The guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” released on June 27, 2025, replaces the previous guidance issued on September 27, 2023. This updated version integrates content from the draft select update published on March 13, 2024, along with additional new material not included in the draft.
The fundamental and most significant difference between the 2023 and 2025 guidance documents is the inclusion of detailed information and requirements to help manufacturers comply with Section 524B “Ensuring Cybersecurity of Medical Devices” of the FD&C Act. This section was added by Section 3305 of the Food and Drug Omnibus Reform Act of 2022 (FDORA) and became effective on March 29, 2023, requiring sponsors to include specific information in premarket submissions for “cyber devices”.
Here are the key differences in requirements and recommendations between the two guidance documents:
New Statutory Requirements for “Cyber Devices”
The 2025 guidance introduces an entirely new Section VII, Cyber Devices, which details the specific information that manufacturers must now include in their premarket submissions for devices that meet the definition of a “cyber device”. The table of contents of Section VII is unchanged from the draft select update. The 2023 guidance mentions Section 524B but does not include a dedicated, comprehensive section detailing its requirements.
For “cyber devices,” the 2025 guidance mandates the submission of:
A plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure (CVD) and related procedures. This plan must outline:
- Timelines for developing and releasing updates and patches.
- Updates for “known unacceptable vulnerabilities” on a reasonably justified regular cycle.
- Updates for “critical vulnerabilities that could cause uncontrolled risks” as soon as possible out of cycle.
A description of the processes and procedures the manufacturer has designed, developed, and maintains to provide a reasonable assurance that the device and related systems are cybersecure. “Related systems” include manufacturer-controlled elements such as other devices, software update servers, and connections to healthcare facility networks.
A Software Bill of Materials (SBOM) covering commercial, open-source, and off-the-shelf software components. The 2025 guidance further recommends that this SBOM be machine-readable and consistent with the minimum elements identified by NTIA, and suggests also stating each software component’s level of support and end-of-support date.
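To make the SBOM recommendation concrete, the following is an added example (not code from the guidance or from any manufacturer) that checks a machine-readable, CycloneDX-style SBOM for the seven NTIA minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp) and flags components that are past their end-of-support date or carry no support information at all. The SBOM itself is constructed for illustration; CycloneDX has no standard field for end-of-support, so the `support-level` and `eos-date` property names are assumptions of this example.

```python
"""Added example: NTIA minimum-element and end-of-support checks over a
CycloneDX-style SBOM. The SBOM below is constructed, not a real device's."""
import json
from datetime import date

# Constructed sample. Field names (metadata.timestamp, metadata.authors,
# components[].bom-ref/name/version/supplier/purl/properties, dependencies)
# follow CycloneDX; the "support-level" / "eos-date" property names are an
# assumption of this example, used to carry the support information the
# guidance suggests including.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2025-07-01T12:00:00Z",
    "authors": [{"name": "Example Devices Inc. Product Security"}],
    "component": {"bom-ref": "device-fw", "name": "example-pump-firmware",
                  "version": "4.2.0", "supplier": {"name": "Example Devices Inc."}}
  },
  "components": [
    {"bom-ref": "rtos", "name": "example-rtos", "version": "2.1.3",
     "supplier": {"name": "Example RTOS Vendor"},
     "purl": "pkg:generic/example-rtos@2.1.3",
     "properties": [{"name": "support-level", "value": "supported"},
                    {"name": "eos-date", "value": "2028-12-31"}]},
    {"bom-ref": "tls", "name": "example-tls", "version": "1.0.2",
     "supplier": {"name": "Example OSS Project"},
     "purl": "pkg:generic/example-tls@1.0.2",
     "properties": [{"name": "support-level", "value": "end-of-life"},
                    {"name": "eos-date", "value": "2019-12-31"}]},
    {"bom-ref": "compress", "name": "example-compress", "version": "1.2.11"}
  ],
  "dependencies": [
    {"ref": "device-fw", "dependsOn": ["rtos", "tls", "compress"]},
    {"ref": "rtos", "dependsOn": ["compress"]}
  ]
}
""")


def _prop(component, name):
    """Look up a CycloneDX name/value property on a component."""
    for p in component.get("properties", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def check_minimum_elements(sbom):
    """Return one finding string per missing NTIA minimum element.
    Document-level: author of SBOM data and timestamp.
    Component-level: supplier name, component name, version, a unique
    identifier (purl/cpe/swid), and presence in the dependency graph."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing author of SBOM data")
    deps = sbom.get("dependencies", [])
    in_graph = {d.get("ref") for d in deps}
    in_graph |= {r for d in deps for r in d.get("dependsOn", [])}
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("name") or "<unnamed>"
        if not c.get("name"):
            findings.append(f"{ref}: missing component name")
        if not c.get("version"):
            findings.append(f"{ref}: missing version")
        if not c.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(f"{ref}: missing unique identifier (purl/cpe/swid)")
        if ref not in in_graph:
            findings.append(f"{ref}: not present in dependency relationships")
    return findings


def unsupported_components(sbom, as_of):
    """Return (bom-ref, eos-date) for components marked end-of-life or whose
    eos-date is on or before the ISO date string `as_of`."""
    cutoff = date.fromisoformat(as_of)
    out = []
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("name")
        eos = _prop(c, "eos-date")
        level = _prop(c, "support-level")
        if level == "end-of-life" or (eos and date.fromisoformat(eos) <= cutoff):
            out.append((ref, eos))
    return out


def missing_support_info(sbom):
    """Components carrying neither a support level nor an end-of-support date."""
    return [c.get("bom-ref") or c.get("name") for c in sbom.get("components", [])
            if _prop(c, "support-level") is None and _prop(c, "eos-date") is None]


if __name__ == "__main__":
    for f in check_minimum_elements(SAMPLE_SBOM):
        print("NTIA gap:", f)
    print("unsupported:", unsupported_components(SAMPLE_SBOM, "2025-07-01"))
    print("no support info:", missing_support_info(SAMPLE_SBOM))
```

On the constructed sample the checker reports that `example-compress` lacks a supplier name and a unique identifier, flags `example-tls` as end-of-life, and lists `example-compress` as having no support information; the same three functions can be pointed at a real CycloneDX JSON document once the property names are agreed with the SBOM producer.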
Clarifications and Expanded Recommendations
Beyond the new statutory requirements, the 2025 guidance provides significant elaborations and clarifications that enhance or modify recommendations present in the 2023 version:
• Definition and Scope of “Cyber Devices”: The 2025 guidance offers a more detailed explanation of what constitutes a “cyber device” under Section 524B(c) of the FD&C Act, particularly clarifying what “ability to connect to the internet” includes (e.g., network, server, and cloud connections, various radio-frequency communications, magnetic inductive communications, and hardware connectors such as USB, Ethernet, and serial ports). There are no major changes to the cyber device definition from the draft select update.
• Updates to Quality System (QS) Regulation Alignment: The 2025 guidance updates its discussion of the QS regulation (21 CFR Part 820) to reflect the Quality Management System Regulation (QMSR) final rule issued on February 2, 2024, which aligns the QS regulation more closely with international consensus standards such as ISO 13485. The 2023 guidance referred only to the proposed rule for this amendment.
• Risk Management Standards: In the section on Security Risk Management, the 2025 guidance adds ANSI/AAMI SW96 as an additional standard, alongside AAMI TIR57, for detailing how security and safety risk management processes should interface and for the content of security risk management plans and reports. The 2023 guidance primarily referenced only AAMI TIR57.
• Documentation for Modifications: The 2025 guidance introduces a new Section VII.D, Modifications, which provides specific recommendations for submitting documentation for device modifications to comply with Section 524B of the FD&C Act. It differentiates between changes that may impact cybersecurity (e.g., changes to authentication, new connectivity) and changes unlikely to impact cybersecurity (e.g., material changes, sterilization method changes).
• Reasonable Assurance of Cybersecurity: The 2025 guidance adds Section VII.E, Reasonable Assurance of Cybersecurity of Cyber Devices, explaining that a “reasonable assurance of cybersecurity” can be part of FDA’s determination of a device’s safety and effectiveness across the various premarket pathways.
• Software Bill of Materials (SBOM): While both guidances recommend providing an SBOM, the 2025 guidance explicitly highlights that for “cyber devices” an SBOM is required by Section 524B(b)(3) of the FD&C Act.
• Appendix 4: Premarket Submission Documentation Table: The table summarizing recommended documentation elements (Table 1) in Appendix 4 of the 2025 guidance explicitly notes which items are required for “Cyber Devices (Sec. 524B)”. The corresponding table in the 2023 guidance does not include this explicit linkage to Section 524B requirements.
• Controlled Risk: The 2025 guidance includes a new definition of “Controlled Risk” in Appendix 5. Specifically, the guidance states that “Controlled Risk” occurs “when there is sufficiently low (acceptable) residual risk of patient harm due to a device’s particular cybersecurity vulnerability”. This definition aligns with the 2016 postmarket cybersecurity guidance.
The guidance also elaborates on “Controlled Risk” in the context of postmarket cybersecurity vulnerabilities and updates for “cyber devices”, and clarifies the distinction between “known unacceptable vulnerabilities” and “critical vulnerabilities that could cause uncontrolled risks”. It explains that a “known unacceptable vulnerability” could include a vulnerability that “could present controlled risk”. Updates and patches addressing these vulnerabilities are intended to maintain software supportability and are not primarily aimed at reducing uncontrolled risk or correcting a violation of the FD&C Act; such updates are expected to be made available on a “reasonably justified regular cycle”.
• Cybersecurity Transparency: The 2025 guidance specifically notes that manufacturers of cyber devices should consider the recommendations in the Cybersecurity Transparency section (Section VI) as they “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure”.
In summary, the 2025 guidance significantly reinforces and formalizes the FDA’s expectations for medical device cybersecurity, primarily driven by the new statutory requirements for “cyber devices” under Section 524B of the FD&C Act. It provides more explicit, detailed, and legally backed requirements for a subset of devices, alongside expanded recommendations and updated references that reflect the evolving cybersecurity landscape and regulatory framework.