Vigilant Ops Wins Cybersecurity Challenge

Category

Press Releases

SBOM Automation Platform Vigilant Ops Secures $2 Million in Seed Funding from DataTribe

Fulton, MD, USA Jan. 4, 2024 – DataTribe, a global cyber foundry that invests in and co-builds next-generation cybersecurity and data science companies, today announced a $2 million seed investment in Vigilant Ops, a leading automation platform for the generation, maintenance, and authenticated sharing of certified Software Bill of Materials (SBOM).

Vigilant Ops, winner of the 6th annual DataTribe Challenge in November, performs continuous vulnerability monitoring and alerting, security patch notifications, and the ability to upload SBOMs — lists of the software libraries embedded in products — from alternate sources.

“Software security is the next domain in cyber, and government policies are increasingly placing significant development regulations that require software manufacturers to be responsible for the cybersecurity of their products,” said Tony Surak, chief marketing officer for DataTribe. “Vigilant Ops is meeting an urgent market need, automating the production of SBOMs to provide a system of record for software buyers to manage SBOMs and bolster resiliency through identifying and mitigating component vulnerabilities.”

Federal government policymakers and regulators are keenly focused on software security and have highlighted SBOMs’ role in creating a secure and resilient software ecosystem.

In 2021, the Biden Administration’s National Security Strategy and Executive Order 14028 required SBOMs from organizations to secure the components of software products used to manage our nation’s most vital interests. In the past two-plus years, SBOM mandates and guidance have been issued by the Federal Drug Administration (FDA), Federal Energy Regulatory Commission (FERC), Cybersecurity Infrastructure Security Agency (CISA), National Security Agency (NSA), and Office of the Director of National Intelligence (ODNI), just to name a few.

Vigilant Ops will use the funding to expand the capabilities of its InSight platform across multiple critical infrastructure industries. Vigilant Ops, which has focused primarily on the healthcare sector, will continue to build a complete inventory of software components recognized by legislation and regulatory requirements to expand into the energy, telecom, manufacturing, information technology, financial services, and communications industries.

Leo Scott, DataTribe CTO, will join the Vigilant Ops Board.

“The DataTribe funding, coupled with its foundry model, will enable us to quickly scale our technology and business development operations to meet the software cybersecurity challenges that threaten our national and economic security,” said Ken Zalevsky, Vigilant Ops CEO. “Securing the products that enable the critical infrastructure every citizen and company relies on daily will help unleash the innovative uses of new technologies and services.”

The most recent release of the InSight Platform now includes automated import of various SBOM formats, supporting industry standards like CycloneDX and SPDX. In addition, the vulnerability dispositioning process now enables justification responses, following prescribed industry standards and mitigation scoring, which can be included in Vulnerability Exploitability eXchange (VEX) reports.

About DataTribe

DataTribe is a startup foundry that invests in and co-builds world-class startups focused on generational leaps in cybersecurity and data science. Founded by leading investors, startup veterans, and alumni of the U.S. intelligence community, DataTribe commits capital, in-kind services, access to an unparalleled network, and decades of professional expertise to give their companies an unfair advantage. DataTribe is headquartered in the Washington-Baltimore metro area in Fulton, Maryland. For more information, visit https://datatribe.com.

About Vigilant Ops

Founded in 2019 by cybersecurity veterans, Vigilant Ops is the leading SBOM management, intelligence, and exchange platform used by regulated organizations that buy and build software. Vigilant Ops simplifies the SBOM journey with real-world experience forged in the most rigorously regulated industries. For more information, visit https://vigilant-ops.com.

For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com

Alicia Bond
Chief Revenue Officer

alicia.bond@vigilant-ops.com
412-704-4585

FDA Issues Premarket Guidance

Recommendations to Address Cybersecurity in Medical Devices

PITTSBURGH, PA, USA, September 27, 2023
The United States Food and Drug Administration (US FDA) issued the final version of their guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – Guidance for Industry and Food and Drug Administration Staff” on September 27, 2023 (referred to as Premarket Guidance or the guidance in this summary). This important guidance document has been revised multiple times over the last several years, starting with the initial release in 2014 through draft releases in both 2018 and 2022. Given the rash of ransomware attacks in healthcare, and the very real threat to patient safety, the need to strengthen the cybersecurity profile of medical devices has never been greater. With legislative authority to enforce these premarket requirements, as per the recent modifications to the Federal Food, Drug, and Cosmetic Act (FD&C Act), FDA is moving quickly to encourage device makers to adopt the recommendations in this guidance document.

Scope of Guidance

In terms of applicability and the devices covered under the guidance, there are multiple categories referenced. The opening sentence of the Scope section notes that the guidance applies to “devices with cybersecurity considerations” but is not limited to devices that have software or to devices that are network-enabled. It then continues with a reference to section 201(h) of the FD&C Act and states that the guidance is applicable to “all types of devices within the meaning…” of that section of the FD&C Act. This includes biological products and devices for which a premarket submission is not required. Combination products are mentioned, with FDA directing stakeholders to contact the FDA division that will have the lead reviewer of the combination product. Investigational Device Exemptions (IDE) are covered in detail in Appendix 3 of the guidance.

Software Bill of Materials (SBOM) as a Requirement

The SBOM provides transparency to consumers by detailing the software components included in a medical device. Some liken the SBOM to a list of ingredients on a food label. FDA, and others, have been advocating for the adoption of the SBOM, and the Premarket Guidance refers to SBOMs in several places. To begin with, SBOMs are no longer optional. The guidance notes that “For cyber devices, an SBOM is required (see section 524B(b)(3) of the FD&C Act).”

For the contents of an SBOM, FDA references the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document. In this document, the minimum elements (baseline elements) are listed as:

  • Author Name
  • Timestamp
  • Supplier Name
  • Component name
  • Version string
  • Component hash
  • Unique Identifier
  • Relationship

In addition to the minimum elements, for each component, manufacturers should include (as part of the SBOM or in an addendum):

  • The software level of support provided through monitoring and maintenance from the software component manufacturer (e.g., the software is actively maintained, no longer maintained, abandoned)
  • The software component’s end-of-support date.
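As an added example (not code from Vigilant Ops, FDA, or NTIA), the check below takes an SBOM in CycloneDX JSON form, which the guidance-referenced minimum elements map onto, and reports which baseline elements are missing for the document and for each component, then applies the support-level and end-of-support addendum. The mapping of NTIA elements onto CycloneDX field names is this example's own assumption, and the addendum property names (`example:support-level`, `example:end-of-support`) are hypothetical, since CycloneDX has no standard field for them; the sample SBOM is constructed.

```python
"""Check a CycloneDX JSON SBOM for the NTIA baseline elements and the
FDA-recommended support-level addendum.

Added example, not Vigilant Ops, FDA or NTIA code. Field mapping and the
addendum property names are this example's assumptions.
"""
import json
from datetime import date
from typing import List, Optional

# Support levels named in the guidance's addendum recommendation.
SUPPORT_LEVELS = {"actively maintained", "no longer maintained", "abandoned"}


def _property(component: dict, name: str) -> Optional[str]:
    """Look up a name/value property on a CycloneDX component."""
    for prop in component.get("properties", []):
        if prop.get("name") == name:
            return prop.get("value")
    return None


def check_sbom(doc: dict, as_of: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means every baseline element
    is present for the document and for each component. If as_of (an ISO
    date string) is given, components past their end-of-support are flagged."""
    findings = []
    meta = doc.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("document: missing Timestamp (metadata.timestamp)")
    if not any(a.get("name") for a in meta.get("authors", [])):
        findings.append("document: missing Author Name (metadata.authors)")

    # Relationship: collect every bom-ref that appears in the dependency graph.
    related = set()
    for dep in doc.get("dependencies", []):
        related.add(dep.get("ref"))
        related.update(dep.get("dependsOn", []))

    cutoff = date.fromisoformat(as_of) if as_of else None
    for comp in doc.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing Supplier Name")
        if not comp.get("name"):
            findings.append(f"{ref}: missing Component name")
        if not comp.get("version"):
            findings.append(f"{ref}: missing Version string")
        if not comp.get("hashes"):
            findings.append(f"{ref}: missing Component hash")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("bom-ref")):
            findings.append(f"{ref}: missing Unique Identifier")
        if comp.get("bom-ref") not in related:
            findings.append(f"{ref}: no Relationship recorded in dependencies")
        # Addendum: support level and end-of-support date (hypothetical property names).
        level = _property(comp, "example:support-level")
        if level not in SUPPORT_LEVELS:
            findings.append(f"{ref}: support level missing or unrecognised ({level!r})")
        eos = _property(comp, "example:end-of-support")
        if eos is None:
            findings.append(f"{ref}: missing end-of-support date")
        elif cutoff and date.fromisoformat(eos) < cutoff:
            findings.append(f"{ref}: past end of support ({eos})")
    return findings


# Constructed sample: one complete component and one with gaps.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2023-10-02T09:00:00Z",
    "authors": [{"name": "Example Device Co. product security"}],
    "component": {"bom-ref": "device-fw", "type": "firmware",
                  "name": "example-pump-firmware", "version": "4.2.0"}
  },
  "components": [
    {"bom-ref": "pkg:generic/tls-lib@3.1.4", "type": "library",
     "name": "tls-lib", "version": "3.1.4",
     "supplier": {"name": "Example Crypto Inc."},
     "hashes": [{"alg": "SHA-256", "content": "constructed-sha256-placeholder"}],
     "purl": "pkg:generic/tls-lib@3.1.4",
     "properties": [{"name": "example:support-level", "value": "no longer maintained"},
                    {"name": "example:end-of-support", "value": "2023-09-30"}]},
    {"bom-ref": "pkg:generic/log-util@2.0.1", "type": "library",
     "name": "log-util", "version": "2.0.1",
     "supplier": {"name": "Example Logging LLC"},
     "purl": "pkg:generic/log-util@2.0.1"}
  ],
  "dependencies": [
    {"ref": "device-fw", "dependsOn": ["pkg:generic/tls-lib@3.1.4"]}
  ]
}
""")

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, as_of="2024-01-01"):
        print(finding)
```

Run against the sample, the complete component passes the baseline checks but is reported as past end of support when an `as_of` date is supplied, and the second component is reported for the missing hash, the missing relationship entry, and both addendum elements; a manufacturer can run the same check over an SBOM imported from a supplier before relying on it.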

Vulnerabilities and Monitoring

By continuously monitoring vulnerabilities associated with device components, the current reactive cybersecurity strategies should evolve to be more proactive. The Premarket Guidance references vulnerabilities and states that “As part of the premarket submission, manufacturers should also identify all known vulnerabilities associated with the device and the software components.”

  • Should include vulnerabilities identified in CISA’s Known Exploited Vulnerabilities Catalog
  • For each vulnerability, manufacturers should describe how the vulnerabilities were discovered to demonstrate whether the assessment methods were sufficiently robust
  • For components with known vulnerabilities, MDMs should provide:
    • A safety and risk assessment of each known vulnerability (including device and system impacts)
    • Details of applicable safety and security risk controls to address the vulnerability

Metrics Required with Submissions

To “demonstrate the effectiveness of a manufacturer’s processes”, FDA recommends the tracking and reporting of specific metrics. The following metrics should be provided in both premarket submissions and PMA annual reports:

  • Percentage of identified vulnerabilities that are updated or patched (defect density)
  • Duration from vulnerability identification to when it is updated or patched
  • Duration from when an update or patch is available to complete implementation in devices deployed in the field, to the extent known
  • Averages of the above measures should be provided if multiple vulnerabilities are identified and addressed. These averages may be provided over multiple time frames based on volume or in response to process or procedure changes to increase efficiencies of these measures over time
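The three metrics above are straightforward to compute once each vulnerability's identification, patch-availability and field-deployment dates are recorded. The following added example (not Vigilant Ops code) computes them over a constructed set of vulnerability records, treating an unknown field-deployment date as "not known" rather than as zero, and also produces the per-time-frame averages by grouping records by the quarter in which the vulnerability was identified. Record fields and period keys are this example's own choices.

```python
"""Compute the FDA-recommended vulnerability handling metrics over a set of
vulnerability records. Added example, not Vigilant Ops code; the record
layout and the quarterly grouping are this example's assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    vuln_id: str
    identified: date                    # when the vulnerability was identified
    patch_available: Optional[date]     # when an update or patch was available (None = not yet)
    fielded: Optional[date]             # when deployed devices were updated (None = not known)


def metrics(records: List[VulnRecord]) -> Dict[str, object]:
    """Return the three guidance metrics for a set of records.

    percent_patched: share of identified vulnerabilities with a patch
    mean_days_identify_to_patch: identification -> patch available
    mean_days_patch_to_field: patch available -> deployed devices updated,
        averaged only over records where the field date is known
    """
    patched = [r for r in records if r.patch_available is not None]
    pct = 100.0 * len(patched) / len(records) if records else 0.0
    id_to_patch = [(r.patch_available - r.identified).days for r in patched]
    patch_to_field = [
        (r.fielded - r.patch_available).days for r in patched if r.fielded is not None
    ]
    return {
        "count": len(records),
        "percent_patched": round(pct, 1),
        "mean_days_identify_to_patch": round(mean(id_to_patch), 1) if id_to_patch else None,
        "mean_days_patch_to_field": round(mean(patch_to_field), 1) if patch_to_field else None,
        "field_duration_known_for": len(patch_to_field),
    }


def metrics_by_period(records: List[VulnRecord]) -> Dict[str, Dict[str, object]]:
    """Group records by the calendar quarter of identification and compute the
    metrics per quarter, so a process change can be compared across time frames."""
    groups = defaultdict(list)
    for r in records:
        quarter = (r.identified.month - 1) // 3 + 1
        groups[f"{r.identified.year}-Q{quarter}"].append(r)
    return {period: metrics(rs) for period, rs in sorted(groups.items())}


# Constructed sample records (dates and identifiers are made up).
SAMPLE_RECORDS = [
    VulnRecord("VULN-0001", date(2023, 1, 10), date(2023, 2, 9), date(2023, 3, 11)),
    VulnRecord("VULN-0002", date(2023, 2, 1), date(2023, 2, 21), None),   # field date not known
    VulnRecord("VULN-0003", date(2023, 4, 5), None, None),                 # no patch yet
    VulnRecord("VULN-0004", date(2023, 5, 15), date(2023, 6, 4), date(2023, 7, 14)),
    VulnRecord("VULN-0005", date(2023, 6, 20), date(2023, 7, 20), date(2023, 8, 19)),
]

if __name__ == "__main__":
    print("overall:", metrics(SAMPLE_RECORDS))
    for period, m in metrics_by_period(SAMPLE_RECORDS).items():
        print(period, m)
```

Reporting `field_duration_known_for` alongside the average makes the "to the extent known" caveat explicit in the submission rather than silently shrinking the denominator.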

Cybersecurity Management Plan

Cybersecurity is impactful throughout a device’s lifecycle, and FDA recommends that manufacturers “establish a plan for how they will identify and communicate to users vulnerabilities that are identified after releasing the device in accordance with 21 CFR 820.100”. Manufacturers should note that FDA recommends that this plan be part of the manufacturer’s premarket submissions so that “FDA can assess whether the manufacturer has sufficiently addressed how to maintain the safety and effectiveness of the device after marketing authorization is achieved.”

Cybersecurity management plans should include:

  • Personnel responsible
  • Sources, methods, and frequency for monitoring and identifying vulnerabilities
  • Identification and remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog
  • Periodic security testing
  • Timeline to develop and release patches
  • Update processes
  • Patching capability
  • Description of their coordinated vulnerability disclosure process
  • Description of how the manufacturer intends to communicate forthcoming updates and patches

Labeling

The Premarket Guidance references device labeling as an important consideration and a way to communicate cyber risk effectively to end users. This is an important consideration for manufacturers as they begin to integrate cybersecurity processes into their existing risk frameworks. Here are a few important references in the guidance that should be considered:

  • “FDA believes that the cybersecurity information discussed in this guidance is important for the safe and effective use of devices and should be included in device labeling”
  • “Under section 502(a)(1) of the FD&C Act, a medical device is deemed misbranded if its labeling is false or misleading in any particular.”
  • “The device manufacturer should also provide users with whatever information they may need in the device labeling to allow them to manage risks associated with the software components, including known vulnerabilities, configuration specifications, and other relevant security and risk management considerations.”
  • “SBOMs can also be an important tool for transparency with users of potential risks as part of labeling”

Summary

This long-awaited guidance from FDA provides a reference for medical device manufacturers as they continue along their cybersecurity journey. Depending on where you are in this journey some parts of this guidance will be more applicable immediately while others will be future implementations. In any case, there is much more content in the 48-page guidance which you can find here.

Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.


Vigilant Ops Distills New SBOM Mandates and Challenges as Medical Device Manufacturers Face Aggressive 90 Day Compliance Deadline

PITTSBURGH, PA, USA, January 5, 2023/EINPresswire.com/
On December 29, 2022, United States President Joe Biden signed into law the $1.7 trillion federal government spending package, officially avoiding a government shutdown. “What this means for the Medical Device Manufacturer community is that FDA now has legal authority to require specific cybersecurity related documentation starting 90 days from the signing of the bill. By (or before) the end of March 2023, they must be prepared to submit specific documentation,” said Ken Zalevsky, CEO at Vigilant Ops. Specific documents include:

  • Software Bill of Materials including commercial, open-source, and off-the-shelf software components
  • Vulnerability monitoring plans addressing postmarket cybersecurity vulnerabilities and exploits
  • Postmarket cybersecurity updates and patches periodically and on-demand

A particularly burdensome requirement for medical device manufacturers is the secure maintenance and monitoring of devices at customer sites. The continuous monitoring of vulnerabilities and the need to respond with security patches on a “…reasonably justified regular cycle…” and “…as soon as possible out of cycle…” means that informal, manual solutions will not be sufficient to meet the letter of the law.

Vigilant Ops has been at the forefront of these looming requirements, offering a cost-effective solution immediately available to medical device manufacturers of all sizes. “We founded Vigilant Ops with the healthcare industry in mind and have leveraged our collective global medtech experience to develop the InSight Platform, the leading SBOM generation, management, and vulnerability monitoring tool on the market today,” said Zalevsky. “Our InSight Platform is already being utilized at some of the world’s largest medical device manufacturers, and we are continuing our intense focus on solution development and innovation as the SBOM ecosystem continually evolves.”

Vigilant Ops has closely monitored the US Food and Drug Administration lobbying efforts focused on similar requirements since their initial draft of “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” issued on October 18, 2018. We have followed the progression of FDA requirements to ensure that Vigilant Ops cybersecurity solutions meet or exceed the expected standards. As far back as September 2021, we reviewed FDA’s request for legislative authority to enforce the requirement of a Software Bill of Materials and vulnerability monitoring plan.

Securing the Software Supply Chain

In addition to SBOM generation, continuous vulnerability monitoring, and sophisticated SBOM management, the InSight Platform leverages natural language processing techniques and patent-pending machine learning algorithms to efficiently and effectively find vulnerabilities associated with device components, eliminating false positives, and making an impossible task reliable, scalable, and automatic.

In Summary

The US government has long been concerned with the improvement of the nation’s cybersecurity posture, and this recently passed legislation is the culmination of years of effort and various legislative and guidance documents including the Presidential Executive Order 14028, released in May 2021. In response to the continuing threats and attacks in healthcare, the bill details the new legal requirements that must be met by all medical device manufacturers to ensure the cybersecurity of their products. Medical device manufacturers still trying to manage the effort in-house will end up having to divert an enormous quantity of resources to the issue, possibly slowing innovation and product development. The passage of this bill into law, however, will precipitate a sea change in the cybersecurity posture of medical device manufacturers. Complying with the law might be the immediate concern, but lacking the ability to deliver on required cybersecurity mandates will quickly lead to further speculation from customers and lost opportunities and revenue.

Press release on EINPressWire can be found here.



Vigilant Ops Announces Partnership with BeanStock Ventures

Vigilant Ops, an innovator in medical device cybersecurity and developer of the Software Bill of Materials (SBOM) automation platform InSight, announced a partnership with BeanStock Ventures of San Diego, California.

BeanStock Ventures is a medical device software product development organization with regulatory expertise. It is one of only nine FDA-Recognized 510(k) Third Party Review Organizations (3P510K), enabling the fast-track of medical devices for 510(k) clearance, which is a premarket submission made to FDA to demonstrate medical device safety and effectiveness. BeanStock’s designation provides medical device manufacturers with an alternative review process which can significantly reduce the average FDA wait time.

“Partnering with BeanStock Ventures enables one-stop shopping for medical device manufacturers looking for both pre and post market regulatory compliance support,” said Ken Zalevsky, CEO at Vigilant Ops. “Our InSight Platform automates the generation of the device Software Bill of Materials (SBOM) and the documentation to submit with the 510(k) application to FDA. Our InSight Platform also provides continuous monitoring and maintenance of the SBOM, enabling medical device manufacturers to adhere to FDA postmarket surveillance requirements.”

“BeanStock Venture’s Software Product Development expertise allows us to approach execution strategically with our regulatory and product development expertise infused. Our team holds expertise in working with legacy software and creating new software to ensure a product platform can be built for cybersecurity,” said Shawnnah Monterrey, CEO at BeanStock Ventures.

The Vigilant Ops InSight Platform uses various techniques to interrogate medical devices and automatically generate SBOMs, which are then continuously monitored and updated. By leveraging natural language processing techniques and patented machine learning algorithms, vulnerabilities associated with device components are found and communicated in near real-time.

Press release on EINPressWire can be found here.


For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com

Matt Lentine
matt.lentine@vigilant-ops.com
412-704-4602

Vigilant Ops Announces Availability of InSight Platform V1 for HDOs


Healthcare Delivery Organizations Gain Visibility into Risk Profile of Deployed Medical Devices. Today, Vigilant Ops, an innovator in medical device cybersecurity, announced the immediate availability of InSight Platform V1 for Healthcare Delivery Organizations, providing HDOs with an automated solution for monitoring the health of their deployed medical devices. The InSight Platform V1 for Medical Device Manufacturers (MDMs) was released on May 11 and provided MDMs an automated solution for generating and maintaining device software bills of materials (SBOMs). With the release of the HDO functionality, these generated SBOMs can be shared with authorized HDOs directly and securely through the platform.

“The Vigilant Ops InSight Platform V1 is the only solution of its kind that brings together both the producer and the consumer of the SBOM on the same platform,” said Ken Zalevsky, CEO at Vigilant Ops and former Head of Medical Device Cybersecurity at Bayer. “Medical device manufacturers generate device SBOMs, and via secure connection, share them with authorized HDOs through the InSight Platform.”

The InSight Platform uses advanced techniques to interrogate medical devices and automatically generate bills of materials. Using artificial intelligence and machine learning, the InSight Platform continuously monitors for vulnerabilities in discovered device components. This enables HDOs and MDMs to gain visibility into the risk profile of medical devices and respond proactively to the latest discovered threats.



Vigilant Ops Announces Availability of InSight Platform V1


On May 11, 2020, Vigilant Ops, an innovator in medical device cybersecurity, announced the immediate availability of InSight Platform V1, enabling medical device manufacturers to begin automatically generating, updating, and monitoring device software bills of materials (SBOMs). FDA’s draft version of their premarket guidance refers to these as CBOMs (Cybersecurity Bill of Materials) [1], given the original desire to include hardware components in device bills of materials. Since the original draft guidance, FDA and others have begun referring to the documents as SBOMs (Software Bill of Materials) and eliminating the hardware component inclusion. Vigilant Ops will also refer to these device software bills of materials as SBOMs.

“The Vigilant Ops InSight Platform V1 is a game-changer in medical device cybersecurity,” said Ken Zalevsky, CEO at Vigilant Ops and former Head of Medical Device Cybersecurity at Bayer. “Medical device manufacturers are under extreme pressure from customers, prospects, and regulatory bodies to prove the safety and security of their devices. SBOMs are an industry-accepted solution but are very labor-intensive to generate and require continuous monitoring and maintenance. The InSight Platform eliminates this manual generation effort, while providing real-time monitoring of various public vulnerability sources and continuous maintenance of device bills of materials.”

The InSight Platform uses advanced techniques to interrogate medical devices and automatically generate SBOMs. Using artificial intelligence and machine learning, the InSight Platform continuously monitors for vulnerabilities in discovered device components, enabling device manufacturers to respond proactively to the latest discovered threats.



  1. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. FDA. Published online October 2018.