    The State of FDA Medical Device Cybersecurity Deficiencies

    What FDA reviewers flag most in cybersecurity submissions, by pathway, with average resolution time.

    Forthcoming. This page reflects the methodology and structure of an upcoming report. Numeric findings and charts will be published after the analyst extract and legal review are complete. Press contacts can request early access at [email protected].
    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: March 15, 2026 · Last reviewed: March 15, 2026

    Executive summary

    FDA cybersecurity deficiencies are the single largest source of avoidable submission delay in MedTech. This report quantifies what reviewers flag most often, how long each category takes to resolve, and where teams can intervene earliest to avoid them.

    Findings are drawn from cybersecurity-related deficiency correspondence across submissions Blue Goat Cyber supported between 2021 and 2025. Deficiency text was categorized by an internal taxonomy aligned to FDA's 2023 premarket cybersecurity guidance.

    Pending analyst extract and legal review — numeric findings will be populated before the public release.

    Methodology

    Sample
    Cybersecurity deficiency correspondence across submissions supported between 2021 and 2025.
    Time period
    January 2021 – December 2025
    Inclusion criteria
    • Submissions where Blue Goat Cyber authored or reviewed cybersecurity documentation.
    • Correspondence categorized as a cybersecurity deficiency or an Additional Information (AI) request related to cybersecurity content.
    • Submissions with a final FDA outcome (clearance, denial, or withdrawal) by 31 Dec 2025.
    Limitations
    • Sample reflects engagements that selected Blue Goat Cyber and may not represent the full FDA submission population.
    • Deficiency text is categorized by internal taxonomy; FDA does not publish standardized categories for cybersecurity content.
    • Time-to-resolution is measured from deficiency receipt to FDA acknowledgement of the response, not to final clearance.
    Anonymization
    • All client and product names removed before analysis; records are keyed by an internal study ID.
    • Device-specific identifiers (510(k) numbers, De Novo numbers, UDIs) stripped from the source dataset.
    • Findings reported only at aggregate level; minimum cell size of 5 to prevent re-identification.
    • Free-text deficiency excerpts paraphrased; no verbatim FDA correspondence is reproduced.

    Key findings

    1. Threat modeling depth is the most-flagged content area.

      Pending extract — exact share and ranking will be populated after analyst review.

    2. SBOM completeness is the second-most-flagged content area.

      Pending extract.

    3. PMA submissions show different deficiency patterns than 510(k).

      Pending extract.

    Charts

    All charts are free to re-use with attribution to Blue Goat Cyber. Each chart has an embed-friendly URL — see the press kit for the iframe snippet.

    Most frequent FDA cybersecurity deficiency categories

    Share of deficiencies by content area, all pathways combined.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber internal deficiency dataset, 2021–2025. · Unit: % of deficiencies

    Deficiency rate by submission pathway

    Share of supported submissions that received at least one cybersecurity deficiency, by pathway.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber internal deficiency dataset, 2021–2025. · Unit: % of submissions

    Average time to resolve by deficiency category

    Median days from deficiency receipt to FDA acknowledgement of response.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber internal deficiency dataset, 2021–2025. · Unit: days (median)

    Cybersecurity deficiency rate by device class

    Share of submissions with at least one cybersecurity deficiency, by FDA device class.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber internal deficiency dataset, 2021–2025. · Unit: % of submissions

    Deficiency volume trend, 2021–2025

    Cybersecurity deficiencies received per quarter.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber internal deficiency dataset, 2021–2025. · Unit: deficiencies/quarter

    Cite this report

    Blue Goat Cyber. (2026). The State of FDA Medical Device Cybersecurity Deficiencies. https://bluegoatcyber.com/research/fda-medical-device-cybersecurity-deficiencies-2026

    Sources & references

    Primary sources cited in this article.

    1. FDA: Cybersecurity in Medical Devices (Premarket Guidance, 2023)
    2. AAMI: TIR57, Principles for Medical Device Security: Risk Management
    3. MITRE: CWE, Common Weakness Enumeration
    4. NIST: NVD, National Vulnerability Database