Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    2-minute assessment

    How submission-ready is your cybersecurity package?

    Seven questions mapped to the FDA's Feb 3, 2026 final premarket cybersecurity guidance. Get a score, a domain-by-domain gap list, and the fastest next move.

    Christian Espinosa, Founder & CEO, Blue Goat Cyber

    Reviewed by

    Christian Espinosa

    Founder & CEO, Blue Goat Cyber

    Last reviewed July 4, 2026
    Question 1 of 70% complete

    Do you have a documented threat model traceable to your design inputs?

    What you'll see after you submit

    Seven dimensions → score, tier, and a domain-by-domain gap list

    • Score, tier (submission-ready / gaps / high risk), and per-domain status badge.
    • Gap list flagged Missing (red) or Partial (amber) with concrete remediation.
    • Each gap deep-links into the most relevant interactive tool to close it.
    • JSON export so you can hand the score and gap list to regulatory affairs.

    Common misconceptions

    What teams usually get wrong

    • Myth: A high readiness score guarantees first-cycle clearance.

      Reality: This quiz is a fast pulse-check. Reviewers still scrutinize artifacts. Use the SPDF Gap Checker and eSTAR Cybersecurity Checklist for artifact-level coverage.

    • Myth: If our QMS passes ISO 13485, our cyber readiness is fine.

      Reality: ISO 13485 / QMSR set the lifecycle; §524B and the Feb 2026 guidance add specific cyber artifacts (SBOM, CVD, threat model, postmarket plan) that QMS audits don't validate.

    • Myth: Cybersecurity readiness is a one-time premarket check.

      Reality: The FDA expects readiness to be maintained across the TPLC. Re-take this every release cycle and after any architecture or component change.

    Why this tool is current

    Recent regulatory + supply-chain activity

    Tracked signals that change what reviewers expect. Items move on as new ones land.

    Close the gaps

    Each readiness dimension maps to a dedicated service. Start with the lowest-scoring areas first.

    Threat modeling for medical devices

    Documented STRIDE-based threat model traceable to your design inputs.

    Read Threat modeling for medical devices

    FDA-compliant SBOM services

    SPDX/CycloneDX SBOMs with continuous CVE and KEV mapping.

    Read FDA-compliant SBOM services

    Medical device penetration testing

    Independent exploit-driven testing across device, wireless, USB, and cloud paths.

    Read Medical device penetration testing

    FDA premarket cybersecurity

    Full SPDF + eSTAR-ready submission package aligned to current FDA guidance.

    Read FDA premarket cybersecurity

    Postmarket cybersecurity program

    Vulnerability monitoring, CVD, patch validation, and FDA reporting workflows.

    Read Postmarket cybersecurity program

    Cost-of-delay calculator

    Quantify what every week of submission slip costs in revenue and gross profit.

    Read Cost-of-delay calculator