The SPDF Lifecycle: Premarket to Postmarket
Where Secure Product Development Framework activities live across the device lifecycle, from concept through end-of-support.
What the diagram shows
Concept + requirements
Cybersecurity requirements derived from intended use, clinical context, and Section 524B. Cost of a fix here: hours.
Design + architecture
Trust boundaries, update mechanism, auth model, and SBOM-generating build pipeline established. Cost of a fix here: days.
Implementation + verification
Secure coding, SAST/DAST, fuzz testing, third-party pen test. Cost of a fix here: weeks.
Submission
All seven cybersecurity sections bundled into eSTAR. Late additions trigger deficiency letters that cost months.
Postmarket monitoring
Continuous CVE/KEV monitoring against the SBOM, coordinated vulnerability disclosure intake, telemetry from deployed devices.
Patch + re-submit
Letter-to-file or new 510(k) depending on cybersecurity impact. Updated SBOM + VEX shipped to customers.
End of support
Pre-announced end-of-security-support date communicated to customers per FDA cybersecurity labeling expectations.
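As an added example, not part of the infographic or of Blue Goat Cyber's own tooling, the postmarket monitoring step above as a small script: it matches a CycloneDX-style SBOM against an advisory feed, flags entries on a known-exploited list for triage priority, and shapes the result as VEX-style statements. The SBOM, the advisory entries and the CVE ids are constructed sample data.

```python
"""Match a CycloneDX-style SBOM against a CVE/KEV-style advisory feed.

Added example, not from the infographic: SBOM, advisories and CVE ids are
constructed placeholders, not real components or real advisories."""

# Constructed SBOM fragment in the shape of CycloneDX JSON "components".
SBOM = {
    "components": [
        {"name": "openssl", "version": "3.0.11", "purl": "pkg:generic/openssl@3.0.11"},
        {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
        {"name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
    ]
}

# Constructed advisory feed. "fixed" is the first version that is not affected;
# "kev" marks an entry that also appears on a known-exploited list.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "package": "openssl", "fixed": "3.0.12", "kev": True},
    {"cve": "CVE-0000-0002", "package": "zlib", "fixed": "1.2.12", "kev": False},
    {"cve": "CVE-0000-0003", "package": "busybox", "fixed": "1.37.0", "kev": False},
]

def version_key(v):
    """Numeric tuple for dotted versions so that '1.10' sorts after '1.9'."""
    return tuple(int(p) for p in v.split("."))

def match_sbom(sbom, advisories):
    """One finding per (component, advisory) pair for the same package name.
    'affected' follows the version check; KEV hits sort to the top of triage."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            affected = version_key(comp["version"]) < version_key(adv["fixed"])
            findings.append({
                "cve": adv["cve"], "purl": comp["purl"],
                "state": "affected" if affected else "not_affected",
                "priority": "kev" if affected and adv["kev"] else "normal",
            })
    findings.sort(key=lambda f: (f["priority"] != "kev", f["state"] != "affected"))
    return findings

def vex_statements(findings):
    """Shape findings as minimal CycloneDX-VEX-style 'vulnerabilities' entries
    (approximation of the schema, enough to hand to a customer-facing export)."""
    return [{"id": f["cve"], "analysis": {"state": f["state"]},
             "affects": [{"ref": f["purl"]}]} for f in findings]

if __name__ == "__main__":
    for f in match_sbom(SBOM, ADVISORIES):
        print(f["priority"].upper(), f["cve"], f["purl"], f["state"])
```

Running it against a real SBOM means swapping the constructed feed for NVD/KEV data and a proper version-range parser; the matching and VEX shaping stay the same.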
Embed this diagram
Use this on your blog, internal wiki, or training deck. We only ask that the credit line and link back stay intact.
<!-- The SPDF Lifecycle: Premarket to Postmarket, Blue Goat Cyber -->
<figure>
<a href="https://bluegoatcyber.com/resources/infographics/spdf-lifecycle">
<img src="https://bluegoatcyber.com/resources/infographics/spdf-lifecycle.svg" alt="Circular lifecycle diagram of the FDA Secure Product Development Framework, showing premarket activities (threat model, SBOM, testing) and postmarket activities (monitoring, disclosure, patching) as a continuous loop." loading="lazy" />
</a>
<figcaption>
<a href="https://bluegoatcyber.com/resources/infographics/spdf-lifecycle">The SPDF Lifecycle: Premarket to Postmarket</a> by
<a href="https://bluegoatcyber.com">Blue Goat Cyber</a>
</figcaption>
</figure>
Related reading
Tagged: Lifecycle · SDLC · Postmarket
In-depth guides
Medical Device CVD Guide: FDA Compliance & Best Practices
Master Coordinated Vulnerability Disclosure (CVD) for medical devices. Learn FDA requirements, ISO/IEC 29147 standards, and how to handle security researchers.
Vulnerability Disclosure Programs for Medical Devices (VDP & CVD)
How to build a Vulnerability Disclosure Program (VDP) and Coordinated Vulnerability Disclosure (CVD) workflow for medical devices. ISO/IEC 29147 / 30111, FDA expectations, and a reference SLA model.
AAMI TIR57 vs TIR97: Cybersecurity Risk Management for Medical Devices
AAMI TIR57 (R2023) is the FDA-recognized standard for medical device cybersecurity risk management. Compare it with TIR97 (postmarket) and apply both across the device lifecycle.
Section 524B Compliance Checklist: FDA Cybersecurity Requirements for Cyber Devices
A line-by-line FDA Section 524B compliance checklist mapping every statutory requirement (SBOM, SPDF, postmarket plan, patchability) to a concrete premarket submission deliverable, aligned to the February 2026 final guidance.
From the blog
- Guide to Medical Device Cybersecurity Standards (2025-04-13)
- Does FDA Section 524B Apply to Legacy Devices? (2026-06-23)
- How Much Does Medical Device Cybersecurity Cost in 2026? (2026-06-20)
- FDA Section 524B Explained Subsection by Subsection: What Each Requirement Means in 2026 (2026-06-18)
- Secure Update Infrastructure for Medical Devices: A Safety-Critical Subsystem (2026-06-05)