Revised guidance aligns with quality management system regulation changes and provides recommendations for cyber device submissions under section 524B of the FD&C Act.
The US Food and Drug Administration (FDA) has issued updated guidance on cybersecurity considerations for medical device manufacturers, incorporating new federal requirements and aligning recommendations with recent changes to quality management system regulations.

The revised guidance, published Feb 3, supersedes the June 2025 version and addresses cybersecurity requirements under section 524B of the Federal Food, Drug, and Cosmetic Act for “cyber devices.”

The updated document provides recommendations on device design, labeling, and the documentation FDA expects to see in premarket submissions for devices with cybersecurity risks. The guidance applies to various submission types, including 510(k) notifications, premarket approval applications, De Novo requests, investigational device exemptions, and other pathways outlined in the guidance.

New Requirements for Cyber Devices

Section 524B of the FD&C Act, which became effective March 29, 2023, requires the person submitting a marketing application for a cyber device to include specific cybersecurity information in premarket submissions. The law defines cyber devices as those that include software validated, installed, or authorized by the sponsor; have the ability to connect to the internet; and contain technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

Under the new requirements, manufacturers must provide a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities, including coordinated vulnerability disclosure procedures. They must also design and maintain processes to provide reasonable assurance that devices and related systems are cybersecure, and submit a software bill of materials including commercial, open-source, and off-the-shelf software components.

“With the increasing integration of wireless, Internet- and network-connected capabilities, portable media (eg, USB or CD), and the frequent electronic exchange of medical device-related health information, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important,” the guidance states.

Quality Management System Integration

The updated guidance emphasizes that cybersecurity is part of device safety and must be integrated into quality management systems. The document aligns with the revised Quality Management System Regulation that incorporates ISO 13485 by reference, which took effect Feb 2, 2026.

FDA recommends manufacturers implement a Secure Product Development Framework, described as “a set of processes that reduces the number and severity of vulnerabilities in products throughout the device lifecycle.” The framework encompasses design, development, release, support, and decommission phases.

The guidance outlines five security objectives that devices should address: authenticity (including integrity), authorization, availability, confidentiality, and secure and timely updatability and patchability.

Documentation Scaling with Risk

Device cybersecurity design and documentation are expected to scale with the cybersecurity risk of each device, according to the guidance. For example, a simple, non-connected thermometer may require limited security architecture, while a thermometer used in a safety-critical control loop or connected to networks would need more substantial design and development activities.

The guidance recommends that premarket submissions include threat modeling documentation, cybersecurity risk assessments, software bills of materials, vulnerability assessments, and security architecture views. These views should include global system views, multi-patient harm views, updatability and patchability views, and security use case views.

Testing and Transparency Requirements

FDA recommends various types of cybersecurity testing, including security requirements verification, threat mitigation testing, vulnerability testing, and penetration testing. The guidance emphasizes that cybersecurity controls require testing beyond standard software verification and validation activities.

For transparency, the guidance recommends that device labeling include cybersecurity information such as network ports and interfaces, specific guidance on supporting infrastructure requirements, software bills of materials, and descriptions of systematic procedures for downloading manufacturer-authorized software updates.

Manufacturers should also establish cybersecurity management plans that include personnel responsible for monitoring vulnerabilities, sources and methods for identifying vulnerabilities, timelines for developing patches, and coordinated vulnerability disclosure processes.

The guidance document is available on FDA’s website and is open for public comment through the federal docket system under FDA-2021-D-1158.
