Vigilant Ops Wins Cybersecurity Challenge

SBOM Automation Platform Vigilant Ops Secures $2 Million in Seed Funding from DataTribe

Fulton, MD, USA Jan. 4, 2024 – DataTribe, a global cyber foundry that invests in and co-builds next-generation cybersecurity and data science companies, today announced a $2 million seed investment in Vigilant Ops, a leading automation platform for the generation, maintenance, and authenticated sharing of certified Software Bill of Materials (SBOM).

Vigilant Ops, winner of the 6th annual DataTribe Challenge in November, performs continuous vulnerability monitoring and alerting, security patch notifications, and the ability to upload SBOMs — lists of the software libraries embedded in products — from alternate sources.

“Software security is the next domain in cyber, and government policies are increasingly placing significant development regulations that require software manufacturers to be responsible for the cybersecurity of their products,” said Tony Surak, chief marketing officer for DataTribe. “Vigilant Ops is meeting an urgent market need, automating the production of SBOMs to provide a system of record for software buyers to manage SBOMs and bolster resiliency through identifying and mitigating component vulnerabilities.”

Federal government policymakers and regulators are keenly focused on software security and have highlighted SBOMs’ role in creating a secure and resilient software ecosystem.

In 2021, the Biden Administration’s National Security Strategy and Executive Order 14028 required SBOMs from organizations to secure the components of software products used to manage our nation’s most vital interests. In the past two-plus years, SBOM mandates and guidance have been issued by the Food and Drug Administration (FDA), Federal Energy Regulatory Commission (FERC), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Office of the Director of National Intelligence (ODNI), just to name a few.

Vigilant Ops will use the funding to expand the capabilities of its InSight platform across multiple critical infrastructure industries. Vigilant Ops, which has focused primarily on the healthcare sector, will continue to build a complete inventory of software components recognized by legislation and regulatory requirements to expand into the energy, telecom, manufacturing, information technology, financial services, and communications industries.

Leo Scott, DataTribe CTO, will join the Vigilant Ops Board.

“The DataTribe funding, coupled with its foundry model, will enable us to quickly scale our technology and business development operations to meet the software cybersecurity challenges that threaten our national and economic security,” said Ken Zalevsky, Vigilant Ops CEO. “Securing the products that enable the critical infrastructure every citizen and company rely on daily will help unleash the innovative uses of new technologies and services.”

The most recent release of the InSight Platform now includes automated import of various SBOM formats, supporting industry standards like CycloneDX and SPDX. In addition, the vulnerability dispositioning process now enables justification responses, following prescribed industry standards and mitigation scoring, which can be included in Vulnerability Exploitability eXchange (VEX) reports.

About DataTribe
DataTribe is a startup foundry that invests in and co-builds world-class startups focused on generational leaps in cybersecurity and data science. Founded by leading investors, startup veterans, and alumni of the U.S. intelligence community, DataTribe commits capital, in-kind services, access to an unparalleled network, and decades of professional expertise to give their companies an unfair advantage. DataTribe is headquartered in the Washington-Baltimore metro area in Fulton, Maryland. For more information, visit https://datatribe.com.

About Vigilant Ops

Founded in 2019 by cybersecurity veterans, Vigilant Ops is the leading SBOM management, intelligence, and exchange platform used by regulated organizations that buy and build software. Vigilant Ops simplifies the SBOM journey with real-world experience forged in the most rigorously regulated industries. For more information, visit https://vigilant-ops.com.

For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com

Alicia Bond
Chief Revenue Officer

alicia.bond@vigilant-ops.com
412-704-4585

FDA Issues Premarket Guidance

Recommendations to Address Cybersecurity in Medical Devices

PITTSBURGH, PA, USA, September 27, 2023
The United States Food and Drug Administration (US FDA) issued the final version of their guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – Guidance for Industry and Food and Drug Administration Staff” on September 27, 2023 (referred to as Premarket Guidance or the guidance in this summary). This important guidance document has been revised multiple times over the last several years, starting with the initial release in 2014 through draft releases in both 2018 and 2022.  Given the rash of ransomware attacks in healthcare, and the very real threat to patient safety, the need to strengthen the cybersecurity profile of medical devices has never been greater. With legislative authority to enforce these premarket requirements, as per the recent modifications to the Federal Food, Drug, and Cosmetic Act (FD&C Act), FDA is moving quickly to encourage device makers to adopt the recommendations in this guidance document.

Scope of Guidance

In terms of applicability and the devices covered under the guidance, there are multiple categories referenced. The opening sentence of the Scope section notes that the guidance applies to “devices with cybersecurity considerations” but is not limited to devices that have software or to devices that are network-enabled. It then continues with a reference to section 201(h) of the FD&C Act and states that the guidance is applicable to “all types of devices within the meaning…” of that section of the FD&C Act. This includes biological products and devices for which a premarket submission is not required. Combination products are mentioned, with FDA directing stakeholders to contact the FDA division that will have the lead reviewer of the combination product. IDEs (Investigational Device Exemptions) are covered in detail in Appendix 3 of the guidance.

Software Bill of Materials (SBOM) as a Requirement

The SBOM provides transparency to consumers by detailing the software components included in a medical device. Some liken the SBOM to a list of ingredients on a food label. FDA, and others, have been advocating for the adoption of the SBOM, and the Premarket Guidance refers to SBOMs in several places. To begin with, SBOMs are no longer optional. The guidance notes that “For cyber devices, an SBOM is required (see section 524B(b)(3) of the FD&C Act).”

For the contents of an SBOM, FDA references the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document. In this document, the minimum elements (baseline elements) are listed as:

  • Author Name
  • Timestamp
  • Supplier Name
  • Component name
  • Version string
  • Component hash
  • Unique Identifier
  • Relationship

In addition to the minimum elements, for each component, manufacturers should include (as part of the SBOM or in an addendum):

  • The software level of support provided through monitoring and maintenance from the software component manufacturer (e.g., the software is actively maintained, no longer maintained, abandoned)
  • The software component’s end-of-support date.
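To make the minimum-element list concrete, the following added example (not code from the FDA guidance, the NTIA document, or Vigilant Ops' InSight platform) checks a constructed CycloneDX-style SBOM for each NTIA element and for the support-level and end-of-support addendum. The mapping of each element onto CycloneDX fields (metadata.authors, metadata.timestamp, supplier, hashes, purl/cpe, dependencies) is an assumption made here, and all component, date and addendum values are constructed.

```python
"""Check a CycloneDX-style SBOM against the NTIA minimum elements listed above
and the FDA-recommended support-level / end-of-support addendum.
Added example over a constructed sample; not Vigilant Ops' or InSight's code."""
import json
from datetime import date

# Constructed sample SBOM in CycloneDX JSON layout. 'legacy-rtos' is
# deliberately incomplete and 'zlib' has no addendum entry, so the
# checks have something to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-10-01T12:00:00Z",
        "authors": [{"name": "Example Device Co. Product Security"}],
        "component": {"bom-ref": "dev-1", "name": "example-pump-firmware",
                      "version": "4.2.0"},
    },
    "components": [
        {"bom-ref": "pkg:generic/openssl@3.0.8", "name": "openssl",
         "version": "3.0.8", "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.8",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"bom-ref": "pkg:generic/zlib@1.2.13", "name": "zlib",
         "version": "1.2.13", "supplier": {"name": "zlib contributors"},
         "purl": "pkg:generic/zlib@1.2.13",
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}]},
        {"bom-ref": "legacy-rtos", "name": "legacy-rtos", "version": "1.0"},
    ],
    "dependencies": [
        {"ref": "dev-1", "dependsOn": ["pkg:generic/openssl@3.0.8",
                                       "pkg:generic/zlib@1.2.13"]},
    ],
})

# Constructed addendum keyed by bom-ref; the guidance allows the support
# level and end-of-support date to live outside the SBOM itself.
SAMPLE_ADDENDUM = {
    "pkg:generic/openssl@3.0.8": {"support": "actively maintained",
                                  "end_of_support": "2026-09-07"},
    "legacy-rtos": {"support": "no longer maintained",
                    "end_of_support": "2020-01-01"},
}


def check_sbom(sbom_json, addendum, today=date(2023, 10, 1)):
    """Return a list of findings; an empty list means nothing is missing."""
    bom = json.loads(sbom_json)
    findings = []
    meta = bom.get("metadata", {})
    if not any(a.get("name") for a in meta.get("authors", [])):
        findings.append("document: missing author name")
    if not meta.get("timestamp"):
        findings.append("document: missing timestamp")

    # Relationship element: every component must appear in the dependency graph.
    related = set()
    for dep in bom.get("dependencies", []):
        related.add(dep.get("ref"))
        related.update(dep.get("dependsOn", []))

    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        if not comp.get("name"):
            findings.append(f"{ref}: missing component name")
        if not comp.get("version"):
            findings.append(f"{ref}: missing version string")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not comp.get("hashes"):
            findings.append(f"{ref}: missing component hash")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{ref}: missing unique identifier (purl/cpe)")
        if ref not in related:
            findings.append(f"{ref}: no relationship recorded in dependencies")
        entry = addendum.get(ref)
        if entry is None:
            findings.append(f"{ref}: no support level / end-of-support addendum")
            continue
        eos = date.fromisoformat(entry["end_of_support"])
        if eos < today:
            findings.append(f"{ref}: end of support {eos} has passed "
                            f"({entry['support']})")
    return findings
```

Run against the sample, the openssl entry passes cleanly, zlib is flagged only for the missing addendum, and legacy-rtos is flagged for supplier, hash, identifier, relationship and an end-of-support date that has already passed.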

Vulnerabilities and Monitoring

By continuously monitoring vulnerabilities associated with device components, the current reactive cybersecurity strategies should evolve to be more proactive. The Premarket Guidance references vulnerabilities and states that “As part of the premarket submission, manufacturers should also identify all known vulnerabilities associated with the device and the software components.” In particular:

  • Should include vulnerabilities identified in CISA’s Known Exploited Vulnerabilities Catalog
  • For each vulnerability, manufacturers should describe how the vulnerabilities were discovered to demonstrate whether the assessment methods were sufficiently robust
  • For components with known vulnerabilities, MDMs should provide:
    • A safety and risk assessment of each known vulnerability (including device and system impacts)
    • Details of applicable safety and security risk controls to address the vulnerability

Metrics Required with Submissions

To “demonstrate the effectiveness of a manufacturer’s processes”, FDA recommends the tracking and reporting of specific metrics. The following metrics should be provided in both premarket submissions and PMA annual reports:

  • Percentage of identified vulnerabilities that are updated or patched (defect density)
  • Duration from vulnerability identification to when it is updated or patched
  • Duration from when an update or patch is available to complete implementation in devices deployed in the field, to the extent known
  • Averages of the above measures should be provided if multiple vulnerabilities are identified and addressed. These averages may be provided over multiple time frames based on volume or in response to process or procedure changes to increase efficiencies of these measures over time
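The following added example (not code from the guidance or from Vigilant Ops) computes the three metrics above, and their averages over a chosen time frame, from a constructed vulnerability-handling log; the record layout and the VULN-EX-nnn identifiers are constructed for illustration.

```python
"""Compute the three metrics FDA lists above, plus their averages over a
chosen time frame, from a constructed vulnerability-handling log.
Added example; not code from the guidance or from Vigilant Ops."""
from datetime import date
from statistics import mean

# Constructed records, one per vulnerability handled on a product line.
# 'patched' / 'deployed' are None while work is open or field status is unknown.
RECORDS = [
    {"id": "VULN-EX-001", "identified": date(2023, 1, 10),
     "patched": date(2023, 2, 9), "deployed": date(2023, 3, 1)},
    {"id": "VULN-EX-002", "identified": date(2023, 3, 5),
     "patched": date(2023, 3, 20), "deployed": None},
    {"id": "VULN-EX-003", "identified": date(2023, 6, 1),
     "patched": None, "deployed": None},
    {"id": "VULN-EX-004", "identified": date(2023, 8, 15),
     "patched": date(2023, 9, 4), "deployed": date(2023, 10, 30)},
]


def metrics(records, start=None, end=None):
    """Metrics for vulnerabilities identified in [start, end] (None = unbounded).
    Averages are None when no record in the window qualifies, rather than 0,
    so an empty window is not misreported as a perfect one."""
    window = [r for r in records
              if (start is None or r["identified"] >= start)
              and (end is None or r["identified"] <= end)]
    patched = [r for r in window if r["patched"] is not None]
    fielded = [r for r in patched if r["deployed"] is not None]
    return {
        "identified": len(window),
        "pct_patched": 100.0 * len(patched) / len(window) if window else None,
        "avg_days_identified_to_patched":
            mean((r["patched"] - r["identified"]).days for r in patched)
            if patched else None,
        # Deployment duration only "to the extent known": unknown field
        # status is excluded from the average rather than guessed.
        "avg_days_patch_to_fielded":
            mean((r["deployed"] - r["patched"]).days for r in fielded)
            if fielded else None,
        "fielded_status_known": len(fielded),
    }
```

Calling `metrics(RECORDS)` gives the all-time figures, while `metrics(RECORDS, date(2023, 1, 1), date(2023, 6, 30))` gives the first-half figures, which is how the guidance's "multiple time frames" can be reported from one log.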

Cybersecurity Management Plan

Cybersecurity is impactful throughout a device’s lifecycle, and FDA recommends that manufacturers “establish a plan for how they will identify and communicate to users vulnerabilities that are identified after releasing the device in accordance with 21 CFR 820.100”. Manufacturers should note that FDA recommends that this plan be part of the manufacturer’s premarket submissions so that “FDA can assess whether the manufacturer has sufficiently addressed how to maintain the safety and effectiveness of the device after marketing authorization is achieved.”

Cybersecurity management plans should include:

  • Personnel responsible
  • Sources, methods, and frequency for monitoring and identifying vulnerabilities
  • Identification and remediation of vulnerabilities listed in the CISA Known Exploited Vulnerabilities Catalog
  • Periodic security testing
  • Timeline to develop and release patches
  • Update processes
  • Patching capability
  • Description of their coordinated vulnerability disclosure process
  • Description of how the manufacturer intends to communicate forthcoming updates and patches

Labeling

The Premarket Guidance references device labeling as an important consideration and a way to communicate cyber risk effectively to end users. This is an important consideration for manufacturers as they begin to integrate cybersecurity processes into their existing risk frameworks. Here are a few important references in the guidance that should be considered:

  • “FDA believes that the cybersecurity information discussed in this guidance is important for the safe and effective use of devices and should be included in device labeling”
  • “Under section 502(a)(1) of the FD&C Act, a medical device is deemed misbranded if its labeling is false or misleading in any particular.”
  • “The device manufacturer should also provide users with whatever information they may need in the device labeling to allow them to manage risks associated with the software components, including known vulnerabilities, configuration specifications, and other relevant security and risk management considerations.”
  • “SBOMs can also be an important tool for transparency with users of potential risks as part of labeling”

Summary

This long-awaited guidance from FDA provides a reference for medical device manufacturers as they continue along their cybersecurity journey. Depending on where you are in this journey some parts of this guidance will be more applicable immediately while others will be future implementations. In any case, there is much more content in the 48-page guidance which you can find here.

Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.

Vigilant Ops Distills New SBOM Mandates and Challenges as Medical Device Manufacturers Face Aggressive 90 Day Compliance Deadline

PITTSBURGH, PA, USA, January 5, 2023/EINPresswire.com/
On December 29, 2022, United States President Joe Biden signed into law the $1.7 trillion federal government spending package, officially avoiding a government shutdown. “What this means for the Medical Device Manufacturer community is that FDA now has legal authority to require specific cybersecurity related documentation starting 90 days from the signing of the bill. By (or before) the end of March 2023, they must be prepared to submit specific documentation,” said Ken Zalevsky, CEO at Vigilant Ops. Specific documents include:

  • Software Bill of Materials including commercial, open-source, and off-the-shelf software components
  • Vulnerability monitoring plans addressing postmarket cybersecurity vulnerabilities and exploits
  • Postmarket cybersecurity updates and patches periodically and on-demand

A particularly burdensome requirement for medical device manufacturers is the secure maintenance and monitoring of devices at customer sites. The continuous monitoring of vulnerabilities and the need to respond with security patches on a “…reasonably justified regular cycle…” and “…as soon as possible out of cycle…” means that informal, manual solutions will not be sufficient to meet the letter of the law.

Vigilant Ops has been at the forefront of these looming requirements, offering a cost-effective solution immediately available to medical device manufacturers of all sizes. “We founded Vigilant Ops with the healthcare industry in mind and have leveraged our collective global medtech experience to develop the InSight Platform, the leading SBOM generation, management, and vulnerability monitoring tool on the market today,” said Zalevsky. “Our InSight Platform is already being utilized at some of the world’s largest medical device manufacturers, and we are continuing our intense focus on solution development and innovation as the SBOM ecosystem continually evolves.”

Vigilant Ops has closely monitored the US Food and Drug Administration lobbying efforts focused on similar requirements since their initial draft of “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” issued on October 18, 2018.  We have followed the progression of FDA requirements to ensure that Vigilant Ops cybersecurity solutions meet or exceed the expected standards. As far back as September 2021, we reviewed FDA’s request for legislative authority to enforce the requirement of a Software Bill of Materials and vulnerability monitoring plan.

Securing the Software Supply Chain

In addition to SBOM generation, continuous vulnerability monitoring, and sophisticated SBOM management, the InSight Platform leverages natural language processing techniques and patent-pending machine learning algorithms to efficiently and effectively find vulnerabilities associated with device components, eliminating false positives, and making an impossible task reliable, scalable, and automatic.

In Summary

The US government has long been concerned with the improvement of the nation’s cybersecurity posture, and this recently passed legislation is the culmination of years of effort and various legislative and guidance documents including the Presidential Executive Order 14028, released in May 2021.  In response to the continuing threats and attacks in healthcare, the bill details the new legal requirements that must be met by all medical device manufacturers to ensure the cybersecurity of their products.  Medical device manufacturers still trying to manage the effort in-house will end up having to divert an enormous quantity of resources to the issue, possibly slowing innovation and product development. The passage of this bill into law, however, will precipitate a sea change in the cybersecurity posture of medical device manufacturers. Complying with the law might be the immediate concern but lacking the ability to deliver on required cybersecurity mandates will quickly lead to further speculation from customers and lost opportunities and revenue.

Press release on EINPressWire can be found here.

Prioritizing Cybersecurity in Supply Chain Operations

It’s a rare day if you don’t see a headline about a data breach or ransomware crippling a business or the supply chain. Websites are defaced, personal and financial information stolen, and even medical information is at risk for theft and improper sharing. Software once thought secure is now at risk more than ever as malicious insiders and state sponsored hacking have taken the forefront of electronic espionage and harmful data dumps. It’s become so prevalent the US government is working with Microsoft and Google to secure free software. To secure financial and confidential contract information, the US government is also enacting new standards that will cost federal suppliers and their secondary suppliers millions of dollars to implement.

The threats are that bad and are getting worse. In 2020, the number of reported spam phishing attacks was at 1.5 million. In 2021, there were over 10 million, a +573% growth, and this number is expected to increase. It’s no wonder that cybersecurity personnel are in such high demand. So much so that colleges and universities are tailoring their cybersecurity degree curriculums to simulate the latest security threats. Using virtual labs, those training to be on the front line in infrastructure security are able to get real world experience. This focus on training is clearly working as the field is expected to grow more than 30% in the next decade. For companies who work in the supply chain this increase can’t come soon enough.

Why Invest in Supply Chain Cybersecurity?

Investing in good cybersecurity practices prevents headaches down the line and is great for customer confidence, but knowing what to safeguard is a must. Focusing on supply chain security lessens the possibility of external attacks through supplier portals, supplier fraud, and data leaks. If you have employees that work from home, chances are their home network is not as secure as your commercial one. Electronic criminals have increasingly targeted home office workers since the pandemic because of the lighter consumer security used. With social engineering and phishing attacks on the rise, cybersecurity education is a solid investment, especially for contingent workers. Supplier fraud, or vendor fraud, is another risk a cybersecurity program mitigates. If supplier gateways aren’t secure, or if the supplier has weak cybersecurity practices, your company risks being attacked through the connection to the supplier’s systems. Once a malicious actor has access to your systems, your data is at risk if file protections and access control are not a priority.

How to prioritize cybersecurity in supply chain operations

So, how do you implement supply chain security? A major program of your information security plan should be training and education. Implement phishing tests for your employees that evaluate their ability to recognize suspicious emails and social engineering calls. Your employees are your first line of defense against these types of threats; invest in them. Make sure insider threat is a part of this training and give examples of malicious behavior. Conduct background checks on employees that have access to sensitive or proprietary information, and make sure that they only have access to the information they need to do their jobs. Access control is central to good cybersecurity hygiene; if employees don’t have a business reason to access information, they shouldn’t be able to get to it. VPNs and end-to-end encryption will provide an added layer of security for those working remotely. Add two-factor authentication to that to harden your systems even more.

Prioritize supply chain security holes

Another thing you need to know is where the holes are in your security fabric: where are the vulnerabilities and what is affected? In our article on using a software bill of materials, we outline a way of finding vulnerabilities and automating the search in your deployed devices. Third party vendors may not be timely in their notifications of vulnerabilities, and this is one way to mitigate that threat. Keep suppliers sequestered to only the data they need to conduct business. Suppliers should never have access to your internal data, and if they can’t get to it, they can’t leak it.

In today’s digital centric society the supply chain needs to be a top cybersecurity priority. To not do so will cause mass disruption to companies and their customers.

Submitted by Danielle Gregory for vigilant-ops.com

Vigilant Ops Announces Partnership with BeanStock Ventures

Vigilant Ops, an innovator in medical device cybersecurity and developer of the Software Bill of Materials (SBOM) automation platform InSight, announced a partnership with BeanStock Ventures of San Diego, California.

BeanStock Ventures is a medical device software product development organization with regulatory expertise. It is one of only nine FDA-Recognized 510(k) Third Party Review Organizations (3P510K), enabling the fast-track of medical devices for 510(k) clearance, which is a premarket submission made to FDA to demonstrate medical device safety and effectiveness. BeanStock’s designation provides medical device manufacturers with an alternative review process which can significantly reduce the average FDA wait time.

“Partnering with BeanStock Ventures enables one-stop shopping for medical device manufacturers looking for both pre and post market regulatory compliance support,” said Ken Zalevsky, CEO at Vigilant Ops. “Our InSight Platform automates the generation of the device Software Bill of Materials (SBOM) and the documentation to submit with the 510(k) application to FDA. Our InSight Platform also provides continuous monitoring and maintenance of the SBOM, enabling medical device manufacturers to adhere to FDA postmarket surveillance requirements.”

“BeanStock Venture’s Software Product Development expertise allows us to approach execution strategically with our regulatory and product development expertise infused. Our team holds expertise in working with legacy software and creating new software to ensure a product platform can be built for cybersecurity,” said Shawnnah Monterrey, CEO at BeanStock Ventures.

The Vigilant Ops InSight Platform uses various techniques to interrogate medical devices and automatically generate SBOMs, which are then continuously monitored and updated. By leveraging natural language processing techniques and patented machine learning algorithms, vulnerabilities associated with device components are found and communicated in near real-time.

Press release on EINPressWire can be found here.

For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com

Matt Lentine
matt.lentine@vigilant-ops.com
412-704-4602

Using SBOM to Identify Vulnerabilities and Impacted Devices

Last week, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) issued an advisory about critical vulnerabilities in embedded software that open the door to possible security breaches. No breaches have been reported to date, but the potential impact spans multiple industries, including healthcare. This short summary discusses how SBOM can help manufacturers respond and take action.

SBOM Can Help with Vulnerability Discovery

The Software Bill of Materials (SBOM) has been getting a lot of publicity as of late, and it is a critical piece of the cybersecurity puzzle. Generating an SBOM for a specific device is the first step in deployment. Next, those discovered components in the SBOM must be researched and all associated vulnerabilities found. This process of discovery must be continuous so that the SBOM remains updated and evergreen. One of the benefits of a continuously maintained SBOM is the ability to find newly released vulnerabilities more quickly, such as CVE-2021-31886 relating to this current vulnerability in embedded software.

SBOM Can Help Identify Impacted Devices

Organizations with the ability to generate SBOMs for their fielded products have a decided advantage because they can immediately identify impacted systems and deploy critical security patches targeted at only those systems that are impacted. This saves a tremendous amount of time spent sifting through customer records or calling customers trying to determine fielded system profiles.

SBOM Automation is Effective and Efficient

While SBOM is a critical security document, organizations should not make the common mistake of assuming the effort involved to generate and maintain it is similar to that for existing security documentation, such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2). The SBOM is much more involved, and if the manufacturer is responsible for multiple versions of multiple systems, the effort involved to generate and maintain SBOMs could easily require a full-time engineering resource, or substantial effort from several resources. Small manufacturers simply can’t afford it, while larger manufacturers are discovering that the opportunity cost of dedicating development resources to a maintenance task is just too high.

Summary

If you have not started to dig into the SBOM yet, you should.  You can start with a search on SBOM or Executive Order 14028 or National Telecommunications and Information Administration (NTIA) Software Transparency. There are lots of great resources and good information is readily available.

If you have started down the SBOM path and are concluding that your effort won’t scale, check out automated SBOM solutions. Be on the lookout for SBOM generation functionality and continuous vulnerability monitoring. Automated alerts and sharing with authorized end users are also helpful features.