Technology Radar

SBOM Generation

security, compliance, fda
Assess

Software Bill of Materials as a regulatory security artefact. The FDA Cybersecurity Guidance (2023) requires an SBOM for medical device submissions. An SBOM lists every third-party component in the software, which enables vulnerability management, supply chain transparency and coordinated disclosure.

Not yet in place. Planned for Layer 13 (Security Architecture). Tooling is still to be selected; Syft, FOSSA and GitHub's dependency graph are all candidates. The SBOM format (SPDX or CycloneDX) should align with FDA submission requirements.
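As an added example (not part of this radar entry and not code from Syft, FOSSA or any other tool named above), a small Python checker that reads a constructed CycloneDX JSON SBOM, flags components missing the identifying fields a submission reviewer would look for, and lists components that appear in no dependency relationship. The required-field set and the sample BOM are assumptions made here, not a field list quoted from the FDA guidance.

```python
import json

# Constructed sample CycloneDX 1.5 JSON SBOM (hand-written, not the output of a real tool run).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-15T10:00:00Z",
        "component": {"bom-ref": "app", "type": "application",
                      "name": "device-firmware", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "openssl", "type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8", "supplier": {"name": "OpenSSL Project"}},
        {"bom-ref": "zlib", "type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},                       # supplier missing
        {"bom-ref": "mbedtls", "type": "library", "name": "mbedtls"},  # version and purl missing
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["openssl", "zlib"]},
        {"ref": "openssl", "dependsOn": ["zlib"]},
    ],
})

# Per-component fields this checker treats as mandatory (an assumption made for this example).
REQUIRED = ("name", "version", "purl", "supplier")

def audit_sbom(sbom_json):
    """Return components with missing fields and bom-refs that appear in no
    dependency relationship, so a reviewer can see which entries cannot be traced."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = bom.get("components", [])
    gaps = {}
    for comp in components:
        missing = [field for field in REQUIRED if not comp.get(field)]
        if missing:
            gaps[comp["name"]] = missing
    # Every bom-ref that is either a dependent or a dependency.
    referenced = set()
    for dep in bom.get("dependencies", []):
        referenced.add(dep["ref"])
        referenced.update(dep.get("dependsOn", []))
    unlinked = sorted(c["bom-ref"] for c in components if c["bom-ref"] not in referenced)
    return {"component_count": len(components), "missing_fields": gaps, "unlinked": unlinked}

if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
```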