The consensus report is now on FDA’s recognized standards list, giving manufacturers a clearer reference point and hospitals another document to ask about during purchase and support discussions.
By Alyx Arnett
The US Food and Drug Administration’s (FDA) latest update to its list of recognized consensus standards includes a new entry likely to draw attention from healthcare technology management (HTM) teams: AAMI CR515, “Cybersecurity Consideration Unique to Machine-Learning Enabled Medical Devices.” The update appears in the Federal Register under “Recognition List Number: 065,” effective Feb 19, 2026.
The FDA updates the list periodically, and the February update added dozens of new or revised entries across device categories.
For HTM leaders, the addition of AAMI CR515 may influence how manufacturers document and justify cybersecurity controls for AI- and machine-learning-enabled devices. It also gives hospitals another reference point when evaluating vendor claims about software updates, threat modeling, and other security practices.
“FDA-recognized consensus standards for medical devices play an important role in making the regulatory approval process faster, simpler, and more consistent,” says Matt Williams, vice president of standards at the Association for the Advancement of Medical Instrumentation (AAMI). When manufacturers follow recognized standards, he says, “it helps show the FDA that their devices are safe and effective.”
What FDA Recognition Does, and Doesn’t, Mean
The FDA’s recognized consensus standards program allows device makers to declare conformity to certain technical documents as part of premarket submissions, rather than reinventing test methods and expectations device by device. Recognition does not automatically make a document mandatory, but it can shape what reviewers expect to see and how manufacturers organize evidence.
Eric Henry, senior advisor and head of quality compliance at Brooke & Associates, describes CR515 as a list of cybersecurity considerations that manufacturers may increasingly reference in submissions and documentation. “With FDA’s recognition, I…expect that firms will be obligated to show that they have incorporated these considerations into their quality management system (QMS) and design and development file for applicable products,” he says.
Henry adds a real-world caution for anyone treating “optional” as “unlikely to matter.” “Although FDA officially considers recognized consensus standards as optional, I have personally seen direct citations and/or copy/paste from recognized standards into submission deficiency letters and facility inspection observations,” he says.
As manufacturers begin referencing CR515 in submissions, HTM teams may encounter the document more often in vendor cybersecurity discussions. Henry recommends asking what those references mean for controls, documentation, and support.
Why CR515 Is a Consensus Report, Not a Full Standard
AAMI published CR515 as a consensus report (CR), which sits alongside other AAMI document types such as standards and technical information reports (TIRs). Williams describes the consensus report format as intentionally faster and more targeted.
“An AAMI CR is a rapid, expert-driven guidance document addressing urgent, emerging, or highly focused issues in health technology,” Williams says, pointing to topics such as AI and emergency-use technologies where practices evolve quickly and evidence can lag behind.
The faster format can help give manufacturers and hospitals a common starting point. Henry agrees CR515 contains “a valuable list of considerations,” but he also stresses that the format matters when teams try to operationalize it.
In Henry’s view, the lower review and approval bar for a CR compared with a standard or TIR can leave more room for interpretation and mismatches with other documents teams already use to structure work. He points to IEC 62304 and IEC 81001-5-1 as examples of standards that map cybersecurity activities onto established software life cycle and QMS practices. “AAMI CR515:2025 does not make clear how it would integrate into existing design and development controls for medical device software, which leaves significant room for varying interpretations of how its considerations will be applied,” he says.
Williams says there are no immediate plans to turn CR515 into a TIR or full standard, but he leaves the door open. “The rapid evolution of change in this area may necessitate evolving the CR or using it as a basis for new TIRs or standards,” he says.
What HTM Should Look for in Vendor Documentation
For HTM teams, CR515 may affect the questions worth asking during procurement, cybersecurity reviews, and incident follow-up, especially when devices include AI/ML features tied to network connectivity and software updates, Henry says.
Henry suggests focusing on documentation that is already part of FDA expectations and common cybersecurity practice. “My recommendation for HTM teams is to review threat models and [software bill of materials] (currently required by FDA by pre-existing statute and guidance) to see if these considerations are addressed,” he says. He also recommends asking manufacturers to complete the Medical Device Security for Manufacturers Disclosure Statement, a document many HTM programs use to compare security posture across vendors.
However, he says, “Don’t expect explicit citation of the CR in any particular design and development file document or summary delivered to the HTM team.”
Henry also suggests HTM teams follow up on statements that vendors have considered CR515 by asking questions such as: What threats were modeled? What assumptions were made about data inputs? What logging exists? How are updates tested and delivered? What happens if the model behavior changes after an update?
How It May Show Up in Risk Reviews and Incident Response
Henry does not expect FDA recognition of CR515 to create new inspection pressure on hospitals. “FDA does not typically inspect healthcare delivery organizations, so I don’t see any impact to HTM from this perspective unless the organization chooses to incorporate these considerations into their own policies and processes,” he says.
In investigations involving AI/ML-enabled devices, HTM teams may need to review documentation related to threat modeling, software configuration, update history, and cybersecurity controls in addition to traditional service logs.
Williams says the goal is to give manufacturers a clearer way to show how they addressed cybersecurity expectations. In practice, that may give hospitals a stronger basis to ask for evidence and clarity, especially as more connected devices incorporate AI and ML in ways that are not always visible to end users.
Henry says CR515 can be a useful supplement to existing cybersecurity frameworks. “I would use standards such as IEC 81001-5-1 as the basis for cybersecurity activities, and incorporate AAMI CR515:2025 considerations, where applicable,” he says.
Alyx Arnett is chief editor of 24×7 Magazine.