Premarket submissions for "cyber devices" must now include cybersecurity documentation, not just a statement that security was considered. Section 524B of the FD&C Act, added by the Consolidated Appropriations Act, 2023 (signed December 29, 2022, with the requirements applying to submissions made on or after March 29, 2023), sets the statutory obligations, and the FDA enforces them at acceptance review: a submission for a cyber device that lacks the required cybersecurity information is refused for substantive review. The FDA's final premarket guidance, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (September 2023), details what manufacturers must provide.
What is a "cyber device"?
Under Section 524B(c), a cyber device is a device that meets all three of the following criteria:
- Includes software validated, installed, or authorized by the sponsor as a device or in a device
- Has the ability to connect to the internet
- Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats
The definition is broad in practice because the second and third criteria are easy to meet. "Ability to connect to the internet" is read by the FDA as a capability, whether or not internet connectivity is part of the intended use, and whether the connection is direct or passes through an intermediary such as a hospital network or a companion app. The definition therefore covers connected infusion pumps, implantable cardiac devices with wireless telemetry, diagnostic imaging systems on hospital networks, and cloud-connected SaMD. If your device runs sponsor-authorized software and can reach the internet by any path, treat it as a cyber device.
Premarket submission requirements
The FDA expects the following cybersecurity documentation in every 510(k), De Novo, PMA, PDP, and HDE submission for a cyber device:
Security risk management: A cybersecurity risk assessment that identifies threats and vulnerabilities, evaluates their potential impact on device safety and effectiveness, and documents the controls implemented to mitigate them. The FDA recommends aligning with AAMI TIR57 (Principles for medical device security) and using threat modeling frameworks such as STRIDE.
Secure Product Development Framework (SPDF): Evidence that security was integrated into the software development lifecycle. This includes secure coding practices, static and dynamic analysis, penetration testing, and third-party component security assessment.
Software Bill of Materials (SBOM): A machine-readable SBOM listing all software components, including commercial, open-source, and off-the-shelf software. The SBOM must include component names, versions, and suppliers. The FDA accepts formats aligned with NTIA minimum elements.
Cybersecurity management plan: A postmarket plan describing how the manufacturer will:
- Monitor the device and its ecosystem for vulnerabilities
- Assess and triage identified vulnerabilities
- Deploy patches and updates on a reasonably justified regular cycle for known unacceptable vulnerabilities, and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risks (the cadence Section 524B(b)(2) specifies)
- Communicate with users about cybersecurity risks and actions
Vulnerability disclosure policy: A documented coordinated vulnerability disclosure (CVD) process that allows external researchers to report vulnerabilities and ensures timely response.
Premarket vs. postmarket obligations
| Area | Premarket (Section 524B) | Postmarket |
|---|---|---|
| Risk assessment | Required in submission | Must be updated when new threats emerge |
| SBOM | Required in submission | Must be maintained and updated with each software release |
| Patching | Plan required in submission | Regular-cycle patches for known unacceptable vulnerabilities; out-of-cycle patches as soon as possible for critical vulnerabilities, throughout the device lifecycle |
| Vulnerability monitoring | Plan required | Active monitoring required for known vulnerabilities in components |
| Coordinated disclosure | Policy required | Must be operational and responsive |
| Incident reporting | Plan referenced | Subject to existing Medical Device Reporting requirements (21 CFR Part 803); a cybersecurity fix that is a correction or removal may also be reportable under 21 CFR Part 806 |
Refuse to Accept: what happens without cybersecurity documentation
The Section 524B requirements have applied to submissions made on or after March 29, 2023; the FDA announced that for submissions received on or after October 1, 2023 it would begin issuing Refuse to Accept (RTA) decisions solely on cybersecurity grounds. If your submission for a cyber device does not include the required cybersecurity documentation, the FDA will refuse to accept it for substantive review, and it will not enter the review queue until the documentation is provided.
This is not a discretionary review deficiency. It is a hard gate at the acceptance stage.
SBOM: practical requirements
The SBOM must be provided for every software component of the device, including:
- Operating system and kernel components
- Third-party libraries and frameworks
- Open-source software packages
- Custom firmware and application code (by component name and version)
The FDA expects manufacturers to actively monitor SBOM components for known vulnerabilities using resources such as the National Vulnerability Database (NVD) and to assess whether identified CVEs affect the device's safety or effectiveness.
| SBOM element | Required detail |
|---|---|
| Component name | Full name as published by the supplier |
| Version | Exact version number deployed in the device |
| Supplier | Original developer or distributor |
| Unique identifier | A machine-resolvable identifier such as a purl or CPE (NTIA "other unique identifiers"), so that components can be matched against vulnerability feeds without name guessing |
| Dependency relationships | Direct and transitive dependencies, declared for every component (including leaf components, so "no dependencies" can be told apart from "not recorded") |
| SBOM author and timestamp | Who generated the SBOM data and when (NTIA minimum elements) |
| Support level and end-of-support date | Recommended by the FDA premarket guidance in addition to the NTIA baseline, since an unsupported component cannot be patched by its supplier |
| Hash/checksum | Integrity verification value (recommended) |
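The two checks the table and the paragraph above describe, completeness of the SBOM elements and matching components against a vulnerability feed, are mechanical and worth automating rather than doing by hand at each release. The following is an added example, not code from the page or from any SBOM tool: it parses a constructed CycloneDX-shaped SBOM for a fictional pump controller, reports missing NTIA elements, matches each component's version against a constructed vulnerability feed (placeholder identifiers, not real CVEs), and walks the dependency graph upward so that a hit in a transitive library is attributed to the application components that can reach it. Component names, versions, and the feed format are all assumptions made for the example.

```python
"""SBOM completeness check and vulnerability matching (added example).

The SBOM, component names and the vulnerability feed below are constructed for
illustration; the identifiers are placeholders, not real CVE records.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX JSON shape, one of the machine-readable formats
# the NTIA minimum-elements document names. 'compresslib' is deliberately
# incomplete so the completeness check has something to find.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-05-01T00:00:00Z",
    "authors": [{"name": "Example Devices Inc. Product Security"}]
  },
  "components": [
    {"bom-ref": "pump-app", "type": "application", "name": "pump-controller",
     "version": "3.2.0", "supplier": {"name": "Example Devices Inc."},
     "purl": "pkg:generic/example/pump-controller@3.2.0"},
    {"bom-ref": "acme-tls", "type": "library", "name": "acme-tls",
     "version": "2.5.0", "supplier": {"name": "Acme TLS Project"},
     "purl": "pkg:generic/acme-tls@2.5.0"},
    {"bom-ref": "compresslib", "type": "library", "name": "compresslib",
     "version": "1.2.11"}
  ],
  "dependencies": [
    {"ref": "pump-app", "dependsOn": ["acme-tls", "compresslib"]},
    {"ref": "acme-tls", "dependsOn": ["compresslib"]}
  ]
}
"""

# Constructed feed entries: affected if introduced <= version < fixed
# (fixed = None means no fix is available yet).
VULN_FEED = [
    {"id": "EXAMPLE-2024-0001", "component": "compresslib",
     "introduced": "1.2.0", "fixed": "1.2.13", "severity": "HIGH"},
    {"id": "EXAMPLE-2024-0002", "component": "acme-tls",
     "introduced": "2.0.0", "fixed": "2.4.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-2024-0003", "component": "acme-tls",
     "introduced": "2.5.0", "fixed": None, "severity": "MEDIUM"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; a non-numeric segment sorts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def check_minimum_elements(sbom: dict) -> List[str]:
    """Report gaps against the NTIA minimum elements (supplier, name, version,
    unique identifier, dependency relationship, author, timestamp)."""
    findings: List[str] = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing SBOM author")
    declared = {d["ref"] for d in sbom.get("dependencies", [])}
    for c in sbom.get("components", []):
        label = c.get("name") or c.get("bom-ref", "<unnamed>")
        for field in ("name", "version"):
            if not c.get(field):
                findings.append(f"{label}: missing {field}")
        if not c.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier")
        if not (c.get("purl") or c.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl/cpe)")
        # Leaf components should still have an (empty) dependency entry.
        if c.get("bom-ref") not in declared:
            findings.append(f"{label}: no dependency entry")
    return findings


def dependents_of(sbom: dict, ref: str) -> List[str]:
    """Every component that transitively depends on `ref`, i.e. what a
    vulnerability in `ref` can reach. Walks the graph from child to parent."""
    parents: Dict[str, List[str]] = {}
    for d in sbom.get("dependencies", []):
        for child in d.get("dependsOn", []):
            parents.setdefault(child, []).append(d["ref"])
    seen, stack = set(), list(parents.get(ref, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(parents.get(p, []))
    return sorted(seen)


def match_vulnerabilities(sbom: dict, feed: List[dict]) -> List[dict]:
    """Match each component's exact deployed version against the feed ranges."""
    matches: List[dict] = []
    for c in sbom.get("components", []):
        ver = parse_version(c.get("version", "0"))
        for v in feed:
            if v["component"] != c.get("name"):
                continue
            if ver < parse_version(v["introduced"]):
                continue
            if v["fixed"] is not None and ver >= parse_version(v["fixed"]):
                continue
            matches.append({"id": v["id"], "component": c["name"],
                            "version": c["version"], "severity": v["severity"],
                            "fixed_in": v["fixed"],
                            "reaches": dependents_of(sbom, c["bom-ref"])})
    return matches


def triage(sbom_json: str, feed: List[dict]) -> dict:
    sbom = json.loads(sbom_json)
    return {"findings": check_minimum_elements(sbom),
            "matches": match_vulnerabilities(sbom, feed)}


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON, VULN_FEED), indent=2))
```

Run against the constructed input, the completeness check flags only compresslib (no supplier, no purl/cpe, no dependency entry), and the matcher reports EXAMPLE-2024-0003 against acme-tls 2.5.0 with no fix available, and EXAMPLE-2024-0001 against compresslib 1.2.11, reachable from both acme-tls and the pump-controller application. The "reaches" list is the starting point for the safety-and-effectiveness assessment the FDA expects: a hit in a library no device function actually calls is triaged differently from one on the path to the dosing logic, and the SBOM's dependency graph is what lets you tell the two apart. Real feeds use richer version syntax (non-numeric suffixes, multiple ranges), so the simple parser here is the part to replace first.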
Comparison with EU requirements
Manufacturers selling in both the US and EU face cybersecurity requirements from multiple frameworks:
| Requirement | FDA (Section 524B) | EU MDR (Annex I, 17.2 and 17.4) | EU CRA (if applicable) |
|---|---|---|---|
| Risk assessment | AAMI TIR57 / STRIDE | ISO 14971 + MDCG 2019-16 | CRA Annex I Part I |
| SBOM | Required in premarket submission | Not explicitly required (covered by technical documentation) | Required, maintained throughout the support period |
| Vulnerability reporting | CVD policy; Medical Device Reporting (21 CFR Part 803) | Vigilance system (MDR Article 87) | Actively exploited vulnerabilities: 24h early warning, 72h notification, 14-day final report via the single reporting platform (coordinating CSIRT and ENISA) |
| Patching | Lifecycle plan required | Covered by PMS plan | Security updates for the support period, at least 5 years unless the expected product lifetime is shorter |
| Penetration testing | Expected in SPDF evidence | Recommended in MDCG 2019-16 | Expected under security by design |
The CRA column applies only to products with digital elements that are not themselves covered by the MDR or IVDR: the CRA excludes products to which those regulations apply, so for a regulated device it typically matters for companion software, accessories, or platform components that fall outside the device's own certification.
Looking for the right regulatory intelligence tool? Read our guide to evaluating regulatory intelligence platforms.
Key takeaways
- Every device that meets the Section 524B "cyber device" definition (sponsor-authorized software plus the ability to connect to the internet) must include cybersecurity documentation in FDA premarket submissions
- The FDA will refuse to accept submissions that lack cybersecurity documentation
- An SBOM is mandatory and must be actively monitored for known vulnerabilities
- Manufacturers must operate a coordinated vulnerability disclosure policy
- A postmarket cybersecurity management plan with patching and monitoring commitments is required
- EU-bound manufacturers should align their cybersecurity approach with both FDA expectations and MDR requirements (and the CRA for any non-device software they ship) to avoid duplicated effort
How RegAid helps
RegAid covers FDA cybersecurity guidance, EU MDR Annex I cybersecurity requirements, and MDCG 2019-16. Ask "What cybersecurity documentation does the FDA require for a 510(k) submission?" and get a cited answer mapping Section 524B requirements to the FDA's premarket guidance and SBOM expectations.
