How submission-ready is your cybersecurity package?
Seven questions mapped to the FDA's Feb 3, 2026 final premarket cybersecurity guidance. Get a score, a domain-by-domain gap list, and the fastest next move.
Reviewed by
Christian Espinosa
Founder & CEO, Blue Goat Cyber
Do you have a documented threat model traceable to your design inputs?
What you'll see after you submit
Seven dimensions → score, tier, and a domain-by-domain gap list
- Score, tier (submission-ready / gaps / high risk), and per-domain status badge.
- Gap list flagged Missing (red) or Partial (amber) with concrete remediation.
- Each gap deep-links into the most relevant interactive tool to close it.
- JSON export so you can hand the score and gap list to regulatory affairs.
Common misconceptions
What teams usually get wrong
-
Myth: A high readiness score guarantees first-cycle clearance.
Reality: This quiz is a fast pulse-check. Reviewers still scrutinize artifacts. Use the SPDF Gap Checker and eSTAR Cybersecurity Checklist for artifact-level coverage.
-
Myth: If our QMS passes ISO 13485, our cyber readiness is fine.
Reality: ISO 13485 / QMSR set the lifecycle; §524B and the Feb 2026 guidance add specific cyber artifacts (SBOM, CVD, threat model, postmarket plan) that QMS audits don't validate.
-
Myth: Cybersecurity readiness is a one-time premarket check.
Reality: The FDA expects readiness to be maintained across the TPLC. Re-take this every release cycle and after any architecture or component change.
References & further reading
Primary sources behind this tool
- FDA Cybersecurity in Medical Devices (Feb 3, 2026 final premarket guidance) - FDA
- AAMI TIR57:2016/(R)2023 - Principles for Medical Device Security: Risk Management - AAMI
- ANSI/AAMI SW96:2023 - Standard for medical device security risk management - AAMI
- FDA Section 524B (FD&C Act §524B / 21 U.S.C. 360n-2) - FDA / Congress.gov
Recent regulatory + supply-chain activity
Tracked signals that change what reviewers expect. Items move on as new ones land.
Where to focus next.
Each readiness dimension maps to a dedicated service. Start with the lowest-scoring areas first.
Threat modeling for medical devices
Documented STRIDE-based threat model traceable to your design inputs.
Read Threat modeling for medical devicesFDA-compliant SBOM services
SPDX/CycloneDX SBOMs with continuous CVE and KEV mapping.
Read FDA-compliant SBOM servicesMedical device penetration testing
Independent exploit-driven testing across device, wireless, USB, and cloud paths.
Read Medical device penetration testingFDA premarket cybersecurity
Full SPDF + eSTAR-ready submission package aligned to current FDA guidance.
Read FDA premarket cybersecurityPostmarket cybersecurity program
Vulnerability monitoring, CVD, patch validation, and FDA reporting workflows.
Read Postmarket cybersecurity programCost-of-delay calculator
Quantify what every week of submission slip costs in revenue and gross profit.
Read Cost-of-delay calculator