Monitoring & Patch Cadence Calculator
Three inputs - risk class, connectivity, PHI sensitivity - return the monitoring, patching, and reporting cadence FDA postmarket reviewers expect for your device.
Reviewed by
Christian Espinosa
Founder & CEO, Blue Goat Cyber
Device risk class
Connectivity
PHI / sensitive data on device
What you'll see after you submit
Risk + connectivity + PHI sensitivity → a tiered cadence plan
- TierGauge infographic: A / B / C tier placement based on your inputs.
- Monitoring, patching, pen test, and FDA-reporting SLAs tuned to the tier.
- Reviewer-aligned cadence narrative you can drop into your postmarket plan.
- Tie-back to §524B postmarket obligations so the audit trail is obvious.
Common misconceptions
What teams usually get wrong
- Myth: Annual pen testing is fine for any device.
  Reality: FDA expects pen test cadence to scale with risk and connectivity. Internet-connected Class II/III with PHI typically warrants every release plus a yearly external test - not just annual.
- Myth: 30-day FDA reporting only applies to recalls.
  Reality: Uncontrolled cybersecurity risk (CVSS-style or otherwise) can trigger a 30-day report under 21 CFR 806. The threshold is impact, not the word 'recall.'
- Myth: We monitor CVEs against our SBOM once a quarter.
  Reality: Reviewer expectation is continuous monitoring with documented triage SLAs. Quarterly cadence is a deficiency for any internet-connected device.
- Myth: Patch validation is the same for all devices.
  Reality: Closed-loop or life-supporting devices need bench + simulated-clinical validation per patch; lower-risk SaMD can use staged rollout with telemetry. The cadence tool tells you which lane you're in.
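The "continuous monitoring with documented triage SLAs" expectation above is easier to audit when the SBOM-to-KEV cross-reference and the SLA clock are one reproducible step. The following is an added illustration, not code from the calculator or from Blue Goat Cyber: it takes a constructed list of scanner findings keyed by SBOM component, flags which CVEs appear in a constructed subset of the CISA KEV catalog (only CVE-2022-0492 and its date are taken from the activity feed on this page; the other CVE ids are placeholders), suppresses findings covered by a constructed VEX not_affected statement, and assigns a triage deadline from an assumed SLA table. The SLA day counts, the purl strings and the VEX justification are assumptions standing in for a team's own documented values.

```python
"""Cross-reference SBOM findings against a KEV subset and VEX statements,
then assign triage deadlines from an assumed SLA table (added example)."""
from datetime import date, timedelta

# Constructed sample data: CVEs a scanner reported per SBOM component.
# Component keys are purl-style strings; CVE-0000-* ids are placeholders.
SBOM_FINDINGS = {
    "pkg:rpm/redhat/kernel@3.10.0-1160": ["CVE-2022-0492"],
    "pkg:generic/vendor/telemetry-agent@2.1.0": ["CVE-0000-00001"],  # placeholder id
    "pkg:generic/vendor/ui-framework@4.0.3": ["CVE-0000-00002"],     # placeholder id
}

# Constructed subset of the CISA KEV catalog, using the catalog's own JSON
# field names. The single entry and its date come from the page's feed.
KEV_SUBSET = {
    "CVE-2022-0492": {
        "vulnerabilityName": "Linux Kernel Improper Authentication Vulnerability",
        "dateAdded": "2026-06-02",
    },
}

# Constructed VEX statements: (component, cve) -> status and justification.
# A not_affected statement without a justification is not audit-usable.
VEX_STATEMENTS = {
    ("pkg:generic/vendor/ui-framework@4.0.3", "CVE-0000-00002"): {
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    },
}

# Assumed triage SLAs in calendar days: placeholders for a team's own
# documented SLAs, not values taken from FDA guidance.
SLA_DAYS = {"kev": 1, "default": 7}


def triage(findings, kev, vex, today_iso, sla_days=SLA_DAYS):
    """Return one triage record per (component, CVE), KEV hits first.

    Findings covered by a not_affected VEX statement are recorded as
    suppressed (with the justification) and get no deadline; all other
    findings get an ISO-date deadline chosen by KEV membership.
    """
    today = date.fromisoformat(today_iso)
    records = []
    for component, cves in findings.items():
        for cve in cves:
            in_kev = cve in kev
            statement = vex.get((component, cve))
            if statement and statement["status"] == "not_affected":
                records.append({
                    "component": component, "cve": cve, "in_kev": in_kev,
                    "status": "suppressed",
                    "justification": statement["justification"],
                    "deadline": None,
                })
                continue
            lane = "kev" if in_kev else "default"
            deadline = today + timedelta(days=sla_days[lane])
            records.append({
                "component": component, "cve": cve, "in_kev": in_kev,
                "status": "open", "justification": None,
                "deadline": deadline.isoformat(),
            })
    # KEV-listed findings first, then earliest deadline, then CVE id.
    # ISO dates compare correctly as strings; suppressed items sort last.
    records.sort(key=lambda r: (not r["in_kev"], r["deadline"] or "9999-12-31", r["cve"]))
    return records


def overdue(records, today_iso):
    """Open records whose deadline has passed: the list that should be
    empty in every monitoring report sent to the postmarket file."""
    return [r for r in records if r["status"] == "open" and r["deadline"] < today_iso]


if __name__ == "__main__":
    run_date = "2026-06-03"  # constructed: the day after the KEV addition in the feed
    report = triage(SBOM_FINDINGS, KEV_SUBSET, VEX_STATEMENTS, run_date)
    for r in report:
        print(f'{r["cve"]:<15} kev={str(r["in_kev"]):<5} {r["status"]:<10} '
              f'deadline={r["deadline"]}  {r["justification"] or ""}')
    print("overdue:", [r["cve"] for r in overdue(report, run_date)])
```

Running the script on the constructed data gives the KEV-listed kernel CVE a next-day deadline, the non-KEV placeholder a seven-day deadline, and records the VEX-suppressed finding with its justification rather than dropping it, which is what keeps the triage history reviewable.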
References & further reading
Primary sources behind this tool
- Postmarket Management of Cybersecurity in Medical Devices (Dec 2016) - FDA
- 21 CFR Part 806 - Reports of Corrections and Removals - U.S. Code of Federal Regulations
- AAMI TIR97:2019 - Principles for Medical Device Security: Postmarket Risk Management - AAMI
- CISA Known Exploited Vulnerabilities Catalog - CISA
- FDA §524B Postmarket Obligations Summary - FDA
Recent regulatory + supply-chain activity
Tracked signals that change what reviewers expect. Items move on as new ones land.
- Jun 30, 2026 (EOS clock): RHEL 7 Extended Life Support phase ends - devices on RHEL 7 need a compensating-controls memo
- Jun 9, 2026 (CISA KEV): CISA adds Arista Extensible Operating System (CVE-2026-7473) to KEV - Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
- Jun 2, 2026 (CISA KEV): CISA adds Linux Kernel (CVE-2022-0492) to KEV - Linux Kernel Improper Authentication Vulnerability
- Jun 2, 2026 (CISA KEV): CISA adds Android Framework (CVE-2025-48595) to KEV - Android Framework Integer Overflow Vulnerability
From cadence on paper to operating program.
- Postmarket cybersecurity services: Monitoring, CVD, patch validation, and FDA reporting workflows.
- Postmarket readiness plan: The plan template reviewers expect to see.
- SBOM services: Continuous CVE/KEV/VEX monitoring against your SBOM.
- More tools: PCCP, threat model starter, CVD policy generator.