What does Section 524B require for postmarket?

Section 524B requires a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits in a reasonable time, plus processes to make updates and patches available on a defined cadence. In practice that means continuous SBOM monitoring with VEX triage, a published coordinated vulnerability disclosure program, a documented patch pipeline with validation evidence, and a defined process for FDA reportable event communications. The FDA's 2025 postmarket guidance expands on each of these expectations with concrete examples of the artifacts reviewers expect during inspections and supplements.

What is Coordinated Vulnerability Disclosure (CVD), and is it required?

CVD is the structured process for receiving, triaging, acknowledging, and responding to security reports from outside researchers and customers. The FDA expects manufacturers of cleared cyber devices to operate one, and we run our own program at /cvd as a working reference for clients building theirs. A credible CVD program publishes a policy on your website, exposes a security.txt file, defines an acknowledgement timeline (usually within five business days), defines a triage and remediation timeline by severity, and offers a safe-harbor commitment for good-faith researchers. Without these elements, researchers default to public disclosure - which is much more expensive to handle than a coordinated one.

How do we handle legacy devices that pre-date current guidance?

Compensating controls, end-of-support communications, and a documented risk acceptance process traceable into your ISO 14971 risk file. AAMI TIR97 gives the framework for end-of-life and end-of-support security planning; our legacy device service operationalizes it with a gap assessment against current FDA expectations, a remediation roadmap prioritized by clinical risk and regulatory exposure, generation of missing artifacts (SBOM, threat model, security risk assessment, architecture views), and customer-facing communication templates calibrated for hospitals and IDNs. The output is a defensible package that supports the next supplement without forcing a redesign of devices that were never built to today's expectations.

Topic hub

Postmarket Medical Device Cybersecurity

FDA clearance isn't the finish line - it's the start of your postmarket cybersecurity obligations. This hub collects our postmarket service, coordinated vulnerability disclosure (CVD) program guidance, legacy device strategy, and the standards (AAMI TIR97, IEC 81001-5-1, the FDA's 2025 postmarket guidance) that define what 'good' looks like in the field. A real postmarket program produces objective evidence at five touchpoints: continuous SBOM and CVE monitoring with weekly VEX triage, a published CVD policy with researcher acknowledgement workflow, a defined patch validation cadence integrated with your release pipeline, FDA reportable event templates and decision trees, and customer advisory communications calibrated for hospital and IDN procurement teams. The reporting cadence we recommend is monthly engineering review, quarterly leadership and audit-ready summary, and annual program assessment under your QMS.

Services

In-depth guides

Postmarket Cybersecurity Readiness PlanA three-phase plan, Premarket → Launch → Operate, for the cybersecurity work that starts before your 510(k) is filed, lights up before your first device ships, and runs for the life of the product. Aligned to the FDA February 2026 final guidance.

Standards & guidance

Defined entries from our MedTech Cybersecurity Standards Glossary.

From the blog

Related FDA deficiencies

The deficiency letters reviewers most often write on submissions in this topic area. Each links to the full response playbook.

Browse all deficiency topics

Topic FAQ

Postmarket Medical Device Cybersecurity - frequently asked questions

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services