CROSSWALK

FDA Cybersecurity §V.A.2

WHAT CARRIES OVER

ISO 14971 risk management process and IEC 81001-5-1 security risk management — cybersecurity risk assessment integrates with, and feeds into, the existing safety risk file.

WHAT’S NEW

FDA guidance V.A.2 replaces probabilistic likelihood with exploitability scoring (CVSS or SSVC); aggregate residual risk evaluation required, not just threat-by-threat — signed risk acceptance statements mandatory.

AUDIT FOCUS

Traceability between threat model and risk assessment entries, CVSS-scored CVE list, and signed risk acceptance records — missing ISO 14971 file integration is a frequent deficiency.

Maps to

FDA Cybersecurity: §V.A.2 Cybersecurity Risk Assessment

Pre-QMSR Part 820 (legacy QSR): §820.30(g) Design validation.

ISO 14971: §5.4 Identification of hazards and hazardous situations, §5.5 Risk estimation

IEC 81001-5-1: §7 SECURITY RISK MANAGEMENT PROCESS

Requirement text

FDA's Premarket Cybersecurity Guidance recommends that the manufacturer perform a cybersecurity risk assessment that evaluates each identified threat from the threat model. Because likelihood of occurrence cannot typically be quantified for cybersecurity risks using historical data or modeling (unlike ISO 14971 safety risk assessment), the assessment should focus on exploitability and impact, identify cybersecurity controls to mitigate risks, and evaluate residual risk. The assessment should demonstrate that cybersecurity risks are controlled to an acceptable level considering patient safety and data integrity.

Why this clause exists

Safety risk management and cybersecurity risk management rest on fundamentally different probability models — ISO 14971 uses statistical likelihood of failure to estimate risk, but a determined adversary's probability of exploitation depends on motivation, skill, and opportunity, none of which follow a random-failure distribution. Manufacturers who apply ISO 14971's probabilistic likelihood framework to cybersecurity threats systematically underestimate adversarial risk: a known, unpatched vulnerability with a published exploit has high exploitability regardless of how rarely the device has been attacked historically. FDA guidance V.A.2 established the exploitability-and-impact model to correct this mismatch, requiring CVSS or SSVC scoring rather than traditional P×S estimation.

The integration requirement with the ISO 14971 risk management file reflects a further regulatory finding: organizations that maintained separate safety and cybersecurity risk processes routinely failed to recognize that a cybersecurity attack compromising device software could trigger the same patient harm pathways identified in the safety risk analysis — leaving a gap where the risk management file did not reflect cybersecurity-sourced safety hazards and the cybersecurity assessment did not carry through to risk controls visible to safety reviewers.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date missing required cybersecurity documentation receive Refuse to Accept (RTA) letters.

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Common gaps (what we see in audits)

  • Risk assessment disconnected from threat model and safety risk management: Cybersecurity risk assessments use inconsistent methodologies, fail to assess every threat identified in the threat model, or lack traceability to the ISO 14971 safety risk management file. FDA rejects 'probability of occurrence' for cybersecurity — risk must be assessed based on exploitability using frameworks like CVSS or SSVC, not random failure probability.
