CROSSWALK

FDA Cybersecurity §V.A.1, V.B.2

WHAT CARRIES OVER

IEC 62304 software architecture and design input practices, ISO 14971 hazard identification methodology — threat modeling extends both into cybersecurity.

WHAT’S NEW

FDA guidance V.A.1 requires four mandatory security architecture views: Global System, Multi-Patient Harm, Updateability/Patchability, and Security Use Case — each with diagrams and explanatory text.

AUDIT FOCUS

System diagram showing trust boundaries and data flows, enumerated attack surfaces including wireless and cloud — deficiency letters cite incomplete threat models in the majority of cybersecurity RTA findings.

Maps to

FDA Cybersecurity: §V.A.1 Threat Modeling, §V.B.2 Security Architecture Views

Pre-QMSR Part 820 (legacy QSR): §820.30(c) Design input.

ISO 14971: §5.4 Identification of hazards and hazardous situations

IEC 81001-5-1: §5.3 Software architectural design

Requirement text

FDA's Premarket Cybersecurity Guidance (current edition February 3, 2026; originally September 27, 2023) recommends that the manufacturer provide a comprehensive threat model as part of premarket cybersecurity documentation. The threat model should identify and diagram the device in its intended use environment, enumerate all system interfaces and data flows, identify threat sources and attack surfaces, and characterize potential cybersecurity risks to the device and connected systems.

Why this clause exists

A threat model submitted without system-level context — no diagram, interfaces enumerated only partially, threat sources limited to abstract categories — cannot support an FDA reviewer's assessment of whether the device's attack surface is understood and defended. The dominant failure mode regulators observed in the pre-2023 era was threat documentation produced by regulatory affairs teams rather than security engineers: the resulting artifacts described threats in the abstract but could not answer whether a specific wireless interface was authenticated, whether a cloud service connection crossed a trust boundary, or whether a coordinated attack could simultaneously harm multiple patients. FDA guidance V.A.1 codified the four-view security architecture requirement because reviewers repeatedly received incomplete threat models that omitted cloud connections, mobile app interfaces, or removable media, leaving entire attack vectors uncharacterized. The Multi-Patient Harm View specifically exists because the connected nature of modern medical devices means a single compromised component can propagate adverse effects to all devices on a shared network — a failure class that per-device hazard analysis systematically misses when performed without a system-level security lens.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date missing required cybersecurity documentation receive Refuse to Accept (RTA) letters.

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Common gaps (what we see in audits)

  • Incomplete threat models lacking system context: Threat models submitted to FDA frequently lack system diagrams showing the device in its intended use environment, omit interfaces (wireless, cloud, removable media), or fail to identify relevant threat sources. FDA expects system-level models including cloud, mobile apps, and network infrastructure. Threat modeling deficiencies appear in a majority of FDA deficiency letters. STRIDE, PASTA, and Attack Trees are all accepted methodologies.
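
The questions raised under "Why this clause exists" (is a wireless interface authenticated, does a cloud connection cross a trust boundary, can one component affect many devices) and the omitted-interface gap above can be checked mechanically once interfaces and data flows are kept as a machine-readable inventory. The following is an added example, not taken from the FDA guidance or from this page's source; the inventory schema, the finding names, and the sample infusion-pump system are constructed assumptions.

```python
# Constructed inventory for a hypothetical connected infusion pump.
# The schema (zone, shared, kind, auth) is an assumption of this example.
COMPONENTS = {
    "pump":       {"zone": "clinical_network", "shared": False},
    "mobile_app": {"zone": "patient_phone",    "shared": False},
    "cloud_api":  {"zone": "vendor_cloud",     "shared": True},
    "update_srv": {"zone": "vendor_cloud",     "shared": True},
}
FLOWS = [
    {"src": "mobile_app", "dst": "pump",      "kind": "wireless", "auth": "none"},
    {"src": "pump",       "dst": "cloud_api", "kind": "cloud",    "auth": "mutual_tls"},
    {"src": "update_srv", "dst": "pump",      "kind": "cloud",    "auth": None},
]
# Interface classes the page names as commonly omitted from submissions.
REQUIRED_KINDS = {"wireless", "cloud", "removable_media"}


def review(components, flows, declared_absent=frozenset()):
    """Return (finding, subject) tuples for gaps in the inventory."""
    findings = []
    # 1. Every interface class is either modeled or explicitly declared absent.
    modeled = {f["kind"] for f in flows}
    for kind in sorted(REQUIRED_KINDS - modeled - set(declared_absent)):
        findings.append(("interface-not-addressed", kind))
    # 2. Every flow states its authentication; boundary crossings need some.
    for f in flows:
        name = f"{f['src']}->{f['dst']}"
        if f["src"] not in components or f["dst"] not in components:
            findings.append(("unknown-component", name))
            continue
        crosses = components[f["src"]]["zone"] != components[f["dst"]]["zone"]
        if f["auth"] is None:
            findings.append(("auth-undocumented", name))
        elif crosses and f["auth"] == "none":
            findings.append(("unauthenticated-boundary-crossing", name))
    # 3. Shared components that send data to other components are paths by
    #    which one compromise reaches many devices (multi-patient harm).
    for cname, comp in components.items():
        targets = sorted({f["dst"] for f in flows if f["src"] == cname})
        if comp["shared"] and targets:
            findings.append(("multi-patient-path", f"{cname}->{','.join(targets)}"))
    return findings


if __name__ == "__main__":
    for finding, subject in review(COMPONENTS, FLOWS):
        print(f"{finding:36} {subject}")
```

Declaring an interface class absent (for example `declared_absent={"removable_media"}`) records the decision in the model instead of leaving the reviewer to guess whether it was considered.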
