This document specifies IMDRF guidance on creating, managing, and sharing Software Bill of Materials (SBOM) for medical devices. It defines minimum SBOM elements, acceptable formats, and lifecycle management approaches necessary for effective cybersecurity management. Manufacturers should develop and maintain accurate SBOMs documenting all software components and dependencies throughout product lifecycle. The document provides the practical foundation for FDA 2023 final guidance SBOM submission requirements and supports implementation of Japan's vulnerability management notification requirements from the Ministry of Health, Labour and Welfare. SBOMs enable manufacturers, regulators, and healthcare organizations to identify and respond rapidly to software vulnerabilities affecting medical devices.

This document provides IMDRF guidance on managing cybersecurity risks in legacy medical devices that are end-of-life (EOL) or difficult to maintain. It clarifies responsibilities and practical mitigation strategies for both manufacturers and healthcare facilities. The document establishes frameworks for EOL management planning, identifying alternative solutions, and making informed risk acceptance decisions. As a complementary document to N60, it addresses the specific challenges posed by legacy systems that cannot be readily updated with security patches or improvements. Manufacturers and healthcare organizations should use this guidance to systematically assess legacy device risks and implement appropriate risk mitigation measures aligned with current cybersecurity standards.