The SPDF Lifecycle: Premarket to Postmarket
Where Secure Product Development Framework activities live across the device lifecycle — from concept through end-of-support.
What the diagram shows
Concept + requirements
Cybersecurity requirements derived from intended use, clinical context, and Section 524B. Cost of a fix here: hours.
Design + architecture
Trust boundaries, update mechanism, auth model, and SBOM-generating build pipeline established. Cost of a fix here: days.
Implementation + verification
Secure coding, SAST/DAST, fuzz testing, third-party pen test. Cost of a fix here: weeks.
Submission
All seven cybersecurity sections bundled into eSTAR. Late additions trigger deficiency letters that cost months.
Postmarket monitoring
Continuous CVE/KEV monitoring against the SBOM, coordinated vulnerability disclosure intake, telemetry from deployed devices.
Patch + re-submit
Letter-to-file or new 510(k) depending on cybersecurity impact. Updated SBOM + VEX shipped to customers.
End of support
Pre-announced end-of-security-support date communicated to customers per FDA cybersecurity labeling expectations.
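As an added example (not part of the infographic or Blue Goat Cyber's material), the script below sketches the two postmarket steps the lifecycle describes: it parses a constructed CycloneDX-style SBOM, matches its components against a constructed vulnerability feed (placeholder CVE ids; a real pipeline would join NVD or OSV data with the CISA KEV list), orders the hits so KEV entries surface first, and emits a CycloneDX-style VEX document that carries the triage decision shipped to customers. The feed layout, the simple dotted-numeric version matching, and the triage dictionary are assumptions made for illustration, not a published schema.

```python
import json

# Constructed sample SBOM (CycloneDX-style JSON, trimmed to the fields used here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
        {"type": "operating-system", "name": "linux", "version": "6.1.50", "purl": "pkg:generic/linux@6.1.50"},
    ],
})

# Constructed vulnerability feed (assumed layout). The CVE ids are placeholders, not real advisories;
# "kev" marks entries that would appear on the CISA Known Exploited Vulnerabilities list.
SAMPLE_FEED = [
    {"cve": "CVE-EXAMPLE-0001", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.8", "kev": True},
    {"cve": "CVE-EXAMPLE-0002", "package": "zlib", "introduced": "1.2.0", "fixed": "1.3.1", "kev": False},
    {"cve": "CVE-EXAMPLE-0003", "package": "linux", "introduced": "6.1.0", "fixed": "6.1.60", "kev": False},
]


def parse_version(version):
    """Turn a dotted numeric version ('3.0.7') into a comparable tuple. Assumes numeric segments only."""
    return tuple(int(part) for part in version.split("."))


def find_affected(sbom_json, feed):
    """Match every SBOM component against the feed; a hit means introduced <= version < fixed.

    Returns findings sorted so KEV-listed CVEs come first, then by CVE id.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        version = parse_version(component["version"])
        for vuln in feed:
            if vuln["package"] != component["name"]:
                continue
            if parse_version(vuln["introduced"]) <= version < parse_version(vuln["fixed"]):
                findings.append({"cve": vuln["cve"], "purl": component["purl"], "kev": vuln["kev"]})
    return sorted(findings, key=lambda f: (not f["kev"], f["cve"]))


def build_vex(findings, triage):
    """Emit a CycloneDX-style VEX document for the findings.

    `triage` maps a CVE id to (analysis state, justification, detail); untriaged findings are
    reported as "in_triage" so customers see them rather than silently missing them.
    """
    vulnerabilities = []
    for finding in findings:
        state, justification, detail = triage.get(finding["cve"], ("in_triage", None, "under investigation"))
        analysis = {"state": state, "detail": detail}
        if justification:
            analysis["justification"] = justification
        vulnerabilities.append({
            "id": finding["cve"],
            "affects": [{"ref": finding["purl"]}],
            "analysis": analysis,
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": vulnerabilities}


def open_kev_findings(findings, vex):
    """CVEs that are on the KEV list and not closed out by the VEX; these drive the patch + re-submit stage."""
    closed = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}
    states = {v["id"]: v["analysis"]["state"] for v in vex["vulnerabilities"]}
    return [f["cve"] for f in findings if f["kev"] and states.get(f["cve"]) not in closed]


if __name__ == "__main__":
    hits = find_affected(SAMPLE_SBOM, SAMPLE_FEED)
    # Constructed triage decision: the kernel issue is judged unreachable on this device.
    decisions = {"CVE-EXAMPLE-0003": ("not_affected", "code_not_reachable", "affected driver not compiled in")}
    vex_doc = build_vex(hits, decisions)
    print(json.dumps(vex_doc, indent=2))
    print("KEV findings still open:", open_kev_findings(hits, vex_doc))
```

The ordering step matters in practice: a KEV hit against a shipped SBOM is the case where the patch-and-re-submit decision (letter-to-file versus new 510(k)) and the customer notice need to start immediately, while non-KEV findings can follow the normal triage cadence. Re-running the match after each SBOM update keeps the VEX a living document rather than a one-off attachment.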
Embed this diagram
Use this on your blog, internal wiki, or training deck. We only ask that the credit line and link back stay intact.
<!-- The SPDF Lifecycle: Premarket to Postmarket — Blue Goat Cyber -->
<figure>
<a href="https://bluegoatcyber.com/resources/infographics/spdf-lifecycle">
<img src="https://bluegoatcyber.com/resources/infographics/spdf-lifecycle.svg" alt="Circular lifecycle diagram of the FDA Secure Product Development Framework, showing premarket activities (threat model, SBOM, testing) and postmarket activities (monitoring, disclosure, patching) as a continuous loop." loading="lazy" />
</a>
<figcaption>
<a href="https://bluegoatcyber.com/resources/infographics/spdf-lifecycle">The SPDF Lifecycle: Premarket to Postmarket</a> by
<a href="https://bluegoatcyber.com">Blue Goat Cyber</a>
</figcaption>
</figure>
Related reading
tagged · Lifecycle · SDLC · Postmarket
In-depth guides
Vulnerability Disclosure Programs for Medical Devices (VDP & CVD)
How to build a Vulnerability Disclosure Program (VDP) and Coordinated Vulnerability Disclosure (CVD) workflow for medical devices. ISO/IEC 29147 / 30111, FDA expectations, and a reference SLA model.
Section 524B Compliance Checklist: FDA Cybersecurity Requirements for Cyber Devices
A line-by-line FDA Section 524B compliance checklist mapping every statutory requirement (SBOM, SPDF, postmarket plan, patchability) to a concrete premarket submission deliverable, aligned to the February 2026 final guidance.
FDA Section 524B Cybersecurity Requirements: Compliance Guide
Master FDA Section 524B cybersecurity requirements for cyber devices: SBOM, vulnerability disclosure, patchability, and premarket evidence.
SBOM Vulnerability Management for Medical Devices (2026)
How to maintain, monitor, and triage an SBOM for FDA premarket and postmarket cybersecurity compliance under Section 524B.
From the blog
- Guide to Medical Device Cybersecurity Standards (2025-04-13)
- Secure Update Infrastructure for Medical Devices: A Safety-Critical Subsystem (2026-06-05)
- SBOM End-of-Support, EOL, and Level of Support (2026-06-01)
- Postmarket Cybersecurity for Medical Devices (2026-04-10)
- SPDF Cybersecurity Documentation: What FDA Reviewers Expect (2026-04-09)
Get FDA cleared without the cybersecurity headaches.
30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.