A Guide to FDA’s Cybersecurity Documentation Requirements (2025)

Updated December 27, 2025

If you’re preparing a 510(k), De Novo, PMA, PDP, or HDE for a device with connectivity or software-driven features, the question isn’t whether FDA cares about cybersecurity—it’s whether your submission includes the right documentation in a way reviewers can quickly follow.

The FDA’s current premarket cybersecurity guidance, issued on June 27, 2025, explains what the FDA expects manufacturers to provide for devices with cybersecurity risks and includes specific directions related to Section 524B of the FD&C Act (“Ensuring Cybersecurity of Medical Devices”) for cyber devices.

This guide breaks down the documentation the FDA requires and how to structure it. It provides a practical checklist to help you avoid review delays, deficiency letters, or a refusal to accept (RTA) due to cybersecurity gaps.

First: Are you submitting a “cyber device” under Section 524B?

Section 524B applies to a “cyber device”, which the FDA describes (via the statute) as a device that:

includes software validated, installed, or authorized by the sponsor as a device or in a device,
has the ability to connect to the internet, and
contains technological characteristics that could be vulnerable to cybersecurity threats.

FDA notes that sponsors submitting a 510(k), PMA, PDP, De Novo, or HDE for a device that meets this definition are required to submit information to help ensure the device meets the cybersecurity requirements in 524B.

Practical takeaway: If your device is connected (directly or through a companion app, cloud service, update server, or hospital network) and includes software, you should assume you’ll be treated as a “cyber device” unless you can clearly justify otherwise.

What the FDA wants (2025): Your documentation should show four things

Strong submissions make it easy for the FDA to see a transparent chain from risk → design controls → verification evidence → lifecycle management. In practice, reviewers want to understand:

What could go wrong (threat model + risk assessment in the context of the full system),
What you built to reduce risk (security requirements + architecture + controls),
How you proved it (testing and objective evidence), and
How you will maintain it postmarket (monitoring, disclosure, and remediation planning).

The FDA also emphasizes that cybersecurity is part of device safety and effectiveness and that devices increasingly operate as elements of larger systems (networks, update servers, other software).

Use the SPDF structure (it maps cleanly to what the FDA expects)

The FDA establishes cybersecurity expectations within a Secure Product Development Framework (SPDF)—a set of processes designed to mitigate vulnerabilities throughout the entire product lifecycle.

For documentation, this SPDF concept shows up in four practical buckets:

Security Risk Management (threat modeling, risk assessment, third-party components)
Security Architecture (design decisions, controls, architecture views/flows)
Cybersecurity Testing (verification of evidence that controls work)
Cybersecurity Transparency (labeling + lifecycle plans for monitoring and response)

If you organize your submission around these buckets, reviewers can follow your story without needing to dig.

The 2025 FDA cybersecurity documentation checklist (premarket-ready)

Below is a practical checklist you can use to build an FDA-friendly cybersecurity package. Not every device requires the same level of depth, but these elements typically appear in most modern reviews of devices with cybersecurity risks.

1) Device cybersecurity scope and system context

What’s in-scope: device, accessories, mobile apps, cloud services, update mechanisms, APIs
Intended use environment (home, hospital, enterprise network constraints)
Connectivity and data flows (where data goes, what protocols are used)

2) Threat model (system-level, not just a feature list)

Assets, threats, entry points, trust boundaries
Misuse cases/attack scenarios (how an attacker would actually reach the device/system)
Linkage to mitigations (controls and requirements)

3) Cybersecurity risk assessment tied to safety and effectiveness

Risk decisions that reflect device context (clinical impact, essential performance, availability)
Clear rationale for severity and acceptability
Risk controls identified, implemented, and verified

FDA explicitly links cybersecurity to safety and effectiveness and notes that cyber incidents can disrupt patient care and lead to patient harm (e.g., delayed diagnosis/treatment).

