Published: February 8, 2026 · Last reviewed: May 1, 2026
Updated: May 2026
The FDA's Quality Management System Regulation (QMSR) integrates cybersecurity as a critical component of medical device safety and quality. By incorporating ISO 13485:2016, QMSR reinforces that cybersecurity must be part of risk management, software validation, and overall quality processes throughout the entire product lifecycle. The February 3, 2026 premarket cybersecurity guidance explicitly aligns cybersecurity expectations with QMSR requirements, emphasizing secure product development frameworks and postmarket obligations.
This month marks a pivotal moment for the medical device industry.
The FDA’s Quality Management System Regulation, or QMSR, is now in effect. This represents a meaningful shift in how medical device quality systems are evaluated. By aligning with ISO 13485:2016 and emphasizing lifecycle thinking and risk-based decision-making, QMSR brings U.S. expectations closer to global regulatory standards.
This is not just a regulatory update. It is a reset in how safety, quality, and accountability are expected to show up across the entire device lifecycle, from early design decisions through postmarket performance in the real world.
For companies building connected, software-enabled, and AI-driven medical technologies, the implications are significant. QMSR reinforces a simple reality: quality is not something you document at the end of development. It is something you build into your product from day one.
And today, that includes cybersecurity.
Key Takeaways
- QMSR integrates cybersecurity into device safety and quality management.
- ISO 13485, as incorporated into QMSR, brings cybersecurity in through its risk management requirements.
- Software validation under QMSR mandates cybersecurity validation.
- Secure Product Development Frameworks aid QMSR compliance.
- Premarket submissions leverage QMSR documentation for cybersecurity.
- Postmarket obligations include cybersecurity via QMSR processes.
What QMSR Actually Is
QMSR stands for the Quality Management System Regulation. It is the FDA's revised version of 21 CFR Part 820, the rule that governs how medical device manufacturers must run their quality systems. The final rule (89 FR 7496) took effect on February 2, 2026, replacing the older Quality System (QS) Regulation by incorporating by reference the 2016 edition of ISO 13485 - the international consensus standard for medical device quality management systems. The FDA aligned U.S. requirements with what other regulators around the world already expect, while keeping certain U.S.-specific provisions in Part 820.
In short:
QMSR = 21 CFR Part 820 (revised) + ISO 13485:2016 by reference.
How QMSR Connects to Cybersecurity
The link is direct and was made explicit in the FDA's February 2026 Premarket Cybersecurity Guidance, which was reissued specifically to align with the new QMSR. The core idea: cybersecurity is treated as part of device safety and quality, not as a separate compliance track. Five threads tie them together.
1. Risk management is the bridge
ISO 13485 (now pulled into Part 820) requires manufacturers to document processes for risk management throughout product realization (Subclause 7.1). The FDA's position is that security risk management must be integrated into that same quality management system - addressed across the Total Product Life Cycle (TPLC), not bolted on afterward. The FDA distinguishes security risk management from safety risk management (ISO 14971) because the scope of harm and risk factors differ, but expects both to be performed and to interface cleanly - referencing AAMI TIR57 and ANSI/AAMI SW96.
2. Software validation pulls cybersecurity in
Under 21 CFR 820.10(c), any device automated with software must comply with the design and development requirements in ISO 13485 Clause 7.3, including design validation (Subclause 7.3.7). The FDA's view is that meaningful software validation for connected devices necessarily includes cybersecurity validation - secure design requirements, controls, and evidence that those controls work in the device's environment of use.
3. The SPDF is one way to satisfy QMSR
The FDA recommends a Secure Product Development Framework (SPDF) - a set of processes that reduce the number and severity of vulnerabilities across a device's full lifecycle (design, development, release, support, decommission). The guidance is explicit that using an SPDF is one approach to meet QMSR obligations for cyber devices, though others are acceptable. Alternative frameworks the FDA mentions include the Medical Device and Health IT Joint Security Plan (JSP2), IEC 81001-5-1, and ANSI/ISA 62443-4-1.
4. Premarket submissions can leverage QMSR documentation
For cyber devices (as defined in Section 524B of the FD&C Act - devices that include software, can connect to the internet, and have technological characteristics that could be vulnerable to cybersecurity threats), the documentation a manufacturer generates to comply with QMSR can also serve as evidence in 510(k), PMA, De Novo, and similar submissions to demonstrate the cybersecurity required under Section 524B(b). The FDA was careful to note it won't evaluate QMSR compliance during a 510(k) substantial equivalence review - but it will look at the cybersecurity outputs that QMSR-compliant processes produce.
