Maps to
QMSR / ISO 13485: §820.30(c)
ISO 14971: §5.4
IEC 81001-5-1: §5.3
FDA Cybersecurity Guidance: §V.A.1
Requirement text
The manufacturer shall provide a comprehensive threat model as part of premarket cybersecurity documentation per FDA Premarket Cybersecurity Guidance (September 2023). The threat model shall identify and diagram the device in its intended use environment, enumerate all system interfaces and data flows, identify threat sources and attack surfaces, and characterize potential cybersecurity risks to the device and connected systems.
What changed
The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).
Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.
FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.
Atomic constraints
- •The threat model must include a system diagram showing the device, connected systems, network boundaries, and data flows.
- •All interfaces (wired, wireless, removable media, cloud, user interfaces) must be enumerated as potential attack surfaces.
- •Threat sources must be identified including nation-state actors, criminal organizations, insiders, and unintentional users.
- •The threat model must consider the device in its intended use environment, including connected hospital networks and cloud services.
- •Known vulnerability classes relevant to the device technology must be addressed.
- •The threat model must be submitted as part of the premarket cybersecurity documentation package.
Common gaps
Incomplete threat models lacking system context
majorThreat models submitted to FDA frequently lack system diagrams showing the device in its intended use environment, omit interfaces (wireless, cloud, removable media), or fail to identify relevant threat sources. FDA expects system-level models including cloud, mobile apps, and network infrastructure. Threat modeling deficiencies appear in a majority of FDA deficiency letters. STRIDE, PASTA, and Attack Trees are all accepted methodologies.
Evidence signals
- •
FILE_EXISTS
Threat.*Model|Cybersecurity.*Threat|FDA.*Cyber|Premarket.*Cyber|Security.*Architecture
- •
CONTENT_MATCH
Does this document contain a threat model for FDA premarket submission that includes system architecture diagrams showing the device in its use environment, enumerated interfaces and data flows, identified threat sources and attack surfaces, and characterized cybersecurity risks?
Audit defense
The Threat Model for [your product] (Doc ID: [your document ID]) provides comprehensive threat analysis per FDA Premarket Cybersecurity Guidance (Sept 2023), including system architecture in the intended use environment, enumerated interfaces, identified threat sources, and characterized cybersecurity risks for premarket submission.