Cybersecurity
The Omnibus Consolidated Appropriations Act of 2023 added Section 524B to the FD&C Act, making cybersecurity a mandatory premarket submission requirement for connected medical devices. FDA will now refuse to accept 510(k), De Novo, or PMA submissions for cyber devices that don't include a cybersecurity plan, SBOM, and vulnerability management program.
Build Your Cybersecurity Program
FDA Cybersecurity Requirements
Section 524B of the FD&C Act, effective March 29, 2023, requires sponsors of cyber devices — defined as devices that include software validated, installed, or authorized by the sponsor, or that are intended to connect to the internet — to include in their premarket submissions: a cybersecurity plan for monitoring, identifying, and addressing post-market cybersecurity vulnerabilities; an SBOM (software bill of materials) identifying all commercial, open-source, and off-the-shelf software components; and evidence that the device and related systems are reasonably secure. FDA's updated 2023 cybersecurity guidance provides detailed content requirements for each of these elements.
FDA reviewers evaluate cybersecurity submissions based on the NIST Cybersecurity Framework and FDA's own guidance. Submissions that describe cybersecurity measures at a general level without supporting documentation — threat models, security testing results, vulnerability assessment methodology — receive Additional Information requests that delay clearance. We build cybersecurity packages to the documentation depth that FDA reviewers actually require, not to the minimum content the guidance describes.
A Software Bill of Materials is an inventory of all software components in the device — including the operating system, middleware, third-party libraries, open-source components, and the manufacturer's own software. FDA requires the SBOM to be in a machine-readable format (NTIA minimum elements: supplier, component name, version, unique identifier, dependency relationship, author, timestamp) and to be updated when the software changes. The SBOM is used by FDA, healthcare providers, and the device manufacturer itself to identify known vulnerabilities in component software when they are disclosed — enabling faster response to Common Vulnerabilities and Exposures (CVEs) that affect the device's components.
SBOM generation requires tooling and process integration into the software development lifecycle. For most medical device manufacturers, SBOM generation is a new capability that must be built into existing software development and release processes. We work with device development teams to implement SBOM generation tools, establish component tracking processes, and produce the SBOM in the format FDA's review process requires.
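The two SBOM points above, the NTIA minimum elements and the use of the inventory to match disclosed vulnerabilities against component versions, can be exercised with a small checker. The following is an added example, not FDA's tooling or any vendor's product: it reads a constructed SBOM written in a simplified CycloneDX-style JSON layout (field names follow CycloneDX 1.4 conventions, but the document, the component names and the advisory identifiers are all constructed placeholders), reports which NTIA minimum elements each component is missing, and flags components whose version is below the first fixed version listed in a constructed advisory feed.

```python
"""Check a constructed SBOM for NTIA minimum elements and match it against advisories.
Added example code; not FDA guidance text and not any real SBOM tool."""
import json
from datetime import datetime

# Constructed SBOM in a simplified CycloneDX-style layout. The third component is
# deliberately incomplete so the checker has something to report.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "timestamp": "2024-01-15T10:00:00Z",
    "authors": [{"name": "Example Device Co. Security Team"}]
  },
  "components": [
    {"bom-ref": "pkg:generic/example-rtos@3.2.1",
     "supplier": {"name": "Example RTOS Vendor"},
     "name": "example-rtos", "version": "3.2.1",
     "purl": "pkg:generic/example-rtos@3.2.1"},
    {"bom-ref": "pkg:generic/example-tls@1.0.4",
     "supplier": {"name": "Example TLS Project"},
     "name": "example-tls", "version": "1.0.4",
     "purl": "pkg:generic/example-tls@1.0.4"},
    {"bom-ref": "pkg:generic/example-json@2.9.0",
     "name": "example-json", "version": "2.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/example-rtos@3.2.1",
     "dependsOn": ["pkg:generic/example-tls@1.0.4"]},
    {"ref": "pkg:generic/example-tls@1.0.4", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed: component name -> [(advisory id, first fixed version)].
# The ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "example-tls": [("ADVISORY-PLACEHOLDER-1", "1.0.5")],
    "example-json": [("ADVISORY-PLACEHOLDER-2", "2.8.0")],
}


def load_sbom(text=SBOM_JSON):
    """Parse the SBOM document from JSON text."""
    return json.loads(text)


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple.
    Simplification: only purely numeric dotted versions are handled."""
    return tuple(int(part) for part in v.split("."))


def check_ntia_minimum_elements(sbom):
    """Return one finding string per missing NTIA minimum element.

    Document-level elements: author of SBOM data, timestamp.
    Component-level elements: supplier name, component name, version,
    unique identifier (purl here), dependency relationship (a declared
    entry in the dependency graph is used as the evidence of one)."""
    findings = []
    meta = sbom.get("metadata", {})
    ts = meta.get("timestamp")
    if ts is None:
        findings.append("document: missing timestamp")
    else:
        # fromisoformat() on Python < 3.11 rejects a trailing 'Z', so normalise it.
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if not meta.get("authors"):
        findings.append("document: missing author of SBOM data")

    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        label = comp.get("name", "<unnamed>")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not comp.get("purl"):
            findings.append(f"{label}: missing unique identifier (purl)")
        if comp.get("bom-ref") not in declared:
            findings.append(f"{label}: no dependency relationship declared")
    return findings


def match_advisories(sbom, advisories):
    """Return (name, version, advisory id) for each component whose version
    is below the advisory's first fixed version."""
    hits = []
    for comp in sbom.get("components", []):
        for adv_id, fixed_in in advisories.get(comp.get("name"), []):
            if parse_version(comp["version"]) < parse_version(fixed_in):
                hits.append((comp["name"], comp["version"], adv_id))
    return hits


if __name__ == "__main__":
    bom = load_sbom()
    for finding in check_ntia_minimum_elements(bom):
        print("NTIA gap:", finding)
    for name, ver, adv in match_advisories(bom, ADVISORIES):
        print(f"affected: {name} {ver} ({adv})")
```

Run against the constructed document, the checker reports three gaps, all on `example-json` (no supplier, no purl, no dependency entry), and one advisory match for `example-tls` 1.0.4. The same two functions are what a release process would run on each regenerated SBOM: the element check gates the submission artifact, and the advisory match is the post-market monitoring step the cybersecurity plan has to describe.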
FDA's cybersecurity guidance references a Secure Development Lifecycle (SDL) as the framework within which cybersecurity requirements are implemented throughout product development. An SDL includes: security requirements defined at the design phase, threat modeling conducted at design and architecture review, secure coding practices, security testing integrated into verification and validation, and vulnerability assessment during and after development. The evidence of an SDL is documented in the design history file alongside the other design control artifacts. We implement SDL frameworks matched to the scale and complexity of the device's software components.
Get Started
Section 524B has made cybersecurity a hard gate in the FDA submission process. We build the cybersecurity plan, SBOM, and supporting documentation that FDA reviewers need to complete their assessment.