CROSSWALK

FDA Cybersecurity §Appendix 1.H, VI.B, VII.D

WHAT CARRIES OVER

IEC 62304 software maintenance and change management processes — patch management formalizes the update lifecycle with security-specific SLAs and integrity requirements.

WHAT’S NEW

§524B(b)(2)(A) requires a reasonably justified regular patch cycle; IEC 81001-5-1 §6.1.1 five-factor severity assessment; signed update delivery with rollback capability and 30-day customer notification for critical vulnerabilities.

AUDIT FOCUS

Severity-tiered SLA timelines, signed update delivery mechanism, and emergency out-of-cycle patch procedure — plans stating intent without process detail consistently trigger deficiency questions.

Maps to

FDA Cybersecurity: §Appendix 1.H Firmware and Software Updates, §VI.B Cybersecurity Management Plans, §VII.D Modifications

Pre-QMSR Part 820 (legacy QSR): §820.90 Nonconforming product.

IEC 62304: §6.2 Problem and modification analysis

IEC 81001-5-1: §6 SOFTWARE MAINTENANCE PROCESS

Requirement text

Per §524B(b)(2)(A) of the FD&C Act, manufacturers of cyber devices shall make available postmarket updates and patches on a reasonably justified regular cycle. FDA's Premarket Cybersecurity Guidance recommends that the manufacturer establish a plan for delivering security patches and updates throughout the product's supported lifecycle. The plan should define how patches are developed, validated, and delivered to end users; manufacturer-defined timeframes for addressing vulnerabilities by severity level; and mechanisms for authenticated and verified update delivery.

Why this clause exists

A device that cannot be patched after market clearance is a device whose security posture can only degrade over time — every new vulnerability published against its components permanently reduces its defensive capability. Regulators codified the patching obligation in §524B(b)(2)(A) of the FD&C Act because pre-2023 enforcement relied on voluntary best practices, and the observable outcome was a field population of medical devices running unpatched operating systems and firmware years past known critical vulnerabilities, with no mechanism for the clinical operator to receive or apply fixes. The IEC 81001-5-1 §6.1.1 five-factor severity assessment embedded in this requirement reflects the principled observation that patch urgency cannot be determined by CVSS score alone — a moderately scored vulnerability with a published exploit affecting a high-volume deployed fleet warrants faster response than a theoretically critical vulnerability with no known exploit on a device with compensating network isolation. The requirement for authenticated and integrity-verified update delivery exists because an update mechanism that can itself be compromised — accepting unsigned or tampered update packages — converts the patch channel into an attack vector, inverting its purpose.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date missing required cybersecurity documentation receive Refuse to Accept (RTA) letters.

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Common gaps (what we see in audits)

  • Patch management plans lack procedural detail: Plans state an intent to provide security updates but lack specific procedures: who decides when to patch, what validation is required, how patches are delivered (including secure boot, signed firmware, and rollback capabilities), how customers are notified, and response timelines by severity. FDA expects 30-day notification and 60-day remediation for critical risks. If a device cannot be patched, compensating control guidance for users is required.
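The "Why this clause exists" section and the gap above both turn on the same mechanism: an update channel that authenticates and integrity-checks every package before installing it, and that can fall back to the previous image when an update fails. The Go program below is an added example written for this page, not code from FDA, IEC, or any device manufacturer. Its UpdatePackage format, the choice of Ed25519 over a SHA-256 payload digest, the two-slot device model, and the post-install health check are all assumptions made for illustration. It shows a tampered payload and an unsigned package being rejected before anything is written to the active slot, and a correctly signed but non-functional image being reverted to the retained previous image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed container format for this example: version, image
// payload, SHA-256 of the payload, and an Ed25519 signature over version||digest.
type UpdatePackage struct {
	Version   uint32
	Payload   []byte
	Digest    [32]byte
	Signature []byte
}

// Device is the update client. Pub is the trusted manufacturer signing key; the
// replaced package is retained so a failed update can be reverted offline.
type Device struct {
	Pub              ed25519.PublicKey
	Active, Previous UpdatePackage
}

var (
	ErrBadSignature = errors.New("rejected: signature missing or invalid")
	ErrDigest       = errors.New("rejected: payload does not match signed digest")
	ErrRolledBack   = errors.New("post-install check failed; previous image restored")
)

// signedMessage binds version to digest so a genuine signature cannot be spliced
// onto another payload or relabelled with another version.
func signedMessage(version uint32, digest [32]byte) []byte {
	msg := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(msg[:4], version)
	copy(msg[4:], digest[:])
	return msg
}

// BuildPackage is the manufacturer side: hash the image and sign version||digest.
func BuildPackage(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Version: version, Payload: payload, Digest: digest,
		Signature: ed25519.Sign(priv, signedMessage(version, digest))}
}

// VerifyPackage is the device side: authenticate first, then check the payload
// against the digest that the signature just authenticated.
func VerifyPackage(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, signedMessage(pkg.Version, pkg.Digest), pkg.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(pkg.Payload) != pkg.Digest {
		return ErrDigest
	}
	return nil
}

// Apply installs a verified package and reverts to the retained one if the
// post-install health check fails; the retained package passed the same checks.
func (d *Device) Apply(pkg UpdatePackage, healthy func([]byte) bool) error {
	if err := VerifyPackage(d.Pub, pkg); err != nil {
		return err
	}
	d.Previous, d.Active = d.Active, pkg
	if !healthy(d.Active.Payload) {
		d.Active = d.Previous
		return ErrRolledBack
	}
	return nil
}

// RunScenario feeds constructed packages to a device at version 1 and returns each
// outcome by name plus the version left active afterwards.
func RunScenario() (map[string]error, uint32) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{Pub: pub, Active: UpdatePackage{Version: 1, Payload: []byte("fw-v1")}}
	healthy := func(img []byte) bool { return string(img) != "fw-v3-broken" }
	good := BuildPackage(priv, 2, []byte("fw-v2"))
	tampered, unsigned := good, good
	tampered.Payload = []byte("fw-v2-modified") // altered after signing
	unsigned.Signature = nil                     // signature stripped in transit
	out := map[string]error{}
	out["valid"] = dev.Apply(good, healthy) // accepted; device now at v2
	out["tampered"] = dev.Apply(tampered, healthy)
	out["unsigned"] = dev.Apply(unsigned, healthy)
	out["rolledback"] = dev.Apply(BuildPackage(priv, 3, []byte("fw-v3-broken")), healthy)
	return out, dev.Active.Version
}

func main() {
	out, active := RunScenario()
	fmt.Println(out, "active version:", active)
}
```

Run it with `go run`; main prints the outcome of each constructed case and the version left active. The order of checks in VerifyPackage is deliberate: the signature is verified before the digest is compared, so the digest being trusted is itself authenticated, and nothing about the package is acted on before the signature passes. The rolled-back image is safe to boot because it passed the same verification when it was installed, which is the property an auditor looking for "rollback capability" alongside "signed update delivery" will want to see documented in the plan.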
