Mar 18, 2026·FDA · Enforcement signalActiveMedium impact

FDA postmarket cybersecurity 'update letter' cadence increases

Blue Goat Cyber tracking shows a year-over-year jump in postmarket cybersecurity update letters citing missing CVD URLs, stale SBOMs, and lack of triage SLAs.

What changed

More letters are referencing the 2026 premarket guidance for postmarket expectations.
Top deficiency themes: missing/stale CVD URL, SBOM not refreshed in 12+ months, no documented triage SLA.

Action for manufacturers

Run a one-day postmarket hygiene sprint: publish or update CVD URL on the device label and security.txt, regenerate SBOM+VEX, and put a numeric triage SLA in your SOP.

Primary sources

FDA postmarket cybersecurity guidance

Related Blue Goat Cyber resources

Entry metadata

Date: Mar 18, 2026
Agency: FDA
Type: Enforcement signal
Status: Active
Impact: Medium
Last reviewed: Jun 5, 2026

Applies to

Marketed cyber devices

What changed

Action for manufacturers

Primary sources

Related Blue Goat Cyber resources

Get FDA cleared without the cybersecurity headaches.