Guidance: Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions
Issued: February 3, 2026
FDA's 'Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions' guidance applies broadly to devices with cybersecurity considerations, including software, firmware, and programmable logic. It is not limited to network-enabled devices and covers multiple submission pathways, including 510(k), De Novo, PMA/PMA supplements, PDP, IDE, HDE, BLA, and IND. It also states that the recommendations may apply even where a premarket submission is not required, such as certain 510(k)-exempt devices. FDA links this guidance to the QMSR under 21 CFR Part 820, which now incorporates ISO 13485:2016, and to FD&C Act section 524B for devices that meet the statutory definition of a cyber device. For cyber devices, sponsors submitting under 510(k), PMA, PDP, De Novo, or HDE must provide information demonstrating that the device meets the section 524B cybersecurity requirements.
The core FDA expectation from manufacturers is that they use a Secure Product Development Framework (SPDF) across the total product lifecycle (TPLC). FDA emphasizes secure-by-design development, ongoing maintenance, and cybersecurity risk management integrated into the quality system. Premarket documentation should show how the device addresses the key security objectives of authenticity, authorization, availability, confidentiality, and secure/timely updatability and patchability.
In submissions, the FDA expects documentation to scale with the device's cybersecurity risk, not merely the software documentation level. Core submission content includes a security risk management plan/report with threat modeling, cybersecurity risk assessment, SBOM, third-party software and supply-chain considerations, assessment of unresolved anomalies with security impact, residual risk conclusions, mitigation activities, and traceability across threat model, risk assessment, SBOM, and testing. The FDA also recommends lifecycle metrics such as time to identify, patch, and deploy fixes for vulnerabilities.
Cybersecurity testing is expected to go beyond standard software V&V and may include threat-mitigation testing, boundary analysis, attack surface analysis, fuzz testing, software composition analysis, static/dynamic code analysis, known-vulnerability scanning, and penetration testing. FDA places strong emphasis on user-facing cybersecurity transparency. Labeling should provide enough information for users to securely configure, operate, update, and manage the device.
For devices that meet the statutory definition of a cyber device, FDA highlights three core statutory elements: a postmarket cybersecurity management plan, processes and procedures to provide a reasonable assurance of cybersecurity for the device and related systems, and an SBOM. FDA recommends keeping supporting documentation updated throughout the lifecycle as new threats, vulnerabilities, and risks emerge.
In conclusion, this guidance raises the expected maturity of premarket cybersecurity submissions, and manufacturers should be prepared to show a lifecycle-based cybersecurity program embedded in design controls and risk management.
https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-management-system-considerations-and-content-premarket
------------------------------
Zakia Alavoodin
Sr. Regulatory Affairs Specialist
Frisco TX
United States
------------------------------