Maps to
QMSR / ISO 13485: §820.90
IEC 62304: §6.2
IEC 81001-5-1: §6
FDA Cybersecurity Guidance: §V.A.6, VI.B, VII.C.2
Requirement text
The manufacturer shall establish a continuous vulnerability monitoring process for all software components in the SBOM. The process shall define how new CVEs are detected, assessed for applicability, and remediated within committed timeframes. Vulnerability response time commitments shall be defined by severity level and tracked as a quality metric.
What changed
The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).
Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.
FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.
Atomic constraints
- Continuous monitoring of vulnerability databases (NVD, vendor advisories, GitHub Security Advisories) must be established for all SBOM components.
- Automated alerting must be configured to notify responsible personnel when new CVEs affect SBOM components.
- A defined process for assessing CVE applicability to the specific product configuration must be documented.
- Response time commitments must be defined by severity (e.g., critical CVE: assessment within 48 hours, remediation within 30 days).
- Vulnerability remediation tracking must be maintained with status (open, in progress, mitigated, accepted, not applicable).
- Periodic vulnerability status reports must be generated for management review.
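The constraints above describe one pipeline: match the SBOM against a vulnerability feed, decide applicability against the actual product configuration, attach severity-based deadlines, and report status. The following Python script is an added illustration of that pipeline, not code from this page or any referenced standard. The SBOM fragment, the advisory feed, the placeholder CVE identifiers and the product configuration are all constructed inline; the critical-severity SLA is the 48-hour / 30-day figure given above, while the high, medium and low rows are assumed values a manufacturer would set in its own procedure.

```python
"""Added example: SBOM-to-advisory matching with applicability assessment,
severity-based SLA deadlines and a remediation status report.
All data below is constructed for illustration; CVE ids are placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Response-time commitments as (assessment hours, remediation hours) by severity.
# The critical row is the page's own example; the other rows are assumed values.
SLA_HOURS = {
    "critical": (48, 30 * 24),
    "high": (5 * 24, 60 * 24),
    "medium": (10 * 24, 90 * 24),
    "low": (30 * 24, 180 * 24),
}
# Tracking states named in the requirement.
VALID_STATUS = {"open", "in progress", "mitigated", "accepted", "not applicable"}

# Constructed SBOM fragment in CycloneDX component shape (name / version / purl).
SBOM = {"components": [
    {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
    {"name": "netparse", "version": "2.0.9", "purl": "pkg:generic/netparse@2.0.9"},
    {"name": "cryptolib", "version": "3.1.0", "purl": "pkg:generic/cryptolib@3.1.0"},
]}

# Constructed advisory feed. "requires" names an exposure condition that must
# hold in the product for the issue to be reachable (None = always reachable).
FEED = [
    {"id": "CVE-0000-EXAMPLE1", "component": "libfoo", "fixed_in": "1.4.3",
     "severity": "critical", "requires": "network_listener"},
    {"id": "CVE-0000-EXAMPLE2", "component": "netparse", "fixed_in": "2.1.0",
     "severity": "high", "requires": None},
    {"id": "CVE-0000-EXAMPLE3", "component": "cryptolib", "fixed_in": "3.0.0",
     "severity": "medium", "requires": None},
]

# Constructed product configuration used for the applicability decision.
PRODUCT_CONFIG = {"network_listener": False}


@dataclass
class Finding:
    cve: str
    component: str
    version: str
    severity: str
    status: str
    rationale: str
    detected: datetime
    assess_by: datetime
    remediate_by: datetime


def version_tuple(v: str) -> tuple:
    """Numeric dotted-version comparison key (sufficient for this example)."""
    return tuple(int(p) for p in v.split("."))


def assess(sbom: dict, feed: list, config: dict, now: datetime) -> list:
    """Produce one tracked Finding for every advisory naming an SBOM component,
    so that 'not applicable' decisions are recorded with their rationale."""
    by_name = {c["name"]: c for c in sbom["components"]}
    findings = []
    for adv in feed:
        comp = by_name.get(adv["component"])
        if comp is None:
            continue  # advisory does not touch this product's SBOM
        if version_tuple(comp["version"]) >= version_tuple(adv["fixed_in"]):
            status = "not applicable"
            why = f"deployed {comp['version']} is not below fixed version {adv['fixed_in']}"
        elif adv["requires"] and not config.get(adv["requires"], False):
            status = "not applicable"
            why = f"exposure condition '{adv['requires']}' is disabled in product configuration"
        else:
            status = "open"
            why = "affected version deployed and exposure condition met"
        assess_h, fix_h = SLA_HOURS[adv["severity"]]
        findings.append(Finding(
            cve=adv["id"], component=comp["name"], version=comp["version"],
            severity=adv["severity"], status=status, rationale=why, detected=now,
            assess_by=now + timedelta(hours=assess_h),
            remediate_by=now + timedelta(hours=fix_h)))
    return findings


def update_status(finding: Finding, new_status: str, note: str) -> None:
    """Move a finding through the tracking states, rejecting undefined ones."""
    if new_status not in VALID_STATUS:
        raise ValueError(f"undefined tracking status: {new_status}")
    finding.status, finding.rationale = new_status, note


def status_report(findings: list, now: datetime) -> dict:
    """Management-review summary: counts per status plus overdue open items."""
    counts = {s: 0 for s in sorted(VALID_STATUS)}
    overdue = []
    for f in findings:
        counts[f.status] += 1
        if f.status in ("open", "in progress") and now > f.remediate_by:
            overdue.append(f.cve)
    return {"generated": now.isoformat(), "counts": counts, "overdue": overdue}


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed detection time
    found = assess(SBOM, FEED, PRODUCT_CONFIG, t0)
    for f in found:
        print(f.cve, f.component, f.severity, f.status, "-", f.rationale)
    print(status_report(found, t0 + timedelta(days=61)))
```

The applicability step is where auditors usually probe: recording a "not applicable" finding with the configuration-based reason gives a defensible trail, whereas silently dropping the advisory does not. Deadlines are computed from the detection timestamp rather than from when someone first looks at the item, which is what makes response time measurable as a quality metric.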
Common gaps
No continuous vulnerability monitoring against SBOM components
Severity: major
Manufacturers monitor NVD manually or not at all for vulnerabilities affecting SBOM components. Automated monitoring tools are not configured against the product SBOM. No defined response time commitments by severity level, and remediation tracking is ad hoc.
Evidence signals
- FILE_EXISTS: Vulnerability.*Monitor|CVE.*Monitor|Vulnerability.*Response|Security.*Monitor|Component.*Vulnerability
- CONTENT_MATCH: Does this document define a continuous vulnerability monitoring process for software components with automated CVE alerting, applicability assessment procedures, severity-based response time commitments, and remediation tracking with periodic status reporting?
Audit defense
The Vulnerability Monitoring and Response Procedure for [your product] (Doc ID: [your document ID]) establishes continuous CVE monitoring for all SBOM components with automated alerting, defined response SLAs by severity, and tracked remediation status, demonstrating proactive security maintenance.