Maps to
QMSR / ISO 13485: §820.30(g)
ISO 14971: §5.4-5.5
IEC 81001-5-1: §7
FDA Cybersecurity Guidance: §V.A.2
Requirement text
The manufacturer shall perform a cybersecurity risk assessment that evaluates each identified threat from the threat model, determines the likelihood and impact of exploitation, identifies cybersecurity controls to mitigate risks, and evaluates residual risk. The assessment must demonstrate that cybersecurity risks are controlled to an acceptable level considering patient safety and data integrity.
What changed
The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).
Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.
FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.
Atomic constraints
- Each threat identified in the threat model must have a corresponding risk assessment with likelihood and impact evaluation.
- Risk assessment must use a consistent methodology (CVSS, custom severity/likelihood matrix) applied uniformly across all threats.
- Cybersecurity controls must be identified for each unacceptable risk with traceability to the mitigated threat.
- Residual risk after controls must be evaluated and documented.
- The assessment must distinguish between risks to patient safety and risks to data confidentiality/integrity.
- Unmitigated or accepted risks must have documented justification reviewed by the risk management authority.
- Residual cybersecurity risks that are accepted must have explicit risk acceptance statements signed by an authorized individual (e.g., risk management authority), documenting the basis for acceptance and confirming the residual risk is acceptable given the intended benefit per FDA Premarket Cybersecurity Guidance V.A.2.
- Cybersecurity risk assessment outputs must be traceable to and integrated with the ISO 14971 risk management file — threats that could compromise patient safety must appear as hazards in the ISO 14971 risk analysis, and cybersecurity controls reducing safety-related risk must be reflected in the risk management file as risk control measures.
- The overall residual cybersecurity risk must be evaluated in aggregate, not only threat-by-threat, to demonstrate that the total residual cybersecurity risk is acceptable considering the intended use and benefits of the device.
- The cybersecurity risk assessment must be updated whenever new threats are identified (e.g., from post-market surveillance, SBOM vulnerability monitoring, or CVD reports), and the risk management authority must re-evaluate risk acceptability after each update.
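The constraints above are the kind of thing a reviewer checks mechanically before an audit. The following is an added example, not code from the page or from any regulator's or manufacturer's tooling: a Python checker that runs a constructed risk register against those constraints (one assessment per threat, one methodology for the whole register, controls or a signed and justified acceptance for any unacceptable risk, residual risk documented, safety-relevant threats linked to an ISO 14971 hazard) and summarizes residual risk in aggregate. The 3.9 acceptability threshold, the field names, the "worst score plus count above threshold" aggregate summary, and all threat, control and hazard IDs are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed threshold: scores at or below this are treated as acceptable without controls.
# A real register ties this to the methodology chosen (e.g. a CVSS v3.1 "Low" band).
ACCEPTABLE_MAX = 3.9


@dataclass
class Threat:
    """One threat from the threat model (constructed fields)."""
    id: str
    description: str
    safety_relevant: bool  # could compromise patient safety -> must be an ISO 14971 hazard


@dataclass
class Assessment:
    """Risk assessment record for one threat (constructed fields)."""
    threat_id: str
    methodology: str                              # e.g. "CVSS v3.1"
    score: float                                  # pre-control score under that methodology
    controls: list = field(default_factory=list)  # control IDs that mitigate this threat
    residual_score: Optional[float] = None        # score after controls; None = not evaluated
    iso14971_hazard: Optional[str] = None         # hazard ID in the risk management file
    accepted_by: Optional[str] = None             # signer of the risk acceptance statement
    acceptance_basis: Optional[str] = None        # documented basis for acceptance


def check_register(threats, assessments):
    """Return a list of findings; an empty list means every checked constraint holds."""
    findings = []
    by_threat = {a.threat_id: a for a in assessments}

    # Constraint: every threat in the threat model has a risk assessment.
    for t in threats:
        if t.id not in by_threat:
            findings.append(f"{t.id}: no risk assessment")

    # Constraint: one methodology applied uniformly across all threats.
    methods = {a.methodology for a in assessments}
    if len(methods) > 1:
        findings.append(f"inconsistent methodologies: {sorted(methods)}")

    for a in assessments:
        t = next((x for x in threats if x.id == a.threat_id), None)
        signed = bool(a.accepted_by and a.acceptance_basis)

        # Constraint: unacceptable risk needs controls, or a signed, justified acceptance.
        if a.score > ACCEPTABLE_MAX and not a.controls and not signed:
            findings.append(f"{a.threat_id}: unacceptable risk with no controls and no signed acceptance")

        # Constraint: residual risk after controls is evaluated and, if still high, accepted.
        if a.residual_score is None:
            findings.append(f"{a.threat_id}: residual risk not evaluated")
        elif a.residual_score > ACCEPTABLE_MAX and not signed:
            findings.append(f"{a.threat_id}: residual risk above threshold without signed acceptance")

        # Constraint: safety-relevant threats appear as hazards in the ISO 14971 file.
        if t is not None and t.safety_relevant and not a.iso14971_hazard:
            findings.append(f"{a.threat_id}: safety-relevant but not linked to an ISO 14971 hazard")

    return findings


def aggregate_residual(assessments):
    """Aggregate residual view (assumed summary: worst residual score and count above threshold)."""
    residuals = [a.residual_score for a in assessments if a.residual_score is not None]
    return {
        "worst": max(residuals, default=0.0),
        "above_threshold": sum(1 for r in residuals if r > ACCEPTABLE_MAX),
    }


# Constructed sample register: four assessed threats plus one that was never assessed.
THREATS = [
    Threat("T-01", "Unauthenticated firmware update over USB", True),
    Threat("T-02", "Patient data readable on unencrypted local storage", False),
    Threat("T-03", "Replay of paired-controller commands", True),
    Threat("T-04", "Verbose error messages reveal internal file paths", False),
    Threat("T-05", "Default service credentials on maintenance port", True),
]
ASSESSMENTS = [
    Assessment("T-01", "CVSS v3.1", 8.4, ["CTRL-07 signed firmware images"], 2.0, "HAZ-12"),
    Assessment("T-02", "CVSS v3.1", 6.5, ["CTRL-03 storage encryption"]),            # residual never evaluated
    Assessment("T-03", "CVSS v3.1", 7.1, ["CTRL-11 nonce in command protocol"], 2.5),  # no hazard link
    Assessment("T-04", "custom 5x5 matrix", 3.0, [], 3.0),                            # breaks methodology consistency
]

if __name__ == "__main__":
    for line in check_register(THREATS, ASSESSMENTS):
        print("FINDING:", line)
    print("aggregate residual:", aggregate_residual(ASSESSMENTS))
```

Running the script lists four findings (T-05 unassessed, mixed methodologies, T-02 without a residual score, T-03 without a hazard link) and an aggregate summary that looks acceptable on its own, which is exactly why the per-threat checks and the aggregate view have to be read together: a clean aggregate says nothing about threats that were never scored.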
Common gaps
Risk assessment disconnected from threat model and safety risk management
Severity: major
Cybersecurity risk assessments use inconsistent methodologies, fail to assess every threat identified in the threat model, or lack traceability to the ISO 14971 safety risk management file. FDA rejects 'probability of occurrence' for cybersecurity — risk must be assessed based on exploitability using frameworks like CVSS or SSVC, not random failure probability.
Evidence signals
- FILE_EXISTS: Cybersecurity.*Risk.*Assessment|Security.*Risk.*Analysis|Cyber.*Risk|Risk.*Assessment
- CONTENT_MATCH: Does this document contain a cybersecurity risk assessment that evaluates each threat with likelihood and impact scores, identifies specific cybersecurity controls for each risk, evaluates residual risk after controls, and documents risk acceptance decisions?
Audit defense
The Cybersecurity Risk Assessment for [your product] (Doc ID: [your document ID]) evaluates each threat from our threat model with likelihood and impact analysis, identifies cybersecurity controls, and evaluates residual risk per FDA Premarket Cybersecurity Guidance requirements, integrated with our ISO 14971 risk management file.