Adequate directions for use from section 502(f) of the FD&C Act and human factors requirements — cybersecurity labeling applies these to security-specific user tasks including network configuration, update acceptance, and incident response.
FDA section VI.A requires SBOM availability to users in machine-readable format, end-of-support information with pre-communicated risk transfer, secure decommissioning instructions, and integration of cybersecurity user tasks into human factors testing to validate user capability.
Port list completeness, SBOM user access instructions, end-of-support disclosures, and cybersecurity user tasks in human factors test protocols — missing port lists and absence of SBOM access instructions are the most common cybersecurity labeling gaps.
Maps to
FDA Cybersecurity: §VI.A Labeling Recommendations for Devices with Cybersecurity Risks
Requirement text
FDA's Premarket Cybersecurity Guidance (current edition February 3, 2026) recommends that manufacturers of devices with cybersecurity risks provide relevant security information to users through labeling as part of design and development activities to help mitigate cybersecurity risks and ensure continued safety and effectiveness. Labeling for devices with cybersecurity risks should communicate device security information that enables users to maintain their own ongoing security posture. Any risks transferred to the user should be detailed and considered for inclusion as tasks during usability testing. Labeling content should be understandable to the intended audience, which may include patients or caregivers with limited technical knowledge.
Why this clause exists
Labeling is both a regulatory compliance mechanism and a practical risk mitigation tool for cybersecurity: unlike safety hazards that can be fully controlled through device design, cybersecurity risks evolve continuously as new vulnerabilities are discovered in device software and the surrounding IT environment. Device users — hospitals, clinics, patients — must be equipped to manage cybersecurity risks on their side of the trust boundary, including network configuration, credential management, update acceptance, and incident response. FDA guidance VI.A reflects the regulatory finding that cybersecurity risks were frequently not communicated to device users through labeling, leaving users unable to take appropriate protective actions even when those actions were within their capability.

The requirement that risks transferred to users be evaluated through usability testing (human factors) addresses a specific failure mode: instructions requiring users to take complex security actions (e.g., firewall configuration) that users with limited technical knowledge cannot perform create a gap between intended and actual security posture. The guidance's emphasis on depth of detail appropriate to the intended user — acknowledging that some information should be restricted to qualified users via controlled portals — reflects the dual-audience nature of medical device cybersecurity labeling (patients vs. healthcare facility IT).
What changed
FDA's September 2023 final guidance (updated February 2026) section VI.A significantly expands cybersecurity labeling recommendations beyond the 2014 draft. New requirements include SBOM availability to users in machine-readable format, end-of-support and end-of-life information with pre-communicated risk transfer processes, secure decommissioning instructions, and explicit integration of cybersecurity user tasks into human factors testing. The guidance also clarifies that cybersecurity information may need to be restricted by audience (facility IT vs. patient/caregiver) and provided through controlled online portals with maintained up-to-date links.
Common gaps (what we see in audits)
- Cybersecurity labeling absent or limited to general network security warnings — Many devices lack device-specific cybersecurity labeling and provide only generic security warnings. FDA guidance VI.A recommends a comprehensive security implementation guide covering port lists, network requirements, update procedures, SBOM access, incident response, backup/recovery, end-of-support timelines, and secure decommissioning — calibrated to the intended user audience. Absence of a port list alone prevents healthcare facilities from implementing appropriate network segmentation.