Blue Goat Cyber - Medical Device Cybersecurity

    Case Studies

    How FDA clearances actually get won.

    Anonymized engagement narratives from real submissions - challenge, approach, and the outcomes that mattered to the program.

    3 engagements
    Imaging & AI/SaMD · Class II SaMD (De Novo)

    Series-B imaging AI manufacturer (US, ~60 FTEs)

    Timeline: 30-day FDA response window - delivered in 21 days
    Engagement team: Lead consultant + threat-modeling engineer + SBOM/pen-test pair (4 people)
    Standards & guidance: FDA Premarket Cybersecurity Guidance (Feb 3, 2026 final) · AAMI SW96:2023 · IEC 81001-5-1 · ISO 14971 (security harms) · AAMI TIR57
    Tech stack: PyTorch model server behind FastAPI · DICOMweb gateway (Orthanc) · AWS (EKS, S3, KMS, Cognito) · Auth0 federated identity
    Challenge

    An FDA reviewer issued a cybersecurity AI Request on a De Novo submission for an AI triage SaMD, citing an incomplete threat model, a non-conformant SBOM, and missing evidence that the model-loading pipeline had been security-tested. The team had 30 days to respond, no in-house cybersecurity lead, and an investor-board commitment to a Q3 commercial launch.

    Approach
    • Reconstructed the threat model in Microsoft Threat Modeling Tool to AAMI SW96 expectations - 47 STRIDE threats across the DICOM gateway, model loader, inference API, and clinician web app, each traced to an ISO 14971 harm and a mitigating control
    • Generated an FDA-compliant CycloneDX 1.5 SBOM for the entire model-serving stack, including transitive Python wheels and the CUDA/cuDNN runtime; mapped 312 components against KEV and EPSS
    • Ran an authenticated gray-box pen test against the SaMD REST API, the DICOMweb endpoints, and the model-loader (pickle deserialization, model substitution, prompt-injection-style adversarial inputs)
    • Drafted the deficiency response narrative aligned line-by-line to the reviewer's questions, with a cross-reference matrix back to the SPDF evidence package
    Outcome
    Deficiency cleared in: 21 days
    Final submission outcome: De Novo granted
    Additional reviewer rounds: 0
    High/critical pen-test findings closed before response: 100%
    Deliverables
    • 47-threat STRIDE model with traceability matrix to ISO 14971 harms
    • CycloneDX 1.5 SBOM (312 components) + vulnerability disclosure sheet
    • Pen test report with 3 highs / 11 mediums and remediation guidance
    • FDA AI Request response letter (12 pages) with evidence appendices
    • Updated SPDF cybersecurity plan and postmarket monitoring SOP
    What we'd tell the next team
    • Pickle-based model loading is the single most common cyber finding we see in PyTorch SaMDs - swap to safetensors before submission, not after
    • Reviewers want to see the SBOM tied to a vulnerability triage process, not just an inventory - KEV + EPSS scoring closes that loop
    • Threat models written without explicit harm mapping read as security theater; SW96 traceability is what moves a reviewer
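To make the pickle-versus-safetensors point concrete, here is an added example (not Blue Goat's tooling and not from the engagement): a stdlib-only Python check that classifies a model artifact by its container format and lists the globals a pickle would import, without ever deserializing it. The torch.save() zip layout and the safetensors header layout are as those projects document them; the sample artifacts are constructed in memory.

```python
import io, json, pickle, pickletools, struct, zipfile
from collections import OrderedDict

def pickle_globals(data: bytes) -> list:
    """Names a pickle would import, found by disassembly; nothing is executed."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING", "SHORT_BINSTRING"):
            strings.append(arg)
        elif op.name == "GLOBAL":                 # protocol <= 3: arg is "module name"
            found.append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL":           # protocol 4+: two strings pushed just before
            found.append(".".join(strings[-2:]))
    return found

def classify_model_file(data: bytes) -> dict:
    """Tell a safetensors artifact from a pickle-based one by its header, never by loading it."""
    if data[:4] == b"PK\x03\x04":                 # torch.save() zip container
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            pkls = [n for n in zf.namelist() if n.endswith(".pkl")]
            globs = [g for n in pkls for g in pickle_globals(zf.read(n))]
        fmt = "torch-zip-pickle" if pkls else "zip"
        return {"format": fmt, "safe_to_load": False, "globals": globs}
    if len(data) >= 2 and data[0] == 0x80 and data[1] <= 5:   # bare pickle stream
        return {"format": "raw-pickle", "safe_to_load": False, "globals": pickle_globals(data)}
    if len(data) >= 8:                            # safetensors: u64 LE header length + JSON header
        (n,) = struct.unpack("<Q", data[:8])
        try:
            hdr = json.loads(data[8:8 + n]) if 8 + n <= len(data) else None
        except ValueError:
            hdr = None
        if isinstance(hdr, dict) and all(isinstance(v, dict) for v in hdr.values()):
            return {"format": "safetensors", "safe_to_load": True, "globals": []}
    return {"format": "unknown", "safe_to_load": False, "globals": []}

# Constructed sample artifacts (not real model weights).
_pkl2 = pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=2)          # uses GLOBAL
SAMPLE_RAW_PICKLE = pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=4)  # uses STACK_GLOBAL
_zip = io.BytesIO()
with zipfile.ZipFile(_zip, "w") as zf:
    zf.writestr("model/data.pkl", _pkl2)
    zf.writestr("model/version", "3")
SAMPLE_TORCH_ZIP = _zip.getvalue()
_hdr = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
SAMPLE_SAFETENSORS = struct.pack("<Q", len(_hdr)) + _hdr + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("raw", SAMPLE_RAW_PICKLE), ("zip", SAMPLE_TORCH_ZIP), ("st", SAMPLE_SAFETENSORS)]:
        print(name, classify_model_file(blob))
```

A gate like this belongs in the model-loading path and in CI, so that a pickle-based checkpoint fails the build rather than reaching a reviewer's pen test.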
    "We had three weeks to respond and no playbook. Blue Goat dropped in, took ownership of the cyber section, and we cleared on the next round."
    - VP Regulatory, imaging AI manufacturer
    Cardiovascular · Class II 510(k)

    Cardiac remote-monitoring manufacturer (US/EU dual market)

    Timeline: 16 weeks pre-submission (Jan - Apr 2025), first-cycle clearance in 84 days
    Engagement team: Principal consultant + hardware/RF pen-test lead + firmware reverse engineer + threat-modeling engineer (4 people)
    Standards & guidance: FDA Premarket Cybersecurity Guidance (Feb 3, 2026 final), Section 524B · AAMI SW96, IEC 81001-5-1, IEC 62304 · AAMI TIR57 · NIST SP 800-30 / 800-53 (referenced controls) · ANSI/AAMI SW68 for postmarket
    Tech stack: ARM Cortex-M4 MCU with secure boot · Cellular LTE-M backhaul + BLE 5.0 to home gateway · Linux-based home gateway (Yocto) · AWS IoT Core + Lambda + Aurora
    Challenge

    A connected cardiac event monitor with cellular backhaul needed a complete premarket cybersecurity package for a 510(k), with the device launching to a national hospital network at scale. The MCU firmware had been carried over from a legacy un-cleared product line, secure boot was implemented but never audited, and the cellular AT-command surface had never been fuzzed.

    Approach
    • Full STRIDE threat model spanning implant-side firmware, BLE pairing, the home gateway, and the AWS IoT cloud control plane - 62 threats with explicit attack trees for the high-risk paths (cellular MITM, BLE pairing downgrade, gateway-side firmware update poisoning)
    • Hardware and firmware penetration test: JTAG/SWD reachability, fuse state, secure boot bypass attempts, anti-rollback enforcement, and SDR-based RF capture/replay on the BLE link
    • Cellular AT-command and TCP/TLS surface fuzzing on the modem stack; PKI review of the device certificates and AWS IoT policies
    • FDA-aligned CycloneDX SBOM for firmware, gateway image, and cloud microservices, with a postmarket vulnerability management plan keyed to KEV/EPSS and a 30-day patch SLA
    • Drafted the cybersecurity sections of the 510(k) eSTAR package and the §524B SPDF evidence binder
    Outcome
    510(k) clearance: Granted on first cycle
    Cybersecurity AIs from FDA: 0
    High/critical findings closed pre-submission: 100%
    Days from submission to clearance: 84
    Deliverables
    • 62-threat STRIDE model + 4 detailed attack trees
    • Hardware/firmware pen-test report (38 pages) with fix verification re-test
    • CycloneDX SBOM across 3 components (firmware / gateway / cloud)
    • Postmarket cybersecurity plan with CVD policy and disclosure timelines
    • eSTAR cybersecurity module content + SPDF evidence binder
    What we'd tell the next team
    • BLE pairing must use Numeric Comparison or OOB - 'Just Works' will draw an AI Request 100% of the time on a Class II monitor
    • Anti-rollback is the single highest-leverage control on field-deployed firmware; test it in production-equivalent units, not dev boards
    • A postmarket plan with named SLAs (patch window, CVD response time) is what separates a 'pass' from 'pass with minor comments'
    "First-cycle clearance with zero cyber AIs. That's not luck - that's preparation."
    - Director of Quality, cardiac monitoring manufacturer
    Neuromodulation / Active Implantables · Class III PMA

    Implantable neurostimulator manufacturer (Class III, life-sustaining)

    Timeline: 11 months across pre-PMA and PMA review (May 2024 - Apr 2025), 2 AI rounds resolved
    Engagement team: Principal consultant + 2 hardware/RF engineers + cryptographer + SBOM lead + regulatory writer (6 people)
    Standards & guidance: FD&C Act §524B · FDA Premarket Cybersecurity Guidance (Feb 3, 2026 final) · AAMI SW96, IEC 81001-5-1, IEC 62304 Class C · ISO 14971 (life-sustaining harm scenarios) · FIPS 140-3 (cryptographic module review) · ANSI/AAMI/IEC TIR60601-4-5 (security capabilities) · ISO/IEEE 11073-40101 (PHD security)
    Tech stack: Implant: ARM Cortex-M33 + custom MICS-band radio · Programmer: Windows tablet + proprietary inductive link · Patient remote: BLE 5.2 with LE Secure Connections · Cloud: Azure (AKS, Key Vault HSM, Event Hub) with FedRAMP-aligned controls
    Challenge

    A pre-PMA implantable neurostimulator with a wireless programmer, patient remote, and cloud telemetry needed a full Section 524B cybersecurity package that would survive an Advisory Panel and a multi-cycle PMA review - with patient-safety risk tolerances far tighter than a typical 510(k). The device is life-sustaining, the radio link is proprietary, and a successful attack on the firmware update path would be unrecoverable in the field.

    Approach
    • End-to-end STRIDE threat model covering implant, programmer, patient remote, gateway, and cloud - 138 threats with explicit life-sustaining harm scenarios mapped to ISO 14971, including therapy-suspension, over-stimulation, and battery-drain attack paths
    • FIPS 140-3 cryptographic review of the MICS/BLE link, programmer authentication, and signed firmware update path; identified and closed a nonce-reuse risk in the implant's session establishment
    • Hardware, firmware, and RF penetration test on production-equivalent units - JTAG fusing audit, secure boot chain validation, anti-rollback enforcement, MICS-band replay/jamming, and side-channel analysis on the inductive programmer link
    • FDA-compliant CycloneDX SBOM for implant firmware, programmer software, and cloud services (1,847 components total) with KEV/EPSS-driven postmarket vulnerability management plan and a 14-day patch SLA for critical findings
    • Authored the §524B narrative, full SPDF evidence package, and postmarket cybersecurity plan inside the PMA modules; supported two FDA AI Request rounds and the cybersecurity portion of Advisory Panel prep
    Outcome
    PMA outcome: Approved
    Cybersecurity AI rounds resolved: 2 of 2
    Field-replaceable cyber controls at approval: 100%
    Open high/critical findings at lock: 0
    Schedule slip caused by cyber workstream: 0 days
    Deliverables
    • 138-threat STRIDE model with life-sustaining harm matrix
    • FIPS 140-3 cryptographic assessment + remediation verification
    • Hardware/firmware/RF pen-test report (94 pages) + side-channel addendum
    • CycloneDX SBOMs for 3 components (1,847 components, KEV/EPSS triaged)
    • §524B narrative + full SPDF evidence binder embedded in PMA modules
    • Advisory Panel cybersecurity briefing deck and Q&A backstop
    • Postmarket cybersecurity plan with CVD policy and 14-day critical patch SLA
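The "SBOM tied to a vulnerability triage process" loop from the imaging case, the 30-day patch SLA keyed to KEV/EPSS in the cardiac case, and the KEV/EPSS-triaged SBOM with a 14-day critical SLA here all come down to the same small decision table. The following is an added illustration, not a Blue Goat deliverable: a Python triage over a CycloneDX-1.5-shaped BOM with constructed KEV and EPSS feeds; the EPSS thresholds are an assumed policy, not from the page, and the CVE ids are placeholders.

```python
from dataclasses import dataclass

# Constructed CycloneDX-1.5-shaped BOM and feeds; CVE ids are placeholders, not real ones.
SAMPLE_BOM = {
    "components": [
        {"bom-ref": "pkg:pypi/torch@2.1.0", "name": "torch", "version": "2.1.0"},
        {"bom-ref": "pkg:pypi/fastapi@0.95.0", "name": "fastapi", "version": "0.95.0"},
        {"bom-ref": "pkg:generic/cudnn@8.9", "name": "cudnn", "version": "8.9"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:pypi/torch@2.1.0"}]},
        {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:pypi/fastapi@0.95.0"}]},
        {"id": "CVE-0000-0003", "affects": [{"ref": "pkg:generic/cudnn@8.9"}]},
    ],
}
SAMPLE_KEV = {"CVE-0000-0002"}                                # stand-in for the CISA KEV catalogue
SAMPLE_EPSS = {"CVE-0000-0001": 0.62, "CVE-0000-0003": 0.02}  # stand-in for FIRST EPSS scores

@dataclass
class Finding:
    cve: str
    component: str
    tier: str
    sla_days: int      # 0 means "monitor": no patch clock is running
    reason: str

def triage(bom, kev, epss, critical_sla=14, high_sla=30, epss_crit=0.5, epss_high=0.1):
    """Assumed policy: KEV or EPSS >= epss_crit -> critical; EPSS >= epss_high -> high; else monitor.
    SLA defaults follow the 14-day critical and 30-day patch windows quoted in the case studies."""
    names = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in bom["components"]}
    findings = []
    for v in bom.get("vulnerabilities", []):
        cve, score = v["id"], epss.get(v["id"], 0.0)
        if cve in kev:
            tier, sla, why = "critical", critical_sla, "listed in KEV (known exploited)"
        elif score >= epss_crit:
            tier, sla, why = "critical", critical_sla, f"EPSS {score:.2f} >= {epss_crit}"
        elif score >= epss_high:
            tier, sla, why = "high", high_sla, f"EPSS {score:.2f} >= {epss_high}"
        else:
            tier, sla, why = "monitor", 0, f"EPSS {score:.2f}, not in KEV"
        for a in v.get("affects", []):
            findings.append(Finding(cve, names.get(a["ref"], a["ref"]), tier, sla, why))
    rank = {"critical": 0, "high": 1, "monitor": 2}   # KEV entries sort first within a tier
    findings.sort(key=lambda f: (rank[f.tier], f.cve not in kev, -epss.get(f.cve, 0.0)))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_BOM, SAMPLE_KEV, SAMPLE_EPSS):
        print(f"{f.tier:8} {f.cve} {f.component:18} SLA={f.sla_days}d  {f.reason}")
```

The output of this run, dated and attached to each SBOM revision, is the kind of evidence that shows a reviewer the inventory feeds a decision rather than sitting in a spreadsheet.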
    What we'd tell the next team
    • On a life-sustaining implant, every cyber control must be field-recoverable - if a finding can only be fixed by explant, it must be closed before lock, not deferred postmarket
    • Proprietary RF links don't get a security pass; reviewers will ask for the same evidence you'd show for BLE - replay resistance, freshness, and authenticated firmware updates
    • Two AI rounds is the median for Class III cyber; build the SPDF evidence binder so AI responses are a re-cut, not a rewrite
    "PMA reviewers don't grade on a curve. Blue Goat built a cyber package that held up through panel prep, two AI rounds, and final approval - without ever pushing our timeline."
    - VP Regulatory & Quality, implantable neurostimulator manufacturer

    Hear it from clients

    Read what MedTech leaders say about working with us.

    Reviews from quality, regulatory, and engineering leaders across wearables, IVDs, and SaMD startups.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.