The U.S. Food and Drug Administration (FDA) has released an updated version of its premarket submission guidance on cybersecurity requirements for medical devices to more closely align with current management system standards and practices.
The updated Guidance, “Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions,” addresses requirements of the FDA’s Quality Management System Regulation (QMSR) as they relate to the process of “identifying, analyzing, evaluating, controlling, and monitoring risk throughout the product lifecycle” of a given medical device.
As a potential approach to addressing the requirements of the QMSR, the Guidance proposes that manufacturers consider adopting and implementing a secure product development framework (SPDF). The Guidance defines an SPDF as “a set of processes that reduces the number and severity of vulnerabilities in products throughout the device lifecycle.”
The updated Guidance replaces an earlier version issued by the FDA in June 2025. The FDA says that the recommendations presented in the updated Guidance now generally align with or expand upon those presented in a guidance issued in March 2020 by the International Medical Device Regulators Forum (IMDRF).
As a reminder, guidance documents issued by the FDA are intended to reflect the agency’s current thinking on a particular issue and do not have the force of law.
The FDA’s updated version of its Guidance on cybersecurity in medical devices is available at https://www.fda.gov/media/119933/download.
