CROSSWALK

FDA Cybersecurity §VI.B, VII.C.1

WHAT CARRIES OVER

IEC 81001-5-1 §9 problem resolution process and complaint handling practices — CVD channels external reporters into the existing vulnerability investigation workflow.

WHAT’S NEW

FDA §524B(b)(1) requires published CVD policy with live secure intake, 48-hour acknowledgment, safe harbor, and 90-day coordinated disclosure window before market clearance.

AUDIT FOCUS

CVD intake channel monitored with triage procedure and named roles — draft policies draw immediate deficiency findings.

Maps to

FDA Cybersecurity: §VI.B Cybersecurity Management Plans, §VII.C.1 Plans and Procedures (Section 524B(b)(1))

Pre-QMSR Part 820 (legacy QSR): §820.198 Complaint files.

IEC 81001-5-1: §9 Software problem resolution PROCESS

Requirement text

FDA's Premarket Cybersecurity Guidance recommends that the manufacturer establish and publish a coordinated vulnerability disclosure (CVD) policy that provides a mechanism for security researchers, customers, and other third parties to report potential vulnerabilities. The policy should define how reports are received, acknowledged, investigated, and how the manufacturer coordinates with reporters through remediation and public disclosure.

Why this clause exists

Security researchers who discover vulnerabilities in medical devices face a structurally adversarial situation when manufacturers have no published disclosure channel: reporting through general complaint processes signals nothing about how the report will be handled, researchers have no assurance they will receive acknowledgment or a remediation timeline, and the absence of a safe harbor statement creates genuine legal uncertainty about whether good-faith research will be met with litigation rather than collaboration. The predictable result — researchers either silently shelving findings or publicly disclosing without coordination — is worse for patient safety than a formal CVD program would produce. FDA guidance codified the CVD requirement in §524B(b)(1) because the absence of structured disclosure channels was a systemic gap: vulnerabilities known to security researchers were not reaching device manufacturers in time for pre-disclosure remediation. The requirement that the CVD policy be operational before market clearance (not merely drafted as a submission document) addresses the failure mode where policies existed on paper but no intake channel was live, the documented process was not trained, and the first real report arrived to an organization that had no practiced response.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date missing required cybersecurity documentation receive Refuse to Accept (RTA) letters.

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Common gaps (what we see in audits)

  • CVD policy not published or operational before clearance: FDA expects an operational CVD policy (published, with working intake channels) before market clearance. Most manufacturers create the policy document for submission but do not actually publish it, set up secure reporting channels, or establish internal triage procedures until after clearance — if at all.
