What is the Center for Devices and Radiological Health

The Center for Devices and Radiological Health (CDRH) is the branch of the U.S. Food and Drug Administration responsible for regulating medical devices and radiation-emitting products. If you build, test, market, or maintain medical technology in the United States, CDRH is the part of the FDA that shapes the rules you live under.

Key Takeaways

• CDRH regulates medical devices and radiation-emitting products.
• Oversight spans premarket review to postmarket surveillance.
• CDRH policy shapes device design, testing, and lifecycle management.
• Cybersecurity is a key safety component for connected devices.
• Regulation balances patient access with safety and effectiveness.
• CDRH influences global medical device standards.

Table of Contents

• Key Takeaways
• What CDRH Does
• How CDRH Regulates Medical Devices and Radiological Health
• Why CDRH Matters to Public Health
• CDRH’s Influence Beyond the United States
• Where CDRH Is Headed

What CDRH Does

CDRH exists to help ensure patients get access to devices that are safe, effective, and appropriately controlled across the product lifecycle. That means far more than reviewing submissions. CDRH writes and interprets policy, evaluates evidence before devices reach the market, monitors performance after launch, and takes action when risk outweighs benefit.

For manufacturers, that translates into a very practical reality. CDRH influences how you design your device, document risk, validate claims, label the product, manage quality, and respond to postmarket issues. It is not just a gatekeeper at the submission stage. It is a regulator with lifecycle authority.

CDRH’s Mission and Scope

CDRH regulates medical devices from low-risk products to high-risk implantables, along with in vitro diagnostics and many radiation-emitting products. Its work spans premarket review, postmarket surveillance, compliance, enforcement, standards participation, and policy development.

That scope matters because device safety is not settled at clearance or approval. A device can look acceptable in a submission package and still create problems in the field due to usability failures, manufacturing drift, software defects, cybersecurity weaknesses, or poor servicing controls. CDRH’s oversight is built around that reality.

How CDRH Is Organized

CDRH sits within the FDA and operates through multiple offices with specialized functions. Those offices cover areas such as premarket review, in vitro diagnostics, radiological health, compliance, product quality, and center leadership.

That structure is not just bureaucratic plumbing. It reflects how device regulation actually works. Scientific review, quality system oversight, compliance action, and postmarket monitoring are interconnected. Manufacturers that treat them as separate workstreams usually end up with gaps, delays, or both.

How CDRH Regulates Medical Devices and Radiological Health

CDRH’s core job is oversight. In practice, that means reviewing products before marketing when required, enforcing applicable requirements, and monitoring how products perform in the real world.

Medical Device Oversight

For medical devices, CDRH reviews premarket submissions such as 510(k) notifications, PMA applications, and De Novo requests. The depth of review depends on the device type, risk profile, intended use, technological characteristics, and the evidence needed to support safety and effectiveness.

This is where many teams get tripped up. They think the submission is the product. It isn’t. The submission is evidence about the product. CDRH reviewers assess whether the design, testing, labeling, and supporting data justify market access under the relevant pathway.

Take an implantable cardiac device as an example. CDRH may review bench testing, software documentation, biocompatibility, electrical safety, clinical data, human factors, labeling, and manufacturing controls. If the device includes connectivity, cybersecurity is also part of the discussion. Not as an afterthought, but as a safety and effectiveness issue.

Radiological Health Oversight

CDRH also regulates radiation-emitting products such as X-ray systems, CT scanners, mammography equipment, lasers, and certain radioactive product categories. The goal is straightforward: limit unnecessary exposure and make sure these products meet applicable radiation safety standards.

That oversight includes guidance, inspections, reporting requirements, and action when manufacturers fail to meet requirements. For companies working in imaging or other radiation-related technologies, CDRH is not simply reviewing performance claims. It is also examining whether the product can be used safely in clinical settings without creating avoidable exposure risks.

Why CDRH Matters to Public Health

CDRH affects public health in two ways at once. It helps keep unsafe or ineffective products off the market, and it helps move useful technology to patients faster when the evidence supports it.

Safety and Effectiveness Are the Baseline

A central part of CDRH’s mission is evaluating whether medical devices perform as intended without creating unacceptable risk. That includes premarket review, postmarket signal detection, adverse event analysis, recalls, safety communications, and corrective actions.

Reusable devices are a good example. Cleaning and disinfection failures can turn an otherwise useful device into an infection vector. CDRH has repeatedly addressed these issues through guidance, review expectations, and postmarket action. That is the agency doing what it is supposed to do: connecting real-world use to regulatory control.

For manufacturers, the lesson is simple. Safety is not what your design team intended. Safety is what can be demonstrated, maintained, and monitored in actual use.

CDRH Also Pushes Innovation

Good regulation should not reward paperwork theater. It should reward evidence, clear claims, and disciplined engineering. CDRH has programs intended to support that, including the Breakthrough Devices Program for technologies that may offer more effective treatment or diagnosis for serious conditions.

