MITRE Publishes White Paper on SBOM Data Normalization for Medical Device Manufacturers
A new white paper published in April 2026 by The MITRE Corporation addresses challenges in Software Bill of Materials (SBOM) data normalization for medical device manufacturers (MDMs).
The document, titled “Considerations for Managing Challenges in Software Bill of Materials (SBOM) Data Normalization,” was developed under contract with the U.S. Food and Drug Administration (FDA). The paper states that the views presented do not constitute agency guidance, policy, or legally enforceable requirements.
According to the executive summary, the paper builds on a previous MITRE publication from October 2024 and adds considerations for implementing approaches to SBOM data normalization, including technologies and processes that can evolve alongside changes in SBOM tools and in the organization itself.
The document describes the evolution of SBOM tools, including capabilities for:
generating SBOMs
ingesting and comparing SBOMs
transforming and merging SBOM data
supporting SBOM management activities
It also highlights that inconsistencies in data across tools contribute to normalization challenges, including differences in naming conventions and data elements.
The paper outlines considerations for SBOM tool selection, including:
handling of version numbers and versioning schemes
transparency of automated decisions
user involvement in normalization decisions
ability to share and migrate data
auditability of data and logic
In addition, the document discusses SBOM management practices, including the concept of maintaining a central “source of truth” (SoT) to support consistent nomenclature across an organization. This includes baseline attributes such as supplier name, component name, version string, and unique identifiers.
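To make the tool-selection considerations above (version handling, transparency of automated decisions, user involvement, auditability) and the SoT concept concrete, here is an added example that is not code from the MITRE paper or from any SBOM tool it surveys. It assumes a hypothetical SoT structure (canonical supplier and component name, a PURL, and a set of known aliases), a simple version canonicalization rule, and constructed component records of the kind two different SBOM generators might emit for the same software. Each normalization decision records which rule produced it, and anything no rule matches confidently is flagged for manual review rather than silently guessed.

```python
"""Normalize SBOM component records against a central source of truth (SoT).

Added example, not from the MITRE paper. The SoT entries, aliases and sample
SBOM records are constructed for illustration. Versions are treated as opaque
strings after light canonicalisation; they are not parsed as semver.
"""
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Decision:
    input_name: str
    input_supplier: str
    input_version: str
    canonical_name: Optional[str]
    canonical_supplier: Optional[str]
    normalized_version: str
    rule: str            # which rule produced the match (transparency)
    needs_review: bool   # True when no automated rule was confident


# Hypothetical SoT: canonical supplier/name plus a PURL, with known aliases
# collected from earlier (human-approved) normalization decisions.
SOURCE_OF_TRUTH = [
    {"purl": "pkg:generic/openssl", "supplier": "OpenSSL Software Foundation",
     "name": "openssl", "aliases": {"OpenSSL", "libssl", "openssl-libs"}},
    {"purl": "pkg:generic/zlib", "supplier": "zlib.net",
     "name": "zlib", "aliases": {"zlib1g", "libz"}},
]


def canon_version(v: str) -> str:
    """Drop an 'Name_' style prefix, a leading 'v', and underscore separators.
    Example: 'OpenSSL_1_1_1w' -> '1.1.1w', 'v1.2.13' -> '1.2.13'."""
    v = v.strip()
    v = re.sub(r"^[A-Za-z]+_", "", v)   # 'OpenSSL_1_1_1w' -> '1_1_1w'
    v = re.sub(r"^[vV](?=\d)", "", v)    # 'v1.2.13' -> '1.2.13'
    return v.replace("_", ".")


def _fold(s: str) -> str:
    """Case- and punctuation-insensitive form used for name comparison."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def match_component(comp: dict) -> Decision:
    """Apply rules in order of confidence; the first hit wins and is recorded."""
    name = comp.get("name", "")
    supplier = comp.get("supplier", "")
    version = comp.get("version", "")
    nv = canon_version(version)
    # Rule 1: the unique identifier (PURL without version) matches an SoT entry.
    purl = comp.get("purl")
    if purl:
        base = purl.split("@", 1)[0]
        for rec in SOURCE_OF_TRUTH:
            if rec["purl"] == base:
                return Decision(name, supplier, version, rec["name"],
                                rec["supplier"], nv, "purl-exact", False)
    # Rule 2: folded name equals the canonical name or a known alias.
    for rec in SOURCE_OF_TRUTH:
        folded = {_fold(c) for c in {rec["name"], *rec["aliases"]}}
        if _fold(name) in folded:
            return Decision(name, supplier, version, rec["name"],
                            rec["supplier"], nv, "name-alias", False)
    # No confident rule: keep raw values and route to a human reviewer.
    return Decision(name, supplier, version, None, None, nv, "unmatched", True)


def normalize_sbom(components: list) -> list:
    return [match_component(c) for c in components]


def audit_log(decisions: list) -> str:
    """JSON lines a reviewer can replay to see which rule made each decision."""
    return "\n".join(json.dumps(asdict(d), sort_keys=True) for d in decisions)


# Constructed records, as two different SBOM tools might emit them.
SAMPLE_COMPONENTS = [
    {"name": "OpenSSL", "supplier": "openssl.org", "version": "OpenSSL_1_1_1w"},
    {"name": "libssl", "supplier": "Debian", "version": "1.1.1w-0+deb11u1",
     "purl": "pkg:generic/openssl@1.1.1w"},
    {"name": "zlib1g", "supplier": "", "version": "v1.2.13"},
    {"name": "CustomRTOS", "supplier": "Vendor X", "version": "3.4"},
]

if __name__ == "__main__":
    print(audit_log(normalize_sbom(SAMPLE_COMPONENTS)))
```

The ordering of rules is the design point: an exact unique-identifier match is preferred over a name or alias match, and each decision carries the rule name so that a later reviewer can see why two differently named records were merged. Decisions approved by a human can be fed back into the SoT alias sets, which is how the SoT grows without the automated logic ever overwriting it. The version canonicalization is deliberately minimal; distribution-specific suffixes such as the Debian revision above are preserved rather than stripped, because discarding them would lose information needed for vulnerability matching.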
The paper also describes different approaches to SBOM management, including:
manual methods (e.g. spreadsheets and scripts)
open-source tools
commercial tools
internally developed solutions
The document notes that automation is an important consideration, including the use of Artificial Intelligence and Machine Learning (AI/ML), while acknowledging the need for manual review due to potential inaccuracies.
Finally, the paper references the FDA guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”, which recommends the inclusion of machine-readable SBOMs in premarket submissions.