FDA Cybersecurity eSTAR Submission Requirements and Frequent Deficiency Points Explained: Risk Management - Software Bill of Materials (SBOM) and Related Information

Right after the cybersecurity risk assessment, the SBOM (software bill of materials) and its related information have become another "high-frequency deficiency minefield" in eSTAR submissions. How do you steer clear of the SBOM-related review pitfalls on the first submission and ensure efficient compliance? This article systematically breaks down the core SBOM submission points in eSTAR and analyzes in depth the deficiency issues most often raised in review and how to avoid them, to help you pass in one go.

eSTAR submission requirement:
An SBOM should include both the device manufacturer-developed components and third-party components, including purchased/licensed software and open-source software, and the upstream software dependencies that are required/depended upon by proprietary, purchased/licensed, and open-source software.

A deficiency item commonly seen here in submission practice reads as follows:
"In the eSTAR Software/Firmware & Cybersecurity/Interoperability section, under the Risk Management - Software Bill of Materials (SBOM) and Related Information section under Cybersecurity, in response to the question 'List the supported operating system(s) and associated version(s) your device(s)/system uses. Be aware that if you list any operating systems that are no longer supported (e.g. Windows 7, Mac OS 9) or nearing end of support, this will be considered an inaccurate response...', you indicated that your system uses iOS 10.00+ (including iOS 10.0) or Android 5.0+ (including Android 5.0) operating systems (OS). However, the Android 5.0 through Android 11.0 OS are no longer supported and hence are not receiving security updates. Additionally, the iOS 10.00 through 14.00 are no longer supported and hence are not receiving security updates. Unsupported OS can be exposed to a cybersecurity vulnerability which could result in unacceptable risks to the device and their connected network. Adequate support for the OS is important to comply with the requirement specified in section 524B(b)(2) of the Federal Food, Drug, and Cosmetic Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with recommendations in the FDA Guidance 'Off-The-Shelf Software Use in Medical Devices' (https://www.fda.gov/media/71794/download) for manufacturers to demonstrate the existence of appropriate mechanisms for assuring the continued maintenance and support of the OTS Software should the original OTS Software developer terminate their support. Therefore, please address these risks to the system by updating all the software, cybersecurity and labeling documentation to a supported OS platform which can receive security updates throughout the expected life of the device."

Explanation of the deficiency item:
The reviewer is pointing at the answer to the question "List the supported operating system(s) and associated version(s) your device(s)/system uses": the submission stated that the system runs on iOS 10.00 and above (including iOS 10.0) and Android 5.0 and above (including Android 5.0). However, Android 5.0 through Android 11.0 are no longer supported and therefore no longer receive security updates, and iOS 10.00 through 14.00 are likewise no longer supported and no longer receive security updates.

Reason for the deficiency:
Open-source software or an operating system that is no longer maintained was used. An unsupported operating system may be exposed to cybersecurity vulnerabilities, creating unacceptable risks to the device and the network it connects to.

Corrective measures:
① Upgrade the operating system, open-source components and software versions to the latest version, or to a version the vendor still maintains; keep change records and evidence of the related testing and verification; and update the related software documentation, including but not limited to the requirements document, the cybersecurity risk assessment, and the cybersecurity test report.
② Where an upgrade is not possible, search the vulnerability databases (NVD, CVE, EXP, etc.) for the current version, perform a risk assessment for each vulnerability found (scoring with CVSS v4 is recommended), propose mitigations so that the residual risk meets requirements, and update the unresolved anomalies report and the user manual.

The SBOM documents and the information entered are particularly important: once an error appears, the deficiency-response workload is enormous.

Submission recommendations:
1. Use an SBOM tool to generate a machine-readable file; the tool's output must cover the minimum elements, and ideally the tool should also support vulnerability scanning.
2. The SBOM should cover three parts: the operating system, open-source components, and open-source software.

Our team has been deeply involved in dozens of medical-device FDA submission projects, is familiar with the latest cybersecurity guidance and eSTAR submission requirements, and provides:
Contact us now: Consultant Wang (汪老师) at Sibei Technology (思倍科技), phone: 18128029974, e-mail: haley@sibeiwa.cn. Let your product avoid detours and accelerate approval! #MedicalDeviceRegistration #FDAConsulting #CybersecurityCompliance