
FDA requirements for SBOM submission: summary, machine-readable formats, and PDF attachments

Anonymous · Published March 09, 2026 · 1 comment
Our company recently submitted a 510(k) and received questions from the FDA about our Software Bill of Materials (SBOM). Specifically, the FDA is asking for a "summary" of the SBOM and requests the SBOM in PDF format.
I understand that SBOMs must be provided in machine-readable, industry standard formats (such as SPDX). However, I could not find any mention of an SBOM "summary" in FDA guidance documents.
Has anyone submitted SBOMs as PDF to the FDA? What does an SBOM summary typically look like? Are auditors expecting all required information in a list or spreadsheet format?


Anonymous 3 months ago
I'm also interested in whether eSTAR attachments are required to be PDFs, or if other formats are accepted.

Discussion

2 Answers

Accepted answer · Dr. Oliver Eidel · Founder & CEO, OpenRegulatory
Yes, submitting SBOMs as PDF is common practice for FDA submissions, even though the guidance mentions machine-readable formats like SPDX or JSON. In practice, many auditors expect a human-readable summary (such as a table or spreadsheet) in PDF format alongside the machine-readable file. A typical SBOM summary includes columns like Component Name, Version, Unique Identifiers, Dependency Relationships, Known Vulnerabilities, and sometimes additional fields like support level or end-of-support date.
It's also helpful to add a brief introduction explaining your SBOM process, how you manage vulnerabilities, and how the summary ties into your broader submission. This makes it easier for the reviewer to understand and reduces the chance of additional questions.
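One way to derive the human-readable summary table from the machine-readable file, so the two cannot drift apart (an added example, not part of the original answer). It assumes an SPDX 2.x JSON document; the function names, the `known_vulns` mapping (taken from a separate vulnerability scan) and the sample data are constructed for illustration.

```python
import csv
import io

COLUMNS = ["Component Name", "Version", "Unique Identifiers",
           "Dependency Relationships", "Known Vulnerabilities"]
ID_REF_TYPES = {"purl", "cpe23Type", "cpe22Type"}  # SPDX externalRefs used as identifiers

def sbom_summary_rows(spdx_doc, known_vulns=None):
    """Flatten an SPDX 2.x JSON document (dict) into one summary row per package."""
    known_vulns = known_vulns or {}  # assumption: SPDXID -> list of vulnerability ids
    packages = spdx_doc.get("packages", [])
    names = {p["SPDXID"]: p.get("name", p["SPDXID"]) for p in packages}
    # Normalise both relationship directions to "key depends on each value".
    deps = {}
    for rel in spdx_doc.get("relationships", []):
        a, b = rel["spdxElementId"], rel["relatedSpdxElement"]
        if rel["relationshipType"] == "DEPENDS_ON":
            deps.setdefault(a, []).append(b)
        elif rel["relationshipType"] == "DEPENDENCY_OF":
            deps.setdefault(b, []).append(a)
    rows = []
    for p in sorted(packages, key=lambda p: p.get("name", "").lower()):
        ids = [r["referenceLocator"] for r in p.get("externalRefs", [])
               if r.get("referenceType") in ID_REF_TYPES]
        dep_names = ["depends on " + names.get(d, d) for d in deps.get(p["SPDXID"], [])]
        rows.append({  # gaps are flagged explicitly so they are visible to a reviewer
            "Component Name": p.get("name", ""),
            "Version": p.get("versionInfo") or "NOT STATED",
            "Unique Identifiers": "; ".join(ids) or "NONE RECORDED",
            "Dependency Relationships": "; ".join(dep_names) or "none declared",
            "Known Vulnerabilities": "; ".join(known_vulns.get(p["SPDXID"], [])) or "none identified",
        })
    return rows

def sbom_summary_csv(spdx_doc, known_vulns=None):
    """Render the summary as CSV, ready to open in a spreadsheet and export to PDF."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(sbom_summary_rows(spdx_doc, known_vulns))
    return out.getvalue()

# Constructed sample SBOM and scan result (not real components or advisories).
SAMPLE = {"spdxVersion": "SPDX-2.3", "packages": [
    {"SPDXID": "SPDXRef-app", "name": "device-firmware", "versionInfo": "1.4.0"},
    {"SPDXID": "SPDXRef-lib", "name": "examplelib", "versionInfo": "2.1.3",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/examplelib@2.1.3"}]}],
    "relationships": [{"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
                       "relatedSpdxElement": "SPDXRef-lib"}]}
SAMPLE_VULNS = {"SPDXRef-lib": ["VULN-PLACEHOLDER-0001"]}
```

Packages without a version or identifier show up as `NOT STATED` or `NONE RECORDED` rather than as blank cells, which makes gaps in the SBOM easy to spot before submission.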


Anonymous
eSTAR does technically accept a variety of attachment formats, including Excel and mp4 files, not just PDFs. However, in practice, auditors may prefer PDFs, and some may not be familiar with opening other file types like JSON. It's usually safest to provide key documents as PDFs to avoid confusion or delays.
