IEC 62304 §6.2 problem and modification analysis and IEC 81001-5-1 §6 maintenance process: post-market vulnerability monitoring is the continuous operationalization of software maintenance obligations these standards already impose.
FDA guidance §V.A.6 and §524B(b)(2) require automated CVE alerting against every SBOM component, severity-tiered response commitments (for example, critical: 48-hour assessment, 30-day remediation), and periodic management review of vulnerability status.
In short: automated monitoring against the SBOM, severity-tiered SLAs (e.g., critical: 48-hour assessment, 30-day remediation) and tracked remediation. Manual checks without SLAs do not satisfy §524B.
Maps to
FDA Cybersecurity: §V.A.6 TPLC Security Risk Management, §VI.B Cybersecurity Management Plans, §VII.C.2 Design, Develop, and Maintain Processes and Procedures to Provide a Reasonable Assurance of Cybersecurity (Section 524B(b)(2))
Pre-QMSR Part 820 (legacy QSR): §820.90 Nonconforming product.
IEC 62304: §6.2 Problem and modification analysis
IEC 81001-5-1: §6 SOFTWARE MAINTENANCE PROCESS
Requirement text
The manufacturer shall establish a continuous vulnerability monitoring process for all software components in the SBOM. The process shall define how new CVEs are detected, assessed for applicability, and remediated within committed timeframes. Vulnerability response time commitments shall be defined by severity level and tracked as a quality metric.
Why this clause exists
Vulnerabilities in medical device software components are discovered and published continuously for as long as the device is in service. The question is not whether new vulnerabilities will appear in SBOM components, but how quickly they will be detected and how systematically the manufacturer will evaluate and respond to them. The §524B(b)(2) reasonable-assurance requirement addresses a specific failure mode: manufacturers treated premarket vulnerability assessment as the terminal activity, with no process for detecting that a component disclosed to FDA as free of critical CVEs had acquired new critical CVEs eighteen months after clearance. Automated alerting, rather than periodic manual review, is required because the latency between CVE publication and detection is itself a risk factor. A critical vulnerability with a published exploit that automated monitoring surfaces within hours produces a materially different exposure window than the same vulnerability found during a semi-annual manual review cycle. The severity-tiered SLA structure reflects the proportionality principle in IEC 81001-5-1 §6: the urgency of response is calibrated to the patient safety impact of exploitation, rather than applying a uniform timeline that is simultaneously too slow for critical findings and too demanding for low-severity informational items.
What changed
The FDA's September 2023 final guidance superseded the October 2014 final guidance (and replaced the April 2022 draft), and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date that lack the required cybersecurity documentation receive Refuse to Accept (RTA) letters.
Section 524B created new statutory requirements for 'cyber devices': any device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan to monitor, identify and address postmarket vulnerabilities and exploits, including coordinated vulnerability disclosure and patching; evidence of secure development processes (the guidance's Secure Product Development Framework, SPDF); and a machine-readable SBOM (in practice SPDX or CycloneDX) covering commercial, open-source and off-the-shelf components, including transitive dependencies and end-of-support dates.
FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.
Common gaps (what we see in audits)
- No continuous vulnerability monitoring against SBOM components — Manufacturers check NVD manually, or not at all, for vulnerabilities affecting SBOM components; no automated monitoring tool is configured against the product SBOM; no response-time commitments are defined by severity level; and remediation tracking is ad hoc.
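The requirement text above (detect new CVEs, assess applicability, remediate within committed timeframes, track by severity as a quality metric) and the audit gap just listed reduce to the same small pipeline. The following is an added example written for this page, not code from FDA, IEC, or any manufacturer's system: it matches a constructed CycloneDX-style component list against a constructed OSV-style vulnerability feed (the EXAMPLE-* identifiers are placeholders, not real advisories), applies VEX-style applicability statements, and reports each finding's state against a severity-tiered SLA. Only the critical tier's 48-hour assessment and 30-day remediation figures come from this page; the high, medium and low tiers, the dotted-numeric version comparison, and the shape of the VEX and feed records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Severity tiers: (assessment window, remediation window). The critical tier
# is the one quoted on this page; the other three are ASSUMED values and must
# come from the manufacturer's own cybersecurity management plan.
SLA = {
    "critical": (timedelta(hours=48), timedelta(days=30)),
    "high":     (timedelta(days=7),   timedelta(days=90)),    # assumed
    "medium":   (timedelta(days=30),  timedelta(days=180)),   # assumed
    "low":      (timedelta(days=90),  timedelta(days=365)),   # assumed
}
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed detection time
DAY = timedelta(days=1)

# Constructed CycloneDX-style component list. A real SBOM is produced by the
# build pipeline (and binary analysis), never written by hand.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "openssl", "version": "3.0.8",  "purl": "pkg:generic/openssl@3.0.8"},
    {"name": "zlib",    "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"name": "libxml2", "version": "2.10.3", "purl": "pkg:generic/libxml2@2.10.3"},
]}

# Constructed feed in OSV-like shape; EXAMPLE-* ids are placeholders only.
FEED = [
    {"id": "EXAMPLE-0001", "cvss": 9.8, "package": "openssl",
     "ranges": [{"introduced": "3.0.0", "fixed": "3.0.9"}]},
    {"id": "EXAMPLE-0002", "cvss": 5.3, "package": "zlib",
     "ranges": [{"introduced": "1.2.0", "fixed": "1.3.0"}]},
    {"id": "EXAMPLE-0003", "cvss": 7.5, "package": "libxml2",
     "ranges": [{"introduced": "2.11.0"}]},            # open-ended: no fix yet
]

# Constructed VEX-style applicability statements keyed by (vuln id, component).
VEX = {("EXAMPLE-0002", "zlib"): {"status": "not_affected",
                                  "justification": "vulnerable_code_not_present"}}

def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (assumption; use a real version library in production)."""
    return tuple(int(p) for p in v.split("."))

def in_range(version: str, rng: dict) -> bool:
    """OSV semantics: introduced <= version < fixed; a missing 'fixed' means still affected."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    return "fixed" not in rng or v < parse_version(rng["fixed"])

@dataclass
class Finding:
    vuln_id: str
    component: str
    version: str
    severity: str
    detected: datetime
    status: str = "open"               # open | affected | not_affected | fixed
    assessed: Optional[datetime] = None

    def assess_due(self) -> datetime:
        return self.detected + SLA[self.severity][0]

    def fix_due(self) -> datetime:
        return self.detected + SLA[self.severity][1]

def detect(sbom: dict, feed: list, now: datetime) -> list:
    """Step 1, detection: every SBOM component is checked against every feed record."""
    return [Finding(rec["id"], c["name"], c["version"], severity(rec["cvss"]), now)
            for c in sbom["components"] for rec in feed
            if rec["package"] == c["name"] and any(in_range(c["version"], r) for r in rec["ranges"])]

def assess(findings: list, vex: dict, now: datetime) -> list:
    """Step 2, applicability: a not_affected verdict is only accepted with a justification."""
    for f in findings:
        stmt = vex.get((f.vuln_id, f.component))
        if stmt is None:
            continue
        if stmt["status"] == "not_affected" and not stmt.get("justification"):
            raise ValueError(f"{f.vuln_id}: not_affected without justification")
        f.status, f.assessed = stmt["status"], now
    return findings

def sla_state(f: Finding, now: datetime) -> str:
    """Step 3, tracking: where a finding stands against its tier's commitments."""
    if f.status in ("not_affected", "fixed"):
        return "closed"
    if f.assessed is None and now > f.assess_due():
        return "assessment_overdue"
    if now > f.fix_due():
        return "remediation_overdue"
    return "within_sla"

def report(findings: list, now: datetime) -> dict:
    """Quality metric for management review: per-finding state and share of open findings within SLA."""
    states = {f.vuln_id: sla_state(f, now) for f in findings}
    open_ = [s for s in states.values() if s != "closed"]
    pct = 100.0 if not open_ else 100.0 * open_.count("within_sla") / len(open_)
    return {"states": states, "open": len(open_), "pct_within_sla": pct}

def run(detected_at: datetime, now: datetime) -> dict:
    return report(assess(detect(SBOM, FEED, detected_at), VEX, now), now)

def run_after(days: float) -> dict:
    """Convenience: findings detected at T0, reviewed `days` later."""
    return run(T0, T0 + days * DAY)

if __name__ == "__main__":
    print(run_after(1))   # critical finding still within its 48-hour window
    print(run_after(3))   # same finding, now past assessment SLA
```

In a real deployment `FEED` is pulled from NVD or OSV on a schedule rather than embedded, `SBOM` is loaded from the build artefact, and the `report()` output is retained as the quality record that management review examines. The `ValueError` on an unjustified not_affected verdict is deliberate: an applicability decision with no recorded reason is exactly the kind of ad hoc triage an auditor will challenge.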