The point is not speed for its own sake. The point is getting clinically meaningful technology to patients without dropping the standard. That balance matters, especially in software-enabled and connected devices where iteration is common but risk does not disappear just because the release cycle is fast.

CDRH’s Influence Beyond the United States

See also: Why Medical Device Cybersecurity Is Nothing Like Enterprise, How Can Medical Device Manufacturers Support Operational, and Navigating the Cybersecurity Landscape for MedTech.

CDRH regulates products for the U.S. market, but its influence reaches much further. Many of its policies, review approaches, and standards work shape how manufacturers build products for global distribution.

CDRH works with regulators and standards bodies outside the United States to improve alignment and reduce unnecessary duplication. That does not mean every market is the same. It means there is value in shared approaches to evidence, safety expectations, and technical standards.

One important piece of that work is participation in international standards development. For example, standards in the IEC 60601 family help define safety expectations for medical electrical equipment used across markets. When CDRH contributes to that work, manufacturers benefit from clearer design targets and more consistent expectations across jurisdictions.

International collaboration also matters for emerging technologies. Software, AI-enabled functions, wireless communications, and cybersecurity risks do not stop at borders. Regulators know that. Manufacturers should act like they know it too.

Where CDRH Is Headed

CDRH is dealing with a device market that looks very different from the one many legacy regulations were written for. Software updates are frequent. Connectivity is standard. Clinical functionality increasingly depends on data pipelines, third-party components, cloud services, and machine learning.

Emerging Challenges

Several issues continue to pressure both industry and regulators:

• digital health expansion
• AI and machine learning in device functions
• software validation and change management
• medical device cybersecurity
• postmarket visibility into real-world performance
• data integrity, privacy, and interoperability

Cybersecurity deserves special attention. Connected devices create real attack surface, and the FDA has made clear that cybersecurity is part of device safety. That means manufacturers need more than a vague risk statement and a few security claims in a design document. They need secure architecture, threat modeling, verification, SBOM discipline where applicable, vulnerability handling processes, and evidence they can defend in an FDA submission and after launch.

Strategic Priorities

CDRH’s priorities continue to center on patient access, product quality, regulatory science, and modern review approaches for newer technologies. Programs related to digital health and software oversight reflect an effort to adapt regulatory tools to how products are actually built and maintained.

The direction of travel is clear. The FDA expects manufacturers to understand their devices as systems, not static widgets. That includes software behavior, update mechanisms, interfaces, supply chain dependencies, and postmarket risk management. Teams that still treat compliance as a last-minute submission exercise will keep running into avoidable problems.

CDRH is one of the most important parts of the FDA for device manufacturers because it sits at the intersection of safety, innovation, and enforcement. If you make medical technology, understanding how CDRH thinks is not optional. It is part of building products that can survive review, perform in the field, and stay on the market.

As CDRH pushes harder on connected technology, manufacturers need cybersecurity work that stands up to scrutiny. Blue Goat Cyber, a Veteran-Owned business, helps medical device companies assess and strengthen security through penetration testing, HIPAA support, and FDA compliance services. If your device has software, connectivity, or patient risk tied to cyber failure, contact us today for cybersecurity help.

How Blue Goat approaches this

The Blue Goat Cyber methodology aligns with the FDA's expectations for medical device cybersecurity, preventing issues before they become costly problems. Our team identifies and mitigates vulnerabilities across the entire product lifecycle, from initial design to postmarket support. We perform thorough threat modeling, risk assessments, and penetration testing, applying specialized knowledge in medical device contexts. Our experts, including CISSP and OSCP certified professionals with ex-military red team experience, prepare and review documentation for FDA submissions, ensuring compliance. We focus on practical, actionable security measures that satisfy regulatory requirements and enhance device safety. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Learn more about our premarket cybersecurity services.

FAQ

What is the primary role of CDRH?

CDRH assures that medical devices and radiation-emitting products are safe and effective for patients. This involves premarket evaluation, postmarket monitoring, and enforcement of regulatory requirements.

How does CDRH handle cybersecurity for medical devices?

CDRH views cybersecurity as integral to device safety and effectiveness. The February 3, 2026 final guidance outlines expectations for secure product design, threat modeling, and postmarket vulnerability management for FDA submissions.

Does CDRH regulate all medical devices?

Yes, CDRH regulates all medical devices, from low-risk general wellness products to high-risk implantable devices, based on their classification and intended use.

How does CDRH support innovation in medical technology?

CDRH supports innovation through programs like the Breakthrough Devices Program, which aims to expedite market access for technologies offering more effective treatment or diagnosis for serious conditions, provided evidence supports safety and effectiveness.

Why is CDRH's influence global?

CDRH's policies and review approaches often shape global manufacturing practices. It also collaborates with international regulators and standards bodies to foster alignment and consistency in medical device oversight.

What emerging challenges is CDRH addressing?

CDRH is adapting to challenges posed by digital health, AI/ML integration, software as a medical device, and the increasing complexity of medical device cybersecurity and interoperability.

Related: Medical Device Cybersecurity: A Complete Lifecycle Guide

About the author

Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.