
Last reviewed: May 1, 2026
Last updated: May 2026
Three documents from AAMI keep getting conflated in FDA submissions: TIR57, TIR97, and SW96. They cover overlapping ground but solve different problems, and citing the wrong one (or only one) is a frequent cause of cybersecurity deficiency letters under the FDA's February 2026 final guidance and Section 524B of the FD&C Act.
This post is the short version: what each document does, where it applies in the lifecycle, what the FDA actually recognizes, and how to stack them in a working Secure Product Development Framework (SPDF).
TL;DR comparison
| Dimension | AAMI TIR57:2016 (R2023) | AAMI TIR97:2019 | AAMI SW96:2023 |
|---|---|---|---|
| Type | Technical Information Report (TIR) | Technical Information Report (TIR) | Consensus standard |
| Title (short) | Principles for medical device security — risk management | Principles for medical device security — postmarket risk management | Standard for medical device security — security risk management |
| Lifecycle stage | Premarket (design and verification) | Postmarket (fielded and legacy devices) | Whole lifecycle |
| FDA recognition | TIR (informational); cited in FDA guidance. Verify its current entry in the FDA Recognized Consensus Standards Database before citing it | TIR (informational); cited in FDA guidance. Verify its current entry in the database before citing it | On the FDA Recognized Consensus Standards Database (recognition number 13-122) |
| Relationship to ISO 14971 | Implementation guide that applies ISO 14971 to security | Extends TIR57 thinking into postmarket | Formalizes TIR57 concepts and aligns with ISO 14971 and IEC 62304 |
| Best use today | Internal "how-to" for the security risk process | Postmarket vulnerability triage and CVE handling on fielded devices | Cite this as your primary security risk-management standard in the submission |
What each document actually covers
AAMI TIR57:2016 (R2023) — the original "how-to"
TIR57 is the practical guide that introduced the medical-device industry to applying ISO 14971 risk-management discipline to cybersecurity. It defined the now-standard pattern of:
threats → security capabilities → controls → verification → residual security risk
It is still the most useful reference for how to actually run threat modeling, build a security risk file, and document residual risk. But it is a TIR: informational guidance, not a consensus standard with normative requirements, so a Declaration of Conformity to it does not carry the weight of one to SW96. Check its current entry in the FDA Recognized Consensus Standards Database before you cite it, since recognition entries are revised. Citing TIR57 alone in a 2026 submission is no longer enough.
AAMI TIR97:2019 — the postmarket companion
TIR97 fills the gap TIR57 left open: what do you do once the device is fielded? It covers:
- Triage of newly disclosed vulnerabilities (CVEs) against fielded devices
- Postmarket security risk reassessment when an SBOM component changes (a new component version ships, or a new advisory lands against a version already in the field)
- Coordinated Vulnerability Disclosure (CVD) intake and response
- Decision-making for patch, mitigate, accept, or end-of-life
If your postmarket cybersecurity plan does not reference TIR97, FDA reviewers and Notified Bodies often flag it. It is the standard companion to a postmarket vulnerability management process and aligns with the FDA's postmarket cybersecurity guidance and the Section 524B(b)(1) and (b)(2) obligations: a plan to monitor, identify and address postmarket vulnerabilities (including coordinated vulnerability disclosure), and processes to make updates and patches available.
AAMI SW96:2023 — the consensus standard
SW96 is the consensus standard that pulls TIR57's concepts into a formal, auditable framework aligned with ISO 14971 (general risk management) and IEC 62304 (software lifecycle). Key things SW96 does that the TIRs do not:
- Defines normative requirements (not just recommendations) for the security risk-management process
- Maps explicitly to ISO 14971 clauses so security risk is a true subset of the device risk file
- Provides a formal definition of "security risk" distinct from safety risk, while keeping the two linked
- Is on the FDA Recognized Consensus Standards Database (recognition number 13-122) — meaning a Declaration of Conformity to SW96 carries regulatory weight
In our practice, SW96 is now the primary standard to cite in the cybersecurity section of a 510(k), De Novo, or PMA submission. TIR57 and TIR97 are still useful as the underlying "how-to" references, but they sit under SW96, not in front of it.
How they stack in a real SPDF program
A 2026-ready cybersecurity package usually looks like this:
- ISO 14971 — the device-level risk management standard. Security risk is a subset of overall risk.
- AAMI SW96 — the security risk-management standard you cite formally in the submission. Drives traceability from threat → control → verification → residual risk.
- AAMI TIR57 — your internal reference for how to run the SW96-required activities (STRIDE-style threat enumeration, control selection, residual-risk argument).
- AAMI TIR97 — your postmarket process: CVE triage, CVD intake, patch decisions, SBOM monitoring.
- IEC 81001-5-1 — security activities embedded in the software lifecycle (pairs with IEC 62304).
- NIST SP 800-218 (SSDF) — secure development practices reviewers increasingly expect to see referenced.
Citing only one or two of these is a common deficiency pattern. Citing all of them — and being clear about which is the formal standard (SW96, IEC 81001-5-1) vs which is implementation guidance (TIR57, TIR97) — is what mature submissions look like.
Common mistakes we see
- Citing TIR57 alone. Common in submissions written against the 2014 or 2018 guidance and never refreshed. Reviewers now expect SW96 as the primary security risk standard.
- No postmarket reference to TIR97. Postmarket plans default to generic "we will monitor CVEs" language; TIR97 gives you the structured process FDA reviewers (and Notified Bodies for EU MDR) actually want to see.
- Treating SW96 as a swap-in for ISO 14971. SW96 complements ISO 14971; it does not replace it. The device risk file still lives under ISO 14971, with security risk as a traceable subset.
- Buying the wrong edition. TIR57:2016 was reaffirmed in 2023 (TIR57:2016/(R)2023). A reaffirmation changes no technical content; the (R)2023 suffix only records that AAMI re-examined the document and kept it current. Cite the designation exactly as published. SW96 is dated 2023 and is the first edition.
What the FDA actually wants
From the FDA's February 2026 final guidance on cybersecurity in medical devices (and consistent with Section 524B):
- A documented security risk-management process integrated with ISO 14971 — SW96 is the cleanest way to demonstrate this.
- Traceability from threats through controls to verification evidence and residual risk — the SW96/TIR57 spine.
- A postmarket plan that covers monitoring, CVD, patching, and end-of-life — where TIR97 earns its keep.
- SBOM (CycloneDX or SPDX) maintained across the lifecycle, as Section 524B(b)(3) requires, with vulnerability handling tied to the security risk file so that every advisory matched against the SBOM traces to a risk entry and a documented decision.
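The TIR97-style triage loop described earlier (match new advisories against a fielded device's SBOM, reassess, then decide patch / mitigate / accept / end-of-life) and the requirement above that vulnerability handling trace to the security risk file are easiest to see in working code. The script below is an added example, not code from this post or from AAMI. The SBOM, the advisory feed (placeholder ADV-* identifiers, not real CVEs), the risk-file entries, and the decision policy in `decide()` are all constructed for illustration; a real program would read advisories from a feed and the risk file from the design-history system.

```python
"""Postmarket vulnerability triage of a fielded device's CycloneDX SBOM.

Added illustration: the SBOM, advisory feed, risk file and decision policy
below are constructed for this example (placeholder ADV-* identifiers, not
real CVEs) and are not a real product's data.
"""
import json

# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical fielded device.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.9",
     "purl": "pkg:generic/openssl@3.0.9"},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "operating-system", "name": "device-os", "version": "4.0.12",
     "purl": "pkg:generic/device-os@4.0.12"}
  ]
}"""

# Constructed advisory feed. "fixed" is None when no upstream fix exists yet;
# a component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "introduced": "3.0.0",
     "fixed": "3.0.10", "severity": "high"},
    {"id": "ADV-0002", "component": "zlib", "introduced": "1.2.0",
     "fixed": None, "severity": "medium"},
    {"id": "ADV-0003", "component": "openssl", "introduced": "1.1.0",
     "fixed": "1.1.1", "severity": "critical"},
    {"id": "ADV-0004", "component": "device-os", "introduced": "4.0.0",
     "fixed": None, "severity": "low"},
]

# Hypothetical security risk file keyed by component name. A component with
# no entry is a traceability gap that triage must surface, not silently skip.
RISK_FILE = {
    "openssl": {"risk_id": "SR-012",
                "compensating_control": "TLS only on isolated service port"},
    "zlib": {"risk_id": "SR-031", "compensating_control": None},
}


def parse_version(text):
    """Dotted numeric version -> comparable tuple ('3.0.10' -> (3, 0, 10))."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True when introduced <= version and (no fix yet or version < fixed)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json):
    """Pull (name, version, purl) from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [(c["name"], c["version"], c.get("purl")) for c in bom["components"]]


def decide(advisory, risk_entry, device_supported):
    """Hypothetical TIR97-style decision policy, checked in priority order."""
    if not device_supported:
        return "end-of-life"   # no further patching; document and notify users
    if risk_entry is None:
        return "reassess"      # component missing from the risk file: fix traceability first
    if advisory["fixed"] is not None:
        return "patch"         # a fix exists: schedule, deploy and verify it
    if risk_entry["compensating_control"]:
        return "mitigate"      # existing control: re-verify it still holds
    if advisory["severity"] in ("low", "medium"):
        return "accept"        # record as residual security risk in the file
    return "reassess"          # no fix, no control, high impact: needs a new control


def triage(sbom_json, advisories, risk_file, device_supported=True):
    """Match the SBOM against advisories and tie each finding to the risk file."""
    records = []
    for name, version, purl in load_components(sbom_json):
        for adv in advisories:
            if adv["component"] != name or not is_affected(version, adv):
                continue
            entry = risk_file.get(name)
            records.append({
                "vuln_id": adv["id"],
                "component": purl or name,
                "risk_id": entry["risk_id"] if entry else None,
                "decision": decide(adv, entry, device_supported),
            })
    return sorted(records, key=lambda r: r["vuln_id"])


if __name__ == "__main__":
    for rec in triage(SBOM_JSON, ADVISORIES, RISK_FILE):
        print(rec)
```

Run as written, the script reports three findings: the openssl advisory with an available fix goes to `patch` against SR-012, the zlib advisory with no fix and no compensating control is `accept`ed as residual risk under SR-031, and the device-os advisory comes back `reassess` with no risk ID because that component has no risk-file entry at all. That last case is the one a reviewer looks for: an SBOM component with nothing in the security risk file is a traceability gap regardless of the advisory's severity. Passing `device_supported=False` turns every finding into `end-of-life`, which is the signal to move the device onto the legacy-device track rather than keep patching.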
Reviewers do not score you on which TIR you cite. They score you on whether the process is real, the evidence is traceable, and the postmarket plan is operable. The three AAMI documents above are the most efficient way to demonstrate all three.
Frequently asked questions
Do I need to cite all three (TIR57, TIR97, SW96) in my FDA submission?
For a 2026 submission, cite SW96 as your primary security risk-management standard (it is FDA-recognized), reference TIR57 as the implementation guide your team follows, and cite TIR97 in the postmarket plan. Citing only TIR57 is a common cause of deficiency letters.
Is AAMI SW96 mandatory for FDA submissions?
No standard is strictly mandatory under Section 524B, but SW96 is on the FDA Recognized Consensus Standards Database and is the cleanest way to demonstrate that your security risk-management process meets the agency's expectations. A Declaration of Conformity to SW96 carries real weight in the cybersecurity section.
What is the difference between AAMI SW96 and ISO 14971?
ISO 14971 is the device-level risk-management standard, framed around harm to patients, users, and others. AAMI SW96 is the security-specific risk-management standard that integrates with it: your overall risk file lives under ISO 14971, and your security risk file lives under SW96 as a traceable subset, with any security risk that can lead to harm feeding the ISO 14971 analysis.
How is AAMI TIR97 different from TIR57?
TIR57 covers the premarket security risk-management process — threat modeling, control selection, verification, residual risk. TIR97 covers the postmarket equivalent — CVE triage, SBOM monitoring, CVD intake, patch decisions across fielded and legacy devices.
Has TIR57 been replaced by SW96?
TIR57 has not been withdrawn; it was reaffirmed as TIR57:2016/(R)2023. SW96 formalizes much of TIR57's content as normative requirements in a consensus standard, but TIR57 remains useful as the implementation guide. Most mature programs use both.
Where this fits
If you are building or refreshing your cybersecurity submission package, the three AAMI documents above are foundational. See also: