On this page
Key Takeaways
- Reviewers expect **full-attack-surface** coverage: firmware, hardware interfaces, wireless, mobile companion app, APIs, and cloud backend.
- White-box is the default - reviewers explicitly expect testers to leverage source code, threat models, and architecture documentation.
- A reviewer-ready engagement always produces a **Letter of Attestation** signed by the engagement lead.
- Scope depth differs by pathway: 510(k) maps to the predicate; De Novo and PMA require deeper architectural justification; IDE focuses on study-subject safety.
Pillar Guide · Updated 2026 · 18 min read
Talk to a MedTech cybersecurity expert
What "full attack surface" means
FDA's 2026 final premarket cybersecurity guidance expects the test report to demonstrate coverage of every interface a threat actor could reach. In practice, that means six distinct test domains:
- Firmware - secure boot, debug interfaces (JTAG/SWD/UART), update integrity, key storage, runtime integrity.
- Hardware - chip-level attack surface, side channels, fault injection where relevant to threat model.
- Wireless - BLE, Wi-Fi, cellular, NFC, proprietary RF. Pairing, encryption, GATT permissions, rogue-AP scenarios.
- Mobile companion app - iOS and Android: storage, transport, IPC, biometric handling, jailbreak/root checks.
- APIs - REST/GraphQL endpoints: authn, authz, IDOR, mass assignment, rate limiting, BAA-relevant logging.
- Cloud backend - tenancy isolation, IAM configuration, key management, logging integrity, data export paths.
White-box vs black-box: why white-box wins for FDA
The 2026 guidance says reviewers expect testers to leverage source code, threat models, and architecture documentation. That is white-box testing by definition. Black-box testing simulates an external attacker but consistently misses logic flaws in firmware update validation, key management, secure boot, and inter-component trust assumptions - exactly the controls that matter for patient safety. Default to white-box for premarket, reserve black-box for adversary-simulation scenarios after clearance.
Scope by submission pathway
510(k)
Full attack surface, white-box. Test plan should explicitly compare the cybersecurity attack surface to the predicate device, especially where you have added connectivity, mobile, or cloud beyond the predicate's footprint. Reviewers cite 'predicate divergence not addressed' often.
De Novo
Full attack surface, white-box, plus an architectural-justification section because there is no predicate. The pen test report should map findings against the security architecture you proposed in the De Novo classification request.
PMA
Deepest documentation requirement. Pen test evidence flows into the design history file with full traceability. PMA reviewers frequently coordinate with non-cyber reviewers (risk management, human factors) so the pen test report should be cross-referenced from the security risk assessment and the ISO 14971 risk file.
IDE
Scope focuses on whether unresolved cybersecurity risks could expose study subjects to unreasonable risk under 21 CFR §812.42. Pen testing must validate that compensating controls in the clinical environment are sufficient before enrollment.
The Letter of Attestation
A signed document from the testing firm stating that testing was conducted in accordance with the FDA premarket cybersecurity guidance, that the full attack surface was covered, and that every finding has been remediated or formally risk-accepted. Reviewers look for it because it confirms the test meets FDA-specific expectations rather than general IT-security best practice. Without one, expect a deficiency.
What a reviewer-ready report contains
- Executive summary with risk-rated findings and Letter of Attestation reference.
- Methodology section documenting white-box approach, tools, and standards (NIST SP 800-115, OWASP MASVS, OWASP ASVS, OWASP API Top 10).
- Attack surface inventory with coverage notes per interface.
- Findings written with severity (CVSS + clinical impact under ISO 14971), reproduction steps, evidence (screenshots, packet captures, code references), remediation, status.
- Traceability appendix linking findings back to threat-model entries.
- Signed Letter of Attestation.
Scope mistakes that get cited
- Mobile app tested but not in source-leveraged white-box mode (jailbreak detection bypassed in 30 minutes during reviewer follow-up).
- Cloud testing limited to OWASP API Top 10 scan - no tenancy or IAM validation.
- Wireless tested in protocol stack only, not at the radio layer.
- Firmware tested via released binary - secure boot and key storage not exercised.
- No Letter of Attestation - or a Letter that does not enumerate scope.



