
Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO
Published November 2025 · Last reviewed May 2026
The Med Device Cyber Podcast · November 30, 2025

This episode of The Med Device Cyber Podcast unravels the often-misunderstood requirements for FDA cybersecurity premarket submissions. Hosts Christian Espinosa and Trevor Lynch demystify the 18 essential deliverables that map to the 13 sections of EAR 6.0, emphasizing that the set of required documents is the same across all device types and risk profiles, with only the depth of each deliverable scaling with the device. The discussion covers critical elements such as the Risk Management Report, which encompasses threat modeling (using frameworks like STRIDE), the cybersecurity risk assessment, and the Software Bill of Materials (SBOM) along with its supporting material. The hosts highlight the nuances of the cybersecurity assessment of unresolved anomalies, the forward-looking approach to cybersecurity metrics, and the importance of robust security controls and architecture views. A significant portion of the conversation is dedicated to the Cybersecurity Management Plan for postmarket activities and the detailed aspects of cybersecurity testing, including SAST, test plans, and test reports. Finally, the episode covers cybersecurity labeling, distinguishing between JSP2, MDS2, and interoperability considerations. This episode is a must-listen for product security teams, regulatory leads, and engineers navigating the intricate landscape of medical device cybersecurity compliance and aiming for efficient premarket submissions.
Key Takeaways
- The set of deliverables required for an FDA cybersecurity premarket submission is the same for every device type and risk profile; only the depth and detail of each deliverable scale with the device's risk and complexity.
- The 18 required deliverables map to 13 sections of EAR 6.0, with specific areas like SBOM, cybersecurity testing, and cybersecurity labeling involving multiple deliverables mapping to a single EAR section.
- Risk management is a critical component, requiring a comprehensive report that includes a threat model (often utilizing frameworks like STRIDE), a detailed cybersecurity risk assessment, and a Software Bill of Materials (SBOM) with supporting material on component support and maintenance plans.
- Cybersecurity testing encompasses various activities, including Static Application Security Testing (SAST), vulnerability assessments, penetration testing, and misuse case testing, all structured with a clear test plan, test cases, and a test report.
- Cybersecurity labeling is multifaceted, requiring information tailored to different audiences like the FDA (JSP2), healthcare delivery organizations (MDS2), and specific interoperability labeling for devices involved in clinical decision-making data flows.
- The Cybersecurity Management Plan outlines active responsibilities for postmarket security, including ongoing testing, coordinated vulnerability disclosure, and proactive monitoring for SBOM vulnerabilities.
- Early preparation and a 'begin with the end in mind' approach are crucial for managing the extensive documentation required, which can range from 150 to over 600 pages for complex devices.
Listen on mdcpodcast.com · Watch on YouTube
Want help applying this to your own device program?
Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.
