Premarket → Launch → Operate
What FDA expects, and when. A three-phase plan for the cybersecurity work that starts before your 510(k) is filed, lights up before your first device ships, and runs for the life of the product. Built for Regulatory, Quality, Engineering, and Executive leaders shipping connected medical devices in 2026.
FDA pushed cybersecurity left. It is no longer something you add after clearance — it is a documented, inspectable program FDA reviews as part of your 510(k), De Novo, or PMA. Miss it and your submission is refused. Operate it badly and your devices get recalled.
Section 524B of the FD&C Act made cybersecurity a precondition for clearance: every “cyber device” submission must include a postmarket cybersecurity plan, SBOM, coordinated vulnerability disclosure (CVD) policy, and patch process. The FDA’s Feb 2026 final guidance and QMSR (21 CFR Part 820) incorporating IEC 81001-5-1 raised the bar further. Post-clearance, you now run an ongoing program: monthly CVE triage against your SBOM, quarterly KPI reporting, annual pen tests and IR exercises, and a MedWatch-reportable decision workflow when something goes wrong.
Premarket Build: cybersecurity plan, SBOM baseline, CVD policy, patch process, and IR plan authored and reviewed as submission documents.
Pre-Launch Activation: all plans made operational. SBOM tooling live in CI/CD, vulnerability monitoring active, CVD inbox standing, MDS2 published.
Postmarket Operate: monthly triage, quarterly KPI reports, annual pen test and IR exercise, and MedWatch decision support for every cybersecurity event.
Unlike enterprise software, medical devices have decade-long field lifespans, constrained update windows, patient-safety implications for every patch decision, and a regulatory framework that treats your postmarket security program as an inspectable quality record. A vulnerability that would be a one-hour hotfix in SaaS is a multi-month change-controlled event tied to 21 CFR Part 820 and ISO 14971.
Premarket Build · Pre-Launch Activation · Postmarket Operate. Each phase has specific deliverables, owners, and regulatory tie-ins. Use this section as your program roadmap.
Phase 1, Premarket Build: author the complete postmarket program as submission documents. FDA reviews every plan, policy, and process description on day one.

Author the postmarket plan FDA reviews as part of your submission. Defines how you will identify, assess, and address cybersecurity vulnerabilities for the life of the device.
Owners: Product Security Lead · VP Quality / Regulatory
Regulatory tie-in: 21 USC §524B(b)(1) and FDA guidance §V — the cybersecurity plan is a required element of a “cyber device” submission.

Generate the first complete Software Bill of Materials in a machine-readable format. This is the artifact FDA uses to evaluate your vulnerability monitoring capability.
Owners: Engineering · Product Security
Regulatory tie-in: FDA guidance §VI.B — machine-readable SBOM with transitive dependencies required. IEC 81001-5-1 §5.6 requires SBOM throughout lifecycle.

Document exactly how you will correlate SBOM components to CVE feeds after clearance, who triages, and what the SLAs are for each severity tier.
Owners: Product Security · Quality
Regulatory tie-in: FDA guidance §VI.A — monitoring must be documented and operational post-clearance. IEC 81001-5-1 §5.7 requires ongoing TPLC vulnerability tracking.

Publish the intake path and response process for external security researchers — a required submission element and a patient-safety expectation.
Owners: Product Security · Legal · Communications
Regulatory tie-in: FDA guidance §VII — CVD is explicitly required. Absence of a documented program is a common deficiency.

Document the change-controlled workflow for delivering security patches: how updates are tested, signed, distributed, and validated in the field.
Owners: Engineering · Regulatory · Quality
Regulatory tie-in: FDA guidance §VI.C — updateability is a required architecture view. The update mechanism must be validated end-to-end.

Define the decision logic for cybersecurity incidents: triage, containment, MedWatch reporting threshold, customer notification, and corrective action.
Owners: Product Security · Regulatory Affairs · Executive Sponsor
Regulatory tie-in: 21 CFR 803 — cybersecurity events causing patient harm are MedWatch-reportable. FDA expects a documented decision process.
We author the full premarket cyber package — RTA-proof on §524B elements.
Phase 2, Pre-Launch Activation: make every premarket plan operational before Day 1. Plans on paper are not enough — the moment a device is in a hospital, the clock starts on CVD response, MDS2 currency, and MedWatch reporting.

SBOM generation runs automatically on every release build. Output is stored, queryable, and diffable. No manual steps.
Owners: Engineering · DevSecOps
Regulatory tie-in: FDA guidance + IEC 81001-5-1 §5.6 — SBOM is a living artifact maintained throughout the device lifecycle.

Live correlation of SBOM components to NVD, CISA KEV, ICS-CERT, vendor PSIRTs, and H-ISAC. Daily digest routed to a named triage owner.
Owners: Product Security · SOC / Managed Service Partner
Regulatory tie-in: FDA guidance §VI.A — monitoring must be active, not aspirational, the moment devices are in the field.

security@ inbox monitored, security.txt published on company and product domains, PGP key distributed, acknowledgement workflow live.
Owners: Product Security · IT · Communications
Regulatory tie-in: FDA guidance §VII — CVD must be operational, with a published intake path, before devices ship.

Hospitals, IDNs, and procurement teams expect a current MDS2 and a security documentation pack at point of sale. Missing either is now an RFP gating issue.
Owners: Product Marketing · Product Security · Customer Success
Regulatory tie-in: FDA guidance §VI.D + IMDRF transparency principles — timely customer communication is part of a recognized program.

Run at least one full tabletop cybersecurity incident exercise. Validate communications tree, MedWatch decision logic, and corrective-action workflow before any real event.
Owners: Product Security · Regulatory Affairs · Quality
Regulatory tie-in: FDA guidance — IR readiness is part of the inspectable postmarket program. Tabletop evidence satisfies both FDA and notified bodies.

Every quality and engineering team member understands their role in the cyber program. Every third-party software vendor has a contractual obligation to provide CVE notifications and SBOMs.
Owners: Quality · Procurement · Product Security
Regulatory tie-in: QMSR (21 CFR Part 820) — training and supplier controls are inspectable quality records.
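The published intake path above rests on a security.txt file that researchers (and their tooling) can find and trust. The following is an added Python example, not Blue Goat Cyber's code: it renders an RFC 9116 security.txt with the two mandatory fields (Contact and Expires) plus the optional Canonical, Encryption and Policy pointers, and sanity-checks a file before it goes on the company and product domains. The domain, mailbox, key URL and policy URL are constructed placeholders; the one-year Expires horizon follows the RFC's recommendation.

```python
"""Render and sanity-check an RFC 9116 security.txt for the CVD intake path.

Added example, not Blue Goat Cyber's code. The domain, contact address,
PGP key URL and policy URL are constructed placeholders.
"""
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")   # URI schemes RFC 9116 accepts for Contact


def render_security_txt(contact, expires_iso, canonical, encryption=None, policy=None):
    """Return the file body. Contact and Expires are mandatory; Expires must
    carry a UTC offset so the staleness check is unambiguous."""
    lines = [f"Contact: {contact}", f"Expires: {expires_iso}", f"Canonical: {canonical}"]
    if encryption:
        lines.append(f"Encryption: {encryption}")   # where the PGP key is published
    if policy:
        lines.append(f"Policy: {policy}")           # the public CVD policy
    return "\n".join(lines) + "\n"


def parse_fields(text):
    """Collect field values by name; blank lines and # comments are ignored."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_ts(value):
    # datetime.fromisoformat accepts "+00:00" on every supported Python; "Z" only on 3.11+
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_security_txt(text, now_iso):
    """Return a list of findings; an empty list means the file passes."""
    fields = parse_fields(text)
    now = _parse_ts(now_iso)
    findings = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in fields]
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        findings.append("Expires must appear exactly once")
    elif expires:
        try:
            ts = _parse_ts(expires[0])
            if ts.tzinfo is None:
                findings.append("Expires lacks a timezone offset")
            elif ts <= now:
                findings.append("Expires is in the past: file is stale")
            elif ts > now + timedelta(days=366):
                findings.append("Expires is more than a year out (RFC 9116 recommends under a year)")
        except ValueError:
            findings.append("Expires is not an ISO 8601 timestamp")
    for c in fields.get("Contact", []):
        if not c.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a URI: {c}")
    return findings


if __name__ == "__main__":
    body = render_security_txt(
        contact="mailto:security@example-device-maker.invalid",        # placeholder mailbox
        expires_iso="2026-09-01T00:00:00Z",
        canonical="https://example-device-maker.invalid/.well-known/security.txt",
        encryption="https://example-device-maker.invalid/pgp-key.txt",  # placeholder key URL
        policy="https://example-device-maker.invalid/cvd-policy",       # placeholder policy URL
    )
    print(body)
    print("findings:", check_security_txt(body, "2026-03-01T00:00:00Z"))
```

Run the check as a scheduled job so an expired file, which many researchers treat as "no disclosure program", is caught before it silently breaks the intake path the submission promised.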
Phase 3, Postmarket Operate: run the continuous loop: monthly triage, quarterly KPI review, annual exercises, and event-driven response. Every cycle produces inspectable evidence for FDA, notified bodies, and your board.

Every new CVE is correlated against the device SBOM. Each match is triaged to closure — patch, risk acceptance, or compensating control — within the defined SLA.
Owners: Product Security · Quality
Regulatory tie-in: IEC 81001-5-1 §5.7 + FDA guidance §VI.A — ongoing monitoring with documented disposition is the core of an inspectable postmarket program.

Security patches are developed, tested, approved, and delivered through the 21 CFR 820 change control process. No out-of-band hotfixes without a documented rationale.
Owners: Engineering · Regulatory Affairs · Quality
Regulatory tie-in: QMSR (21 CFR Part 820) — patches are device changes and require design history file documentation.

Measure the eight postmarket cybersecurity KPIs, review against thresholds, and escalate if any metric is out of bounds. Update MDS2 for any product change.
Owners: Product Security · Quality · VP Regulatory
Regulatory tie-in: FDA guidance §VI.D — transparency and communication cadence with customers is part of the recognized program.

Annual penetration test across all device interfaces, full-scale incident response exercise, and an executive board report on the state of the cybersecurity program.
Owners: Product Security · Executive Sponsor · Board
Regulatory tie-in: FDA guidance — annual pen testing and IR exercises are part of a credible, demonstrable postmarket program.

When a cybersecurity event occurs — a vulnerability causing patient harm risk, a confirmed exploit, or an end-of-life component with no patch — follow the defined escalation and reporting workflow.
Owners: Regulatory Affairs · Executive Sponsor · Legal
Regulatory tie-in: 21 CFR 803 + FDA postmarket guidance — cybersecurity events with patient harm risk are MDR-reportable. FDA expects a documented and practiced decision process.

Every cycle produces records that can be pulled for an FDA inspection, notified body audit, or customer due diligence request with no scramble.
Owners: Quality · Product Security
Regulatory tie-in: QMSR (21 CFR Part 820) — cybersecurity records are quality records. FDA inspectors expect to pull them on-site.
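The monthly triage step above, together with the pre-launch items on a diffable SBOM and live correlation against NVD and CISA KEV, comes down to one mechanical loop: parse the release SBOM, match each component's version against advisory ranges, assign a severity band, and stamp an SLA due date that the disposition record must beat. The following Python is an added example of that loop, not Blue Goat Cyber's tooling. The two CycloneDX-style SBOM fragments, the OSV-shaped feed, the advisory IDs (EXAMPLE placeholders, not real CVE numbers), the rule that a KEV listing is treated as critical, and the SLA day counts are all constructed assumptions; a real program reads the live feeds and takes its SLAs from the premarket monitoring plan.

```python
"""Correlate a CycloneDX-style SBOM against a vulnerability feed, assign SLA
due dates by severity, and diff the SBOM across two release builds.

Added example, not Blue Goat Cyber's tooling. The SBOMs, the feed, the
advisory IDs (EXAMPLE placeholders, not real CVEs), the KEV escalation rule
and the SLA tiers are all constructed assumptions.
"""
import json
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM fragments for two consecutive release builds.
PREVIOUS_SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "openssl",  "version": "3.0.11",  "purl": "pkg:generic/openssl@3.0.11"},
  {"name": "zlib",     "version": "1.2.13",  "purl": "pkg:generic/zlib@1.2.13"},
  {"name": "dropbear", "version": "2022.83", "purl": "pkg:generic/dropbear@2022.83"}]}"""

SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "openssl", "version": "3.0.12", "purl": "pkg:generic/openssl@3.0.12"},
  {"name": "zlib",    "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
  {"name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"}]}"""

# Constructed advisory feed in an OSV-like shape. The IDs are placeholders, not real CVEs.
FEED = [
    {"id": "CVE-0000-EXAMPLE1", "package": "openssl", "introduced": "3.0.0",
     "fixed": "3.0.13", "cvss": 7.5, "in_kev": False},
    {"id": "CVE-0000-EXAMPLE2", "package": "zlib", "introduced": "1.2.0",
     "fixed": "1.2.13", "cvss": 9.8, "in_kev": True},   # shipped version is already fixed
    {"id": "CVE-0000-EXAMPLE3", "package": "busybox", "introduced": "1.30.0",
     "fixed": None, "cvss": 5.3, "in_kev": True},       # no fix yet; KEV listing escalates it
]

# Assumed SLA tiers: days from detection to documented disposition, by severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def version_key(v):
    """Turn '3.0.12' into (3, 0, 12) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    """OSV-style half-open range: introduced <= version < fixed (no fix means open-ended)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def severity_band(cvss, in_kev):
    """CVSS band for the SLA lookup; a CISA KEV listing is treated as critical regardless of score."""
    if in_kev or cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(sbom_json, feed, today_iso):
    """One triage record per (component, advisory) match, earliest SLA due date first."""
    today = date.fromisoformat(today_iso)
    by_name = {c["name"]: c for c in json.loads(sbom_json)["components"]}
    records = []
    for adv in feed:
        comp = by_name.get(adv["package"])
        if comp is None or not is_affected(comp["version"], adv["introduced"], adv["fixed"]):
            continue
        band = severity_band(adv["cvss"], adv["in_kev"])
        records.append({
            "advisory": adv["id"],
            "component": comp["purl"],
            "band": band,
            "due": (today + timedelta(days=SLA_DAYS[band])).isoformat(),
            "fix_available": adv["fixed"] is not None,   # False means risk acceptance or compensating control
        })
    return sorted(records, key=lambda r: r["due"])


def diff_sboms(old_json, new_json):
    """Components added, removed, or re-versioned between two builds: what changed the attack surface."""
    old = {c["name"]: c["version"] for c in json.loads(old_json)["components"]}
    new = {c["name"]: c["version"] for c in json.loads(new_json)["components"]}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


if __name__ == "__main__":
    print("SBOM delta:", diff_sboms(PREVIOUS_SBOM_JSON, SBOM_JSON))
    for r in triage(SBOM_JSON, FEED, "2026-03-01"):
        print(f"{r['advisory']:<20} {r['component']:<32} {r['band']:<8} due {r['due']} fix={r['fix_available']}")
```

Two details carry the inspection value: the half-open version range keeps an already-fixed component (zlib here) out of the queue, so the triage log is not padded with false matches, and a match with no upstream fix still gets a due date, because the disposition the auditor wants to see is the documented risk acceptance or compensating control, not an open ticket.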
Eight metrics every postmarket cybersecurity program reports on. If any metric is out of bounds, it goes to the board.
You do not need to hire a security team to run this plan. Blue Goat Cyber is the MedTech-only cybersecurity firm that builds the premarket package with you, activates the program before launch, and operates the postmarket loop on a fixed-fee subscription.
We author the cybersecurity plan, threat model, SBOM baseline, CVD policy, and patch process for your submission. RTA-proof on §524B elements.
We wire SBOM tooling, monitor CVE feeds, stand up your CVD inbox, publish your MDS2, and run your first IR tabletop — before the first device ships.
Monthly triage, quarterly KPI report, annual pen test, MedWatch decision support, and an inspectable evidence package — on a fixed-fee retainer.
Book a free 30-minute strategy session. We’ll review your current program, identify gaps, and give you a fixed-fee quote for all three phases — within 48 hours.
We respond within 24 hours with a quote.
Tell us about your device, your timeline, and your submission type. No sales pressure — just a clear, honest assessment and a fixed-price quote.
Explore our post-market cybersecurity services, SBOM lifecycle monitoring, annual penetration testing, and FDA premarket submission support.