Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


What Is a Software Bill of Materials (SBOM)?

3 min read
Featured Image

Have you been staying updated on the latest medical device news? Are you aware of the recently proposed legislation for the healthcare vertical? If so, you've likely come across the term Software Bill of Materials or SBOM (pronounced "S-bomb"). This blog will cover what an SBOM is and its importance in your vendor risk management program.

Understanding What an SBOM Is in Healthcare

A Software Bill of Materials is often described as a "list of ingredients" for all the software components used in creating devices, including medical devices. It lists the types of open-sourced and proprietary code used to create a device's software program and the dependencies that the software needs. An SBOM also details the versions of each of these software components in addition to whether proper software licensing has been applied or if licenses should be applied.

Using SBOMs to Identify Vulnerabilities in Vendor Risk Management

SBOMs are used in conjunction with a vulnerability database (i.e., The National Vulnerability Database or the MITRE CVE Program). In vendor risk management, an SBOM is a useful tool for identifying medical device's type attack risks. By knowing the device's software components and their versions, your vendor risk assessment team can identify their vulnerabilities.

An SBOM helps identify the inherent risk a medical device presents without implementing any controls. Your team can then determine the necessary controls to mitigate vendor risk once the inherent risks have been identified. Once those mitigations have been implemented, you can make informed, risk-based decisions as you continuously monitor and mitigate vendor risk.

Sometimes, mitigation isn't possible. In these instances, your organization needs to know if the specific medical device's vulnerabilities are a deal breaker or not. Especially when considering software supply chain attacks, which are a major threat to healthcare organizations, it’s better to know about any vulnerabilities or unpatched weaknesses before purchasing a product.

software bill of materials

Requesting an SBOM from a Vendor

You should request an SBOM as part of the vendor's medical device risk assessment. Remember that no current regulation requires manufacturers to provide SBOMs and not every manufacturer voluntarily issues an SBOM with their medical devices. Therefore, it’s best to make this request directly. Additionally, the process of creating and documenting SBOMs doesn't have a set standard; however, if the vendor doesn’t have an SBOM for the device, you should ask them to generate one.

Luckily, there are legislative proposals and standardized frameworks in progress. For example, organizations such as the National Telecommunications and Information Administration and the Cybersecurity and Infrastructure Security Agency are working together to establish standards. Other organizations, including MITRE, have been developing ways for SBOMs to be integrated into supply chain initiatives and frameworks. Until set standards and regulations exist for SBOMs, you should be prepared to ask for an SBOM when conducting risk assessments for your medical devices.

PRO TIP: SBOMs can come in three distinct formats – SPDX, CycloneDX, and SWID. None of these formats are particularly user-friendly, so, usually there is a learning curve. However, an SBOM's benefits make the learning process worthwhile for many organizations. And, when requesting an SBOM, you can always ask your manufacturer if their SBOM can be provided in a more accessible format (e.g., HTML, PDF, or CSV file).

SBOMs can be a great tool to provide transparency into the risks associated with your medical devices for your vendor risk management team. Though your manufacturers aren't required to follow any set requirements or standards for SBOMs, the benefits of increased visibility into your medical devices' software are invaluable. In addition, it can help your organization to identify any hidden risks and protect your organization's and your patients' private data.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo