Alan Parkinson, MD, Threat Detective
The medical device industry has been producing mandatory SBOMs for two and a half years now. I won’t pretend the problem is solved. C/C++ component inventories are still assembled partly by hand. Identifier matching still produces false negatives that are invisible until someone gets bitten. Quality across the industry is uneven.
But it’s getting better, and the reason is worth paying attention to. The FDA doesn’t just review SBOMs. It runs automated tooling that assists human reviewers by checking dependency completeness, flagging missing fields, and cross-referencing components against vulnerability databases. That tooling created a feedback loop. Manufacturers whose submissions failed automated checks fixed the gaps and resubmitted. Over time, the bar rose. Not because the guidance changed, but because the enforcement became machine-driven.
This talk covers five observations from the medical device dry run relevant to the EU CRA: the persistent challenges of C/C++ SBOM generation; why shipping SBOMs without VEX (Vulnerability Exploitability eXchange) documents creates a support problem you don’t want; the notified body expertise gap; and how pairing SBOMs with software architecture diagrams and contextual vulnerability scoring makes the CRA’s reporting clock survivable.
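The automated completeness and cross-referencing checks described above, together with the VEX point, are illustrated by the following added example; it is not code from the talk or from the FDA's tooling. It models the "missing fields" check on the NTIA minimum elements (an assumption), uses CycloneDX-style JSON field names, and runs over a constructed SBOM, a constructed vulnerability feed with placeholder identifiers, and a constructed VEX statement. It also surfaces the blind spot mentioned earlier: a component without a usable identifier silently drops out of any vulnerability cross-reference, so the check reports it rather than ignoring it.

```python
"""Added example: minimal SBOM completeness check plus a VEX-aware
vulnerability cross-reference. All data below is constructed; vulnerability
IDs are placeholders, not real CVEs."""
import json

# Assumption: required per-component fields modelled on the NTIA minimum
# elements (supplier, name, version, unique identifier).
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier", "purl")

# Constructed sample SBOM in CycloneDX 1.x JSON style.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"timestamp": "2024-06-01T00:00:00Z",
               "component": {"name": "example-device-fw", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "c1", "name": "zlib", "version": "1.2.11",
     "supplier": {"name": "zlib.net"}, "purl": "pkg:generic/zlib@1.2.11"},
    {"bom-ref": "c2", "name": "mbedtls", "version": "2.16.0",
     "purl": "pkg:generic/mbedtls@2.16.0"},
    {"bom-ref": "c3", "name": "vendor-rtos", "version": "",
     "supplier": {"name": "Example RTOS Ltd"}}
  ],
  "dependencies": [
    {"ref": "c1", "dependsOn": []},
    {"ref": "c2", "dependsOn": ["c1"]}
  ]
}
""")

# Constructed vulnerability feed keyed by purl (placeholder IDs).
SAMPLE_VULN_FEED = {
    "pkg:generic/zlib@1.2.11": ["VULN-PLACEHOLDER-0001"],
    "pkg:generic/mbedtls@2.16.0": ["VULN-PLACEHOLDER-0002"],
}

# Constructed VEX statements: (vulnerability id, purl) -> status.
SAMPLE_VEX = {
    ("VULN-PLACEHOLDER-0001", "pkg:generic/zlib@1.2.11"): "not_affected",
}


def check_completeness(sbom):
    """Return findings for missing/empty required fields and for components
    that appear nowhere in the dependency graph."""
    findings = []
    if not sbom.get("metadata", {}).get("timestamp"):
        findings.append("metadata.timestamp missing")
    listed_refs = set()
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref", "<no bom-ref>")
        for field in REQUIRED_COMPONENT_FIELDS:
            value = comp.get(field)
            if field == "supplier":          # supplier is a nested object
                value = (value or {}).get("name")
            if not value:                    # absent or empty string
                findings.append(f"{ref}: missing {field}")
        listed_refs.add(ref)
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    for ref in sorted(listed_refs - referenced):
        findings.append(f"{ref}: not present in dependency graph")
    return findings


def cross_reference(sbom, vuln_feed, vex):
    """Return (open_vulns, unmatched_refs). open_vulns maps purl -> vuln ids
    still open after VEX 'not_affected' statements are applied; unmatched_refs
    lists components that could not be looked up because they lack a purl,
    i.e. the silent false negatives a reviewer needs to see."""
    open_vulns, unmatched = {}, []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("bom-ref", "<no bom-ref>"))
            continue
        remaining = [v for v in vuln_feed.get(purl, [])
                     if vex.get((v, purl)) != "not_affected"]
        if remaining:
            open_vulns[purl] = remaining
    return open_vulns, unmatched


if __name__ == "__main__":
    for finding in check_completeness(SAMPLE_SBOM):
        print("FINDING:", finding)
    print(cross_reference(SAMPLE_SBOM, SAMPLE_VULN_FEED, SAMPLE_VEX))
```

Run against the sample, the completeness check flags the missing supplier on mbedtls, the empty version and missing identifier on the vendor RTOS, and the RTOS's absence from the dependency graph; the cross-reference shows zlib's finding closed by the VEX statement, mbedtls's still open, and the RTOS reported as unmatched rather than quietly treated as clean.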
The dry run is over. Here are the results.
This session is part of SBOM Focus