4) Security requirements (and traceability)

Security requirements derived from the threat model and risk assessment
Traceability from threats/risks → requirements → controls → test evidence

5) Security architecture documentation

Architecture diagrams/flows that show where controls live (auth, encryption, update chain, logging)
Key design decisions (trust boundaries, privilege separation, secure boot, key management)
Update mechanism architecture (how updates are validated and delivered)

6) Cybersecurity testing evidence

Test plan tied to security requirements and threat model
Vulnerability testing results (with disposition and remediation tracking)
Penetration testing results were appropriate (with retest evidence if fixes were made)
Software testing evidence appropriate to your stack (e.g., SAST/DAST where relevant)

7) SBOM (Software Bill of Materials)

A machine-readable SBOM that covers commercial, open-source, and off-the-shelf components
Evidence you can use it operationally (versioning, vulnerability monitoring, disposition records)

FDA notes 524B requires sponsors to submit information to help ensure cyber devices meet cybersecurity requirements, and it references SBOM expectations (including third-party components).

8) Cybersecurity transparency (labeling + customer-facing info)

Clear customer guidance: configuration, hardening, network needs, authentication practices
Update expectations: how and when updates are delivered, minimum supported versions
Security contact/disclosure pathway (how issues are reported)

9) Postmarket cybersecurity plans (critical for 524B)

How will you monitor, identify, and address vulnerabilities post-market
Coordinated vulnerability disclosure (CVD) approach
Patch/remediation planning and communication strategy

The FDA’s 2025 guidance explicitly addresses obligations under Section 524B for cyber devices, including what sponsors should submit to support these obligations.

What changed vs. older guidance (and why your old templates may fail)

FDA’s 2025 document:

is explicitly issued on June 27, 2025 and supersedes the September 27, 2023 version
ties recommendations to lifecycle cybersecurity and SPDF concepts
and directly addresses section 524B expectations for “cyber devices.”

Translation: If your cybersecurity documentation still reads like a generic “policy and procedure” narrative, or focuses on healthcare PHI breaches instead of device system risk and verification evidence, it’s time to update.

Common documentation mistakes that trigger FDA questions

Threat model is missing or superficial (no trust boundaries, no realistic attack paths)
No traceability from threats → controls → test evidence
Testing is generic (tool output dumps without device context or disposition)
SBOM is treated as a one-time file (no monitoring/maintenance plan)
Postmarket plan is vague (no CVD process, unclear patch approach)
Architecture isn’t shown (the reviewer can’t see where the controls live)

How to make your cybersecurity package “reviewer-friendly”

If you want to reduce review cycles, structure your cybersecurity section so a reviewer can answer these questions quickly:

Where are the external interfaces and trust boundaries?
What are the plausible attack scenarios?
What controls address each scenario?
What evidence proves those controls work?
How will vulnerabilities be handled after launch?

When those answers are easy to find, your submission is easier to review—and you’re less likely to get stuck in iterative Q&A.

Need help building a 2025-aligned FDA cybersecurity submission package?

Blue Goat Cyber helps medical device manufacturers turn cybersecurity requirements into a clear, test-backed documentation package aligned to FDA expectations—covering threat modeling, SBOM creation and analysis, penetration testing support, and submission-ready narratives.

Next step: If you’re on a deadline, start with a gap review to identify what’s missing and what can be reused; then, build a prioritized plan aligned with your submission date.

FAQs

Do we need to follow the 2025 FDA cybersecurity guidance exactly?

Guidance is nonbinding, but it represents the FDA’s current thinking and is the clearest roadmap for what reviewers expect. The closer your submission aligns with the guidance structure, the less friction you typically experience.

What is a “cyber device” under Section 524B?

FDA cites the statutory definition: a device with sponsor-authorized software, the ability to connect to the internet, and characteristics that could be vulnerable to cybersecurity threats.

Is an SBOM required?

For cyber devices, 524B requires specific cybersecurity information, and the FDA’s guidance discusses SBOM expectations as part of documenting third-party components and lifecycle cybersecurity.

What’s the fastest way to strengthen our cybersecurity documentation?

Build (or fix) your threat model, create traceability from threats to controls and test evidence, and ensure your postmarket monitoring/disclosure plan is specific—not generic.

How does SPDF show up in the submission?

SPDF is the lifecycle framework behind your evidence: how you manage security risk, document architecture and controls, test and verify security claims, and plan postmarket monitoring and response.