FDA Deficiency: Inadequate Vulnerability Management Plan
An 'inadequate vulnerability management plan' deficiency is rarely about whether you have a plan — most submissions do. It is about whether the plan answers the operational questions a reviewer will ask: how new vulnerabilities are discovered, on what timeline they are triaged, who decides whether a patch is required, how patches are tested and deployed to fielded devices, and how end users are notified. The 2026 guidance and the underlying Section 524B requirements treat this as a lifecycle commitment, not a paragraph in the cybersecurity narrative.
What FDA reviewer language looks like
Paraphrased patterns from real deficiency letters. Not verbatim FDA quotes.
- Pattern 1: The vulnerability management plan does not specify the timelines within which newly identified vulnerabilities will be assessed, prioritized, and remediated. Provide quantitative triage and remediation timelines aligned with the severity classifications used in the plan.
- Pattern 2: The plan does not describe a coordinated vulnerability disclosure process. Provide a documented process by which security researchers and customers can report vulnerabilities and how the manufacturer will acknowledge, investigate, and respond to those reports.
- Pattern 3: The mechanism by which security updates will be delivered to fielded devices is not described. Provide a description of the update delivery mechanism, including whether updates are signed, how integrity is verified, and how customers are notified.
Why this happens
- The VM plan is written by the regulatory team using a template, not by the security operations team that will execute it.
- Triage timelines are missing because no internal SLA exists, or the SLA is informal and was not committed to writing.
- There is no published CVD process, often because the company does not have a security.txt file, a disclosure email, or a public policy document.
- Update delivery is described in product documentation but not surfaced in the cybersecurity package.
How to fix it
- State quantitative triage SLAs by severity (e.g., critical: triage in 24h, fix in 30 days; high: triage in 72h, fix in 60 days). Reviewers grade specificity.
- Publish a coordinated vulnerability disclosure policy at a stable URL, reference it in the plan, and describe acknowledgement timeframes and safe harbor.
- Document the patch lifecycle end to end: discovery, triage, fix, test, sign, distribute, verify-on-device, customer notify.
- Connect the plan to the SBOM: when a new CVE is published against an SBOM component, state who is notified and at what point the triage clock starts.
- Reference the post-market cybersecurity plan and demonstrate the two are consistent.
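The list above describes the SLA table and the SBOM-to-triage linkage in prose; a reviewer wants to see them as mechanism. The following is an added example, not code from the page or from any FDA document: it takes a constructed SBOM excerpt and a constructed advisory (the CVE id is a placeholder), matches affected components by package URL, derives a severity row from the CVSS base score (the CVSS-to-SLA mapping, the medium and low SLA rows, and the per-component `owner` field are assumptions; the critical and high rows use the page's example values), starts the triage clock at advisory publication, and reports whether a ticket is inside its SLA at a given time, which is the auditable record the page says reviewers are looking for.

```python
"""SLA tracker for a device vulnerability management plan (added example)."""
from datetime import datetime, timedelta

# SLA table. Critical and high rows are the page's example values;
# the medium and low rows are assumptions added for completeness.
SLA = {
    "critical": {"triage": timedelta(hours=24), "fix": timedelta(days=30)},
    "high":     {"triage": timedelta(hours=72), "fix": timedelta(days=60)},
    "medium":   {"triage": timedelta(days=7),   "fix": timedelta(days=90)},
    "low":      {"triage": timedelta(days=14),  "fix": timedelta(days=180)},
}

# Constructed SBOM excerpt (CycloneDX-like fields, hand-written for this example).
# "owner" is an assumed field naming the team that receives the notification.
SBOM = [
    {"name": "openssl",   "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k",   "owner": "platform-team"},
    {"name": "zlib",      "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11",      "owner": "platform-team"},
    {"name": "device-ui", "version": "4.2.0",  "purl": "pkg:generic/device-ui@4.2.0",  "owner": "ui-team"},
]

# Constructed advisory. The CVE id is a placeholder, not a real identifier.
ADVISORY = {
    "id": "CVE-XXXX-XXXXX (placeholder)",
    "published": "2026-01-10T09:00:00Z",
    "cvss_base": 9.8,
    "affected": {"pkg:generic/openssl": ["1.1.1k", "1.1.1l"]},
}


def parse_utc(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def split_purl(purl):
    """Return (base, version) for a purl like pkg:type/name@version?qualifiers."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, (version or None)


def severity_class(cvss_base):
    """Map a CVSS v3.x base score to an SLA row using the FIRST qualitative bands.
    Using those bands as the plan's severity classes is an assumption."""
    if cvss_base >= 9.0:
        return "critical"
    if cvss_base >= 7.0:
        return "high"
    if cvss_base >= 4.0:
        return "medium"
    return "low"


def match_sbom(sbom, advisory):
    """Return SBOM components whose purl base and exact version are listed as affected."""
    hits = []
    for comp in sbom:
        base, version = split_purl(comp["purl"])
        if version in advisory["affected"].get(base, []):
            hits.append(comp)
    return hits


def open_tickets(sbom, advisory):
    """Start the triage clock at advisory publication and compute both deadlines
    for every affected component, naming the owner who is notified."""
    published = parse_utc(advisory["published"])
    sev = severity_class(advisory["cvss_base"])
    return [
        {
            "advisory": advisory["id"],
            "component": comp["purl"],
            "notify": comp["owner"],
            "severity": sev,
            "clock_start": published,
            "triage_due": published + SLA[sev]["triage"],
            "fix_due": published + SLA[sev]["fix"],
        }
        for comp in match_sbom(sbom, advisory)
    ]


def sla_status(ticket, now, triaged_at=None, fixed_at=None):
    """Report where a ticket stands against its SLA at time `now`.
    This is the record a post-market audit would ask for."""
    if fixed_at is not None:
        return "closed-in-sla" if fixed_at <= ticket["fix_due"] else "closed-late"
    if triaged_at is None and now > ticket["triage_due"]:
        return "triage-overdue"
    if now > ticket["fix_due"]:
        return "fix-overdue"
    return "on-track"


if __name__ == "__main__":
    for t in open_tickets(SBOM, ADVISORY):
        print(t["component"], "->", t["notify"], t["severity"],
              "triage by", t["triage_due"].isoformat(), "fix by", t["fix_due"].isoformat())
```

The same functions run unchanged against a full CycloneDX component list and a real advisory feed once the `affected` map is populated from the feed; the point for the submission is that the severity rows, the clock start, and the owner lookup are written down as executable rules rather than as narrative.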
Why timelines beat policy language every time
Reviewers read VM plans for numbers. A page of policy language about 'commitment to timely remediation' will not satisfy a reviewer; a one-paragraph SLA table with severity, triage time, and remediation time will. The reason is operational: timelines are auditable. The FDA can come back during post-market surveillance and ask whether the manufacturer met the SLA they committed to in the submission. Vague language gives the FDA nothing to audit, which is exactly why it is being asked for.
CVD is now a hard expectation
Coordinated vulnerability disclosure used to be a 'nice to have' bullet at the end of the plan. Under the current guidance, the absence of a documented, externally accessible CVD process is itself a deficiency. The minimum bar is a published policy describing how reports are submitted, how they are acknowledged, the expected response timeframe, and the safe-harbor terms for good-faith researchers. Linking to the public policy from the VM plan, and including a screenshot or copy in the submission appendix, closes this thread.
Standards involved
Already responding to this deficiency?
Our deficiency response engagement rebuilds the underlying artifact and produces a reviewer-ready response narrative.
FDA Cybersecurity Deficiency Response service
Facing an "inadequate vulnerability management plan" finding?
Bring us the letter. We will map a clean response and rebuild the underlying artifact to FDA 2026 expectations.
