Why Companies Resist Sharing Their SBOMs
"I don’t want to share my SBOM—it’s giving away IP!"
Many medical device companies voice this concern. Cybersecurity professionals typically respond, "An SBOM is just an ingredient list—it can't reveal intellectual property." But is that always true? Let’s dive deeper.
Background
What Is an SBOM?
Most modern software solutions are assembled largely from third-party packages. An SBOM, or Software Bill of Materials, is a structured list of the software packages, and their versions, used in your product. Think of it as the ingredients listed on a cereal box, just for software.
Regulations vs. FDA Guidance
The FDA has two kinds of expectations: statutory requirements and guidance. Statutory requirements are mandatory by law, while guidance represents the FDA’s recommended practices. The recent cybersecurity guidance makes the FDA’s expectations clear: SBOMs are highly recommended but not legally mandated for public disclosure.
According to the 2023 FDA cybersecurity guidance:
“Manufacturers should provide or make available SBOM information to users on a continuous basis. If an online portal is used, manufacturers should ensure that users have up-to-date links that contain accurate information. The SBOM should be in a machine-readable format.”
In practice, FDA is increasingly pushing manufacturers to share SBOMs without restrictions like NDAs or other access barriers.
Defining Intellectual Property (IP)
Understanding IP is crucial here. Generally speaking, IP is anything proprietary to your company. Legally, IP refers to patents, copyrights, trade secrets, and other recognized protections.
- Patents protect specific inventions or methods.
- Copyrights protect specific expressions or code.
- Trade Secrets protect proprietary methods, recipes, or business practices.
The debate often arises because, while SBOMs themselves aren't generally patentable or copyrightable, they can occasionally reveal trade secrets—information valuable precisely because it's not widely known.
Why Does the FDA Want Your SBOM Shared?
The primary purpose is transparency. SBOMs help end-users identify and manage cybersecurity vulnerabilities. Knowing precisely what software packages a device uses allows users to swiftly identify risks when new vulnerabilities are disclosed. Without this transparency, users (often hospitals or medical facilities) are exposed to hidden risks, making patient safety more precarious.
A Real-World Example: Unexpected Utility Reveals Sensitive IP
Imagine you're developing an AI-enabled medical device and discover your competitor's SBOM. You notice they use a package called TotalSegmentator for an FDA-cleared function you thought impossible. This knowledge alone, realizing that such a package can achieve that specific performance, is itself strategically valuable IP.
Admittedly, this scenario is rare. Typically, SBOM entries like Django or NumPy don't disclose anything sensitive. Most are as revealing as learning Cheerios contain oats—interesting, but not exactly groundbreaking.
The Common Wisdom: “SBOMs Are Just Ingredient Lists”
Cybersecurity professionals routinely emphasize:
- SBOMs usually reveal little about actual implementation.
- Attackers can reverse-engineer your product anyway.
- The software components themselves aren't your IP; your use of them is.
This argument aligns closely with the ingredient metaphor: knowing ingredients doesn't tell you how to recreate the recipe.
But Is That Always True?
Consider these nuanced exceptions:
- Reverse Engineering: Yes, attackers can reverse-engineer products. However, if a component is hidden deep in a cloud service, reverse engineering becomes expensive, impractical, and possibly illegal. Disclosing it explicitly via an SBOM makes this knowledge legal, easy, and accessible.
- Unexpected Utility: Occasionally, simply knowing an ingredient is present is valuable because its specific use or utility is non-obvious and strategically significant.
- Ownership and IP: True, the package itself isn’t your IP—but discovering that a package can meet specific FDA performance criteria could be considered valuable proprietary information.
A More Nuanced Approach to Sharing Your SBOM
Given these considerations, most companies can safely—and should—share their full SBOM. But in exceptional cases where an SBOM reveals genuinely sensitive details, consider this strategy:
- Provide FDA with Two Versions:
  - A complete SBOM.
  - A redacted SBOM that removes highly sensitive components, clearly marking their exclusion with a “known unknowns” label.
- Justify Redactions Clearly: Explain explicitly why certain dependencies are sensitive, demonstrating their strategic importance and the risks associated with disclosure.
Here’s a simple example of the redacted version (CycloneDX JSON snippet; `specVersion` and the component `type` fields are required for a valid CycloneDX document):

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "Django", "version": "3.2.6"},
    {"type": "library", "name": "numpy", "version": "1.23.1"},
    {"type": "library", "name": "known unknown", "version": "unknown"}
  ]
}
```
This balanced approach aligns with the 2024 CISA SBOM FAQ, which acknowledges that while most third-party components don’t reveal IP, using “known unknowns” can be appropriate for sensitive redactions.
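The two-version procedure above, worked through in code, as an added example that is not part of the original article and not any FDA or CISA tooling. It builds the redacted SBOM from the complete one, keeps the redaction justifications in a separate record (so the public file says nothing about what was removed), rewrites the CycloneDX dependency graph so that `bom-ref` values do not leak what the placeholder stands for, and runs a release check for leaked terms. It also shows the consumer-side advisory match that the transparency argument earlier on the page relies on. The SBOM contents, package names (`segmentation-pkg` stands in for a sensitive component), and the `known-unknown-N` placeholder reference scheme are all constructed for this example.

```python
"""Added example: produce a complete and a redacted CycloneDX SBOM.

Not code from the article or from any FDA/CISA tool. The CycloneDX 1.5 JSON
layout is real; the package names, bom-refs and the "known-unknown-N"
placeholder scheme are constructed for this example.
"""
import copy
import json

# Constructed sample SBOM for a fictional device application; not real data.
FULL_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "device-app",
                               "name": "device-app", "version": "4.1.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/django@3.2.6",
         "name": "Django", "version": "3.2.6", "purl": "pkg:pypi/django@3.2.6"},
        {"type": "library", "bom-ref": "pkg:pypi/numpy@1.23.1",
         "name": "numpy", "version": "1.23.1", "purl": "pkg:pypi/numpy@1.23.1"},
        # Hypothetical package whose mere presence reveals a non-obvious use.
        {"type": "library", "bom-ref": "pkg:pypi/segmentation-pkg@2.0.0",
         "name": "segmentation-pkg", "version": "2.0.0",
         "purl": "pkg:pypi/segmentation-pkg@2.0.0"},
    ],
    "dependencies": [
        {"ref": "device-app", "dependsOn": ["pkg:pypi/django@3.2.6",
                                            "pkg:pypi/numpy@1.23.1",
                                            "pkg:pypi/segmentation-pkg@2.0.0"]},
        {"ref": "pkg:pypi/segmentation-pkg@2.0.0", "dependsOn": ["pkg:pypi/numpy@1.23.1"]},
    ],
}

# Component name -> justification text for the separate FDA record (constructed).
REDACTIONS = {
    "segmentation-pkg": "Using this package for the cleared function is non-obvious "
                        "and strategically significant; disclosure would reveal it.",
}


def redact_sbom(sbom, redactions):
    """Return (redacted_sbom, justifications). The input is left untouched.

    Each sensitive component becomes one "known unknown" placeholder, so the
    consumer still sees how many components were withheld. The dependency
    graph is rewritten too: edges pointing at a hidden component are redirected
    to its placeholder, and the hidden component's own entry is dropped (its
    transitive dependencies would hint at what it is).
    """
    out = copy.deepcopy(sbom)
    justifications = []
    ref_map = {}   # hidden bom-ref -> placeholder bom-ref
    kept = []
    for comp in out.get("components", []):
        name = comp.get("name")
        if name not in redactions:
            kept.append(comp)
            continue
        justifications.append({"name": name, "version": comp.get("version"),
                               "bom-ref": comp.get("bom-ref"), "purl": comp.get("purl"),
                               "reason": redactions[name]})
        placeholder_ref = f"known-unknown-{len(justifications)}"
        if comp.get("bom-ref"):
            ref_map[comp["bom-ref"]] = placeholder_ref
        kept.append({"type": "library", "bom-ref": placeholder_ref,
                     "name": "known unknown", "version": "unknown"})
    out["components"] = kept

    rewritten = []
    for dep in out.get("dependencies", []):
        if dep.get("ref") in ref_map:
            continue  # drop the hidden component's own dependency entry
        dep["dependsOn"] = [ref_map.get(r, r) for r in dep.get("dependsOn", [])]
        rewritten.append(dep)
    if "dependencies" in out:
        out["dependencies"] = rewritten
    return out, justifications


def leaked_terms(redacted_sbom, justifications):
    """Release check: every redacted name, bom-ref and purl must be absent from
    the serialized redacted SBOM (this also catches stray references left in
    the dependency graph). Returns the set of terms that still leak."""
    text = json.dumps(redacted_sbom)
    terms = {t for j in justifications for t in (j["name"], j["bom-ref"], j["purl"]) if t}
    return {t for t in terms if t in text}


def match_advisory(sbom, affected_purls):
    """Consumer-side check: which components match a new advisory's purls, and
    how many placeholders could not be assessed at all."""
    hits = [c["purl"] for c in sbom["components"] if c.get("purl") in affected_purls]
    unassessable = sum(1 for c in sbom["components"] if c.get("name") == "known unknown")
    return hits, unassessable


if __name__ == "__main__":
    redacted, record = redact_sbom(FULL_SBOM, REDACTIONS)
    assert not leaked_terms(redacted, record), "redaction leaked a sensitive term"
    print(json.dumps(redacted, indent=2))   # public, machine-readable copy
    print(json.dumps(record, indent=2))     # separate justification record for FDA
    print(match_advisory(redacted, {"pkg:pypi/numpy@1.23.1"}))
```

The design choice worth noting is that redaction is not just deleting a component entry: CycloneDX `bom-ref` values commonly embed the purl, so an untouched `dependencies` section would disclose the withheld package anyway. The `leaked_terms` check serialises the whole document precisely so that any such residue, wherever it sits, fails the release. On the consumer side, `match_advisory` returns the count of placeholders alongside the matches, which is the honest answer a hospital gets from a redacted SBOM: these components are affected, and this many could not be assessed.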
Is This Effort Worth It?
Arguing a special case to the FDA means extra scrutiny and additional effort. Unless your situation is truly exceptional—like the innovative AI use-case above—it's easier and safer just to share your full SBOM.
Balancing Transparency and Proprietary Interests
The FDA and manufacturers have inherently different incentives. FDA seeks transparency to ensure patient safety and industry-wide cybersecurity. Manufacturers, meanwhile, must protect their innovations to remain profitable.
This balance resembles debates over FDA 510(k) Summaries—transparency benefits the industry overall, but companies legitimately resist sharing sensitive details.
Ultimately, patients benefit from a marketplace where companies have incentives to innovate and invest. Without IP protections, investment—and thus medical innovation—would decline.
Conclusion
Legally, you aren't forced to publicly disclose your SBOM—but FDA guidance strongly encourages it. In most cases, disclosing your SBOM promotes transparency, cybersecurity, and ultimately patient safety. Only in rare, justified circumstances should companies selectively redact sensitive details.
So, next time your company debates sharing an SBOM, ask yourself: Is this really IP worth guarding? If not, embrace transparency. If yes—make your case clearly and carefully.