Software Supply Chain - SBOMs meet SOUP

Unlocking transparency: why SBOM and SOUP are essential for medical device cybersecurity


In today’s evolving regulatory landscape, software transparency isn’t just a best practice—it’s becoming a compliance imperative. Medical device manufacturers must now adopt strategic approaches to documenting, securing, and maintaining visibility over their software components. The second whitepaper in Coauthor’s medical device cybersecurity series shines a spotlight on two foundational concepts: SBOM (Software Bill of Materials) and SOUP (Software of Unknown Provenance).


Why it matters:

The US FDA now explicitly mandates machine-readable SBOMs in its cybersecurity guidance, while international frameworks such as those from the International Medical Device Regulators Forum (IMDRF) and cybersecurity authorities like the US Cybersecurity and Infrastructure Security Agency (CISA) promote global alignment on software supply chain security. An SBOM provides a comprehensive inventory of all software components—commercial, open-source, or bespoke—making it easier to trace vulnerabilities, manage dependencies, and stay compliant with best practices such as IEC 81001-5-1.


This whitepaper also unpacks the complexities of SOUP—software of unknown provenance—which often lacks full development traceability but still plays a critical role in many medical technologies.


What you’ll learn:

  • Key differences between FDA and MDR expectations for SBOMs

  • How to evaluate and select SCA (software composition analysis) tools for SBOM generation

  • Best-practice formats (SPDX and CycloneDX) for SBOM documentation

  • Post-market SBOM surveillance strategies

  • How to safely manage SOUP in accordance with IEC 62304


Whether you're preparing a regulatory submission or strengthening your cybersecurity framework, this whitepaper delivers practical, actionable guidance.


Access the full PDF below to ensure your approach to software transparency is both compliant and future-ready.
