Add Software Level of Support property to Software Package #561

Closed
goneall opened this issue Dec 1, 2023 · 12 comments
Comments

@goneall
Member

goneall commented Dec 1, 2023

The Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions section 4b states:

In addition to the minimum elements identified by NTIA, for each software component
contained within the SBOM, manufacturers should include in the premarket submission:
• The software level of support provided through monitoring and maintenance from the
software component manufacturer (e.g., the software is actively maintained, no longer
maintained, abandoned); and
• The software component’s end-of-support date

We currently do not have a field to map the software level of support provided.

@goneall
Member Author

goneall commented Dec 1, 2023

Thanks to the participants of the Asia team for pointing this out. See the minutes from 2023-11-27 for context.

@goneall
Member Author

goneall commented Dec 1, 2023

One issue with adding this to the model is that it is time-dependent, whereas other SBOM package information is static. We currently have an end-of-life date which provides the information to generate this "on the fly".

Ideally, we could change the FDA requirements to allow the end of life date.

@rnjudge
Collaborator

rnjudge commented Dec 5, 2023

We discussed this issue in the December 5th tech call and agree this should be high priority to include. The EU CRA is coming soon and will also require suppliers to declare support times.

There are a few ways this might be implemented:

  1. We could represent the support date as a current state/status where it is a statement about the current lifecycle state (supported/unsupported, etc.). We would need to use relationships to update the current state (like we do for VEX status updates).

  2. We could represent the support date as a forward-looking statement -- an element that says this is supported until X date (with some kind of endSupportDate property). To change or extend this end date, there would need to be some kind of relationship from the package to the support statement element.

We agreed to start with this issue at the tech call next week to see if we could model it in a reasonable amount of time. If not, we will host a one-off meeting to get this completed before bringing it back to the tech team for approval.

@goneall
Member Author

goneall commented Dec 6, 2023

Since we already have a validUntilTime property, we could implement 2 above and amend the Artifact if it changes.

I would not be in favor of having both a validUntilTime property and an endSupportDate property since the semantics are very similar.

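The design the thread converges on (a forward-looking validUntilTime statement on the package, amended by later statements, with the current lifecycle state derived "on the fly") can be exercised with a small script. This is an added example, not code from the spdx-3-model project: the property names supportLevel and validUntilTime are the SPDX 3 Core ones discussed in this issue, but the package record, the amendment records with their `about`/`issued` fields (a constructed stand-in for the relationship mechanism rnjudge describes), the sample dates, the placeholder spdxId, and the support-type values other than `deployed` are assumptions, and the rule that a past validUntilTime means end of support is the example's own. It goes slightly beyond the thread by showing options 1 and 2 together: state updates are modelled as later statements, and the status a regulator asks for is computed from the end-of-support date rather than stored.

```python
"""Derive a package's current support status from SPDX 3 style statements.

Added example, not code from the spdx-3-model project. Property names
`supportLevel` and `validUntilTime` follow SPDX 3 Core; everything else
(record shape, ids, dates, amendment fields) is constructed for illustration.
"""
from datetime import datetime

# Constructed sample: a package with a forward-looking support statement
# (option 2 in the thread). supportLevel is kept as a list because the
# SPDX 3 property is assumed here to allow more than one value.
PACKAGE = {
    "type": "software_Package",
    "spdxId": "https://example.com/spdx/pkg-foo",  # placeholder id
    "name": "foo",
    "supportLevel": ["deployed"],
    "validUntilTime": "2024-12-31T00:00:00Z",
}

# Constructed: amendments are later statements about the same package
# (option 1 in the thread, state updated over time). Each carries an
# issuance time so that the newest applicable statement wins.
AMENDMENTS = [
    {"about": "https://example.com/spdx/pkg-foo",
     "issued": "2024-06-01T00:00:00Z",
     "supportLevel": ["limitedSupport"],
     "validUntilTime": "2025-06-30T00:00:00Z"},
    {"about": "https://example.com/spdx/pkg-foo",
     "issued": "2024-03-01T00:00:00Z",
     "supportLevel": ["deployed"],
     "validUntilTime": "2025-03-31T00:00:00Z"},
]


def parse_time(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def effective_statement(package, amendments, as_of):
    """Return the support statement in force at `as_of`.

    Starts from the package's own statement, then applies every amendment
    about this package issued on or before `as_of`, oldest first, so the
    newest one ends up in effect. Amendments issued later are ignored,
    which lets the same data answer "what did we know on date X?".
    """
    current = dict(package)
    applicable = [
        a for a in amendments
        if a["about"] == package["spdxId"] and parse_time(a["issued"]) <= as_of
    ]
    applicable.sort(key=lambda a: parse_time(a["issued"]))
    for a in applicable:
        current["supportLevel"] = a["supportLevel"]
        current["validUntilTime"] = a["validUntilTime"]
    return current


def support_status(package, amendments, as_of):
    """Derive the lifecycle state at `as_of` without storing it in the SBOM.

    Returns (status, validUntilTime). If the end-of-support date has passed,
    the status is reported as "endOfSupport" (an assumption of this example);
    otherwise the declared support level is returned as-is.
    """
    stmt = effective_statement(package, amendments, as_of)
    until = stmt["validUntilTime"]
    if as_of > parse_time(until):
        return "endOfSupport", until
    return stmt["supportLevel"][0], until


if __name__ == "__main__":
    for when in ("2024-01-15T00:00:00Z", "2024-07-01T00:00:00Z", "2025-08-01T00:00:00Z"):
        status, until = support_status(PACKAGE, AMENDMENTS, parse_time(when))
        print(f"{when}: {status} (supported until {until})")
```

Evaluating the same records at different reference times shows why the thread prefers the derived approach: the stored data never goes stale, and an auditor can reconstruct what a manufacturer had declared at any point in time.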
@kestewart
Contributor

@goneall goneall modified the milestones: 3.0, 3.0-rc3 Mar 5, 2024
@goneall
Member Author

goneall commented Mar 12, 2024

@kestewart - can you lead a discussion on this when you're back? Perhaps on the 19 March call?

@bact
Collaborator

bact commented Mar 12, 2024

From the two docs that @kestewart posted above, these are names for stages in tech/device life cycle:

Managing Legacy Technology Security (HIC-MaLTS) (pp. 3-4, 8-9):

  • designing
  • deploying
  • maintaining
  • declaring “end of life”
    • EOGS - End of Guaranteed Support
    • EOL - End of Life
    • EOS - End of Support

IMDRF Principles and Practices for the Cybersecurity of Legacy Medical Devices (p. 10):

  • Development
  • Support
  • Limited Support
  • End of Support

@kestewart
Contributor

This was added in #628

The set that was agreed on is in:
https://github.com/spdx/spdx-3-model/blob/main/model/Core/Properties/supportLevel.md

What is being proposed to be added?

@kestewart
Contributor

In the call, Gary noted that deployment should be a specific support type. Gary to create a PR.

@goneall
Member Author

goneall commented Mar 19, 2024

I added PR #668 to add deployed as a support type.

@bact - let me know if this resolves your comment above.

@bact
Collaborator

bact commented Mar 21, 2024

@goneall they are. Thank you.

@goneall
Member Author

goneall commented Mar 21, 2024

Resolved with PR #668

@goneall goneall closed this as completed Mar 21, 2024
4 participants