The Software Bill of Materials has become the most misunderstood requirement in medical device submissions.
Teams treat it as a one-time spreadsheet exercise. Reviewers treat it as a window into the maturity of your software supply chain. The gap between those two readings is where most SBOM-related deficiencies live.
Here's what a defensible SBOM looks like in 2026:
Generated, not authored. A spreadsheet someone typed is not an SBOM. The SBOM is produced by your build pipeline — CycloneDX or SPDX format, generated automatically, regenerated on every release. If a human is maintaining it by hand, it's already wrong.
Complete to the transitive dependency level. Direct dependencies are the easy part. Transitive dependencies are where the vulnerabilities hide. Your SBOM has to include both — and it has to be honest about components you couldn't fully resolve.
Accurately versioned. Vague versions ("OpenSSL 3.x") are a reviewer's first red flag. Give exact versions, including patch level. If you're using a fork, say so and identify the fork commit. The reject line we see most often looks like openssl, 3.x, MIT (wrong twice: the version is a range, and OpenSSL 3.x is licensed under Apache-2.0, not MIT). The line that passes looks like pkg:generic/openssl@3.0.13?download_url=... with a SHA-256 hash, an SPDX license ID, and a supplier field that names a human-readable upstream, not "open source community."
Tied to a Software of Unknown Provenance (SOUP) analysis. Every third-party component is SOUP unless you can show it was developed under your own documented lifecycle process. Your SBOM should map, entry for entry, to a SOUP list that documents what each component does in your device, what risks it introduces, and how you're managing them.
Paired with a vulnerability management plan. The SBOM is the input. The vulnerability monitoring process — how you watch CVEs, how you triage, how you respond — is what the reviewer is actually trying to evaluate.
Updated postmarket. An SBOM frozen at submission time is a postmarket deficiency waiting to happen. Reviewers increasingly want to see the operational process that keeps the SBOM accurate for the life of the device.
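As an added example (not code from the original post or from any particular vendor), here is a small Python audit that turns the "accurately versioned" and "complete to the transitive level" criteria above into checks over a CycloneDX 1.5 JSON document: exact version, a purl that pins that version, a SHA-256 or stronger hash, an SPDX license id rather than free text, a named supplier, and dependency edges that resolve to declared components. The SBOM, the placeholder hash value, the hypothetical infusion-controller application and the undeclared zlib reference are all constructed for the example.

```python
"""Audit a CycloneDX JSON SBOM for the field-level problems reviewers flag.

Added example, not code from the original post. The sample SBOM below is
constructed for the example; its hash value is a placeholder, not the
digest of any real OpenSSL release.
"""
import json
import re

# Constructed CycloneDX 1.5 document: one component that passes, one that is
# the "openssl, 3.x, MIT" spreadsheet line, and one dependency edge to a
# component that never made it into the BOM (the unresolved transitive case).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "infusion-controller", "version": "2.4.0"}},
    "components": [
        {
            "type": "library", "bom-ref": "pkg:generic/openssl@3.0.13",
            "name": "openssl", "version": "3.0.13",
            "purl": "pkg:generic/openssl@3.0.13",
            "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],  # placeholder digest
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "supplier": {"name": "OpenSSL Software Foundation"},
        },
        {
            "type": "library", "bom-ref": "openssl-legacy",
            "name": "openssl", "version": "3.x",
            "licenses": [{"license": {"name": "MIT"}}],  # free text, not an SPDX id
            "supplier": {"name": "open source community"},
        },
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:generic/openssl@3.0.13", "openssl-legacy",
                                     "pkg:generic/zlib@1.3.1"]},  # zlib never declared
    ],
})

STRONG_HASH_LEN = {"SHA-256": 64, "SHA-384": 96, "SHA-512": 128,
                   "SHA3-256": 64, "SHA3-384": 96, "SHA3-512": 128}
GENERIC_SUPPLIERS = {"", "unknown", "various", "n/a", "community",
                     "open source", "open source community"}


def version_is_exact(version: str) -> bool:
    """Reject empty, 'latest', ranges (>=3.0, ^3.0) and wildcards (3.x, 3.*).
    Accept a dotted release with an optional suffix (3.0.13, 3.0.13-fips) or a
    bare git commit id, which is how a fork should be identified."""
    if not version or version.lower() == "latest" or version[0] in "^~<>=":
        return False
    if re.search(r"\*|(^|[.-])x($|[.-])", version, re.IGNORECASE):
        return False
    return bool(re.match(r"^\d+(\.\d+)+", version)
                or re.fullmatch(r"[0-9a-f]{7,40}", version))


def purl_pins_version(purl: str, version: str) -> bool:
    """The purl version (before any ?qualifiers or #subpath) must equal the
    component's declared version; a purl without one is as vague as '3.x'."""
    if not purl or not purl.startswith("pkg:"):
        return False
    core = purl.split("?", 1)[0].split("#", 1)[0]
    return core.endswith("@" + version)


def has_strong_hash(component: dict) -> bool:
    """True if any hash entry uses a SHA-2/SHA-3 algorithm with a hex digest
    of the right length for that algorithm."""
    for h in component.get("hashes", []):
        want = STRONG_HASH_LEN.get(h.get("alg", ""))
        if want and re.fullmatch(r"[0-9a-fA-F]{%d}" % want, h.get("content", "")):
            return True
    return False


def has_spdx_license(component: dict) -> bool:
    """CycloneDX constrains license.id to the SPDX list and 'expression' to an
    SPDX expression; license.name is free text and proves nothing."""
    return any(e.get("expression") or e.get("license", {}).get("id")
               for e in component.get("licenses", []))


def audit_component(c: dict) -> list[str]:
    findings = []
    version = c.get("version", "")
    if not version_is_exact(version):
        findings.append(f"vague version {version!r}")
    if not purl_pins_version(c.get("purl", ""), version):
        findings.append("missing purl or purl does not pin the declared version")
    if not has_strong_hash(c):
        findings.append("no SHA-256 (or stronger) hash")
    if not has_spdx_license(c):
        findings.append("license is not an SPDX id or expression")
    if c.get("supplier", {}).get("name", "").strip().lower() in GENERIC_SUPPLIERS:
        findings.append("supplier missing or generic")
    return findings


def audit_bom(bom_json: str) -> dict[str, list[str]]:
    """Return {component key: findings}; an empty list means the entry passes.
    Dependency edges pointing at undeclared bom-refs are reported under
    'dependencies', since those are the transitive components the BOM lost."""
    bom = json.loads(bom_json)
    components = bom.get("components", [])
    report = {f"{c['name']}@{c.get('version', '')}": audit_component(c) for c in components}
    known = {c.get("bom-ref") for c in components}
    known.add(bom.get("metadata", {}).get("component", {}).get("bom-ref"))
    unresolved = sorted(ref for d in bom.get("dependencies", [])
                        for ref in d.get("dependsOn", []) if ref not in known)
    report["dependencies"] = [f"dependsOn references undeclared component {r}" for r in unresolved]
    return report


if __name__ == "__main__":
    for key, findings in audit_bom(SAMPLE_BOM).items():
        print(key, "PASS" if not findings else "; ".join(findings))
```

Run as a script it prints one line per entry; wired into the release pipeline after the SBOM generator, it is the difference between "generated" and "generated and checked". Note what the license check cannot do: it tells an SPDX id from free text, but whether Apache-2.0 is the right id for the component is a review question, not a schema one, and the hash check only confirms that a well-formed digest is present, not that it matches the artifact you actually shipped.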
The SBOM is small. The discipline behind it is large. Reviewers read both at once.
