CROSSWALK

FDA Cybersecurity §Appendix 1.F

WHAT CARRIES OVER

System logging and audit trail requirements from 21 CFR Part 11 and QMSR design controls — security event logging extends these to cover cybersecurity-specific events with forensic evidence quality requirements.

WHAT’S NEW

FDA Appendix 1.F requires off-device log storage for forensic evidence, documented log retention and SIEM integration, user notification upon suspected security events, and design-level specification of security event parameters including anti-malware appropriate to OS type.

AUDIT FOCUS

Off-device log storage implementation, security event enumeration and timestamping, user notification for security events, and anti-malware qualification — absence of forensic log storage is a common deficiency in devices that otherwise implement user access controls.

Maps to

FDA Cybersecurity: §Appendix 1.F Event Detection and Logging

Requirement text

FDA's Premarket Cybersecurity Guidance (current edition February 3, 2026) recommends that devices implement event detection and logging capabilities to ensure that suspected and successful attempts to compromise a medical device may be identified and tracked. Event detection and logging capabilities should include storage capabilities, if possible, so that forensic discovery may later be performed. Devices should implement design features that allow security compromises and suspected compromise attempts to be detected, recognized, logged, timed, and acted upon during normal use.

Why this clause exists

Event detection and logging are the operational foundation for both real-time security response and post-incident forensic investigation — without them, a security incident in a deployed medical device may go entirely undetected, or may be recognized only after patient harm has occurred and the causal chain cannot be reconstructed. FDA Appendix 1.F was prompted by the regulatory finding that many medical devices had no mechanism for detecting or recording security events, meaning that an attacker who gained access to a device left no trace that could support either incident response or future forensic investigation. The requirement for off-device log storage reflects the practical reality that an attacker who has compromised a device may also be able to destroy on-device logs, eliminating forensic evidence. The guidance references NIST SP 800-86's definition of digital forensics, signaling that FDA expects device logging to meet a forensic evidence standard — not merely operational logging. The requirement to notify users when anomalous device behavior is detected links logging to patient safety: a device that detects a potential compromise without notifying the clinical user leaves the user operating under potentially unsafe conditions.

What changed

Appendix 1.F of FDA's September 2023 final guidance (updated February 2026) establishes event detection and logging as explicit design requirements rather than operational recommendations. The requirement for off-device log storage to support forensic evidence capture, the specific enumeration of security event types, and the user notification requirement upon detection of potential security breaches are new in the current guidance. The reference to NIST SP 800-86 digital forensics standards signals FDA's expectation that device logging meets an evidentiary standard.

Common gaps (what we see in audits)

  • No off-device log storage or forensic-quality event logging. Many medical devices implement on-device operational logs but lack security event logging with off-device storage. Without forensic-quality logging, a security compromise leaves no evidence trail and the impact cannot be reconstructed. FDA Appendix 1.F recommends that devices include mechanisms to securely create and store log files off the device to support forensic discovery.
