Blue Goat Cyber^SMMedical Device Cybersecurity

⌘K

Book Strategy Session How to prepare →

All regulatory tracker entries

Oct 21, 2025·CISA · Pledge expansionActiveMedium impact

CISA Secure by Design pledge expanded with VEX publication expectation

CISA expanded the Secure by Design pledge so signatories are expected to publish VEX statements alongside SBOMs for shipped products.

What changed

VEX publication is now an explicit pledge expectation, not an aspirational item.
Pledge tracker pages flag signatories that publish SBOM but not VEX.

Action for manufacturers

If you've signed the pledge, stand up a public VEX channel; if you haven't, expect customers to ask why.

Primary sources

CISA Secure by Design

Related Blue Goat Cyber resources

VEX document for medical device FDA

Entry metadata

Date: Oct 21, 2025
Agency: CISA
Type: Pledge expansion
Status: Active
Impact: Medium
Last reviewed: Jun 5, 2026

Applies to

Pledge signatories

More from CISA

CISA adds Linux kernel netfilter use-after-free to KEV (CVE-2026-0511)Apr 22, 2026
CISA adds widely embedded BLE pairing bypass to the KEVApr 15, 2026

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services