In the wake of increasing software supply chain security concerns—and on the heels of the Biden Administration’s Cybersecurity Executive Order 14028—the FDA published a series of new regulations and recommendations for medical device manufacturers.
These include providing a software bill of materials (SBOM) and SBOM-related information in premarket submissions, as well as ensuring device lifecycle management through comprehensive trust and security measures like DigiCert Device Trust Manager.
The high stakes involved in managing these requirements—the FDA has right-of-refusal authority for incomplete or inaccurate submissions—have forced many device manufacturers to rethink their cybersecurity and software transparency tools and processes.
DigiCert, a leader in digital trust, and Software Composition Analysis/SBOM management platform FOSSA have come together to make managing FDA cybersecurity compliance much faster, easier, and more scalable. Our joint offering gives device manufacturers the capabilities they need to meet FDA requirements, from SBOM and vulnerability management to device trust and authentication.
“We’re excited to partner with DigiCert,” said FOSSA VP of Technology Partnerships and Founding Team Member Carlos Cheung. “This collaboration enhances organizations’ ability to maintain trust across their software supply chains. By integrating DigiCert’s verification and trust solutions with FOSSA’s solutions, developers can address vulnerabilities in real time, ensuring faster responses to security threats and more efficient communication with end customers. This partnership allows teams to streamline FDA compliance and align with the latest security expectations.”
“At DigiCert, we’re committed to helping manufacturers build trusted medical devices. By joining forces with FOSSA, we’re giving organizations a powerful way to meet FDA requirements, strengthen supply chain security, and deliver safer patient outcomes,” said Tranel Hawkins, Director of Tech and Strategic Partnerships at DigiCert.
A leading global manufacturer of connected medical devices has chosen DigiCert Device Trust Manager to manage the trust, security, and lifecycle of their devices. This includes ensuring that each device is properly authenticated, secured, and continuously monitored, helping the manufacturer meet FDA regulations while delivering critical healthcare services. According to the manufacturer’s head of product security, “DigiCert’s commitment to healthcare security and flexibility helps us create Digital Trust that harmonizes our different solutions, ensuring the highest levels of security and compliance.”
In addition to producing SBOMs in specified formats and with specified data fields, device manufacturers must provide end-of-life (EOL) and end-of-support (EOS) information for each software component as part of their premarket submissions.
Additionally, device manufacturers are required to disclose the known vulnerabilities associated with the components in their SBOMs, along with the mitigations for those vulnerabilities, of the kind one would record in a VEX (Vulnerability Exploitability eXchange) document.
The FDA’s new requirements pose significant challenges, as multiple product teams must create SBOMs that conform to a unified data schema. The diverse range of tools, programming languages, software artifacts, and formats complicates data normalization for both internal product security teams and FDA review boards.
FOSSA’s SBOM Management platform enables organizations to generate, ingest, combine, monitor, and share SBOMs to satisfy FDA requirements. The platform also has capabilities for enriching SBOMs with level-of-support/end-of-life information and producing vulnerability/VEX assessments along with post-market monitoring.
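To make the normalization and enrichment problem described above concrete, here is an added example (not DigiCert's or FOSSA's code) that merges component records exported by two product teams in different shapes into one schema, attaches end-of-life/end-of-support dates, and emits VEX-style statements. The team exports, support dates, the `VULN-EXAMPLE-1` identifier and the analysis text are all constructed sample data.

```python
# Added example, not DigiCert's or FOSSA's code: merge SBOM component records
# exported by two product teams in different shapes into one unified schema,
# enrich each with EOL/EOS dates, and attach VEX-style statements. All data
# below is constructed sample data.
from datetime import date

# Team A exports CycloneDX-style keys; Team B exports SPDX-style keys.
TEAM_A = [{"name": "openssl", "version": "1.1.1w"},
          {"name": "zlib", "version": "1.3.1"}]
TEAM_B = [{"PackageName": "openssl", "PackageVersion": "1.1.1w"},
          {"PackageName": "libxml2", "PackageVersion": "2.12.6"}]
# Constructed vendor support data: (end_of_life, end_of_support) per version.
SUPPORT = {("openssl", "1.1.1w"): (date(2023, 9, 11), date(2023, 9, 11))}

# Constructed vulnerability feed and product-security analysis;
# "VULN-EXAMPLE-1" is a placeholder identifier, not a real advisory.
VULNS = {("openssl", "1.1.1w"): ["VULN-EXAMPLE-1"]}
ANALYSIS = {"VULN-EXAMPLE-1": ("not_affected", "vulnerable code not reachable in this build")}

def normalize(record):
    """Map either export shape onto the unified (name, version) schema."""
    name = record.get("name") or record["PackageName"]
    version = record.get("version") or record["PackageVersion"]
    return {"name": name, "version": version}

def merge(*exports):
    """Combine team exports, de-duplicating on (name, version)."""
    seen = {}
    for export in exports:
        for rec in export:
            c = normalize(rec)
            seen.setdefault((c["name"], c["version"]), c)
    return list(seen.values())

def enrich(component, today):
    """Attach EOL/EOS dates, a past-EOS flag and VEX statements."""
    key = (component["name"], component["version"])
    eol, eos = SUPPORT.get(key, (None, None))
    component["end_of_life"] = eol.isoformat() if eol else None
    component["end_of_support"] = eos.isoformat() if eos else None
    component["past_eos"] = bool(eos and eos < today)
    # Unanalysed findings default to "under_investigation" rather than silence.
    component["vex"] = [
        {"id": v, "status": ANALYSIS.get(v, ("under_investigation", ""))[0],
         "justification": ANALYSIS.get(v, ("", ""))[1]}
        for v in VULNS.get(key, [])]
    return component

def build_submission(today=date(2024, 6, 1)):
    return [enrich(c, today) for c in merge(TEAM_A, TEAM_B)]
```

Running `build_submission()` yields three unified components, with the duplicate openssl record collapsed, flagged as past end-of-support and carrying a `not_affected` VEX statement.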
A representative from one of the world’s leading medical device manufacturers who is using DigiCert and FOSSA commented, “We were thrilled when we learned about the combined offering from DigiCert and FOSSA. It not only helped us meet FDA review and compliance requirements but also provided long-term visibility into how our devices are operating. We can confidently assure hospitals that our software is authenticated, secure, and continuously monitored for vulnerabilities.”
As cybersecurity risks continue to rise, the demand for trusted and secure medical devices has never been greater. The combined solution from DigiCert and FOSSA not only addresses FDA compliance but also empowers device manufacturers to strengthen their entire device lifecycle management process. From ensuring the authenticity and security of devices to managing SBOMs and vulnerabilities, this solution provides manufacturers with the tools they need to protect patient safety and maintain trust with healthcare providers.
Don’t let the complexities of FDA compliance and device security slow your progress. With DigiCert and FOSSA, you can streamline your compliance processes, enhance the security of your connected devices, and ensure continued trust across your entire supply chain.
Get in touch with our team today to learn how DigiCert and FOSSA can help you achieve FDA compliance, protect your devices, and secure your future in healthcare. Together, we can help you innovate with confidence, secure patient data, and maintain the trust of your customers.
Want to learn more about topics like device trust, software security, and compliance? Subscribe to the DigiCert blog to ensure you never miss a story.