A Q&A glossary of acronyms that appear in FDA medical device cybersecurity guidance, statutes, and submissions.
SPDF (Secure Product Development Framework)
What is an SPDF in FDA cybersecurity?
The Secure Product Development Framework (SPDF) is the lifecycle process the FDA expects every cyber-device manufacturer to use to design, build, release, and maintain medical device software. The 2026 premarket guidance treats SPDF documentation as a required submission artifact.
Source: FDA premarket guidance
SBOM (Software Bill of Materials)
What is an SBOM for an FDA submission?
An SBOM is a machine-readable inventory of every software component (open-source, third-party, and proprietary) included in a medical device. Section 524B of the FD&C Act makes an SBOM a statutory requirement for every cyber-device premarket submission.
Source: FD&C Act §524B
CBOM (Cybersecurity Bill of Materials)
What is a Cybersecurity Bill of Materials?
A CBOM extends the SBOM concept to include hardware components and runtime libraries that affect the device's security posture. The FDA 2018 draft guidance introduced the term; it has largely been absorbed into the SBOM and HBOM concepts in modern practice.
VEX (Vulnerability Exploitability eXchange)
What is VEX in cybersecurity?
VEX is a machine-readable statement that says whether a known vulnerability in an SBOM component is actually exploitable in the shipped product. It lets manufacturers communicate 'not affected' or 'fixed' status for CVEs without requiring customers to triage every CVE themselves.
CVD (Coordinated Vulnerability Disclosure)
What is Coordinated Vulnerability Disclosure?
CVD is the published process by which a manufacturer receives, triages, and remediates cybersecurity vulnerability reports from researchers and customers. The FDA postmarket guidance and ISO/IEC 29147 require every medical device manufacturer to operate one.
Source: ISO/IEC 29147
RTA (Refuse-To-Accept)
What is an FDA Refuse-To-Accept letter?
An RTA letter is the FDA's formal notice that a premarket submission was administratively incomplete and will not enter substantive review. Cybersecurity gaps under Section 524B are now one of the most common RTA causes for 510(k) submissions.
eSTAR (Electronic Submission Template and Resource)
What is eSTAR?
eSTAR is the FDA's interactive PDF submission template. It has been mandatory for 510(k) submissions since October 2023 and for De Novo since October 2025, and contains a structured cybersecurity section.
Source: FDA eSTAR program
SaMD (Software as a Medical Device)
What is Software as a Medical Device (SaMD)?
SaMD is software intended to be used for one or more medical purposes that performs those purposes without being part of a hardware medical device. The IMDRF defined the term in 2013; FDA cybersecurity expectations apply to SaMD just as they do to embedded device software.
Source: IMDRF SaMD definition
PCCP (Predetermined Change Control Plan)
What is a Predetermined Change Control Plan?
A PCCP is a section of an FDA submission that pre-authorizes specified post-clearance changes (often AI/ML model updates) so the manufacturer can ship them without a new 510(k). Cybersecurity controls and re-verification testing must be documented in the PCCP.
MDS2 (Manufacturer Disclosure Statement for Medical Device Security)
What is the MDS2 form?
The MDS2 is a HIMSS/AAMI-published standard form (AAMI/HIT 1.0) used by manufacturers to disclose security-relevant features of a device to hospital procurement teams. The FDA references it as an acceptable labeling artifact.
Source: HIMSS MDS2 form
TPLC (Total Product Life Cycle)
What is TPLC in FDA terminology?
TPLC is the FDA's framework for considering a medical device across design, premarket, postmarket, and end-of-life. The cybersecurity guidance is explicitly written against the TPLC because vulnerabilities can emerge at any stage.