FDA’s 2025 Cybersecurity Guidance: What Every Medical Device Manufacturer Must Know 

Cyber threats can present a direct risk to patient lives. The FDA’s updated 2025 guidance on cybersecurity in medical devices emphasizes, with templates and examples, the importance of cybersecurity considerations from the first line of code. The new guidance builds on previous guidances to outline what the FDA expects manufacturers to do to ensure secure, effective devices from design to decommissioning.

Inadequate cybersecurity measures can lead to misdiagnoses, treatment delays, or worse, loss of life. Security is legally and ethically inseparable from device safety. In response to escalating cyber threats targeting healthcare infrastructure and the proliferation of connected devices, the Agency now requires sponsors to embed cybersecurity risk management as a fundamental design control element under 21 CFR Part 820. The guidance consolidates prior premarket expectations and introduces a framework that harmonizes with emerging statutory mandates under Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act.

The key deliverable expected for all devices connected to the internet in any way is the Secure Product Development Framework (SPDF), a lifecycle-based approach to secure design, development, release, and maintenance. The SPDF represents a structured, end-to-end methodology encompassing secure-by-design principles across the total product lifecycle (TPLC). FDA strongly encourages the integration of SPDF into the sponsor’s quality management system as a proactive mechanism to identify, assess, and mitigate exploitable vulnerabilities before market entry and beyond. The guidance emphasizes that cybersecurity design controls are not ancillary but integral to establishing a reasonable assurance of device safety and effectiveness. 

Devices must be evaluated against five critical security objectives: authenticity, authorization, availability, confidentiality, and secure updatability. Sponsors must now include comprehensive cybersecurity documentation in premarket submissions commensurate with the device’s risk profile, including a Security Risk Management Plan, Threat Modeling Outputs, Cybersecurity Risk Assessment, Software Bill of Materials (SBOM), and Security Architecture Views. These elements must be integrated, traceable, and aligned with the intended use, interface complexity, and real-world threat environment. Devices must demonstrate their ability to withstand real-world misuse scenarios, interoperability challenges, and third-party software risks. 

The guidance formalizes the SBOM as a required component for “cyber devices” under Section 524B, which encompasses any device that includes software validated by the manufacturer, connects to the internet, and possesses characteristics that could render it vulnerable to cyber threats. The SBOM must provide machine-readable documentation of all proprietary and third-party software components, including support status, known vulnerabilities, and end-of-life disclosures. Furthermore, sponsors must articulate compensatory control strategies for unsupported or high-risk components and provide clear, actionable labeling to facilitate stakeholder cybersecurity posture management. 
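The SBOM requirements above (machine-readable component list, support status, known vulnerabilities, end-of-life, and a compensating control for anything unsupported or high-risk) can be checked mechanically before a submission goes out. The script below is an added example, not code from the FDA or from any manufacturer; the SBOM it reads is a constructed sample whose `supportStatus`, `endOfLife`, `knownVulnerabilities` and `compensatingControls` fields are an assumed in-house extension loosely shaped like a CycloneDX components list, and the vulnerability IDs are placeholders. It flags components that are past end-of-life or not supported, components whose support status cannot be determined at all, and known vulnerabilities that have no documented compensating control.

```python
"""Review a simplified machine-readable SBOM for the points the guidance calls
out: support status, known vulnerabilities, end-of-life, and whether a
compensating control is documented for each risk. Added example; the record
format below is an assumption, not a published schema."""
import json
from datetime import date

# Constructed sample SBOM. The "components" list loosely follows CycloneDX,
# but the support/EOL/vulnerability/control fields are an assumed extension.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "constructed-sample",
  "components": [
    {"name": "rtos-kernel", "version": "4.2.1", "supplier": "Example RTOS Co.",
     "supportStatus": "supported", "endOfLife": "2029-01-01",
     "knownVulnerabilities": [], "compensatingControls": []},
    {"name": "tls-lib", "version": "1.0.2", "supplier": "Example Crypto Org",
     "supportStatus": "end-of-life", "endOfLife": "2024-09-30",
     "knownVulnerabilities": ["VULN-PLACEHOLDER-1"],
     "compensatingControls": ["TLS terminated at gateway; library not network-exposed"]},
    {"name": "json-parser", "version": "2.7.0", "supplier": "Example OSS Project",
     "supportStatus": "supported", "endOfLife": null,
     "knownVulnerabilities": ["VULN-PLACEHOLDER-2"], "compensatingControls": []},
    {"name": "bootloader", "version": "0.9", "supplier": "In-house",
     "supportStatus": "unknown", "endOfLife": null,
     "knownVulnerabilities": [], "compensatingControls": []}
  ]
}
"""


def review_sbom(sbom, as_of):
    """Return a list of (component, issue) pairs a reviewer must act on.

    Flags three conditions:
      * support status is missing or 'unknown' (cannot be assessed at all);
      * the component is not 'supported' or is past its end-of-life date;
      * a known vulnerability has no documented compensating control.
    """
    findings = []
    for comp in sbom.get("components", []):
        name = f"{comp['name']} {comp['version']}"
        status = comp.get("supportStatus", "unknown")
        eol = comp.get("endOfLife")
        eol_date = date.fromisoformat(eol) if eol else None

        if status == "unknown":
            findings.append((name, "support status unknown"))
        elif status != "supported" or (eol_date is not None and eol_date <= as_of):
            findings.append((name, "unsupported or end-of-life"))

        if not comp.get("compensatingControls"):
            for vuln in comp.get("knownVulnerabilities", []):
                findings.append(
                    (name, f"known vulnerability {vuln} without compensating control"))
    return findings


def review_sbom_json(sbom_text, as_of_iso):
    """Convenience wrapper: parse JSON text and an ISO date, then review."""
    return review_sbom(json.loads(sbom_text), date.fromisoformat(as_of_iso))


def components_needing_controls(findings):
    """Component names that carry a vulnerability with no compensating control."""
    return sorted({name for name, issue in findings
                   if issue.startswith("known vulnerability")})


if __name__ == "__main__":
    for name, issue in review_sbom_json(SAMPLE_SBOM_JSON, "2025-06-01"):
        print(f"{name}: {issue}")
```

A component is checked against the review date, so the same SBOM reviewed later can produce new end-of-life findings; that is the behaviour wanted when the SBOM is re-run as part of postmarket monitoring rather than only at submission.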

FDA also highlights the importance of cybersecurity transparency, recognizing that insufficient disclosure of known risks, device interfaces, or update mechanisms to end users, such as hospitals and patients, undermines the safe and effective integration of medical devices into clinical environments. Submissions that omit adequate labeling or configuration instructions may be deemed misbranded under Sections 502(f) or 502(j) of the FD&C Act. For postmarket surveillance, the Agency recommends that manufacturers continuously monitor vulnerability landscapes, maintain updated risk assessments, and track cybersecurity metrics such as patch latency, defect density, and mean time to mitigation.

In addition, sponsors must demonstrate that cybersecurity risk management activities are distinct from but interfaced with traditional safety risk analyses under ISO 14971. The FDA recommends using dual-track assessments—one for safety and one for security—ensuring that threat modeling, vulnerability assessments, and residual risk justifications fully encapsulate both clinical and exploit-based harm pathways. Tools like the Common Weakness Enumeration (CWE), CISA’s Known Exploited Vulnerabilities Catalog, and the AAMI SW96 standard are cited as authoritative references. Risk management must continue throughout the device lifecycle. Metrics like patch response time and percentage of resolved vulnerabilities should be tracked and submitted in annual PMA reports.
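The postmarket metrics named in the two paragraphs above (patch latency, mean time to mitigation, and the percentage of resolved vulnerabilities) are straightforward to derive from a vulnerability-tracking log, provided open items are handled explicitly rather than silently dropped. The script below is an added example, not code from the FDA or from any manufacturer; its record format (`disclosed`, `mitigated`, `patched` dates per vulnerability) and the sample records with placeholder IDs are constructed for illustration. Unmitigated items are counted and listed but never averaged, so an open vulnerability cannot make the averages look better.

```python
"""Compute postmarket cybersecurity metrics from a vulnerability-tracking log:
patch latency, mean time to mitigation, and percentage resolved. Added
example; the record layout is an assumption, not a required format."""
from datetime import date
from statistics import mean

# Constructed tracking records, one per vulnerability affecting the device.
#   disclosed : date the manufacturer became aware of the issue
#   mitigated : date a mitigation (patch or compensating control) was available
#   patched   : date a fixed software version was released (None = not yet)
RECORDS = [
    {"id": "VULN-PLACEHOLDER-A", "disclosed": "2025-01-10",
     "mitigated": "2025-01-17", "patched": "2025-02-20"},
    {"id": "VULN-PLACEHOLDER-B", "disclosed": "2025-02-01",
     "mitigated": "2025-02-03", "patched": "2025-03-01"},
    {"id": "VULN-PLACEHOLDER-C", "disclosed": "2025-03-15",
     "mitigated": None, "patched": None},
    {"id": "VULN-PLACEHOLDER-D", "disclosed": "2025-04-02",
     "mitigated": "2025-04-30", "patched": None},
]


def _days(start_iso, end_iso):
    """Whole days between two ISO dates."""
    return (date.fromisoformat(end_iso) - date.fromisoformat(start_iso)).days


def cyber_metrics(records):
    """Return the reporting metrics as a dict.

    Averages are taken only over items that reached the relevant milestone;
    open items contribute to the percentages and to 'open_unmitigated'.
    """
    total = len(records)
    patched = [r for r in records if r["patched"]]
    mitigated = [r for r in records if r["mitigated"]]
    patch_latency = [_days(r["disclosed"], r["patched"]) for r in patched]
    time_to_mitigation = [_days(r["disclosed"], r["mitigated"]) for r in mitigated]
    return {
        "total": total,
        "percent_resolved": round(100.0 * len(patched) / total, 1) if total else 0.0,
        "percent_mitigated": round(100.0 * len(mitigated) / total, 1) if total else 0.0,
        "mean_patch_latency_days": round(mean(patch_latency), 1) if patch_latency else None,
        "max_patch_latency_days": max(patch_latency) if patch_latency else None,
        "mean_time_to_mitigation_days": (round(mean(time_to_mitigation), 1)
                                         if time_to_mitigation else None),
        "open_unmitigated": [r["id"] for r in records if not r["mitigated"]],
    }


if __name__ == "__main__":
    for key, value in cyber_metrics(RECORDS).items():
        print(f"{key}: {value}")
```

Reporting both the mean and the maximum patch latency is deliberate: a single slow fix is exactly what a reviewer of an annual report will ask about, and a mean alone can hide it.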

The guidance applies to all device submissions, including 510(k), PMA, IDE, De Novo, and even 510(k)-exempt devices. The cybersecurity documentation in each must scale with the cybersecurity risk posed by the device. The guidance document includes 5 appendices that provide helpful definitions and suggested strategies for complying with the current FDA expectations for cybersecurity.

The new guidance consolidates and expands on previous guidance documents. In today’s threat landscape, security isn’t optional—it’s clinical. The FDA’s 2025 guidance makes cybersecurity a central pillar of medical device compliance, demanding secure architecture, transparent risk management, and proactive lifecycle planning. If your device isn’t cybersecure, it’s not market-ready.
