CROSSWALK

QMSR / ISO 13485 §820.30(b)

Maps to

QMSR / ISO 13485: §820.30(b)

ISO 13485: §7.3.9

IEC 81001-5-1: §6

FDA Cybersecurity Guidance: §V.A.6, VI.B, VII.E

Requirement text

The manufacturer shall define an end-of-life (EOL) cybersecurity plan that describes how security will be managed as the device approaches and reaches end of support. The plan must define the supported lifecycle duration, how customers will be notified of end-of-support dates, what security measures will remain in place after end of support, and recommendations for transitioning to replacement devices.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Atomic constraints

  • The expected supported lifecycle duration must be defined (e.g., security patches provided for X years from product launch).
  • Customer notification procedures for end-of-support and end-of-life milestones must be documented.
  • The plan must define which security measures remain available after end of support (e.g., last patch remains available for download).
  • Recommendations for device decommissioning must address data sanitization and secure disposal.
  • The plan must define the transition period between end-of-support announcement and final end-of-life.
  • Residual risks to patients from devices remaining in use after end of support must be addressed.

Common gaps

No defined support lifecycle or decommissioning guidance (severity: major)

Manufacturers do not specify a supported lifecycle duration, do not define customer notification milestones for end-of-support, and provide no data sanitization or secure decommissioning guidance. The FBI reported that over 40% of devices at end-of-life had few or no security patches.

Evidence signals

  • FILE_EXISTS

    End.*Life|EOL.*Plan|Lifecycle.*Plan|Decommission|Product.*Lifecycle

  • CONTENT_MATCH

    Does this document define an end-of-life cybersecurity plan with supported lifecycle duration, customer notification milestones for end-of-support, data sanitization guidance, and risk assessment for devices remaining in use after security support ends?
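As an added example (not tooling from this page), the following Python checker applies the FILE_EXISTS filename pattern quoted above and approximates the CONTENT_MATCH question with one keyword pattern per atomic constraint. The constraint patterns and the two sample documents are constructed assumptions, not part of the page.

```python
import re

# Filename signal quoted on the page (FILE_EXISTS), matched case-insensitively.
FILE_EXISTS = re.compile(
    r"End.*Life|EOL.*Plan|Lifecycle.*Plan|Decommission|Product.*Lifecycle", re.I)

# One rough keyword pattern per atomic constraint. These are constructed here as a
# proxy for the CONTENT_MATCH question; they are not from the page or any standard.
CONSTRAINTS = {
    "supported lifecycle duration":
        re.compile(r"security (patches|updates|support).{0,60}\b\d+\s*years?\b", re.I | re.S),
    "customer notification":
        re.compile(r"notif(y|ied|ication).{0,80}end[- ]of[- ](support|life)", re.I | re.S),
    "post-support measures":
        re.compile(r"after end[- ]of[- ]support.{0,120}(patch|update|download)", re.I | re.S),
    "data sanitization":
        re.compile(r"saniti[sz]|secure (disposal|erasure)|decommission", re.I),
    "transition period":
        re.compile(r"transition.{0,80}\b\d+\s*(months?|years?)\b", re.I | re.S),
    "residual risk": re.compile(r"residual risk", re.I),
}

def check_document(filename, text):
    """Return (filename_matches_signal, list_of_unmet_constraint_names)."""
    name_hit = bool(FILE_EXISTS.search(filename))
    missing = [name for name, rx in CONSTRAINTS.items() if not rx.search(text)]
    return name_hit, missing

def review(docs):
    """docs: {filename: text}. Returns {filename: {"name_hit": bool, "missing": [...]}}."""
    return {fn: dict(zip(("name_hit", "missing"), check_document(fn, txt)))
            for fn, txt in docs.items()}

# Constructed sample documents (not real manufacturer documents).
SAMPLE_DOCS = {
    "EOL-Cybersecurity-Plan.txt": (
        "Security patches are provided for 7 years from product launch. "
        "Customers are notified 24 months before the end-of-support date. "
        "After end-of-support the final patch remains available for download. "
        "Decommissioning requires data sanitization and secure disposal of the unit. "
        "The transition period between announcement and final end-of-life is 24 months. "
        "Residual risk to patients from devices remaining in use is assessed annually."),
    "Risk-Management-File.txt": (
        "Residual risk is evaluated per ISO 14971. Software updates ship quarterly."),
}

if __name__ == "__main__":
    for fn, result in review(SAMPLE_DOCS).items():
        print(fn, "| filename signal:", result["name_hit"],
              "| unmet constraints:", result["missing"] or "none")
```

A filename hit with unmet constraints is the page's "common gap" in miniature: a document titled as an EOL plan that never states a support duration or notification milestone.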

Audit defense

The End-of-Life Cybersecurity Plan for [your product] (Doc ID: [your document ID]) defines the supported lifecycle duration, customer notification timeline, transition provisions, and data sanitization guidance per FDA Premarket Cybersecurity Guidance, demonstrating total product lifecycle security management.
