Section 524B — effective March 2023

FDA medical device cybersecurity: security is now a regulatory requirement

Section 524B of the FD&C Act requires cybersecurity documentation in every premarket submission. SBOM, Secure Product Development Framework, vulnerability monitoring, and coordinated disclosure are no longer optional. BlackSheep tracks every requirement across premarket, postmarket, and patient safety domains.

$249/month · All frameworks included · No credit card to start

9 controls tracked · 3 security domains · Section 524B (March 2023) · SBOM required in submissions

Three domains of FDA device cybersecurity

FDA organizes medical device cybersecurity requirements across premarket, postmarket, and patient safety domains.

Premarket Cybersecurity

4 controls tracked

  • Secure Product Development Framework (SPDF)
  • Software Bill of Materials (SBOM)
  • Security risk assessment & threat modeling
  • Security architecture & design documentation

Postmarket Cybersecurity

3 controls tracked

  • Vulnerability monitoring & response
  • Patch management & update mechanisms
  • Coordinated vulnerability disclosure (CVD)
  • End-of-life planning & communication

Patient Safety Integration

2 controls tracked

  • Safety-security risk integration
  • FDA adverse event reporting
  • Clinical impact assessment
  • Healthcare delivery organization communication

Does FDA device cybersecurity apply to your organization?

Medical Device Manufacturers

Any company that designs, manufactures, or distributes medical devices with software components or network connectivity. Section 524B requires cybersecurity documentation in all new premarket submissions.

  • Class II & III device manufacturers
  • Implantable device companies
  • Diagnostic equipment makers
  • Infusion pump manufacturers
  • Patient monitoring systems

Software as Medical Device (SaMD)

Software intended to be used for medical purposes without being part of a hardware device. SaMD is subject to the same FDA cybersecurity requirements and must demonstrate security throughout the software lifecycle.

  • Clinical decision support software
  • Diagnostic algorithms & AI/ML
  • Remote patient monitoring apps
  • Digital therapeutics platforms
  • Medical imaging software

Connected Device Developers

Organizations building IoT, wireless, or network-connected devices used in healthcare settings. Connectivity expands the attack surface and triggers FDA cybersecurity requirements.

  • IoMT device developers
  • Wearable health tech companies
  • Hospital network device makers
  • Wireless sensor manufacturers
  • Cloud-connected device platforms

Common questions about FDA device cybersecurity

What is Section 524B?

Section 524B of the FD&C Act was enacted through the Consolidated Appropriations Act of 2023, effective March 29, 2023. It requires medical device manufacturers to include cybersecurity information in premarket submissions to the FDA. This includes a plan to monitor, identify, and address postmarket vulnerabilities and exploits, a Software Bill of Materials (SBOM), evidence that the device and related systems are secure, and a coordinated vulnerability disclosure process.

What are the SBOM requirements for medical devices?

FDA requires a Software Bill of Materials listing all commercial, open-source, and off-the-shelf software components in a medical device. The SBOM must be machine-readable (typically in SPDX or CycloneDX format), include component names, versions, and dependency relationships, and be maintained throughout the device's lifecycle. This allows healthcare delivery organizations and FDA to assess risk from known vulnerabilities like those tracked in the National Vulnerability Database.
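As an added illustration of the SBOM check described above (example code, not BlackSheep's or FDA's), the script below reads a small CycloneDX document, flags components that lack the name or version needed to match them against NVD, matches the rest against an advisory feed, and traces which parts of the device pull in an affected component. The SBOM, the advisory feed and the `ADV-EXAMPLE-*` identifiers are all constructed sample data.

```python
"""Added example: completeness and known-vulnerability checks over a CycloneDX SBOM.
The SBOM and advisory feed below are constructed; the ADV-EXAMPLE IDs are placeholders."""
import json

# Constructed CycloneDX 1.5 document for a fictional infusion-pump firmware image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pump-fw", "name": "pump-firmware", "version": "4.2.0"}},
    "components": [
        {"bom-ref": "libtls", "name": "example-tls", "version": "1.0.3", "type": "library"},
        {"bom-ref": "libjson", "name": "example-json", "version": "2.4.0", "type": "library"},
        {"bom-ref": "rtos", "name": "example-rtos", "type": "operating-system"},  # version omitted
    ],
    "dependencies": [
        {"ref": "pump-fw", "dependsOn": ["libtls", "libjson", "rtos"]},
        {"ref": "libtls", "dependsOn": ["libjson"]},
    ],
})

# Constructed advisory feed keyed by component name; affected versions are listed explicitly.
SAMPLE_FEED = {
    "example-tls": [{"id": "ADV-EXAMPLE-001", "affected": {"1.0.0", "1.0.1", "1.0.2", "1.0.3"}}],
    "example-json": [{"id": "ADV-EXAMPLE-002", "affected": {"2.3.0"}}],
}

def load_components(sbom_json):
    """Return (components keyed by bom-ref, dependency list) from a CycloneDX JSON string."""
    doc = json.loads(sbom_json)
    return {c["bom-ref"]: c for c in doc.get("components", [])}, doc.get("dependencies", [])

def completeness_findings(components):
    """Entries without a name or version cannot be matched to a vulnerability database."""
    return [f"{ref}: missing {field}" for ref, c in components.items()
            for field in ("name", "version") if not c.get(field)]

def vulnerable_components(components, feed):
    """(name, version, advisory id) for every component whose version is listed as affected."""
    return sorted((c["name"], c["version"], adv["id"]) for c in components.values()
                  for adv in feed.get(c.get("name"), []) if c.get("version") in adv["affected"])

def transitive_dependents(ref, dependencies):
    """Every component that directly or indirectly depends on `ref`, for impact assessment."""
    found, stack = set(), [ref]
    while stack:
        current = stack.pop()
        for parent in (d["ref"] for d in dependencies if current in d.get("dependsOn", [])):
            if parent not in found:
                found.add(parent)
                stack.append(parent)
    return sorted(found)
```

Running the checks over a real SBOM would replace `SAMPLE_FEED` with data pulled from NVD or a vendor advisory source; the completeness finding for `rtos` is the kind of gap FDA reviewers and healthcare delivery organizations would have to query back to the manufacturer.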

What is the Secure Product Development Framework (SPDF)?

SPDF is FDA's recommended approach for integrating security into every phase of the medical device development lifecycle. It covers security risk management during design, secure coding practices and architecture review, security testing including penetration testing and fuzz testing, and vulnerability management processes. FDA expects evidence of SPDF practices in premarket submissions, aligned with standards like NIST CSF and IEC 62443.

How do legacy devices handle these requirements?

Section 524B applies to new premarket submissions after March 29, 2023 — it does not retroactively apply to devices already on the market. However, FDA postmarket cybersecurity guidance still applies to all marketed devices. Manufacturers of legacy devices should maintain vulnerability monitoring, provide patches when feasible, communicate risks transparently to users, and develop end-of-life plans for devices that can no longer be secured.

What is coordinated vulnerability disclosure for medical devices?

FDA requires manufacturers to maintain a coordinated vulnerability disclosure (CVD) policy. This means publishing a clear process for security researchers to report vulnerabilities, assessing and remediating reported issues in a timely manner, coordinating with CISA and other stakeholders on public disclosure timing, and issuing advisories to healthcare organizations and end users. A strong CVD program demonstrates maturity and builds trust with the security research community.

FDA cybersecurity compliance, organized

Track premarket requirements, SBOM obligations, postmarket surveillance, and coordinated disclosure. BlackSheep maps every FDA device cybersecurity control so your submission is complete.

$249/month. 30-day money-back guarantee.