
Cybersecurity in Quality: FDA’s Guidance on Computer Software Assurance
The U.S. Food and Drug Administration (FDA) issued a comprehensive guidance titled “Computer Software Assurance for Production and Quality System Software” on 23rd September 2025, which presents nonbinding recommendations for validating computers and automated data processing systems used in medical device production or within the quality system. Prepared by the Center for Devices and Radiological Health (CDRH) and the Center for Biologics Evaluation and Research (CBER), the document establishes a risk-based framework for Computer Software Assurance (CSA) that integrates modern concepts, including cybersecurity requirements, directly into quality assurance activities.
The guidance is intended to supplement the FDA’s existing “General Principles of Software Validation” guidance, though it supersedes Section 6 concerning validation of automated process equipment and quality system software. The core principle of CSA is to use a risk-based approach to maintain confidence that software is fit for its intended use. This approach follows a “least-burdensome” philosophy, meaning the validation effort should be scaled to the identified risk.
Cybersecurity as a Component of High Process Risk
A key step in the CSA Risk Framework is determining whether a software feature, function, or operation poses a high process risk. A failure is deemed high process risk if it results in a quality problem that foreseeably compromises safety, thus posing a medical device risk. Crucially, the guidance identifies specific scenarios where cybersecurity considerations elevate the risk level:
Cybersecurity Essential to Safety: Software functions that automate surveillance, trending, or tracking of data identified by the manufacturer as essential to device safety and quality are generally considered examples of high process risk. This linkage ensures that systems monitoring or protecting critical device safety attributes (such as cybersecurity defenses) are subjected to the highest level of assurance rigor.
Assurance Activities and Security Testing
When determining the appropriate assurance activities (like testing) necessary to establish confidence in the software, the guidance explicitly recognizes the importance of security testing methods.
1. Experience-Based Testing: The framework promotes the use of unscripted testing methods, such as experience-based testing, which is defined as techniques that draw on the experience of testers to generate test cases. This type of testing can include concepts such as test attacks and error taxonomies that specifically target potential problems in security, performance, and other quality areas, and it is closely aligned with how penetration testing is performed.
2. Leveraging Existing Cybersecurity Guidance: The guidance refers manufacturers to the newly released FDA guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submission.” Manufacturers are encouraged to consider utilizing the cybersecurity testing methods described in that guidance when conducting the assurance activities outlined in the CSA framework, as appropriate.
3. Process Controls for Exposure Reduction: When developing assurance strategies, manufacturers should consider leveraging additional process controls, including activities to reduce cybersecurity exposure, that have been incorporated throughout production. For instance, if subsequent process steps verify process outputs, these controls can reduce the effort of assurance activities needed for the software component itself.
Integrating Cybersecurity into Vendor Management
Given the widespread adoption of commercial off-the-shelf (COTS) and cloud computing solutions (IaaS, PaaS, and SaaS), the guidance places significant emphasis on evaluating external software vendors. Cybersecurity practices are an integral part of this vendor assessment:
• Reviewing Vendor Documentation: When assessing a software vendor (whether cloud-based, on-premise, or a hybrid solution), manufacturers are recommended to review the vendor’s practices and documentation regarding cybersecurity. Third-party assurance reports such as SOC 2 and ISO 27001 are cited as examples of accreditations and certifications that manufacturers should review. The guidance also suggests other examples of security documentation to review, including:
 - Security risk assessments
 - Threat modeling
 - Security design reviews
 - Software Bill of Materials (SBOM)
 - Testing and risk mitigation

• Data Integrity and Security: Vendor assessment activities should also focus on data integrity capabilities or controls, such as securing data at rest and in transit (e.g., maintaining secure, computer-generated, time-stamped audit trails of users’ actions, and encrypting data).
• Service Agreements: For vendors providing cloud solutions (e.g., SaaS), the manufacturer may establish a service agreement that specifically includes requirements for security, data integrity, privacy, availability, change management, and business continuity.
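One concrete instance of the “secure, computer-generated, time-stamped audit trail” control named above, as an added example that is not part of the guidance or any vendor product: a tamper-evident audit log in which each entry carries an HMAC chained to its predecessor, so that editing, reordering or removing earlier entries fails verification. The key, user names and record identifiers are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real deployment keeps it outside the audit database
# (e.g. in an HSM or secrets manager) so a database-level attacker cannot re-sign entries.
HMAC_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # chain anchor for the first entry


def entry_mac(prev_mac, fields):
    """HMAC over the previous entry's MAC plus this entry's fields (canonical JSON)."""
    payload = json.dumps({"prev": prev_mac, **fields}, sort_keys=True).encode()
    return hmac.new(HMAC_KEY, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, user, action, record_id, timestamp=None):
        """Append a computer-generated, time-stamped entry chained to its predecessor."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        fields = {"seq": len(self.entries), "ts": ts, "user": user,
                  "action": action, "record_id": record_id}
        entry = {**fields, "mac": entry_mac(prev, fields)}
        self.entries.append(entry)
        return entry

    def head(self):
        """MAC of the newest entry; persist it elsewhere to detect truncation of the tail."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self):
        """Recompute the chain; return (ok, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "mac"}
            if e["seq"] != i or not hmac.compare_digest(e["mac"], entry_mac(prev, fields)):
                return False, i  # modified, reordered, or an entry removed before here
            prev = e["mac"]
        return True, None
```

Verification alone cannot see that the newest entries were dropped, which is why `head()` is stored separately (for example with the vendor's backups or in a write-once location) and compared on review.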
The examples provided in the guidance (such as the Nonconformance Management System, Business Intelligence Applications, and SaaS Product Life Cycle Management System) consistently demonstrate that a thorough vendor assessment includes a review of the vendor’s cybersecurity documentation and life cycle management plans as a foundational assurance activity.
By incorporating robust cybersecurity review, from initial risk analysis and vendor assessment to the selection of appropriate testing methods, the FDA’s CSA guidance encourages a holistic approach in which device safety and quality are protected against both software failure and external threats throughout the entire life cycle.
