In this issue
-
FDA & US regulatory
Letters, guidance, enforcement
-
CISA KEV & CVEs
Vulnerabilities in your SBOM
-
Standards & international
AAMI, ISO, IEC, EU MDCG
-
What to do this week
Concrete actions for security leads
The most significant medical device cybersecurity news for the week of June 22, 2026 is the FDA's March 18 expansion of its postmarket "update letter" cadence, which is now landing in manufacturers' inboxes weekly rather than quarterly. Two recent CISA KEV additions (a BLE pairing bypass and a Linux kernel netfilter flaw) affect a wide swath of connected device fleets, AAMI SW96 Amendment 1 is in member review, and Red Hat Enterprise Linux 7 Extended Life Support ends June 30, leaving legacy device fleets without vendor patches.
This is the first edition of The Goat's Weekly, our Monday digest of the medical device cybersecurity items that actually changed something for manufacturers in the last seven days. Every item below is sourced from our Regulatory Tracker, CISA's KEV catalog, and the FDA's Safety Communications archive. The summaries are short on purpose. The value is in the "what to do this week" section at the end, where we translate each item into a concrete action for a manufacturer's security lead. If you want the raw firehose, the tracker RSS feed updates as items publish.
Key Takeaways
- The FDA's postmarket update letter cadence is now effectively weekly, which means a 30-day response clock starts more often than most postmarket programs are staffed for.
- Two CISA KEV additions this quarter (CVE-2026-0511 Linux netfilter, plus a widely embedded BLE pairing bypass) likely sit inside your SBOM today.
- AAMI SW96 Amendment 1 is open for member review through April 30, and the changes will affect how you document risk-row residual risk in 2027 submissions.
- RHEL 7 Extended Life Support ends June 30, 2026; any deployed device still running it after that date is operating without vendor security patches.
- One concrete action this week: run your SBOM against the two new KEV CVEs and draft the customer-facing memo before a hospital procurement office asks.
Table of Contents
- Why this week matters
- Top story: FDA postmarket update letter cadence
- FDA and US regulatory
- CISA and vulnerability watch
- Standards and international
- What to do this week
- How Blue Goat Cyber helps
- Frequently asked questions
Four of the five items below carry hard deadlines or active response clocks in the next 90 days. Treat this brief as a working checklist, not a reading list.
Why this week matters
Four of the five items in this digest carry hard deadlines or active response clocks. The FDA's accelerated update-letter cadence (announced March 18, 2026) is operating now, and we are seeing it in client traffic: the agency is sending postmarket cybersecurity update requests roughly weekly, each with a 30-day response window under the February 3, 2026 final premarket cybersecurity guidance and the postmarket framework that flows from FD&C Act Section 524B(b)(1). CISA's two recent KEV additions trigger the Binding Operational Directive 22-01 timeline for federal customers, which translates downstream into hospital procurement questions for any manufacturer whose SBOM contains the affected components. The AAMI SW96 amendment is in a member-comment window that closes April 30. And RHEL 7 ELS ends June 30, after which any field device on that base OS is unpatched for the rest of its deployed life. None of these are "watch and wait" items.
Top story: FDA postmarket update letter cadence
The FDA's March 18, 2026 announcement confirmed what postmarket teams had already noticed: the agency is now issuing postmarket cybersecurity update letters on a roughly weekly cadence rather than the historical quarterly pattern. Each letter still carries a 30-day response window, which means a manufacturer with three or four cleared cyber devices can realistically expect a letter every month. The letters reference Section 524B(b)(1) postmarket plans and the February 3, 2026 final premarket cybersecurity guidance, and they typically ask for an updated SBOM, a VEX statement on a specific CVE cluster, and evidence that the postmarket plan executed. The change is not a new rule. It is a resourcing reality: any postmarket program staffed for a quarterly cadence is now four times under-resourced.
FDA and US regulatory
- FDA postmarket update letter cadence increases (Mar 18). Covered above. Source: Regulatory Tracker entry.
- QMSR effective date reminder (Feb 2). The Quality Management System Regulation has been in force since February 2, 2026. Any cybersecurity activity that still lives in a parallel binder, outside design controls and supplier management, is now a documented QMS gap. Source: Regulatory Tracker entry.
CISA and vulnerability watch
Both KEV additions below are widely embedded in connected medical device fleets. If either CVE shows up in your SBOM, hospital procurement will ask for a VEX statement within days , have it drafted before the request lands.
