    6-domain SPDF audit

    SPDF Gap Checker

    Score your Secure Product Development Framework across governance, design, implementation, V&V, postmarket, and supply chain - plus a conditional AI/PCCP domain - mapped to the FDA's Feb 3, 2026 final premarket cybersecurity guidance, IEC 81001-5-1, and the FDA PCCP final guidance.

    Christian Espinosa, Founder & CEO, Blue Goat Cyber

    Reviewed by Christian Espinosa, Founder & CEO, Blue Goat Cyber

    Last reviewed June 29, 2026

    Security Risk Management Governance

    Security risk integrated into the QMS, with accountable roles and policy approvals.

    Documented product cybersecurity policy approved by senior management

    Sets scope, roles, escalation, and review cadence.

    Named product security owner per product line

    A single accountable person, not a committee.

    Cyber requirements traceable in design inputs / design outputs

    Per ISO 13485 §7.3 (design and development), which the QMSR (21 CFR 820) incorporates by reference; the old 820.30 design-controls section no longer exists on its own.

    Annual secure-development training for engineering

    Recorded, role-specific.

    Secure Design & Architecture

    Cyber controls baked in, not bolted on.

    Living threat model (STRIDE / TIR57) linked to architecture

    Updated on architecture change.

    Documented trust boundaries and data-flow diagram

    Diagram, not prose.

    Secure-by-default configuration baseline

    No default credentials, services off by default.

    Cryptography per FIPS 140-3 / NIST SP 800-131A

    Approved algorithms, validated modules where applicable.

    Identity, authentication, and least-privilege model

    Per IEC 81001-5-1 §5.

    Secure Implementation

    Build the thing the design called for, with controls reviewers can verify.

    SAST + secrets scanning in CI on every PR

    Blocking, not informational.

    SBOM generated each build (SPDX or CycloneDX)

    Build-traceable, not periodic.

    SCA + CVE / KEV correlation against SBOM

    Daily or per-build.

    Code-signing and verified / measured boot

    Where the hardware supports it.

    AI-generated code tracked, reviewed, and provenance-logged

    Per 2026 guidance expectations.

    Verification & Validation

    Security testing tied back to threat-model items.

    Independent penetration test scoped from the threat model

    Not a one-off scan.

    Protocol / interface fuzzing on exposed surfaces

    Wi-Fi, BLE, USB, vendor APIs.

    Test → threat → control → requirement traceability

    Reviewers will look for it.

    Security regression tests in CI

    Re-run on every release.

    Postmarket Vulnerability Management

    Required by §524B and the postmarket guidance.

    Published CVD policy with SLAs

    ISO/IEC 29147 (disclosure) and ISO/IEC 30111 (handling) aligned, with acknowledgement, triage, and fix targets stated per severity.

    Continuous SBOM monitoring + triage workflow

    Documented intake → triage → fix, re-run whenever the SBOM, the advisory feed, or the KEV catalog changes, not only at release.
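    The per-build "SCA + CVE / KEV correlation" item under Secure Implementation and the continuous monitoring item above are the same join run at different times. As an added example (not part of the original page or of the gap checker itself), the Go program below reads a CycloneDX fragment, matches each component against a vulnerability feed by name and fixed version, promotes anything on the CISA KEV list to the front of the triage queue, and returns the ordered findings. The SBOM, the advisory feed, the component names, and the CVE identifiers are constructed placeholders, not real data; `kevCatalog` stands in for the KEV JSON you would fetch from CISA.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed CycloneDX 1.5 fragment standing in for a build's SBOM. Component names are fictitious.
const sbomJSON = `{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "acme-tls", "version": "1.1.1k", "purl": "pkg:generic/acme-tls@1.1.1k"},
  {"type": "library", "name": "acme-compress", "version": "1.2.13", "purl": "pkg:generic/acme-compress@1.2.13"},
  {"type": "library", "name": "acme-utils", "version": "4.17.15", "purl": "pkg:npm/acme-utils@4.17.15"}]}`

// Advisory is one feed record (OSV, NVD or a vendor feed in practice); FixedIn is the first
// non-vulnerable version. The feed and KEV entries below are placeholders, not real CVEs.
type Advisory struct{ CVE, Name, FixedIn string }

var advisories = []Advisory{
	{CVE: "CVE-0000-0001", Name: "acme-tls", FixedIn: "1.1.1l"},
	{CVE: "CVE-0000-0002", Name: "acme-utils", FixedIn: "4.17.21"},
	{CVE: "CVE-0000-0003", Name: "acme-compress", FixedIn: "1.2.12"},
}
var kevCatalog = map[string]bool{"CVE-0000-0002": true} // stand-in for the CISA KEV catalog

// Component carries the CycloneDX fields needed here; encoding/json matches the lower-case keys case-insensitively.
type Component struct{ Name, Version, PURL string }

type Finding struct{ CVE, PURL, Priority string }

// splitNum splits a segment into numeric prefix and suffix so that "9" < "10" and "1k" < "1l".
func splitNum(s string) (int, string) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	n, _ := strconv.Atoi(s[:i])
	return n, s[i:]
}

// cmpVersion compares dotted versions segment by segment: -1 if a < b, 0 if equal, 1 if a > b.
func cmpVersion(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for len(as) < len(bs) {
		as = append(as, "0")
	}
	for len(bs) < len(as) {
		bs = append(bs, "0")
	}
	for i := range as {
		xn, xs := splitNum(as[i])
		yn, ys := splitNum(bs[i])
		switch {
		case xn != yn && xn < yn, xn == yn && xs < ys:
			return -1
		case xn != yn, xs != ys:
			return 1
		}
	}
	return 0
}

// correlate joins SBOM components against the feed, marks KEV-listed CVEs as P0 and orders
// the result so the triage queue starts with exploited-in-the-wild items.
func correlate(sbom []byte, feed []Advisory, kev map[string]bool) ([]Finding, error) {
	var doc struct{ Components []Component }
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	var out []Finding
	for _, c := range doc.Components {
		for _, a := range feed {
			if a.Name != c.Name || cmpVersion(c.Version, a.FixedIn) >= 0 {
				continue // different component, or already at/after the fixed version
			}
			priority := "P2-scheduled"
			if kev[a.CVE] {
				priority = "P0-exploited-in-the-wild"
			}
			out = append(out, Finding{CVE: a.CVE, PURL: c.PURL, Priority: priority})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Priority < out[j].Priority })
	return out, nil
}

func main() {
	findings, err := correlate([]byte(sbomJSON), advisories, kevCatalog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-24s %s %s\n", f.Priority, f.CVE, f.PURL)
	}
}
```

    In a pipeline the feed and the KEV catalog are fetched rather than embedded, and the count of P0 findings is the "KEV exposure" number the quarterly metrics item asks for. The version comparison here is a plain dotted-segment compare that only handles a "fixed in" boundary; production tooling should use each ecosystem's own version semantics and affected-range syntax rather than this simplification.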

    Patch / OTA mechanism validated for the device

    Signed manifest, anti-rollback version check, and payload integrity all verified on the device before anything is parsed or flashed.
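    As an added example, not taken from the page or from any vendor's updater, the Go program below shows what "signed, rollback-safe, integrity-checked" means in code: the release key signs only a small manifest, the manifest carries a monotonic version and the payload's SHA-256, and the device checks signature, model, version, and digest in that order before touching the image. The device model name, manifest layout, and firmware bytes are constructed for the example; the key pair is generated at run time and stands in for an HSM-held release key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the only thing the release key signs. The firmware payload is bound
// to it by digest, so a swapped payload fails integrity even with a valid manifest.
type Manifest struct {
	Model      string `json:"model"`
	Version    uint64 `json:"version"` // monotonic counter used for anti-rollback
	PayloadSHA string `json:"payload_sha256"`
}

// SignedUpdate is what arrives over the air: the exact manifest bytes that were
// signed (never re-serialised on the device), the signature, and the payload.
type SignedUpdate struct {
	ManifestBytes, Signature, Payload []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongModel   = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("update version is not newer than the installed version")
	ErrBadDigest    = errors.New("payload digest does not match manifest")
)

// Verify checks signature, model, anti-rollback and payload digest, in that order, before a
// single byte of the payload is parsed or flashed. installed should come from tamper-resistant
// storage (an RPMB or eFuse counter, for example), never from the image being replaced.
func Verify(pub ed25519.PublicKey, upd SignedUpdate, model string, installed uint64) (*Manifest, error) {
	if !ed25519.Verify(pub, upd.ManifestBytes, upd.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(upd.ManifestBytes, &m); err != nil {
		return nil, err
	}
	if m.Model != model {
		return nil, ErrWrongModel
	}
	if m.Version <= installed {
		return nil, ErrRollback
	}
	want, err := hex.DecodeString(m.PayloadSHA)
	sum := sha256.Sum256(upd.Payload)
	if err != nil || subtle.ConstantTimeCompare(sum[:], want) != 1 {
		return nil, ErrBadDigest
	}
	return &m, nil
}

// BuildUpdate is the release-side step. In production the private key lives in an HSM;
// here a throwaway key is used so the example runs offline.
func BuildUpdate(priv ed25519.PrivateKey, model string, version uint64, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	mb, err := json.Marshal(Manifest{Model: model, Version: version, PayloadSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestBytes: mb, Signature: ed25519.Sign(priv, mb), Payload: payload}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image, not a real one")
	upd, _ := BuildUpdate(priv, "infusion-pump-x1", 42, image)

	_, err := Verify(pub, upd, "infusion-pump-x1", 41)
	fmt.Println("genuine v42 over v41:", err) // <nil>

	tampered := upd // same signed manifest, one payload byte flipped
	tampered.Payload = append([]byte{}, image...)
	tampered.Payload[0] ^= 0xff
	_, err = Verify(pub, tampered, "infusion-pump-x1", 41)
	fmt.Println("tampered payload:", err) // payload digest does not match manifest

	_, err = Verify(pub, upd, "infusion-pump-x1", 42) // replaying a valid older image
	fmt.Println("replayed v42 over v42:", err) // update version is not newer than the installed version
}
```

    The ordering matters: the signature is checked before the manifest is parsed, so a malformed manifest from an unauthenticated source never reaches the JSON decoder, and the digest is compared in constant time. Signing the manifest rather than the whole image also keeps the signed blob small enough to verify from a bootloader with limited RAM.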

    21 CFR 806 / FDA postmarket reporting playbook

    Per the 2016 postmarket guidance, a correction for uncontrolled risk is reportable under 21 CFR 806 unless there are no known serious adverse events or deaths, users are notified and interim compensating controls are in place within 30 days, the validated fix ships within 60 days, and you participate in an ISAO.

    Postmarket security metrics reviewed quarterly with management

    MTTR, KEV exposure, patch coverage.

    Supply Chain & Component Risk

    What enters the build is as important as what you write.

    Vendor / component security questionnaire on critical dependencies

    Including AI training-data provenance.

    Build provenance (SLSA L2+ or equivalent)

    Signed provenance from a hosted build platform at SLSA Build L2; isolated, hardened builds at L3.

    Dependency-confusion + typosquat defenses

    Internal scopes pinned to the private registry with no public fallback, lockfile integrity hashes enforced in CI, new names screened against look-alikes.
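    As an added example (not the page's own tooling), the Go check below audits an npm lockfile the way a CI gate would: any package in the organisation's private scope that resolved from anywhere but the private registry is flagged as dependency confusion, every tarball must come from an allowed host and carry a sha512 integrity hash, and a name within two edits of a well-known package is flagged as a possible typosquat. The lockfile, the `@acme` scope, the `npm.acme.internal` host, and the allowlists are constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed package-lock.json (lockfileVersion 3) for an imaginary device UI. "@acme" is the
// organisation's private scope and npm.acme.internal its registry; both are assumptions.
const lockJSON = `{"name": "device-ui", "lockfileVersion": 3, "packages": {"": {"name": "device-ui"},
  "node_modules/@acme/telemetry": {"version": "1.4.0", "integrity": "sha512-constructed", "resolved": "https://npm.acme.internal/@acme/telemetry/-/telemetry-1.4.0.tgz"},
  "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-constructed", "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
  "node_modules/@acme/analytics": {"version": "9.9.9", "integrity": "sha512-constructed", "resolved": "https://registry.npmjs.org/@acme/analytics/-/analytics-9.9.9.tgz"},
  "node_modules/lodahs": {"version": "4.17.21", "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-4.17.21.tgz"}}}`

// Policy is what the CI gate enforces; the values in samplePolicy are assumptions for the example.
type Policy struct {
	PrivateScope string          // internal names must only ever resolve from PrivateHost
	PrivateHost  string
	AllowedHosts map[string]bool // every resolved tarball must come from one of these
	WellKnown    []string        // popular names a typosquat would imitate
}

var samplePolicy = Policy{
	PrivateScope: "@acme/",
	PrivateHost:  "npm.acme.internal",
	AllowedHosts: map[string]bool{"npm.acme.internal": true, "registry.npmjs.org": true},
	WellKnown:    []string{"lodash", "express", "react"},
}

// levenshtein is the plain edit distance (a transposition such as "lodahs"/"lodash" counts as 2).
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j-1] // substitution, free on a match
			if a[i-1] != b[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev = cur
	}
	return prev[len(b)]
}

// auditLock returns one line per policy violation, sorted so CI output is stable.
// encoding/json matches the lower-case lockfile keys to these fields case-insensitively.
func auditLock(lock []byte, p Policy) ([]string, error) {
	var doc struct{ Packages map[string]struct{ Resolved, Integrity string } }
	if err := json.Unmarshal(lock, &doc); err != nil {
		return nil, err
	}
	var findings []string
	for path, e := range doc.Packages {
		if path == "" {
			continue // the root project entry
		}
		name := path // nested entries look like node_modules/a/node_modules/b
		if i := strings.LastIndex(path, "node_modules/"); i >= 0 {
			name = path[i+len("node_modules/"):]
		}
		host := ""
		if u, err := url.Parse(e.Resolved); err == nil {
			host = u.Host
		}
		switch { // an internal name served by a public registry is the dependency-confusion signature
		case strings.HasPrefix(name, p.PrivateScope) && host != p.PrivateHost:
			findings = append(findings, fmt.Sprintf("dependency-confusion: %s resolved from %q, expected %s", name, host, p.PrivateHost))
		case !p.AllowedHosts[host]:
			findings = append(findings, fmt.Sprintf("unexpected-registry: %s resolved from %q", name, host))
		}
		if !strings.HasPrefix(e.Integrity, "sha512-") {
			findings = append(findings, fmt.Sprintf("no-integrity: %s has no sha512 integrity hash", name))
		}
		for _, w := range p.WellKnown {
			if name != w && levenshtein(name, w) <= 2 {
				findings = append(findings, fmt.Sprintf("typosquat: %s is within 2 edits of %s", name, w))
			}
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	findings, _ := auditLock([]byte(lockJSON), samplePolicy)
	fmt.Println(strings.Join(findings, "\n"))
}
```

    The registry and integrity checks are hard failures; the edit-distance check is noisy by design (a legitimate "reach" sits one edit from "react"), so treat it as a review prompt rather than a block. The same three checks translate directly to other ecosystems, for example pip with a single --index-url and no --extra-index-url fallback plus hash-checked requirements.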

    End-of-support roadmap for OS / chipsets

    Pre-EoL replacement plan exists.

    What you'll see after you submit

    Six SPDF domains scored, with explicit gaps and weighted maturity

    • Governance, secure design, implementation, V&V, postmarket, supply chain - each scored independently.
    • Weighted maturity score so the items reviewers care most about move the needle most.
    • Domain-by-domain gap list (No = critical, Partial = follow-up) ready to drop into a remediation plan.
    • JSON export for handing to your QMS / GRC system.

    Common misconceptions

    What teams usually get wrong

    • Myth: SPDF is a single document we write before submission.

      Reality: SPDF is the framework your organization operates under across the total product life cycle (TPLC). The submission references it; the framework runs your engineering org.

    • Myth: IEC 62304 lifecycle = SPDF.

      Reality: 62304 governs software lifecycle activities; SPDF adds security risk management, threat modeling, postmarket vulnerability handling, and supply-chain controls on top.

    • Myth: If we're 81001-5-1 conformant, the SPDF is done.

      Reality: 81001-5-1 is the strongest single anchor, but the FDA expects integration with the QMSR (21 CFR 820), ISO 14971, and the premarket cyber guidance - not 81001-5-1 alone.

    Why this tool is current

    Recent regulatory + supply-chain activity

    Tracked signals that change what reviewers expect. Items move on as new ones land.
