
Compliance v. Completeness: Rethinking SBOMs Under FDA Premarket Cybersecurity Guidance

Dr. Mike Rushanan explores how an FDA-compliant SBOM may still omit critical software and hardware dependencies, exposing hidden cybersecurity risks in medical devices.

Harbor Labs Chief Scientist Dr. Mike Rushanan served as the Principal Investigator for the paper Compliance v. Completeness: A Case Study on SBOMs in Consideration of FDA Premarket Cybersecurity Guidance, to be presented at the upcoming HealthSec 2025 Conference this December in Honolulu, HI.

The paper examines the FDA’s premarket cybersecurity guidance on the use of a Software Bill of Materials (SBOM) in medical device submissions, and how an SBOM can be compliant yet still incomplete. This assertion is supported by a recent Harbor Labs case study of an anonymized medical device SBOM that met regulatory submission standards but omitted deeply embedded third-party components and transitive dependencies hidden by software development tooling. The extended SBOM revealed additional vulnerabilities, exposing the blind spots of the original SBOM. The study also found that excluding hardware components, i.e. the Hardware Bill of Materials (HBOM), introduced further unseen vulnerabilities, leaving devices exposed to risks such as microarchitectural attacks.

The findings reinforce an important distinction: building an SBOM solely for regulatory compliance does not guarantee effective cybersecurity risk management. Manufacturers are encouraged to build BOMs that incorporate both transitive software dependencies and hardware components in order to maximize the effectiveness of vulnerability monitoring and postmarket surveillance.
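The gap the paper describes, an SBOM that lists only direct dependencies while the build tooling actually pulled in a deeper tree, can be checked mechanically. The following Python script is an added example, not code from Harbor Labs or from the paper: it takes a constructed CycloneDX-style SBOM that lists only direct dependencies, walks a constructed resolver dependency graph (the kind a lock file records) to compute the full transitive closure, reports every reachable component the SBOM never declared, and counts whether any hardware-level (HBOM) entries are present at all. All component names, versions and `bom-ref` values are constructed sample data.

```python
"""Audit a CycloneDX-style SBOM for completeness, not just compliance.

Added example. Assumptions (all constructed): a submitted SBOM that lists
only direct dependencies, and the build tool's resolved dependency graph
with the full transitive tree. Component names/versions are sample data.
"""
import json

# Constructed submitted SBOM in CycloneDX 1.5 JSON shape.
# It names the product (metadata.component) and its two direct dependencies.
SUBMITTED_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:generic/infusion-pump-fw@3.2.0",
                             "type": "firmware", "name": "infusion-pump-fw",
                             "version": "3.2.0"}},
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library",
     "name": "requests", "version": "2.31.0"},
    {"bom-ref": "pkg:pypi/pyyaml@6.0.1", "type": "library",
     "name": "pyyaml", "version": "6.0.1"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/infusion-pump-fw@3.2.0",
     "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/pyyaml@6.0.1"]}
  ]
}
""")

# Constructed resolver graph: package -> packages it pulls in. The nested
# entries under "requests" are the dependencies the submitted SBOM omits.
RESOLVED_GRAPH = {
    "pkg:generic/infusion-pump-fw@3.2.0": ["pkg:pypi/requests@2.31.0",
                                           "pkg:pypi/pyyaml@6.0.1"],
    "pkg:pypi/requests@2.31.0": ["pkg:pypi/urllib3@1.26.5",
                                 "pkg:pypi/certifi@2023.7.22",
                                 "pkg:pypi/idna@3.4"],
    "pkg:pypi/urllib3@1.26.5": [],
    "pkg:pypi/certifi@2023.7.22": [],
    "pkg:pypi/idna@3.4": [],
    "pkg:pypi/pyyaml@6.0.1": [],
}

# CycloneDX component types that describe hardware or hardware-level software,
# i.e. what an HBOM would record alongside the library entries.
HARDWARE_TYPES = {"device", "device-driver", "firmware", "platform"}


def transitive_closure(graph, roots):
    """Return every node reachable from roots (iterative DFS, cycle safe)."""
    seen, stack = set(), list(roots)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def audit_sbom(sbom, resolved_graph):
    """Compare what the SBOM declares against what the build actually pulled in.

    Returns counts plus the sorted list of reachable-but-undeclared refs and
    the number of hardware-level components listed (0 means no HBOM content).
    """
    root = sbom["metadata"]["component"]["bom-ref"]
    components = sbom.get("components", [])
    declared = {c["bom-ref"] for c in components}
    reachable = transitive_closure(resolved_graph, [root]) - {root}
    hardware = [c for c in components if c.get("type") in HARDWARE_TYPES]
    return {
        "declared": len(declared),
        "reachable": len(reachable),
        "missing": sorted(reachable - declared),
        "hardware_components": len(hardware),
    }


if __name__ == "__main__":
    report = audit_sbom(SUBMITTED_SBOM, RESOLVED_GRAPH)
    print(f"declared {report['declared']} of {report['reachable']} reachable components")
    for ref in report["missing"]:
        print("  undeclared transitive dependency:", ref)
    if report["hardware_components"] == 0:
        print("  no hardware/firmware components listed: HBOM coverage is absent")
```

Run as-is, the script flags three transitive dependencies that the submitted SBOM never names and notes that the component list carries no hardware entries; the same two checks, applied to a real SBOM and the project's own lock file or build manifest, are the minimum a reviewer needs to tell a compliant SBOM from a complete one.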

About the Author

Nick Yuran, CEO

Nick Yuran is the CEO of Harbor Labs. After a career in US intelligence, Nick entered private industry and today applies those experiences in national security to the cyber disciplines he manages at Harbor Labs. As a serial entrepreneur, Nick has led several companies to successful exits, including companies in the satellite, enterprise networking, and cybersecurity markets. His most recent exit was the merger of a medical Internet of Things cybersecurity technology company, and he remains a strong advocate in the medical and healthcare IT security industry today. Nick holds a BA in Slavic Languages from the University of Arizona and an MS in Telecommunication Engineering from George Washington University.
