Question 1

What is Section 524B and when did it take effect?

Accepted Answer

Section 524B of the Federal Food, Drug, and Cosmetic Act was enacted as part of the Consolidated Appropriations Act of 2023 (signed December 29, 2022). It requires medical device manufacturers to include cybersecurity information in premarket submissions starting October 1, 2023. This includes a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities, a process for coordinated vulnerability disclosure, and a software bill of materials (SBOM).

Question 2

Does the FDA require an SBOM for all devices?

Accepted Answer

Yes. Under Section 524B, the FDA requires a Software Bill of Materials for all cyber devices submitted for premarket review. The SBOM must include commercial, open-source, and off-the-shelf software components, including any components that may be susceptible to known vulnerabilities. We generate SBOMs in industry-standard formats (SPDX or CycloneDX) and help you establish a process for keeping them current through the device lifecycle.

Question 3

What frameworks does the FDA reference for cybersecurity?

Accepted Answer

The FDA's premarket cybersecurity guidance (Section 524B of the FD&C Act, effective October 2023) requires medical device manufacturers to submit cybersecurity documentation as part of their premarket submissions.

Our FDA cybersecurity practice helps medical device manufacturers, digital health companies, and IVD developers build and document the cybersecurity controls the FDA expects.

We bring a compliance-first approach grounded in NIST CSF 2.0, IEC 62443, AAMI TIR57, and the FDA's own guidance documents.

Frameworks: FDA Premarket Cybersecurity Guidance, NIST CSF 2.0, IEC 62443, AAMI TIR57, HIPAA, UL 2900

Question 4

Can you help if we received an FDA deficiency letter about cybersecurity?

Accepted Answer

Yes. We have experience remediating FDA cybersecurity deficiency letters. Our process includes analyzing the specific deficiency cited, identifying the gaps in your submission, building or updating the required cybersecurity documentation, and preparing a response package that addresses each deficiency point. Typical turnaround for deficiency letter remediation is 4 to 8 weeks depending on the scope of gaps identified.

Question 5

Do you perform penetration testing on medical devices?

Accepted Answer

Yes. We perform penetration testing on medical devices including firmware analysis, wireless protocol testing (Bluetooth, Wi-Fi, Zigbee), API and cloud backend testing, and network interface testing. Our testing methodology aligns with FDA expectations and produces documentation suitable for inclusion in premarket submissions. We also provide retesting after remediation to verify that identified vulnerabilities have been addressed.

FDA Cybersecurity

Who This Is For

What You Get

Frequently Asked Questions

Strengthen Your FDA Cybersecurity Compliance with Penetration Testing

Ready to Get Started?