Fault tolerance and recovery requirements derived from system design controls; cyber-resiliency applies them to adversarial disruption scenarios, including partial compromise and denial of service.
FDA Appendix 1.G calls for containment of partial compromise (process isolation, virtualization, or hardware-backed trusted execution), authenticated and authorized recovery of a trusted default configuration, and resilience to denial of service, excessive bandwidth use, and QoS disruption.
Isolation of critical clinical functions from compromise propagation, authenticated configuration recovery procedures, and validated resilience to DoS conditions. Missing isolation between clinical and non-clinical subsystems is the most common resilience deficiency found in audits.
Maps to
FDA Cybersecurity: §Appendix 1.G Resiliency and Recovery
Requirement text
FDA's Premarket Cybersecurity Guidance (current edition February 3, 2026) recommends that devices be designed to be resilient to possible cyber incident scenarios and maintain availability. Cyber-resiliency capabilities are important for medical devices because they provide a safety margin against unknown future vulnerabilities. Devices should implement features that protect critical functionality and data even when the device has been partially compromised, provide methods for retention and recovery of trusted default device configuration by an authenticated and authorized user, and be designed to be resilient to network outages, Denial of Service, and other availability-disrupting conditions.
Why this clause exists
Resilience and recovery controls address the gap between preventing security incidents and surviving them: a medical device that fails unsafely under a cyberattack can harm a patient even if the attack is eventually detected and remediated. FDA Appendix 1.G was prompted by the recognition that the threat landscape will always include unknown future vulnerabilities, so perfect prevention is not achievable. Cyber-resiliency provides the safety margin: even if an attacker partially compromises a device, process isolation, virtualization, and hardware-backed trusted execution environments can confine the damage to one portion of the system while critical clinical functions continue to operate safely. The specific enumeration of Denial of Service, excessive bandwidth usage, and QoS disruption reflects the realities of the device operating environment; medical devices deployed on shared hospital networks face unintentional as well as intentional disruption from other network traffic, so resilience to these conditions has to be designed and tested rather than assumed. The requirement for authenticated recovery of a trusted default configuration addresses a practical incident response scenario: once a compromise is detected, the device needs a verified clean-state configuration that an authorized user can restore without replacing the device, and the restore path itself must be protected so that an attacker cannot use it to install a tampered "default".
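As an added illustration of the authenticated-recovery expectation (example code written for this page, not from FDA or any device vendor), the following Python sketch stores the factory default configuration together with an HMAC-SHA256 tag computed under a device-specific integrity key, and only restores it when the requesting session is authenticated, holds an authorized role, and the stored default still verifies. The key value, the role names, the configuration fields, the session dictionary and the audit-log shape are all assumptions for illustration; on a real device the key would live in a secure element or TEE and the roles would come from the device's own access-control model.

```python
import hashlib
import hmac
import json

# Hypothetical device-specific integrity key (assumption for illustration).
# On a real device this would be held in a secure element or TEE, not in code.
DEVICE_INTEGRITY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Constructed factory-default configuration; field names are illustrative.
FACTORY_DEFAULT = {
    "infusion_rate_limit_ml_h": 999,
    "network": {"dhcp": True, "remote_admin": False},
    "firmware_rollback_allowed": False,
}

# Roles permitted to trigger a restore (assumed access-control model).
RESTORE_ROLES = {"service", "admin"}


class RecoveryError(Exception):
    """Raised when a restore request is refused."""


def canonical(cfg: dict) -> bytes:
    """Deterministic serialization so the tag does not depend on key order."""
    return json.dumps(cfg, sort_keys=True, separators=(",", ":")).encode()


def seal_default(cfg: dict, key: bytes) -> dict:
    """Produce the stored 'trusted default' blob: a copy of cfg plus its HMAC tag."""
    cfg_copy = json.loads(json.dumps(cfg))
    tag = hmac.new(key, canonical(cfg_copy), hashlib.sha256).hexdigest()
    return {"config": cfg_copy, "tag": tag}


def verify_default(blob: dict, key: bytes) -> bool:
    """True only if the stored default still matches its tag (constant-time compare)."""
    expected = hmac.new(key, canonical(blob["config"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, blob["tag"])


class Device:
    def __init__(self, stored_default: dict):
        self.stored_default = stored_default
        self.running_config = json.loads(json.dumps(stored_default["config"]))
        self.audit_log = []  # (event, detail) tuples

    def restore_default(self, session: dict) -> dict:
        """Restore the trusted default; refuses unless authenticated, authorized and verified."""
        # 1. Authentication and authorization of the requester.
        if not session.get("authenticated"):
            self.audit_log.append(("restore_denied", "unauthenticated"))
            raise RecoveryError("restore requires an authenticated session")
        if session.get("role") not in RESTORE_ROLES:
            self.audit_log.append(("restore_denied", f"role={session.get('role')}"))
            raise RecoveryError("session role is not authorized to restore defaults")
        # 2. Integrity of the stored default, checked before anything is written.
        if not verify_default(self.stored_default, DEVICE_INTEGRITY_KEY):
            self.audit_log.append(("restore_denied", "default_failed_integrity_check"))
            raise RecoveryError("stored default failed integrity check; refusing to apply it")
        # 3. Apply a fresh copy so later edits cannot reach the sealed default.
        self.running_config = json.loads(json.dumps(self.stored_default["config"]))
        self.audit_log.append(("restore_ok", session.get("user")))
        return self.running_config


def run_scenarios() -> dict:
    """Exercise the restore path; returns the outcome of each scenario."""
    outcomes = {}
    sealed = seal_default(FACTORY_DEFAULT, DEVICE_INTEGRITY_KEY)
    dev = Device(sealed)
    # Simulated partial compromise: the running config has been altered.
    dev.running_config["network"]["remote_admin"] = True

    for name, session in {
        "unauthenticated": {"authenticated": False, "role": "service", "user": "x"},
        "clinician": {"authenticated": True, "role": "clinician", "user": "nurse1"},
    }.items():
        try:
            dev.restore_default(session)
            outcomes[name] = "restored"
        except RecoveryError:
            outcomes[name] = "refused"

    service = {"authenticated": True, "role": "service", "user": "fse42"}
    outcomes["service"] = dev.restore_default(service)["network"]["remote_admin"]

    # Tampered stored default: attacker edits the blob but cannot recompute the tag.
    tampered = seal_default(FACTORY_DEFAULT, DEVICE_INTEGRITY_KEY)
    tampered["config"]["network"]["remote_admin"] = True
    try:
        Device(tampered).restore_default(service)
        outcomes["tampered_default"] = "restored"
    except RecoveryError:
        outcomes["tampered_default"] = "refused"
    outcomes["audit_events"] = len(dev.audit_log)
    return outcomes


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The order of checks is the point: the integrity check runs before anything is written, so a tampered "default" is never applied, and every refusal is logged so that the failed restore is itself evidence during incident response. HMAC under a device-held symmetric key is the simplest construction, but an attacker who extracts that key can re-seal a malicious default; a digital signature over the default, with the private key held by the manufacturer and only the public key on the device, removes that path and is the better fit when the threat model includes compromise of the device's key store.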
What changed
FDA's September 2023 final guidance (updated February 2026) Appendix 1.G formalizes cyber-resiliency as an explicit design requirement for medical devices. The specific expectations for partial-compromise containment using process isolation, virtualization, or hardware-backed mechanisms, for authenticated configuration recovery, and for resilience to Denial of Service and network disruption scenarios are new. The guidance frames cyber-resiliency as a safety margin against unknown future vulnerabilities, connecting device availability during a security event directly to patient safety.
Common gaps (what we see in audits)
- No isolation of critical clinical functions from non-critical software components — Many devices run clinical and non-clinical software in a single process space without isolation boundaries. FDA Appendix 1.G recommends implementing features that protect critical functionality and data even when the device has been partially compromised, using process isolation, virtualization, or hardware-backed trusted execution environments.