Supplier Qualification Package
Everything your purchasing and quality teams need to qualify Blue Goat Cyber as a cybersecurity testing and FDA submission documentation supplier under your ISO 13485 / 21 CFR Part 820 (QMSR) supplier controls.
Version 260423 - Effective April 23, 2026 - Reviewed and reissued on material change.
Service-Disabled Veteran-Owned Small Business focused exclusively on medical device cybersecurity.
Quality system mapped to the ISO 13485 clauses applicable to a service provider, ready for your supplier controls under 21 CFR Part 820 / QMSR.
Threat models, SBOMs, security architecture views, and pen test reports across 510(k), De Novo, PMA, and IDE pathways.
Professional liability and cyber liability coverage in force through biBERK (Berkshire Hathaway). COI available on request.
What's inside the package
A 10-page document built for the questions your supplier qualification process actually asks.
- Company overview and SDVOSB status
- Quality management system position and ISO 13485 alignment statement
- Clause-by-clause ISO 13485 alignment matrix
- Standards we work to (AAMI TIR57, SW96, IEC 81001-5-1, ISO 14971, IEC 62304, NIST SP 800-115)
- Mapping to the FDA February 3, 2026 final premarket cybersecurity guidance
- Service delivery methodology and release gates
- Personnel competence and training controls
- Client data handling, insurance, and corporate details
ISO 13485 alignment matrix
The clauses applicable to a cybersecurity testing and regulatory documentation service provider, mapped to our implemented controls. The full set of references and SOP excerpts is in the PDF.
| Clause | Requirement | Blue Goat implementation |
|---|---|---|
| 4.1 / 4.2 | QMS and document control | Documented quality system, versioned SOPs and templates, controlled records per the retention SOP. |
| 5.1 to 5.6 | Management responsibility | CEO-level ownership of the quality policy; management review of engagement metrics, client feedback, and CAPA. |
| 6.1, 6.2 | Resources and competence | Defined competence requirements per role; personnel records with credentials, training, and assignment qualifications. |
| 6.3, 6.4 | Infrastructure and work environment | Controlled testing environments, segregated client data handling, managed SCA, vulnerability analysis, and documentation tooling. |
| 7.1, 7.2 | Service planning and customer requirements | Signed SOW per engagement; scoping and architecture review with pathway determination before contract execution. |
| 7.3 | Design and development (applied to deliverables) | Deliverables follow defined development, peer review, and verification stages with documented release approvals. |
| 7.4 | Purchasing and supplier control | Subcontractors and tooling vendors are evaluated and approved before use; critical tool outputs are independently verified before client release. |
| 7.5 | Service provision and control | Testing executed per NIST SP 800-115 and Section V.C of the FDA Feb 3, 2026 final guidance, with templated deliverable production and a mandatory SBOM enrichment verification gate. |
| 8.2 / 8.3 | Monitoring, internal audit, and nonconforming output | Client feedback captured per engagement; internal audits on a defined schedule; nonconforming deliverables held at the release gate until rework. |
We do not hold an ISO 13485 certificate and do not represent ourselves as certified. No FDA regulation requires certification of cybersecurity testing or regulatory documentation providers. The PDF explains the rationale in Section 3.
FDA February 3, 2026 guidance, mapped to deliverables
Every deliverable we produce traces back to a specific section of the FDA's final premarket cybersecurity guidance, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (Feb 3, 2026).
| Guidance section | FDA expectation | Blue Goat deliverable |
|---|---|---|
| V.A Security Risk Management | Security risk management plan and report distinct from safety risk, with traceability between the two. | Security risk management documentation per AAMI TIR57 and SW96, traced to your ISO 14971 safety risk assessment. |
| V.A.1 Threat Modeling | Threat model covering the system, use environments, and update infrastructure. | Threat model developed from asset inventory and architecture, covering the device and manufacturer-controlled related systems. |
| V.A.2 Cybersecurity Risk Assessment | Exploitability-based risk assessment of threats and vulnerabilities. | Cybersecurity risk assessment using exploitability and patient-harm impact, with pre- and post-mitigation evaluation. |
| V.A.4 Third-Party Software Components | SBOM with NTIA minimum elements plus, per component, support level and end-of-support date, with vulnerability assessment. | SBOM generated, enriched, and verified through a mandatory release gate; component vulnerability assessment against NVD and the CISA KEV catalog. |
| V.B Security Architecture | Implementation of Appendix 1 control categories plus architecture views per Appendix 2. | Security architecture views authored to Appendix 2 content expectations across authentication, authorization, cryptography, integrity, confidentiality, logging, resiliency, and updates. |
| V.C Cybersecurity Testing | Requirements testing, abuse and misuse cases, robustness, fuzz, attack surface, vulnerability chaining, SCA on binaries, static and dynamic code analysis, and penetration testing. | Full testing coverage per NIST SP 800-115; pen test reports include the five FDA-specified elements (independence, scope, duration, methods, results). |
| VI.B Cybersecurity Management Plans | Plans for postmarket vulnerability management. | Coordinated vulnerability disclosure facilitation and postmarket plan documentation support. |
| VII.C Section 524B(b)(1)-(b)(3) | Plans to monitor, identify, and address postmarket vulnerabilities; processes providing reasonable assurance of cybersecurity; SBOM for commercial, OSS, and OTS components. | 524B documentation package: vulnerability monitoring and disclosure plans, secure development evidence, and the enriched SBOM, structured for direct eSTAR inclusion. |
FAQ
Need a signed copy, COI, or NDA-gated SOPs?
Send the request to your sales contact or use the form below and we will route it to the quality system owner.