IEC 62304 problem and modification analysis and ISO 14971 risk control framework — SBOM-driven CVE assessment extends safety risk management to the software supply chain.
FDA guidance §V.A.6, backed by FD&C Act §524B(b)(2) for cyber devices, calls for a CVE assessment that is current as of the submission date for every SBOM component: CVSS scores, per-CVE applicability analysis, mitigations or documented risk acceptance, and a defined post-market monitoring process.
CVE list current to submission date, per-component applicability rationale, and compensating control documentation for unpatched vulnerabilities — assessments not refreshed before submission trigger deficiencies.
Maps to
FDA Cybersecurity: §V.A.6 TPLC Security Risk Management, §VI.B Cybersecurity Management Plans, §VII.C.2 Design, Develop, and Maintain Processes and Procedures to Provide a Reasonable Assurance of Cybersecurity (Section 524B(b)(2))
Pre-QMSR Part 820 (legacy QSR): §820.90 Nonconforming product.
IEC 62304: §6.2 Problem and modification analysis
IEC 81001-5-1: §6 SOFTWARE MAINTENANCE PROCESS
Requirement text
FDA's Premarket Cybersecurity Guidance recommends that the manufacturer perform vulnerability assessment of all software components identified in the SBOM and establish a process for ongoing vulnerability management. For cyber devices, §524B(b)(2) of the FD&C Act requires processes that provide reasonable assurance the device is cybersecure — vulnerability management is a core component of that assurance. Known vulnerabilities (CVEs) should be analyzed for applicability and impact, with documented mitigations or risk acceptance for each applicable vulnerability.
Why this clause exists
A known vulnerability that is not assessed for applicability is an undecided risk — the manufacturer has neither accepted nor mitigated it, and therefore has no documented basis for asserting that the device is cybersecure. The structural failure mode regulators targeted in FDA guidance V.A.6 was the manufacturer who performed a vulnerability scan once during development, documented the result, and never returned to it: by submission date, new CVEs had been published against components in the submitted SBOM, the assessment was stale, and neither the manufacturer nor the FDA reviewer had visibility into the current exposure. The §524B(b)(2) reasonable-assurance requirement places a continuous obligation on manufacturers that a point-in-time scan cannot satisfy — the statute contemplates a living process, not a document produced for submission and then archived. The applicability-analysis requirement per CVE reflects a further principle: a generic CVE affecting a library does not necessarily affect every product that includes that library; whether the vulnerable code path is reachable in the specific product configuration is a substantive engineering question whose answer changes the actual risk, and regulators expect that question to be answered rather than defaulting all CVEs in listed components to applicable.
What changed
FDA's September 2023 final guidance superseded the October 2014 guidance. The guidance itself remains a statement of FDA's current thinking rather than a binding rule, but it now sits on top of Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022, effective March 29, 2023), which makes the core cybersecurity elements statutory requirements for cyber devices. FDA announced that it would not refuse to accept submissions on cybersecurity grounds alone before October 1, 2023; submissions received after that date without the required cybersecurity documentation may be refused under the Refuse to Accept (RTA) policy.
Section 524B defines a 'cyber device' as a device that includes software validated, installed, or authorized by the sponsor, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. For such devices the sponsor must submit a plan to monitor, identify, and address postmarket vulnerabilities and exploits (including coordinated vulnerability disclosure), evidence of secure development processes (SPDF) that provide reasonable assurance the device is cybersecure and that postmarket updates and patches can be made available, and an SBOM covering commercial, open-source, and off-the-shelf components. The guidance recommends that the SBOM be machine-readable (SPDX and CycloneDX are the common formats), capture component dependencies, and state each component's level of support and end-of-support date.
FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Industry analyses since October 2023 report a roughly 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited, and threat modeling gaps appearing in most of them. The SBOM expectation goes well beyond the 2014 guidance: a build manifest alone rarely accounts for statically linked or vendored code, so binary composition analysis is commonly used to surface components the build system does not declare, and the SBOM is a maintained artifact that must match the software actually submitted rather than a one-time snapshot.
Common gaps (what we see in audits)
- Vulnerability assessment not current at time of submission — The assessment is performed early in development and not refreshed before the premarket submission, so CVEs published against SBOM components between the last scan and the submission date have no documented disposition.
- Scan results without applicability analysis — The assessment lists CVEs per component but does not explain, for each one, whether the vulnerable code path is reachable in the product's specific configuration, leaving the reviewer unable to tell a mitigated finding from an unexamined one.
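The process described under "Requirement text" and "Why this clause exists", and the two gaps above, reduce to a small amount of bookkeeping that is easy to automate. The following is an added example written for this page; it is not code from FDA, from CycloneDX, or from any manufacturer. The SBOM fragment, the advisory feed, and the manufacturer's assessment file are all constructed inline so the script runs offline, and the vulnerability IDs are placeholders rather than real CVE entries. The `state` and `justification` vocabulary comes from the CycloneDX 1.4+ `vulnerabilities[].analysis` object; the `max_age_days` refresh window is an assumed internal policy, not a figure from the guidance. The script matches advisories to SBOM components, reports the deficiencies a reviewer would raise (unassessed CVEs, "not affected" claims without a rationale, applicable CVEs without a recorded control, assessments older than the refresh window), and emits the assessment as CycloneDX vulnerability entries.

```python
"""SBOM-driven CVE assessment with a submission-currency check.

Added example for this page, not code from FDA, CycloneDX or any manufacturer.
The SBOM, advisory feed and assessment file below are constructed inline; the
vulnerability IDs are placeholders, not real CVE entries.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM fragment (only the fields this example reads).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:generic/libexample@1.2.3", "name": "libexample", "version": "1.2.3"},
        {"bom-ref": "pkg:generic/netstack@4.0.1", "name": "netstack", "version": "4.0.1"},
        {"bom-ref": "pkg:generic/ui-toolkit@2.9.0", "name": "ui-toolkit", "version": "2.9.0"},
    ],
})

# Constructed advisory feed standing in for an offline NVD/OSV snapshot (placeholder IDs).
ADVISORIES = [
    {"id": "CVE-0000-0001", "name": "libexample", "affected": ["1.2.3"], "cvss": 9.8, "published": "2024-01-10"},
    {"id": "CVE-0000-0002", "name": "netstack", "affected": ["4.0.1"], "cvss": 7.5, "published": "2024-03-02"},
    {"id": "CVE-0000-0003", "name": "netstack", "affected": ["4.0.1"], "cvss": 5.3, "published": "2024-06-20"},
    {"id": "CVE-0000-0004", "name": "ui-toolkit", "affected": ["2.8.0"], "cvss": 6.1, "published": "2024-02-14"},
]

@dataclass
class Assessment:
    """Per (component, vulnerability) decision, using CycloneDX analysis vocabulary."""
    state: str            # exploitable | not_affected | resolved | in_triage
    justification: str    # e.g. code_not_reachable, requires_configuration ("" if none)
    rationale: str        # engineering reasoning a reviewer can check
    control: str          # compensating control or accepted-risk record ("" if none)
    assessed_on: str      # ISO date of the decision

# Constructed manufacturer assessment file from a refresh on 2024-04-01.
# CVE-0000-0003 was published after that refresh and therefore has no entry.
ASSESSMENTS = {
    ("pkg:generic/libexample@1.2.3", "CVE-0000-0001"): Assessment(
        "not_affected", "code_not_reachable",
        "Vulnerable parser is behind a build flag disabled in the device image", "", "2024-04-01"),
    ("pkg:generic/netstack@4.0.1", "CVE-0000-0002"): Assessment(
        "exploitable", "", "Affected listener is exposed on the clinical LAN",
        "Risk control RC-17: listener bound to management VLAN; patch in next release", "2024-04-01"),
}

def load_components(sbom_json):
    """Return (bom-ref, name, version) for each SBOM component."""
    return [(c["bom-ref"], c["name"], c["version"]) for c in json.loads(sbom_json)["components"]]

def match_advisories(components, advisories, as_of):
    """Pair each component with every advisory covering its exact version and published by as_of (ISO date)."""
    cutoff = date.fromisoformat(as_of)
    hits = []
    for ref, name, version in components:
        for adv in advisories:
            if adv["name"] == name and version in adv["affected"] \
                    and date.fromisoformat(adv["published"]) <= cutoff:
                hits.append((ref, adv))
    return hits

def currency_findings(hits, assessments, submission_date, max_age_days=180):
    """Deficiencies a premarket reviewer would raise against this assessment set.
    max_age_days is an assumed internal refresh policy, not a figure from the FDA guidance."""
    cutoff = date.fromisoformat(submission_date) - timedelta(days=max_age_days)
    findings = []
    for ref, adv in hits:
        a = assessments.get((ref, adv["id"]))
        if a is None:
            findings.append(f"{ref} {adv['id']}: no assessment (published {adv['published']}, CVSS {adv['cvss']})")
        elif a.state == "not_affected" and not (a.justification and a.rationale):
            findings.append(f"{ref} {adv['id']}: not_affected without justification and rationale")
        elif a.state == "exploitable" and not a.control:
            findings.append(f"{ref} {adv['id']}: applicable but no mitigation or risk acceptance recorded")
        elif date.fromisoformat(a.assessed_on) < cutoff:
            findings.append(f"{ref} {adv['id']}: assessment dated {a.assessed_on} is older than the refresh window")
    return findings

def to_cyclonedx_vulnerabilities(hits, assessments):
    """Emit CycloneDX 1.4 'vulnerabilities' entries; unassessed hits are marked in_triage."""
    entries = []
    for ref, adv in hits:
        a = assessments.get((ref, adv["id"]))
        analysis = {"state": "in_triage", "detail": "not yet assessed"} if a is None else {
            "state": a.state, "detail": a.rationale + (f"; {a.control}" if a.control else ""),
            **({"justification": a.justification} if a.justification else {})}
        entries.append({"id": adv["id"], "published": adv["published"],
                        "ratings": [{"score": adv["cvss"], "method": "CVSSv31"}],
                        "affects": [{"ref": ref}], "analysis": analysis})
    return entries

if __name__ == "__main__":
    submission = "2024-09-01"
    hits = match_advisories(load_components(SBOM_JSON), ADVISORIES, submission)
    for f in currency_findings(hits, ASSESSMENTS, submission):
        print("DEFICIENCY:", f)
    print(json.dumps({"vulnerabilities": to_cyclonedx_vulnerabilities(hits, ASSESSMENTS)}, indent=2))
```

Run against a submission date of 2024-09-01, the script flags exactly the stale-assessment gap described above: the advisory published in June has no disposition, while the two April decisions pass. Matching here is exact-version only; a production implementation would evaluate version ranges and package URLs, but the structure of the record (state, justification, rationale, control, date) is what a reviewer reads, and the in_triage entries are what must be empty before submission.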