Example #3: Missing Software Bill of Materials (SBOM)

By Robert Rajewski, President, CriTech Research, Inc.

Here’s this week’s example of an Additional Information Request (AI Request):

FDA Additional Information Request – Example #3: Missing Software Bill of Materials (SBOM)

Based on the information provided in your submission, your device meets the definition of a cyber device under section 524B(c) of the Federal Food, Drug, and Cosmetic (FD&C) Act.

However, you did not provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components as required by section 524B(b)(3) of the FD&C Act.

Therefore, please provide an SBOM. When responding, please be sure it is consistent with an industry accepted format or best practice, such as those described in the minimum elements (also referred to as “baseline attributes”) identified in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document, “https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf”.

In this example, the FDA discovered that a Software Bill of Materials (SBOM) was not included in the submission.

SBOMs are a critical part of the cybersecurity documentation for a cyber device, and FDA will not approve a submission that lacks one.

FDA's guidance directs sponsors to be consistent with NTIA's minimum elements when creating the SBOM. The NTIA document defines the baseline data fields every SBOM entry must carry (supplier name, component name, component version, other unique identifiers, dependency relationship, author of the SBOM data, and a timestamp), the machine-readable formats that support automation (SPDX, CycloneDX, and SWID tags), and the practices for generating, distributing, and updating the SBOM.
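As an added illustration (not code from CriTech, FDA, or NTIA), the script below checks a CycloneDX JSON SBOM for the NTIA baseline attributes before it goes into a submission. It assumes CycloneDX 1.4 field names; the two sample SBOMs, the device and vendor names in them, and the function name check_ntia_minimum_elements are all constructed for this example. The dependency-relationship check treats a component as covered only when it appears as a ref in the dependencies graph, which is one reasonable reading of that element rather than a rule from the NTIA text.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum-element data fields.

Hypothetical stand-alone checker written for this article; it is not a
CriTech, FDA, or NTIA tool.  The seven NTIA data fields are: supplier name,
component name, component version, other unique identifiers, dependency
relationship, author of SBOM data, and timestamp.  CycloneDX field names
are the real spec's; the sample SBOMs at the bottom are constructed.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime


def _has_text(value) -> bool:
    """True for a non-empty string (an empty version or name is a gap)."""
    return isinstance(value, str) and value.strip() != ""


def check_ntia_minimum_elements(sbom: dict) -> list[str]:
    """Return a list of findings; an empty list means every element is present."""
    findings: list[str] = []
    meta = sbom.get("metadata", {})

    # Author of SBOM data: CycloneDX records it as metadata.authors (people
    # or organizations) or metadata.tools (the generator that produced it).
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata: missing SBOM author (metadata.authors or metadata.tools)")

    # Timestamp: must exist and be parseable ISO 8601.
    ts = meta.get("timestamp")
    if not _has_text(ts):
        findings.append("metadata: missing timestamp")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"metadata: timestamp {ts!r} is not ISO 8601")

    # Dependency relationship: every component should appear as a 'ref' in the
    # dependencies graph.  An empty dependsOn list is a valid statement
    # ("depends on nothing"); absence from the graph is an unknown relationship.
    declared_refs = {d.get("ref") for d in sbom.get("dependencies", [])}

    components = sbom.get("components", [])
    if not components:
        findings.append("components: SBOM lists no components")

    for idx, comp in enumerate(components):
        label = comp.get("name") or f"component[{idx}]"
        if not _has_text(comp.get("name")):
            findings.append(f"{label}: missing component name")
        if not _has_text(comp.get("version")):
            findings.append(f"{label}: missing version")
        # Supplier name: CycloneDX supplier.name, with publisher as a fallback.
        supplier = (comp.get("supplier") or {}).get("name")
        if not _has_text(supplier) and not _has_text(comp.get("publisher")):
            findings.append(f"{label}: missing supplier name")
        # Unique identifier: purl, CPE, or SWID tagId.  A bom-ref is only
        # meaningful inside this document, so it does not satisfy the element.
        swid_id = (comp.get("swid") or {}).get("tagId")
        if not any(_has_text(v) for v in (comp.get("purl"), comp.get("cpe"), swid_id)):
            findings.append(f"{label}: missing unique identifier (purl, cpe or swid)")
        ref = comp.get("bom-ref")
        if not _has_text(ref):
            findings.append(f"{label}: missing bom-ref, so no dependency relationship can be stated")
        elif ref not in declared_refs:
            findings.append(f"{label}: no entry in dependencies[] (dependency relationship unknown)")
    return findings


# Constructed sample: carries every NTIA element, so the checker returns no findings.
COMPLETE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {
        "timestamp": "2024-01-15T10:30:00Z",
        "authors": [{"name": "Example Device Co. Product Security"}],  # constructed
        "component": {"type": "application", "name": "pump-controller",
                      "version": "2.1.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "bom-ref": "zlib", "name": "zlib", "version": "1.2.13",
         "supplier": {"name": "zlib contributors"}, "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "operating-system", "bom-ref": "rtos", "name": "ExampleRTOS",
         "version": "4.2", "supplier": {"name": "Example RTOS Vendor"},  # constructed
         "cpe": "cpe:2.3:o:example:examplertos:4.2:*:*:*:*:*:*:*"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["zlib", "rtos"]},
        {"ref": "zlib", "dependsOn": []},
        {"ref": "rtos", "dependsOn": []},
    ],
}

# Constructed sample with the gaps an FDA reviewer would flag: no timestamp, a
# component with no version and no supplier, and a component with no
# identifier that is absent from the dependency graph.
INCOMPLETE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"authors": [{"name": "Example Device Co. Product Security"}]},
    "components": [
        {"type": "library", "bom-ref": "openssl", "name": "openssl",
         "purl": "pkg:generic/openssl"},
        {"type": "library", "bom-ref": "curl", "name": "curl", "version": "8.4.0",
         "supplier": {"name": "curl project"}},
    ],
    "dependencies": [{"ref": "openssl", "dependsOn": []}],
}


if __name__ == "__main__":
    # Usage: python sbom_check.py path/to/bom.json   (no path: run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("\n".join(check_ntia_minimum_elements(json.load(fh))) or "OK")
    else:
        for name, doc in (("complete", COMPLETE_SBOM), ("incomplete", INCOMPLETE_SBOM)):
            print(name + ":", "\n  ".join([""] + check_ntia_minimum_elements(doc)) or " OK")
```

Run it against the real SBOM before submission; an empty findings list means the document at least carries every baseline attribute, which is the bar the AI Request above sets, though it says nothing about whether the component list itself is accurate.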

Please follow us to see more examples of AI Requests – a new one is released every week. 

Should you receive an Additional Information Request from the FDA, including one related to the software in your submission, CriTech is here to help. Give us a call any time to discuss, and we'll help you craft your response and plan what to do going forward.

Follow us on LinkedIn to find out when the next example in our FDA AIRs series is released.