Make Successor Build Systems: World Tour of Build Systems
  Compliance Validation
  Manual Guided SBOM Generation github.com/DEMCON/cmake-sbom
  SBOMs generation
    include(sbom)
    sbom_generate(
      OUTPUT ${CMAKE_INSTALL_PREFIX}/sbom-${GIT_VERSION_PATH}.spdx
      LICENSE MIT
      TARGETS app EXPORT "${targets_export_name}"
      RUNTIME DESTINATION "bin"
    )
    sbom_add(TARGET app)
    sbom_finalize()
  Automatic SBOM Generation for your dependencies github.com/tipi-build/cmake-tipi-provider
  Build
  0 码力 | 115 pages | 7.02 MB | 6 months ago | 3
10 Problems Large Companies Have with Managing C++ Dependencies and How to Solve Them
  Difficult to track or report on all dependencies
  Solution 8: Produce a Software Bill of Materials (SBOM)
  • Organize and list 3rd party dependencies as individual, named packages
  • Produce Software Bill of Materials (SBOMs)
  • Two common formats: SPDX and CycloneDX
  A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in or proprietary, free or paid, and the data can be widely available or access-restricted. Source: SBOM FAQ (Cybersecurity and Infrastructure Security Agency)
  Benefits of SBOMs accrue to both software suppliers
  0 码力 | 46 pages | 917.72 KB | 6 months ago | 3
Building Safe and Reliable Surgical Robotics with C++
  • Software Bill of Materials (SBOM)
    o Vulnerability management
    o Compliance and reporting
    o Supply chain transparency
  • Cybersecurity Bill of Materials (CBOM)
    o SBOM + Cybersecurity items
    o Usually interchangeable with SBOM
  www.chpk.medium.com
  Is regulatory compliance enough? Software Development in Medical Devices
  ❖ Standards are generic, high level, no specificity and prescriptiveness
  ❖
  0 码力 | 71 pages | 4.02 MB | 6 months ago | 3
Libraries: A First Step Toward Standard C++ Dependency Management
  modules transition
    ○ Cannot declare dependencies anyway!
  CPS and software bills of materials (SBOM)
  ● SBOM is a hot topic
    ○ Ensuring software transparency
    ○ Managing open-source software and third-party security vulnerabilities
    ○ Complying with legal and regulatory requirements
  ● CPS would enable easier SBOM creation
  Problem: Not in scope for ISO C++ standard
  ● Lots of people don’t understand that
  ●
  0 码力 | 82 pages | 4.21 MB | 6 months ago | 3
openEuler OS Technical Whitepaper Innovation Projects (June, 2023)
  Further, it has excellent capabilities such as RPM software package retrieval, metadata analysis, SBOM and supply chain analysis, and security and compliance risk analysis, providing one-stop access
  0 码力 | 116 pages | 3.16 MB | 1 year ago | 3
5 results in total