Software Bill of Materials (SBOM) for Tidepool Software
“Achieving software supply chain transparency can increase trust and trustworthiness while lowering costs of our digital infrastructure. Individual pockets of people, policy, process, and technology are solving parts of the problem, but not in a systematic and scalable way that crosses development environments, product lines, vendors, sectors, and nations. A more systematic and collaborative approach can help.”
Section 524B(a) of the FD&C Act provides that the sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in section 524B(b) of the FD&C Act. The requirements in section 524B(b) of the FD&C Act are:
Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
Software Bill of Materials (SBOM) for Tidepool software/services
Tidepool Uploader
Readable json format SBOM
Tidepool Data Platform (Tidepool Web)
Readable json format SBOM
Tidepool Loop
The SBOM for Tidepool Loop has been provided to the FDA and FDA auditors for review, but is not available publicly for security and intellectual property reasons, because it includes some non-Open Source code.
Verification and additional info
Anyone can generate an SBOM for the public Tidepool source code repositories on GitHub:
Go to the github.com URL for the software repository
Select the tag or version you are generating an SBOM for, typically the most recent release
Select Insights, then Dependency Graph
Click the button to Export SBOM
Download the .json file for ingestion or review in an automated tool
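The exported file can be sanity-checked before it is fed to a scanner. The Python script below is an added illustration, not part of Tidepool's documentation or code: it parses an SPDX 2.3 JSON SBOM (the format GitHub's Export SBOM button produces), inventories the third-party components, flags entries a reviewer would want to query (no version, no package URL, license not asserted), and diffs two exports to show what changed between releases. The two embedded SBOM documents are constructed samples that only mimic the structure of a GitHub export; the package names, versions and licenses in them are made up and are not Tidepool's actual dependencies.

```python
"""Inventory, review and diff SPDX 2.3 JSON SBOMs such as GitHub's Export SBOM output.

SBOM_V1 and SBOM_V2 are CONSTRUCTED samples in the shape of a GitHub export;
they are not real Tidepool SBOMs.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]
    purl: Optional[str]      # package URL, e.g. pkg:npm/lodash@4.17.20
    license: Optional[str]   # SPDX licenseConcluded, may be "NOASSERTION"


def _make_sbom(root_version: str, packages: list) -> str:
    """Build a constructed SPDX 2.3 document string with one root package."""
    root = {"name": "com.github.example/uploader", "SPDXID": "SPDXRef-root",
            "versionInfo": root_version, "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False}
    doc = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
           "name": "com.github.example/uploader", "packages": [root] + packages,
           "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                              "relationshipType": "DESCRIBES",
                              "relatedSpdxElement": "SPDXRef-root"}]}
    return json.dumps(doc)


def _npm(name: str, version: str, lic: Optional[str]) -> dict:
    """Constructed npm package entry in the form GitHub emits."""
    pkg = {"name": f"npm:{name}", "SPDXID": f"SPDXRef-npm-{name}-{version}",
           "versionInfo": version, "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
           "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                             "referenceLocator": f"pkg:npm/{name}@{version}"}]}
    if lic is not None:
        pkg["licenseConcluded"] = lic
    return pkg


# Constructed sample exports for two consecutive releases (made-up data).
SBOM_V1 = _make_sbom("2.50.0", [_npm("lodash", "4.17.20", "MIT"),
                                _npm("left-pad", "1.3.0", "NOASSERTION")])
SBOM_V2 = _make_sbom("2.51.0", [_npm("lodash", "4.17.21", "MIT"),
                                _npm("axios", "1.6.0", "MIT")])


def _purl(pkg: dict) -> Optional[str]:
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def load_components(sbom_text: str) -> Dict[str, Component]:
    """Return third-party components keyed by version-less purl (or name when no purl)."""
    doc = json.loads(sbom_text)
    # The DESCRIBES relationship names the repository itself; drop it from the inventory.
    root_ids = {r.get("relatedSpdxElement") for r in doc.get("relationships", [])
                if r.get("relationshipType") == "DESCRIBES"
                and r.get("spdxElementId") == doc.get("SPDXID")}
    out: Dict[str, Component] = {}
    for pkg in doc.get("packages", []):
        if pkg.get("SPDXID") in root_ids:
            continue
        comp = Component(pkg["name"], pkg.get("versionInfo"), _purl(pkg),
                         pkg.get("licenseConcluded"))
        # rsplit keeps scoped names such as pkg:npm/@types/node intact
        key = comp.purl.rsplit("@", 1)[0] if comp.purl else comp.name
        out[key] = comp
    return out


def review_findings(components: Dict[str, Component]) -> List[str]:
    """Entries that cannot be matched to advisories or licence policy without follow-up."""
    findings = []
    for key, c in sorted(components.items()):
        if not c.version:
            findings.append(f"{key}: no versionInfo (cannot be matched against advisories)")
        if not c.purl:
            findings.append(f"{key}: no purl (ecosystem and package identity are ambiguous)")
        if c.license in (None, "NOASSERTION"):
            findings.append(f"{key}: license not asserted")
    return findings


def diff_sboms(old: Dict[str, Component], new: Dict[str, Component]) -> dict:
    """What entered, left, or changed version between two exports."""
    shared = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted((k, old[k].version, new[k].version)
                              for k in shared if old[k].version != new[k].version)}


if __name__ == "__main__":
    v1, v2 = load_components(SBOM_V1), load_components(SBOM_V2)
    print("findings in v1:", review_findings(v1))
    print("findings in v2:", review_findings(v2))
    print("v1 -> v2:", diff_sboms(v1, v2))
```

Run against two real exports by replacing the constructed strings with the contents of the downloaded .json files; the diff is the quickest way to see which components a release added or bumped before a full scanner run.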
The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.