CROSSWALK

QMSR / ISO 13485 §820.30(e)

Maps to

QMSR / ISO 13485: §820.30(e)

ISO 13485: §7.3.5

IEC 81001-5-1: §5.7

FDA Cybersecurity Guidance: §V.C

Requirement text

The manufacturer shall provide evidence of penetration testing as part of premarket cybersecurity documentation. The penetration test must cover the scope defined by the threat model, use appropriate tools and methodologies, and document all findings with severity ratings. Critical and high findings must be remediated before submission, or compensating controls and risk justification must be provided.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Atomic constraints

  • Penetration testing must be performed and documented before premarket submission.
  • The test scope must be derived from the threat model and cover identified attack surfaces.
  • Testing methodology must be documented (e.g., OWASP Testing Guide, PTES, NIST SP 800-115).
  • Tools used for testing must be identified and documented.
  • All findings must be documented with severity ratings (CVSS), proof of concept, and affected components.
  • Critical and high findings must be remediated or have documented compensating controls with risk justification.
  • Retest evidence must be provided for remediated findings.

Common gaps

Penetration testing not scoped to threat model or independently performed

major

Pen test reports show generic web application testing not scoped to the device's threat model. FDA expects tests on the final production-equivalent version covering the network, application, and firmware layers. Critical findings are listed as 'accepted risk' without adequate justification, and the testers are internal developers lacking independence.

Evidence signals

  • FILE_EXISTS

    Penetration.*Test|Pen.*Test.*Report|Security.*Test|VAPT.*Report|Cybersecurity.*Test

  • CONTENT_MATCH

    Does this document provide penetration testing evidence including test methodology, scope derived from the threat model, tools used, findings with CVSS severity ratings and proof of concept, and remediation or retest evidence for critical and high findings?

Audit defense

The Penetration Test Report for [your product] (Doc ID: [your document ID]) provides evidence of security testing per FDA Premarket Cybersecurity Guidance, covering threat model attack surfaces with documented methodology, tools, findings with CVSS severity ratings, and remediation evidence for all critical and high findings.