- CVE-2026-0511 (Linux kernel netfilter, use-after-free) added to KEV April 22. Affects any device on a Linux base older than 6.8.12. Federal civilian agencies must remediate or remove from service per BOD 22-01. Hospitals are starting to ask for the equivalent statement from manufacturers. Source: Regulatory Tracker entry.
- BLE pairing bypass added to KEV April 15. Embedded in numerous wearable, infusion, and home-monitoring devices. If your device uses BLE Just Works pairing without out-of-band verification, this needs a VEX statement or a firmware mitigation. Source: Regulatory Tracker entry.
Standards and international
- AAMI SW96 Amendment 1 draft circulated for member review (Mar 31). Member comment window closes April 30. The amendment tightens how residual risk is justified on each risk row and adds explicit traceability columns. Worth reviewing now, even if you do not plan to comment, because the changes will appear in 2027 submissions. Source: Regulatory Tracker entry.
RHEL 7 Extended Life Support ends June 30, 2026. After that date, every fielded device on RHEL 7 is unpatched for the remainder of its deployed life. Migration plans need a customer-facing memo, not just an internal ticket.
- RHEL 7 Extended Life Support ends June 30, 2026. Any field device on RHEL 7 will be unpatched after that date. If you cannot migrate, you need a written memo to customers explaining the compensating controls. Source: Regulatory Tracker entry.
What to do this week
If you only do one thing this week: diff your latest SBOM against the two new KEV CVEs and pre-draft the customer memo. That single artifact answers most of the hospital and federal-customer questions the rest of the items below will generate.
- Run your SBOM against CVE-2026-0511 and the BLE pairing bypass. If either component is present, draft a one-page VEX statement and a customer-facing memo before a hospital security office requests one. Use our SBOM and VEX field guide as the template.
- Audit your postmarket staffing against a weekly update-letter cadence. If your plan assumes quarterly volume, calendar a conversation with engineering this week about who picks up the next four letters.
- Confirm none of your cleared or in-development devices ship on RHEL 7. If any do, schedule the migration memo by Friday so customers receive it before the June 30 cutoff.
How Blue Goat Cyber helps
We run postmarket cybersecurity programs and respond to FDA postmarket update letters for medical device manufacturers under our postmarket SBOM and VEX monitoring service. That includes the weekly SBOM-to-KEV diff, the customer-facing VEX statements, and the 30-day response packages the FDA expects. Our team holds CISSP and OSCP certifications and includes former military red team operators. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.
Talk to a postmarket cybersecurity specialist
Frequently asked questions
What is the best source for medical device cybersecurity news? The FDA Safety Communications archive, CISA's KEV catalog and ICS-MA advisories, and AAMI's standards portal are the primary sources. We aggregate the ones that change a manufacturer's required actions in our Regulatory Tracker and summarize them weekly in this digest.
How often does the FDA send postmarket cybersecurity update letters? As of March 18, 2026, the FDA is sending postmarket cybersecurity update letters on a roughly weekly cadence rather than the historical quarterly pattern. Each letter carries a 30-day response window and typically requests an updated SBOM, a VEX statement on a specific CVE cluster, and evidence that the postmarket plan executed.
Does a CISA KEV addition require manufacturer action? KEV additions create a Binding Operational Directive 22-01 deadline for federal civilian agencies, not directly for manufacturers. In practice, hospital procurement offices and federal customers will request a VEX statement on the affected CVE within days of the KEV addition. A manufacturer with the component in its SBOM should have the VEX statement ready before the request arrives.
When does the AAMI SW96 Amendment 1 comment window close? The member comment window for AAMI SW96 Amendment 1 closes April 30, 2026. The final amendment is expected to publish in late 2026 and will affect risk documentation in 2027 submissions.
What happens to medical devices running RHEL 7 after June 30, 2026? Red Hat Enterprise Linux 7 Extended Life Support ends June 30, 2026. After that date, no further security patches are issued. Any deployed device still on RHEL 7 is operating without vendor patches and needs a documented set of compensating controls plus a customer-facing memo explaining the residual risk.
About the author
Christian Espinosa is the founder of Blue Goat Cyber and a former US Air Force cybersecurity officer with CISSP and CCISO credentials. He has led medical device cybersecurity submissions and postmarket programs for more than a decade and authored "The Smartest Person in the Room." More from Christian.