In June 2025 FDA finalized its cybersecurity guidance and clarified §524B obligations for “cyber devices.” For SaMD that connects to the internet, you must provide a postmarket vulnerability plan, processes that ensure reasonable assurance of cybersecurity, and an SBOM. FDA also recommends threat modeling, security architecture views, vulnerability and penetration testing, and labeling/management plans, all submitted via eSTAR (510(k) now; De Novo mandatory Oct 1, 2025).
Why Cybersecurity Matters for SaMD
With cyber-attacks on medical software rising and connected devices becoming more common, cybersecurity is no longer optional. The FDA has explicitly tied patient safety to strong cyber hygiene. Several warning letters in 2024 cited insufficient cyber documentation as the root cause for clearance delays. SaMD products face high scrutiny, especially those with network interfaces, data processing functions, or cloud dependencies.
Key Cybersecurity Expectations
1. SBOM (Software Bill of Materials)
The FDA expects a machine-readable SBOM that lists every software component, including:
- Component name and version
- Supplier
- License type
- Known vulnerabilities (linked to CVEs)
Use formats like CycloneDX or SPDX, and automate SBOM generation at build-time.
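The following is an added example, not code from the article or from any SBOM tool it mentions: it assembles a minimal CycloneDX 1.5 JSON document from a constructed dependency inventory (the kind a build step would emit) and reports which components lack the fields listed above. The component names, the supplier names and the vulnerability feed are constructed, and the CVE identifier is a placeholder, not a real advisory.

```python
"""Build a minimal CycloneDX 1.5 JSON SBOM from a constructed dependency list and
check that every component carries name/version, supplier, license and linked CVEs.
Added example with constructed data; not the article's or any vendor's code."""
import json
import uuid
from datetime import datetime, timezone

# Constructed dependency inventory, as a build tool might emit it (hypothetical).
DEPENDENCIES = [
    {"name": "examplelib", "version": "2.3.1", "supplier": "Example Org",
     "license": "MIT", "ecosystem": "pypi"},
    {"name": "netparser", "version": "0.9.0", "supplier": "Parser Co",
     "license": "Apache-2.0", "ecosystem": "pypi"},
    {"name": "tls-shim", "version": "1.0.4", "supplier": None,   # supplier unknown
     "license": None, "ecosystem": "npm"},                      # license unknown
]

# Constructed vulnerability feed keyed by (name, version).
# "CVE-YYYY-NNNNN" is a placeholder identifier, not a real CVE.
VULN_FEED = {
    ("netparser", "0.9.0"): [{"id": "CVE-YYYY-NNNNN", "severity": "high"}],
}

REQUIRED = ("name", "version", "supplier", "license")


def purl(dep):
    """Package URL: the unambiguous component identifier used across SBOM tools."""
    return f"pkg:{dep['ecosystem']}/{dep['name']}@{dep['version']}"


def build_sbom(deps, feed, product_name="ExampleSaMD", product_version="1.0.0"):
    """Return a CycloneDX 1.5 document (as a dict) with components and vulnerabilities."""
    components, vulnerabilities = [], []
    for dep in deps:
        ref = purl(dep)
        comp = {"type": "library", "bom-ref": ref, "name": dep["name"],
                "version": dep["version"], "purl": ref}
        if dep["supplier"]:
            comp["supplier"] = {"name": dep["supplier"]}
        if dep["license"]:
            comp["licenses"] = [{"license": {"id": dep["license"]}}]
        components.append(comp)
        # Known vulnerabilities are linked to the component through its bom-ref.
        for v in feed.get((dep["name"], dep["version"]), []):
            vulnerabilities.append({
                "id": v["id"],
                "source": {"name": "constructed-feed"},
                "ratings": [{"severity": v["severity"]}],
                "affects": [{"ref": ref}],
            })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": product_name,
                          "version": product_version},
        },
        "components": components,
        "vulnerabilities": vulnerabilities,
    }


def completeness_gaps(deps):
    """(component, missing field) pairs; each one is a question a reviewer will ask."""
    return [(d["name"], f) for d in deps for f in REQUIRED if not d.get(f)]


if __name__ == "__main__":
    print(json.dumps(build_sbom(DEPENDENCIES, VULN_FEED), indent=2))
    print("gaps:", completeness_gaps(DEPENDENCIES))
```

Run this as the last step of a build and fail the pipeline when `completeness_gaps` is non-empty; that turns the "supplier unknown" case above into a build error rather than a finding in a deficiency letter.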
2. Threat Modeling
Map your architecture using STRIDE or PASTA frameworks to identify:
- Entry points
- Threat vectors
- Mitigations applied
Attach diagrams and mitigation plans that align with your software risk profile.
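As an added illustration (not the article's material), the block below applies the STRIDE-per-element mapping to a small, constructed data-flow model of a connected SaMD and lists every applicable threat that has no mitigation recorded against it. The element names and the mitigations are assumptions made for the example; the mapping of threat classes to element types is the standard STRIDE-per-element table.

```python
"""STRIDE-per-element enumeration over a constructed data-flow diagram (DFD).
Added example; the architecture and mitigations are assumed, not a real product."""

# Standard STRIDE-per-element mapping: threat classes that apply to each DFD element type.
STRIDE_BY_ELEMENT = {
    "external_entity": {"S", "R"},
    "process":         {"S", "T", "R", "I", "D", "E"},
    "data_store":      {"T", "R", "I", "D"},
    "data_flow":       {"T", "I", "D"},
}
THREAT_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

# Constructed model: DFD elements with the mitigations already mapped to them.
ELEMENTS = [
    {"name": "Clinician mobile app", "type": "external_entity",
     "mitigations": {"S": "mutual TLS + user login"}},
    {"name": "Analysis API", "type": "process",
     "mitigations": {"S": "token auth", "T": "input validation", "R": "audit log",
                     "I": "TLS 1.2+", "D": "rate limiting"}},   # E deliberately left open
    {"name": "Patient results DB", "type": "data_store",
     "mitigations": {"T": "RBAC on writes", "I": "encryption at rest", "R": "audit log"}},
    {"name": "App -> API (internet)", "type": "data_flow",
     "mitigations": {"I": "TLS", "T": "TLS"}},
]


def enumerate_threats(elements):
    """One row per applicable (element, threat class), with its mitigation or None."""
    rows = []
    for el in elements:
        for letter in sorted(STRIDE_BY_ELEMENT[el["type"]]):
            rows.append({"element": el["name"], "threat": THREAT_NAMES[letter],
                         "mitigation": el["mitigations"].get(letter)})
    return rows


def open_threats(elements):
    """Applicable threats with no recorded mitigation: the gap list for the submission."""
    return [(r["element"], r["threat"]) for r in enumerate_threats(elements)
            if r["mitigation"] is None]


def coverage(elements):
    """(mitigated, total) across all applicable threats."""
    rows = enumerate_threats(elements)
    return sum(1 for r in rows if r["mitigation"]), len(rows)


if __name__ == "__main__":
    for element, threat in open_threats(ELEMENTS):
        print(f"OPEN  {element}: {threat}")
    print("coverage: %d/%d" % coverage(ELEMENTS))
```

The rows from `enumerate_threats` are the mitigation table the checklist asks for; `open_threats` is the list you either mitigate or explicitly accept (with rationale) before the model goes into the submission.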
3. Secure-by-Design Controls
Demonstrate implementation of controls like:
- Encryption (at rest & in transit)
- Role-based access control (RBAC)
- Digital signatures / code signing
Evidence should show these controls were considered from early development.
4. Validation & Penetration Testing
Include:
- Penetration test protocols
- Red team test results
- Fuzz testing summaries
Document vulnerabilities found, actions taken, and ensure test reproducibility.
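Reproducibility is the part of a fuzz-testing summary reviewers most often find missing. The block below is an added example (not the article's code or any tool it names) of a seeded mutation fuzzer whose every input can be regenerated from a `(seed, iteration)` key, so a crash recorded in the summary can be re-run on demand. The target parser is a constructed toy with a deliberate bounds defect so the harness has something to find.

```python
"""Seeded mutation fuzzer with reproducible findings. Added example: the target
parser is a constructed toy with a deliberate defect; nothing here is product code."""
import random
import struct

SEED_INPUT = b"\x00\x04abcd"   # constructed valid record: u16 length=4, payload "abcd"


def parse_record(buf: bytes) -> dict:
    """Toy length-prefixed record parser: [u16 length][payload].
    Constructed defect: it trusts the declared length and never checks it
    against the bytes actually present."""
    if len(buf) < 2:
        raise ValueError("short header")      # an expected rejection, not a bug
    (length,) = struct.unpack(">H", buf[:2])
    payload = buf[2:2 + length]
    checksum = payload[length - 1]            # IndexError when length exceeds payload
    return {"length": length, "checksum": checksum}


def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    """A few random flips/inserts/truncations; fully determined by rng state."""
    data = bytearray(seed_input)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "truncate"))
        if op == "flip" and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == "truncate" and len(data) > 1:
            del data[rng.randrange(len(data)):]
    return bytes(data)


def make_input(seed_input: bytes, seed: int, iteration: int) -> bytes:
    """Regenerate the exact input for (seed, iteration); str seeding is stable across runs."""
    return mutate(seed_input, random.Random(f"{seed}:{iteration}"))


def fuzz(target, seed_input: bytes, seed: int, iterations: int) -> list:
    """Run mutated inputs through `target`; record each crash with its reproduction key."""
    findings = []
    for i in range(iterations):
        data = make_input(seed_input, seed, i)
        try:
            target(data)
        except ValueError:
            continue                          # documented rejection path
        except Exception as exc:              # anything else is a finding
            findings.append({"seed": seed, "iteration": i,
                             "exception": type(exc).__name__, "input": data.hex()})
    return findings


def reproduce(target, seed_input: bytes, finding: dict) -> bool:
    """Re-derive the input from the key and confirm the same exception recurs."""
    data = make_input(seed_input, finding["seed"], finding["iteration"])
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__ == finding["exception"]
    return False


if __name__ == "__main__":
    found = fuzz(parse_record, SEED_INPUT, seed=7, iterations=200)
    print(f"{len(found)} findings; all reproducible:",
          all(reproduce(parse_record, SEED_INPUT, f) for f in found))
```

Record the seed, the iteration and the harness version alongside each finding in the test report; with those three values a reviewer (or the engineer fixing the bug) can regenerate the failing input without the original run's artifacts.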
5. Update & Patch Process
FDA wants to see:
- Defined roles for monitoring & patching
- 48–72 hour patch deployment window
- Rollback strategy for failed patches
Include this as part of your risk control and maintenance documentation.
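The code-signing control from the Secure-by-Design section and the rollback strategy above meet in the update path. The block below is an added example, not the article's or any device's code: an update is accepted only after its integrity tag verifies, it is installed, and a health gate decides whether it stays or the previous version is restored. An HMAC-SHA256 tag stands in for the asymmetric code-signing signature a real release pipeline would verify (an assumption made to keep the example dependency-free), and the package contents and health check are constructed.

```python
"""Verify -> install -> health gate -> roll back on failure. Added example with
constructed packages; HMAC stands in for asymmetric code signing (assumption)."""
import hashlib
import hmac

RELEASE_KEY = b"constructed-release-key"   # placeholder; a real signing key lives in an HSM/KMS


def sign(package: bytes) -> str:
    """Integrity tag over the package (stand-in for a code-signing signature)."""
    return hmac.new(RELEASE_KEY, package, hashlib.sha256).hexdigest()


def verify(package: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign(package), tag)


def healthy(package: bytes) -> bool:
    """Constructed health check: a real one exercises the device's post-update self-test."""
    return b"boot-ok" in package


class Device:
    """Holds the running version and exactly one rollback candidate."""

    def __init__(self, version: str, package: bytes):
        self.current = (version, package)
        self.previous = None
        self.log = []

    def apply_update(self, version: str, package: bytes, tag: str, health_check) -> str:
        """Apply an update and return the version that is running afterwards."""
        if not verify(package, tag):
            self.log.append(f"reject {version}: integrity check failed")
            return self.current[0]               # nothing installed, nothing to roll back
        self.previous, self.current = self.current, (version, package)
        self.log.append(f"installed {version}")
        if not health_check(package):
            # Rollback criterion: health gate fails -> restore the previous version.
            self.current, self.previous = self.previous, None
            self.log.append(f"rollback to {self.current[0]}: health check failed")
        return self.current[0]


if __name__ == "__main__":
    dev = Device("1.0", b"firmware v1 boot-ok")
    good = b"firmware v2 boot-ok"
    print(dev.apply_update("2.0", good, sign(good), healthy))
    print("\n".join(dev.log))
```

Each branch writes one log line; those lines are the evidence the maintenance documentation needs for "who deployed what, when, and what happened when it failed".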
Submission Checklist
Deliverable | Description | Template / Tool
--- | --- | ---
SBOM | Full component list (CycloneDX or SPDX format) | SBOM wizard export
Threat Model | STRIDE diagram + mitigation table | Threat-model template
Secure-by-Design Evidence | Architecture diagram with security controls highlighted | Secure-design slide
Penetration-Test Report | Third-party test summary, vulnerability log, remediation actions | Pen-test report PDF
Patch & Rollback Plan | Documented update process, roles, timelines, rollback criteria | Patch plan checklist
Best Practices & Pro Tips
- Automate SBOM generation in your CI/CD pipeline (e.g., CycloneDX plugin).
- Embed security tests in every build, not just pre-submission.
- Link security docs to your IEC 62304/ISO 14971 traceability matrix—show how risk controls tie to cyber tests.
- Use version control for SBOMs and threat-model artifacts (tag commits with submission versions).
- Validate early with an FDA Pre-Submission (Q-Submission) meeting to avoid last-minute surprises.
FAQ
Is an SBOM required for SaMD submissions?
Yes. FDA’s 2025 guidance requires a complete SBOM for all premarket pathways.
What threat-modeling standard should I use?
STRIDE or PASTA are both acceptable. Pick one, be consistent, and provide mitigation documentation.
Do I need third-party penetration tests?
Yes. FDA expects independent pen-test results and remediation summaries, especially for connected or critical SaMD.