Quick Summary
What FDA's 2023 cybersecurity guidance requires in premarket submissions. SBOM, threat modeling, post-market monitoring, and what triggers a refusal to accept.
What Changed in December 2023
FDA issued final guidance on cybersecurity in medical devices in September 2023, replacing the 2014 premarket guidance. The 2023 guidance is not advisory: section 524B of the FD&C Act, enacted as part of the Consolidated Appropriations Act of 2023, makes cybersecurity documentation a statutory requirement for premarket submissions.
FDA began refusing to accept 510(k)s and PMAs that did not include cybersecurity documentation in March 2023, immediately upon enactment. If your submission lacks a cybersecurity section, it will receive a Refuse to Accept determination before substantive review begins.
What Must Be in Your Premarket Submission
FDA requires four categories of cybersecurity documentation in premarket submissions. First, a Software Bill of Materials (SBOM): a complete inventory of commercial, open-source, and off-the-shelf software components in your device. FDA expects the SBOM to be in a machine-readable format such as CycloneDX or SPDX.
Second, threat modeling documentation showing identified threats, attack surfaces, and your rationale for security controls. Third, a testing summary covering vulnerability scanning, penetration testing, and fuzz testing results. Fourth, a post-market cybersecurity management plan describing how you will monitor for vulnerabilities and push security updates after clearance.
SBOM Requirements in Practice
The SBOM requirement catches many manufacturers off-guard. Your device software almost certainly includes open-source components: libraries, frameworks, operating system packages. You are required to enumerate every component, its version, and its license. FDA uses SBOMs to check for known vulnerabilities in components at the time of submission.
Generating an SBOM after development is complete is significantly harder than building SBOM generation into your development pipeline. Tools like Syft, CycloneDX Generator, or SPDX tools can generate SBOMs from container images, package manifests, and compiled binaries. Build this into your CI/CD pipeline before you need it for a submission.
Post-Market Monitoring Obligations
The 2023 guidance requires manufacturers to have a coordinated vulnerability disclosure policy and a process for monitoring for newly discovered vulnerabilities in your SBOM components after clearance. When a critical vulnerability is discovered in a component in your device, you are expected to assess its exploitability in your device context and either patch it or document your rationale for not patching.
FDA expects manufacturers to be able to push security patches to deployed devices. For devices that cannot receive over-the-air updates, FDA expects documentation of your alternative mitigation strategy. This is a design architecture decision that must be made during development, not after clearance.
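The two SBOM-driven checks described above (known-vulnerability matching at submission time, and ongoing monitoring of SBOM components after clearance) come down to the same operation: read the component inventory out of the machine-readable SBOM and compare each name and version against an advisory feed. The script below is an added illustration, not code from this article, from FDA, or from any SBOM tool. It parses a small CycloneDX JSON document constructed inline for a hypothetical device, matches it against a constructed advisory list with placeholder identifiers (not real CVEs), and emits the skeleton of the post-market record the guidance expects: for each hit, an exploitability assessment in device context and a patch-or-rationale decision still to be filled in. Component names, versions, and advisory IDs are all made up.

```python
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX 1.5 SBOM for a hypothetical device; not a real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-tls", "version": "2.4.1",
         "purl": "pkg:generic/acme-tls@2.4.1"},
        {"type": "library", "name": "acme-json", "version": "0.9.3",
         "purl": "pkg:generic/acme-json@0.9.3"},
        {"type": "operating-system", "name": "acme-rtos", "version": "5.10.2",
         "purl": "pkg:generic/acme-rtos@5.10.2"},
    ],
})

# Constructed advisory feed with placeholder IDs. A real monitoring process
# would pull these from a vulnerability database on a schedule.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "acme-tls",
     "introduced": "2.0.0", "fixed": "2.4.2", "severity": "critical"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "acme-json",
     "introduced": "0.0.0", "fixed": "0.9.0", "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-3", "component": "acme-rtos",
     "introduced": "5.10.0", "fixed": "5.11.0", "severity": "medium"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    severity: str


def parse_version(version: str) -> tuple:
    """Turn '5.10.2' or '1.2.3-rc1' into a comparable tuple of ints.

    Only the leading digits of each dotted piece count, so pre-release
    suffixes do not corrupt the comparison.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def load_components(sbom_json: str) -> list:
    """Extract name/version/purl for every component in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [Component(c["name"], c["version"], c.get("purl", ""))
            for c in doc.get("components", [])]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (fixed version itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_advisories(components: list, advisories: list) -> list:
    """Cross-reference SBOM components against the advisory feed."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["component"] == comp.name and is_affected(
                    comp.version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(comp, adv["id"], adv["severity"]))
    return findings


def triage_report(findings: list) -> list:
    """Skeleton of the post-market record: each hit needs an exploitability
    assessment in device context and a patch-or-documented-rationale decision."""
    return [{
        "component": f"{f.component.name}@{f.component.version}",
        "advisory": f.advisory_id,
        "severity": f.severity,
        "exploitable_in_device_context": None,  # to be assessed by the manufacturer
        "decision": None,                       # "patch" or "rationale: ..."
    } for f in findings]


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for row in triage_report(match_advisories(comps, SAMPLE_ADVISORIES)):
        print(json.dumps(row))
```

Run against the constructed input, the script flags acme-tls 2.4.1 and acme-rtos 5.10.2 and leaves acme-json alone because 0.9.3 is already at or past the fixed version. The point of the `None` fields in the report is that matching is the automatable part; the exploitability judgement and the patch-or-rationale decision are what FDA expects a human to record.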