Maps to
QMSR / ISO 13485: §820.90
IEC 62304: §6.2
IEC 81001-5-1: §6
FDA Cybersecurity Guidance: §V.A.6, VI.B, VII.C.2
Requirement text
The manufacturer shall perform vulnerability assessment of all software components identified in the SBOM and establish a process for ongoing vulnerability management. Known vulnerabilities (CVEs) must be analyzed for applicability and impact, with documented mitigations or risk acceptance for each applicable vulnerability.
What changed
The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).
Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.
FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.
Atomic constraints
- •All SBOM components must be assessed against known vulnerability databases (NVD, vendor advisories) at time of submission.
- •Each known vulnerability (CVE) applicable to a component must be documented with its CVSS score and applicability analysis.
- •For each applicable vulnerability, a mitigation (patch, compensating control, or architectural isolation) must be documented.
- •Vulnerabilities without available patches must have documented compensating controls or risk acceptance with patient safety justification.
- •The vulnerability assessment must be current as of the premarket submission date.
- •A process for ongoing vulnerability monitoring post-market must be defined.
Common gaps
Vulnerability assessment not current at time of submission
majorThe vulnerability assessment is performed early in development and not refreshed before premarket submission. New CVEs between assessment and submission are unaddressed. Assessments scan components but do not include applicability analysis explaining whether each CVE is exploitable in the product's specific configuration.
Evidence signals
- •
FILE_EXISTS
Vulnerability.*Assessment|Vulnerability.*Report|CVE.*Analysis|Known.*Vulnerability|Security.*Scan
- •
CONTENT_MATCH
Does this document contain a vulnerability assessment of software components listing known CVEs with CVSS scores, applicability analysis for each vulnerability, documented mitigations or compensating controls, and a process for ongoing vulnerability monitoring?
Audit defense
The Vulnerability Assessment Report for [your product] (Doc ID: [your document ID]) documents the analysis of all known CVEs applicable to our SBOM components per FDA Premarket Cybersecurity Guidance, with mitigations or risk acceptance for each applicable vulnerability and a defined process for ongoing monitoring.