CROSSWALK

FDA Cybersecurity §V.A.6, VI.B, VII.E

WHAT CARRIES OVER

ISO 13485 §7.3.9 design change control and IEC 81001-5-1 maintenance processes — EOL planning extends total product lifecycle (TPLC) security management to device retirement.

WHAT’S NEW

FDA V.A.6 and VII.E require defined support duration, multi-milestone notification timeline, data sanitization guidance, and residual safety risk assessment.

AUDIT FOCUS

Committed support lifecycle duration, documented notification milestones (24/12/6 months pre-EOL), and data sanitization procedure — undefined support windows are a common gap flagged in 510(k) cybersecurity sections.

Maps to

FDA Cybersecurity: §V.A.6 TPLC Security Risk Management, §VI.B Cybersecurity Management Plans, §VII.E Reasonable Assurance of Cybersecurity of Cyber Devices

ISO 13485: §7.3.9 Control of design and development changes

Pre-QMSR Part 820 (legacy QSR): §820.30(b) Design and development planning.

IEC 81001-5-1: §5.8.7 SECURE decommissioning guidelines for HEALTH SOFTWARE, §6 SOFTWARE MAINTENANCE PROCESS

Requirement text

FDA's Premarket Cybersecurity Guidance recommends that the manufacturer define an end-of-life (EOL) cybersecurity plan that describes how security will be managed as the device approaches and reaches end of support. The plan should define the supported lifecycle duration, how customers will be notified of end-of-support dates, what security measures will remain in place after end of support, and recommendations for transitioning to replacement devices.

Why this clause exists

A medical device without a defined security support window creates an open-ended patching obligation the manufacturer has not resourced and the customer cannot plan around — and the patient who continues using the device long after security support has effectively ended does so without being informed that newly discovered vulnerabilities will no longer receive remediation. The principal failure mode regulators observed was devices with unpatched operating systems and firmware continuing in clinical use years beyond any reasonable security support window, often because the clinical operator had no awareness that support had ended and no transition plan. FDA V.A.6 and VII.E codified the EOL planning requirement to force manufacturers to commit, at premarket, to a finite and disclosed support duration so customers can build device replacement into their capital planning cycles with adequate lead time. The residual safety risk assessment for devices remaining in use after end of support is not a formality — a device on an unpatched OS accumulating CVEs over years poses materially different cybersecurity risk than the same device did at market clearance, and manufacturers must account for that degradation in their risk management file rather than treating the risk as frozen at the time of original market clearance.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date missing required cybersecurity documentation receive Refuse to Accept (RTA) letters.

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.
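The audit focus above (committed support duration, 24/12/6-month notification milestones, data sanitization procedure) and the SBOM requirement (component end-of-support dates) can be checked mechanically. The following is an added example, not code from the original page or from any FDA, CycloneDX or vendor tooling: it computes the notification dates from a committed support-end date and flags SBOM components whose upstream support ends before the device's own window. The plan dictionary, the CycloneDX component property name `example:end-of-support`, and all component names and dates are constructed for illustration.

```python
"""Added example: check an EOL cybersecurity plan against a device SBOM.

The plan format, the SBOM property name `example:end-of-support`, and all
dates and component names below are constructed for illustration; none of
them is defined by FDA, CycloneDX or a real product.
"""
import calendar
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Notification milestones the audit text refers to: months before end of support.
NOTIFICATION_MILESTONES_MONTHS = (24, 12, 6)
# Hypothetical CycloneDX component property carrying the upstream end-of-support date.
EOS_PROPERTY = "example:end-of-support"


def months_before(d: date, months: int) -> date:
    """Calendar date `months` months before `d`, clamping the day to the target month's length."""
    index = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def milestone_dates(support_end_iso: str) -> dict:
    """Customer notification dates (ISO strings) for each milestone ahead of the committed support end."""
    support_end = date.fromisoformat(support_end_iso)
    return {m: months_before(support_end, m).isoformat() for m in NOTIFICATION_MILESTONES_MONTHS}


@dataclass
class Component:
    name: str
    version: str
    end_of_support: Optional[date]


def load_components(sbom_json: str) -> list:
    """Read components and their (constructed) end-of-support property from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    comps = []
    for c in doc.get("components", []):
        eos = None
        for prop in c.get("properties", []):
            if prop.get("name") == EOS_PROPERTY:
                eos = date.fromisoformat(prop["value"])
        comps.append(Component(c["name"], c.get("version", ""), eos))
    return comps


def evaluate_eol_plan(plan: dict, sbom_json: str) -> list:
    """Audit findings: missing plan elements, plus components whose upstream support
    ends before the device's committed support window (or is not recorded at all)."""
    findings = []
    if not plan.get("support_end"):
        findings.append("plan: no committed support end date")
        return findings
    support_end = date.fromisoformat(plan["support_end"])
    if not plan.get("data_sanitization_procedure"):
        findings.append("plan: no data sanitization / decommissioning procedure")
    for comp in load_components(sbom_json):
        label = f"{comp.name}@{comp.version}"
        if comp.end_of_support is None:
            findings.append(f"{label}: no end-of-support date recorded in SBOM")
        elif comp.end_of_support < support_end:
            findings.append(
                f"{label}: upstream support ends {comp.end_of_support}, "
                f"before device support end {support_end}"
            )
    return findings


# Constructed sample inputs (not from any real submission).
SAMPLE_PLAN = {
    "support_end": "2030-06-30",
    "data_sanitization_procedure": "DOC-EOL-001 (constructed document reference)",
}

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.0",
         "properties": [{"name": EOS_PROPERTY, "value": "2029-01-31"}]},
        {"name": "linux-kernel", "version": "6.6",
         "properties": [{"name": EOS_PROPERTY, "value": "2031-12-31"}]},
        {"name": "vendor-driver", "version": "2.1"},   # no EOS date recorded
    ],
})

if __name__ == "__main__":
    for months, when in milestone_dates(SAMPLE_PLAN["support_end"]).items():
        print(f"notify customers {months} months before end of support: {when}")
    for finding in evaluate_eol_plan(SAMPLE_PLAN, SAMPLE_SBOM):
        print("finding:", finding)
```

The component check is the part reviewers most often miss: a device support window is only credible if every component in the SBOM is itself supported for at least that long, so a component whose upstream end-of-support date precedes the device's committed date, or has no date at all, is a finding against the plan rather than against the SBOM.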

Common gaps (what we see in audits)

  • No defined support lifecycle or decommissioning guidance: Manufacturers do not specify a supported lifecycle duration, do not define customer notification milestones for end-of-support, and provide no data sanitization or secure decommissioning guidance. The FBI reported that over 40% of devices at end-of-life had few or no security patches.
