Skip to main content

FDA Premarket Cybersecurity Requirements for Medical Devices (Section 524B)

FDA Section 524B requires connected medical device makers to demonstrate cybersecurity in premarket submissions, including SBOMs, update plans, and coordinated vulnerability disclosure. The FDA can refuse submissions that fall short.

Jurisdiction
United States

What the FDA Premarket Cybersecurity Requirements Are

Under Section 524B of the Federal Food, Drug, and Cosmetic Act, added by the Consolidated Appropriations Act of 2023, the FDA can require that makers of connected medical devices demonstrate cybersecurity as a condition of premarket review. These requirements exist because networked devices, such as infusion pumps, imaging systems, and monitors, can be exploited to harm patients or breach hospital networks. The FDA began enforcing these expectations through refuse-to-accept criteria and detailed premarket guidance.

The rule reframes device security as a lifecycle obligation that begins in design and continues through deployment and end of support.

Who It Applies To

The requirements apply to manufacturers submitting premarket applications for a "cyber device" — a device that includes software, can connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. This includes most modern connected medical devices and certain software as a medical device products seeking U.S. market clearance or approval.

Key Requirements

  • Secure product development — Apply secure-by-design practices and a plan to monitor, identify, and address vulnerabilities post-market.
  • Software bill of materials (SBOM) — Provide an SBOM covering commercial, open source, and off-the-shelf software components.
  • Patch and update process — Demonstrate the ability to deploy timely security updates and patches.
  • Vulnerability disclosure — Establish coordinated vulnerability disclosure and handling processes.
  • Threat modeling and testing — Provide evidence of threat modeling, security risk assessment, and security testing.
  • Labeling — Communicate security-relevant information to users and operators.

Penalties for Non-Compliance

The FDA can refuse to accept or clear submissions that do not meet cybersecurity expectations, delaying or blocking market entry. Post-market, inadequate security handling can trigger safety communications, recalls, and broader FDA enforcement under existing medical device authorities. Reputational and patient-safety consequences add to the regulatory risk.

How to Comply

Integrate security into the device development lifecycle, perform threat modeling, and generate and maintain a machine-readable SBOM. Establish a coordinated vulnerability disclosure program and a dependable mechanism for shipping signed updates across the device's supported life. Document the cybersecurity plan in premarket submissions, align with recognized consensus standards, and continue post-market monitoring so newly discovered vulnerabilities are triaged and remediated.