a professional and cohesive look.
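The time-limited access described above can be illustrated with a small added example; this is not FOSSA's portal code and the token format is this example's own assumption. A signing secret held by the portal issues a token bound to one SBOM identifier and one counterparty with an expiry, and verification rejects a tampered body, a token presented for a different SBOM, and a token whose expiry has passed. The secret, SBOM identifier and counterparty name are constructed values.

```python
"""Expiring, tamper-evident access tokens for SBOM downloads.

Added illustration, not FOSSA code: an HMAC-SHA256 token whose payload names
the SBOM, the counterparty and an expiry time. Values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed portal secret; a real deployment would load this from a secret store.
PORTAL_SECRET = b"constructed-portal-signing-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, sbom_id: str, counterparty: str, ttl_seconds: int, now=None) -> str:
    """Return '<payload>.<signature>' valid for ttl_seconds from now."""
    issued = time.time() if now is None else now
    payload = {"sbom": sbom_id, "sub": counterparty, "exp": int(issued + ttl_seconds)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(secret: bytes, token: str, sbom_id: str, now=None):
    """Return the payload if the token is authentic, bound to sbom_id and unexpired; else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # signature mismatch: body was altered or signed elsewhere
        payload = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if payload.get("sbom") != sbom_id:
        return None  # token issued for a different SBOM
    current = time.time() if now is None else now
    if current >= payload.get("exp", 0):
        return None  # access window has closed
    return payload


if __name__ == "__main__":
    tok = issue_token(PORTAL_SECRET, "sbom-shop-1.0.0", "acme-corp", ttl_seconds=3600)
    print(tok)
    print(verify_token(PORTAL_SECRET, tok, "sbom-shop-1.0.0"))
```

Checking the signature before decoding the payload means untrusted bytes are never parsed, and binding the token to a specific SBOM identifier stops a token issued for one product from unlocking another on the same portal.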
Meeting Regulatory Requirements
FOSSA's SBOM Management is designed to help you meet specific regulatory requirements from the FDA, PCI DSS, and others. Let’s explore the specific regulatory requirements that FOSSA supports.
FDA Cybersecurity Requirements for Medical Devices
The FDA requires medical device manufacturers to provide an SBOM that inventories commercial, open source, and off-the-shelf software components. This requirement applies to submissions — including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) — for any device that includes software, connects to the internet, and could be vulnerable to cybersecurity threats.
Here’s how FOSSA’s SBOM management add-on supports several key FDA SBOM requirements:
PCI DSS 4.0 Software Inventory Requirement
PCI DSS 4.0 (and the new PCI DSS 4.0.1) requires an inventory of custom and third-party software components to facilitate vulnerability management and remediation. These requirements take effect on March 31, 2025.
Here’s how FOSSA supports the key software inventory requirements of PCI DSS 4.0:
EU Cyber Resilience Act (CRA)
The CRA SBOM requirements are expected to come into effect in 2027. While the final details are still being determined, the current draft proposes manufacturers draw up an SBOM in a commonly used format covering at the very least the top-level dependencies of the product.
Here’s how FOSSA supports the expected CRA SBOM requirements:
U.S. Government Cybersecurity Executive Order 14028
The Executive Order requires vendors selling to federal government agencies to provide an SBOM for each product directly or by publishing it on a public website.
Here’s how FOSSA supports the SBOM requirements for vendors selling to federal government agencies:
The Bottom Line: SBOM Compliance Without the Headache
Whether you're bringing medical devices to market, securing payment systems, or selling software to government agencies, FOSSA simplifies your SBOM compliance process. Request a demo to see SBOM Management in action, and learn how you can automate compliance while reducing development bottlenecks.