FDA Premarket
What changed in the Feb 3, 2026 final premarket cybersecurity guidance, what reviewers now expect, and a 90-day path to a fully aligned submission.
- Feb 3, 2026 final guidance - what's actually new
- Section 524B 'cyber device' definition decoded
- The four pillars: SPDF, threat model, SBOM, security testing
- eSTAR cybersecurity artifact checklist
5 pages 12-min read
SBOM & Supply Chain
How to generate, validate, and continuously update a CycloneDX SBOM with VEX statements that survives FDA review and powers your postmarket program.
- SPDX vs CycloneDX - which to choose and why
- What MUST be in a 2026-compliant SBOM
- Generation strategy by device type (SaMD, mobile, firmware, hybrid)
- VEX status values + acceptable not_affected justifications
6 pages 14-min read
Threat Modeling
STRIDE-per-element + AAMI TIR57 methodology, a device-specific threat checklist, an attack-tree template, and the traceability matrix reviewers want.
- Five-step methodology: scope → decompose → enumerate → rate → mitigate
- STRIDE quick reference with medical-device mitigations
- 13-point device-specific threat checklist
- Attack-tree template for high-value flows
6 pages 13-min read
Postmarket & CVD
A turn-key blueprint for standing up an FDA-aligned Coordinated Vulnerability Disclosure program: policy, intake, triage SLAs, advisories, and reviewer-ready evidence.
- FDA-aligned CVD policy structure (ISO/IEC 29147 + 30111)
- Intake channels, PGP, safe harbor language
- Triage SLAs by CVSS + clinical impact
- Advisory + MDS2 + CISA ICS-MEDICAL coordination
6 pages 14-min read
SBOM Operations
End-to-end field guide for generating, validating, distributing, and operating SBOMs for embedded, mobile, SaMD, and hybrid medical devices.
- Tool selection by device class (firmware, mobile, SaMD, container)
- Binary analysis workflow for embedded firmware
- PURL + hash discipline reviewers expect
- VEX operating model with example justifications
8 pages 18-min read
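The SBOM minimums the two SBOM modules above point at (a PURL carrying type, name and version, a SHA-2 digest per component, a named supplier, and VEX statements whose not_affected status carries a recognised justification) can be enforced mechanically before a package reaches a reviewer. The checker below is an added example for this page, not code from the guide or from any CycloneDX project tool. It assumes the SBOM is CycloneDX 1.5 JSON with VEX expressed in the embedded vulnerabilities[].analysis block (CycloneDX's own state and justification vocabulary), and the sample BOM, digests and vulnerability ids inside it are constructed placeholders.

```python
import json
import re

# CycloneDX 1.5 impact-analysis vocabulary (assumed as the VEX encoding here)
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}
NOT_AFFECTED_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
}
# Digests a reviewer will accept; MD5/SHA-1 are tolerated but do not count
HASH_HEX_LEN = {"SHA-256": 64, "SHA-384": 96, "SHA-512": 128}
# Minimum purl shape: pkg:<type>/<name>@<version>; not a full purl parser
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#\s]+@[^?#\s]+")


def check_component(c):
    """Return a list of reviewer-facing problems for one component."""
    problems = []
    ref = c.get("bom-ref") or c.get("name") or "<unnamed>"
    for field in ("name", "version", "bom-ref"):
        if not c.get(field):
            problems.append(f"{ref}: missing {field}")
    if not (c.get("supplier") or {}).get("name"):
        problems.append(f"{ref}: missing supplier.name")
    purl = c.get("purl", "")
    if not PURL_RE.match(purl):
        problems.append(f"{ref}: purl missing or lacks type/name/version: {purl!r}")
    elif c.get("version") and f"@{c['version']}" not in purl:
        problems.append(f"{ref}: purl version does not match component.version")
    hashes = {h.get("alg"): h.get("content", "") for h in c.get("hashes", [])}
    if not any(alg in hashes for alg in HASH_HEX_LEN):
        problems.append(f"{ref}: no SHA-256/384/512 hash")
    for alg, content in hashes.items():
        want = HASH_HEX_LEN.get(alg)
        if want and not re.fullmatch(rf"[0-9a-f]{{{want}}}", content.lower()):
            problems.append(f"{ref}: {alg} hash is not {want} hex chars")
    return problems


def check_vulnerabilities(bom, known_refs):
    """Check each embedded VEX statement: valid state, justified not_affected,
    and affects[].ref pointing at a component that is actually in the BOM."""
    problems = []
    for v in bom.get("vulnerabilities", []):
        vid = v.get("id", "<no id>")
        analysis = v.get("analysis") or {}
        state = analysis.get("state")
        if state not in VEX_STATES:
            problems.append(f"{vid}: analysis.state {state!r} is not a CycloneDX state")
        if state == "not_affected":
            just = analysis.get("justification")
            if just not in NOT_AFFECTED_JUSTIFICATIONS:
                problems.append(f"{vid}: not_affected without a valid justification ({just!r})")
            if not analysis.get("detail"):
                problems.append(f"{vid}: not_affected needs a human-readable detail")
        refs = [a.get("ref") for a in v.get("affects", [])]
        if not refs:
            problems.append(f"{vid}: no affects[].ref")
        for r in refs:
            if r not in known_refs:
                problems.append(f"{vid}: affects ref {r!r} is not a component in this BOM")
    return problems


def validate_bom(bom):
    """Run every check over a parsed CycloneDX JSON document."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not (bom.get("metadata") or {}).get("component"):
        problems.append("metadata.component (the device itself) is missing")
    refs = {c.get("bom-ref") for c in bom.get("components", [])}
    for c in bom.get("components", []):
        problems.extend(check_component(c))
    problems.extend(check_vulnerabilities(bom, refs))
    return problems


def validate_file(path):
    with open(path, encoding="utf-8") as fh:
        return validate_bom(json.load(fh))


# Constructed sample: one clean component, one that a reviewer would bounce.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "device", "bom-ref": "device",
                               "name": "example-controller", "version": "3.2.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/openssl@3.0.13",
         "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.13",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},  # placeholder digest
        {"type": "library", "bom-ref": "zlib", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib",                         # no version in purl
         "hashes": [{"alg": "MD5", "content": "d" * 32}]},   # weak digest only
    ],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1",  # placeholder id, not a real CVE
         "affects": [{"ref": "pkg:generic/openssl@3.0.13"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "Affected API is not linked into the firmware image."}},
        {"id": "VULN-EXAMPLE-2", "affects": [{"ref": "zlib"}],
         "analysis": {"state": "not_affected"}},  # bare not_affected: rejected
    ],
}

if __name__ == "__main__":
    for p in validate_bom(SAMPLE_BOM):
        print(p)
```

Run against a real export with validate_file("sbom.json"); anything it prints is a finding a reviewer would also raise. The purl check is a shape check only, so pair this with CycloneDX JSON-schema validation and a proper purl parser in the pipeline, and tighten the policy (for instance, requiring SHA-256 specifically) to match what your submission commits to.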
Legacy & Remediation
How to bring fielded legacy and end-of-support medical devices up to current FDA expectations without a full re-architecture - compensating controls, remediation tiers, and customer communications.
- Legacy device risk assessment template
- Tiered remediation: monitor / mitigate / patch / replace
- Compensating control catalog by threat
- End-of-support communication template
7 pages 16-min read
EU Market Access
Plain-English guide to the cybersecurity expectations of EU MDR Annex I, IVDR Annex I, MDCG 2019-16, and the Cyber Resilience Act (in force since December 2024, with its obligations phasing in through 2027) - plus how to harmonize an FDA + EU package.
- MDR Annex I §17.2 + IVDR Annex I §16.4 decoded
- MDCG 2019-16 Rev.1 requirements walkthrough
- Cyber Resilience Act overlap and timing
- Notified Body evidence expectations
7 pages 16-min read
AI/ML SaMD
How to build a Predetermined Change Control Plan for AI/ML SaMD that survives FDA review - and how to threat-model the model itself (poisoning, inversion, adversarial inputs, prompt injection).
- PCCP structure that reviewers accept
- ML-specific threat catalog (poisoning, inversion, adversarial, prompt injection)
- ML-BOM in CycloneDX 1.5
- Monitoring drift + cybersecurity together
7 pages 16-min read