# Frequently Asked Questions

## What are "used dependencies"?

Used Dependencies are for managing Software of Unknown Provenance (SOUP) in the Ketryx Dependencies Module. IEC 62304 Section 8.1.2 states

*“For each SOUP Configuration Item being used, including standard libraries, the manufacturer shall document:*  
1. *The title*  
2. *The manufacturer, and*  
3. *The unique soup designator...*  
*Of each Soup Configuration item being used.”*

Additionally, the FDA has released cybersecurity best practices & SBOM guidance for medical devices.

The “used dependencies" field in Jira allows you to trace identified software items to dependencies used in your code. If a dependency shows an unacceptable vulnerability, this field may assist with identifying which software item specifications are affected by the dependency during your dependencies review process.

See [this article](/content/blog/fda-drops-an-sbom/index.html) for more information concerning cyber security and SBOM compliance.
