CROSSWALK

FDA Cybersecurity §V.A.1, V.B.2

Maps to

FDA Cybersecurity: §V.A.1 Threat Modeling, §V.B.2 Security Architecture Views

Pre-QMSR Part 820 (legacy QSR): §820.30(c) Design input.

ISO 14971: §5.4 Identification of hazards and hazardous situations

IEC 81001-5-1: §5.3 Software architectural design

Requirement text

FDA's Premarket Cybersecurity Guidance (current edition February 3, 2026; originally September 27, 2023) recommends that the manufacturer provide a comprehensive threat model as part of premarket cybersecurity documentation. The threat model should identify and diagram the device in its intended use environment, enumerate all system interfaces and data flows, identify threat sources and attack surfaces, and characterize potential cybersecurity risks to the device and connected systems.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date missing required cybersecurity documentation receive Refuse to Accept (RTA) letters.

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Atomic constraints

  • The threat model must include a system diagram showing the device, connected systems, network boundaries, and data flows.
  • All interfaces (wired, wireless, removable media, cloud, user interfaces) must be enumerated as potential attack surfaces.
  • Threat sources must be identified, including nation-state actors, criminal organizations, insiders, and unintentional users.
  • The threat model must consider the device in its intended use environment, including connected hospital networks and cloud services.
  • Known vulnerability classes relevant to the device technology must be addressed.
  • The threat model must be submitted as part of the premarket cybersecurity documentation package.
  • Security architecture documentation must include a Global System View showing the device's full operating environment, all network connections, and trust boundaries (per FDA guidance V.B.2, Appendix 2).
  • Security architecture documentation must include a Multi-Patient Harm View identifying system functions or components whose compromise could simultaneously affect multiple patients.
  • Security architecture documentation must include an Updateability/Patchability View demonstrating the mechanisms by which software updates and security patches can be applied to the device.
  • Security architecture documentation must include Security Use Case View(s) depicting how security controls interact with device functions for the intended use scenarios.
  • Each required security architecture view must include both diagrams and explanatory text sufficient for FDA reviewers to assess the security architecture without requiring additional clarification.

Common gaps

Incomplete threat models lacking system context

major

Threat models submitted to FDA frequently lack system diagrams showing the device in its intended use environment, omit interfaces (wireless, cloud, removable media), or fail to identify relevant threat sources. FDA expects system-level models including cloud, mobile apps, and network infrastructure. Threat modeling deficiencies appear in a majority of FDA deficiency letters. STRIDE, PASTA, and Attack Trees are all accepted methodologies.

Evidence signals

  • FILE_EXISTS

    Threat.*Model|Cybersecurity.*Threat|FDA.*Cyber|Premarket.*Cyber|Security.*Architecture

  • CONTENT_MATCH

    Does this document contain a threat model for FDA premarket submission that includes system architecture diagrams showing the device in its use environment, enumerated interfaces and data flows, identified threat sources and attack surfaces, and characterized cybersecurity risks?

Audit defense

The Threat Model for [your product] (Doc ID: [your document ID]) provides comprehensive threat analysis per FDA Premarket Cybersecurity Guidance (current edition February 3, 2026; originally September 27, 2023), including system architecture in the intended use environment, enumerated interfaces, identified threat sources, and characterized cybersecurity risks for premarket submission.