5. Postmarket obligations also flow from QMSR
Cybersecurity isn't just a premarket concern. The FDA expects manufacturers to maintain cybersecurity programs consistent with QMSR throughout the postmarket period, including:
- Complaint handling (ISO 13485 Subclause 8.2.2 / 21 CFR 820.35(a))
- Quality audits (8.2.4)
- Data analysis and improvement (8.4, 8.5)
- Software validation (7.3.7)
- Risk management (7.1)
- Servicing (7.5.4 / 21 CFR 820.35(b))
The Bottom Line
QMSR is the regulatory container; cybersecurity is one of the things that has to live inside it. For a connected medical device today, you can't really "do cybersecurity" as a standalone deliverable - you have to weave it into the same quality processes (design controls, risk management, software validation, CAPA, complaint handling, servicing) that QMSR already requires. The 2026 premarket cybersecurity guidance was rewritten specifically to map cybersecurity expectations onto QMSR/ISO 13485 clauses, so manufacturers can show that meeting one helps satisfy the other.
This is where early planning matters.
Threat modeling, secure architecture design, and verification and validation of security controls are no longer optional best practices. They are concrete evidence of a mature quality system that aligns with current regulatory expectations. Waiting until submission, or worse, postmarket, to address cybersecurity often results in documentation gaps, rework during testing, regulatory delays, increased costs, and avoidable risk.
QMSR raises the bar by reinforcing lifecycle accountability. Regulators are no longer focused only on what you built. They want to understand how you identified risk, how you controlled it, and how you plan to maintain safety as your product evolves in the field.
“QMSR makes one thing clear: cybersecurity is no longer a separate conversation. It is a core measure of whether a medical device is truly safe and fit for use.” - Christian Espinosa, Founder & CEO, Blue Goat Cyber
At Blue Goat Cyber, we see this shift as an opportunity. When cybersecurity is treated as part of quality rather than a parallel effort, organizations strengthen their regulatory position, build more resilient products, and earn greater trust from clinicians, patients, and partners.
In a connected healthcare ecosystem, cybersecurity is one of the clearest indicators of whether that system is truly designed to protect the people who depend on it. And proactive protections today will dictate the healthcare system of tomorrow.
Whether your MedTech company is preparing for an upcoming submission, aligning your processes to QMSR, or trying to close gaps before an inspection, it is worth asking a direct question: does your cybersecurity approach hold up as evidence of quality?
Blue Goat Cyber is your cybersecurity partner. Book a no-cost Discovery Session with us today to understand where you stand and what concrete steps are needed to move forward with confidence under QMSR.
FAQs
What is the FDA's QMSR?
The FDA's Quality Management System Regulation (QMSR) is the revised version of 21 CFR Part 820. It incorporates ISO 13485:2016 by reference, aligning U.S. quality system requirements with international standards for medical device manufacturing.
How does QMSR impact medical device cybersecurity?
QMSR integrates cybersecurity into the quality management system, treating it as integral to device safety and quality. This means cybersecurity must be addressed through risk management, software validation, design controls, and postmarket activities as part of QMSR compliance.
Does QMSR require specific cybersecurity frameworks?
While QMSR does not mandate a single framework, the FDA recommends using a Secure Product Development Framework (SPDF) to meet cybersecurity obligations. Other frameworks like IEC 81001-5-1 or ANSI/ISA 62443-4-1 are also mentioned as acceptable approaches.
When did the QMSR go into effect?
The QMSR final rule (89 FR 7496) became effective on February 2, 2026, replacing the older Quality System Regulation (21 CFR Part 820).
Can QMSR documentation be used for FDA premarket cybersecurity submissions?
Yes, documentation generated for QMSR compliance can serve as evidence in premarket submissions (e.g., 510(k), PMA) to demonstrate the cybersecurity requirements mandated by Section 524B(b) of the FD&C Act.
What postmarket cybersecurity obligations are tied to QMSR?
QMSR requires manufacturers to maintain cybersecurity programs throughout the postmarket period. This includes integrating cybersecurity into complaint handling, quality audits, data analysis, corrective actions, software validation, and servicing processes.
Sources & references
Primary sources cited in this article.
- Quality Management System Regulation - U.S. FDA