FDA Issues Updated Final Guidance on Cybersecurity in Medical Devices
The U.S. Food and Drug Administration (FDA) issued a final guidance titled “Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions” on 3 February 2026. According to the document, this guidance supersedes the FDA guidance of the same title issued on 27 June 2025.
The guidance states that it represents the FDA’s current thinking on cybersecurity for medical devices and is issued as nonbinding recommendations for industry and FDA staff. It addresses cybersecurity considerations for medical devices that include software, firmware, or programmable logic, and describes the cybersecurity information FDA recommends be included in premarket submissions, as well as considerations linked to quality management system activities.
Scope of the guidance
The guidance applies to medical devices that:
Include software, firmware, or programmable logic;
Contain a device software function; and
May or may not be network-enabled or intentionally connected.
It covers multiple regulatory pathways, including 510(k), De Novo, PMA, PMA supplements, IDE, HDE, BLA, and IND submissions, and also applies to devices that are 510(k)-exempt.
Importantly, the document also addresses “cyber devices” as defined under Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act, introduced by the Food and Drug Omnibus Reform Act of 2022 (FDORA).
Cybersecurity as part of the Quality Management System
A central message of the updated guidance is that cybersecurity is an integral part of device safety and effectiveness and must be embedded within the manufacturer’s Quality Management System (QMS).
The FDA highlights the transition to the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference. As a result, cybersecurity-related activities—such as risk management, software validation, design controls, and corrective and preventive actions—are expected to align with existing QMS processes.
The guidance encourages manufacturers to adopt a Secure Product Development Framework (SPDF) as one possible way to meet QMSR requirements and systematically reduce cybersecurity vulnerabilities throughout the device lifecycle.
Premarket submission expectations
For devices with cybersecurity risks, FDA recommends that premarket submissions include documentation demonstrating how those risks have been identified, assessed, and controlled. The level of documentation is expected to scale with the cybersecurity risk of the device.
Key elements highlighted in the guidance include:
Threat modeling to identify potential cybersecurity threats and system vulnerabilities;
Cybersecurity risk assessments focused on exploitability rather than probabilistic safety risk;
Security architecture documentation, including defined architecture “views” (e.g. global system view, multi-patient harm view, updateability and patchability view);
Cybersecurity testing, such as vulnerability testing and penetration testing; and
Traceability between risks, controls, and testing activities.
The FDA notes that cybersecurity controls should be built into device design rather than added later, and that known vulnerabilities should be treated as reasonably foreseeable risks.
Software Bill of Materials (SBOM)
The guidance reinforces the importance of a Software Bill of Materials (SBOM) as a key tool for managing software supply chain risk.
For cyber devices, an SBOM is a statutory requirement under Section 524B of the FD&C Act. The FDA recommends that SBOMs:
Be provided in a machine-readable format;
Include proprietary, commercial, open-source, and off-the-shelf software components;
Identify software support status and end-of-support dates; and
Support vulnerability monitoring and postmarket risk management.
Manufacturers are also expected to identify known vulnerabilities, including those listed in CISA’s Known Exploited Vulnerabilities Catalog, and describe how associated risks are controlled.
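As an added illustration of the SBOM checks described above (this is example code written for this summary, not FDA or manufacturer tooling), the script below reads a small CycloneDX-style SBOM, flags components whose support status is undocumented, already ended, or ending within a review horizon, and cross-references component versions against a local advisory list. The SBOM, the component names and versions, the advisory identifiers (placeholders, not real CVE or KEV entries) and the `support_status` / `end_of_support` property names are all constructed assumptions; CycloneDX has no standard field for end-of-support dates, so a manufacturer would have to choose and document its own convention.

```python
import json
from datetime import date, timedelta

# Constructed SBOM in the CycloneDX 1.5 JSON shape. Component names, versions
# and the support-status properties are invented for this example; the
# property names "support_status" / "end_of_support" are an assumption.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-tls", "version": "2.0.3",
     "purl": "pkg:generic/acme-tls@2.0.3",
     "properties": [{"name": "support_status", "value": "supported"},
                    {"name": "end_of_support", "value": "2028-06-30"}]},
    {"type": "operating-system", "name": "acme-rtos", "version": "4.2.0",
     "purl": "pkg:generic/acme-rtos@4.2.0",
     "properties": [{"name": "support_status", "value": "end-of-life"},
                    {"name": "end_of_support", "value": "2025-01-31"}]},
    {"type": "library", "name": "acme-json", "version": "1.9.7",
     "purl": "pkg:generic/acme-json@1.9.7",
     "properties": [{"name": "support_status", "value": "supported"},
                    {"name": "end_of_support", "value": "2026-04-15"}]},
    {"type": "library", "name": "acme-ble-stack", "version": "3.1.0",
     "purl": "pkg:generic/acme-ble-stack@3.1.0"}
  ]
}
"""

# Constructed advisory list standing in for a feed such as CISA's Known
# Exploited Vulnerabilities Catalog. Identifiers are placeholders, not real
# CVE/KEV entries; "fixed_in" is the first version no longer affected.
ADVISORIES = [
    {"id": "PLACEHOLDER-0001", "component": "acme-tls", "fixed_in": "2.1.0"},
    {"id": "PLACEHOLDER-0002", "component": "acme-rtos", "fixed_in": "4.1.5"},
]


def parse_version(v):
    """Turn '2.0.3' into (2, 0, 3) for ordering; non-numeric parts sort as 0."""
    parts = []
    for p in v.split("."):
        try:
            parts.append(int(p))
        except ValueError:
            parts.append(0)
    return tuple(parts)


def load_sbom(text):
    """Parse the SBOM and return its component list."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return sbom.get("components", [])


def properties(component):
    """Flatten CycloneDX name/value properties into a dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def check_support(components, review_date, horizon_days=365):
    """Flag components whose support status is undocumented, already ended,
    or ends within horizon_days of review_date."""
    findings = []
    horizon = review_date + timedelta(days=horizon_days)
    for c in components:
        props = properties(c)
        status, eos = props.get("support_status"), props.get("end_of_support")
        if status is None or eos is None:
            findings.append((c["name"], c["version"], "support status undocumented"))
            continue
        eos_date = date.fromisoformat(eos)
        if status == "end-of-life" or eos_date < review_date:
            findings.append((c["name"], c["version"], f"unsupported since {eos}"))
        elif eos_date <= horizon:
            findings.append((c["name"], c["version"], f"support ends {eos}"))
    return findings


def check_known_vulnerabilities(components, advisories):
    """Report components whose version is below an advisory's fixed_in."""
    findings = []
    for c in components:
        for adv in advisories:
            if adv["component"] == c["name"] and \
                    parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                findings.append((c["name"], c["version"], adv["id"]))
    return findings


def assess(sbom_text, advisories, review_date):
    """Run both checks and return them keyed by finding type."""
    components = load_sbom(sbom_text)
    return {
        "support": check_support(components, review_date),
        "known_vulnerabilities": check_known_vulnerabilities(components, advisories),
    }


def example_report():
    """Assess the constructed SBOM as of the guidance date, 3 February 2026."""
    return assess(SBOM_JSON, ADVISORIES, date(2026, 2, 3))


if __name__ == "__main__":
    for kind, items in example_report().items():
        print(kind)
        for name, version, note in items:
            print(f"  {name} {version}: {note}")
```

In a real QMS process the advisory list would be refreshed from the chosen vulnerability feeds on a schedule, and each finding would be traced to a risk-assessment entry and a control (patch, mitigation, or documented rationale), which is the traceability the guidance asks premarket submissions to show.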
Postmarket cybersecurity and transparency
The updated guidance places continued emphasis on postmarket cybersecurity management. Manufacturers are expected to establish and maintain:
Cybersecurity management plans;
Processes for vulnerability monitoring and coordinated vulnerability disclosure;
Timely patching and update mechanisms; and
Clear communication with users throughout the device lifecycle.
The FDA also provides detailed recommendations on cybersecurity-related labeling, aimed at ensuring that users have sufficient information to securely configure, operate, update, and decommission devices.
Implications stated in the guidance
The guidance describes FDA recommendations directed to device manufacturers, including manufacturers of devices that meet the definition of cyber devices under Section 524B of the FD&C Act.
According to the document, manufacturers are expected to:
Address cybersecurity as part of device safety and effectiveness;
Establish and maintain cybersecurity-related activities within the Quality Management System, as set out in the Quality Management System Regulation (21 CFR Part 820), which incorporates ISO 13485:2016 by reference;
Provide cybersecurity-related documentation in premarket submissions, with the scope and level of detail scaling based on the device’s cybersecurity risk;
For devices that meet the definition of cyber devices, submit information required under Section 524B, including plans and procedures, documentation supporting reasonable assurance of cybersecurity, and a Software Bill of Materials (SBOM);
Consider cybersecurity risks and controls throughout the total product lifecycle, including postmarket monitoring, updates, and end-of-support considerations.
The guidance reiterates that its recommendations are nonbinding, but reflect FDA’s current thinking and are intended to support FDA’s assessment of device safety and effectiveness during premarket review and postmarket oversight.