Blue Goat CyberSMMedical Device Cybersecurity
    K
    All regulatory tracker entries
    Feb 3, 2026·FDA · Final GuidanceActiveHigh impact

    FDA finalizes 2026 premarket cybersecurity guidance

    FDA's 2026 final guidance replaces the 2023 document and sets binding expectations for SBOM, VEX, threat modeling, security testing, postmarket plans, and CVD for every cyber device submission.

    What changed

    • SBOM is required at submission with named components, versions, and suppliers (no vague 'TBD' rows).
    • VEX or equivalent exploitability status is expected for known vulnerabilities at submission time.
    • Threat modeling must be traceable to design controls and to the security risk file (AAMI SW96 / TIR57).
    • Postmarket plans must define monitoring sources, triage SLAs, and a published CVD URL.

    Action for manufacturers

    Update premarket templates to align with the 2026 structure: separate cybersecurity risk file, SBOM+VEX bundle, threat model traceability, and postmarket plan with CVD URL on the device label.

    Primary sources

    Related Blue Goat Cyber resources

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.