2025 FDA Cybersecurity Guidance: How Sectech Solutions Can Help

The U.S. Food and Drug Administration (FDA) released its updated guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, on June 26, 2025, superseding the 2023 version. This update introduces stricter requirements for medical device manufacturers, particularly for "cyber devices" that contain software or connect to networks, even indirectly. With cybersecurity incidents impacting 53% of connected medical devices in hospitals, according to a 2022 FBI report, the FDA’s new rules are critical for patient safety and regulatory compliance. At Sectech, our expert cyber consultants are equipped to guide manufacturers through these changes to achieve seamless FDA 510(k) clearance.

This blog highlights the key updates in the 2025 FDA guidance, focusing on Software Bill of Materials (SBOM) requirements and security testing, and explains how Sectech Solutions can help your team stay compliant.

Key Changes in the 2025 FDA Cybersecurity Guidance

The 2025 guidance builds on the 2023 framework, introducing clarifications, updated standards, and a new section to align with Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act). Below are the most significant updates, supported by relevant statistics:

Expanded Definition of "Cyber Device"

The FDA now defines a "cyber device" as any medical device containing software (including firmware) or programmable logic, regardless of network connectivity. This includes devices with latent connectivity features like USB ports or Bluetooth. A 2024 report by Finite State notes that 68% of medical devices with software are now classified as cyber devices, significantly expanding the scope of compliance. Manufacturers must demonstrate a "reasonable assurance of cybersecurity" for these devices, even if cleared before 2023.

What This Means for You: If your device contains software, you must comply with the new cybersecurity requirements, including submitting comprehensive documentation. For devices previously cleared without cybersecurity documentation, any modification—whether it impacts cybersecurity or not—requires specific submissions, such as a Vulnerability Monitoring and Management Plan.

Strengthened SBOM Requirements

The Software Bill of Materials (SBOM) is a cornerstone of the 2025 guidance, with clearer expectations for inclusion in premarket submissions. The guidance mandates that SBOMs adhere to the National Telecommunications and Information Administration (NTIA) minimum requirements and be provided in machine-readable formats like SPDX or CycloneDX. A 2024 survey by Blue Goat Cyber found that 72% of medical device manufacturers struggle to produce compliant SBOMs due to complex third-party software dependencies. SBOMs must detail all software components, including commercial, open-source, and off-the-shelf software, along with their support windows and known vulnerabilities.

Key Updates to SBOM Requirements:

  • Mandatory for Cyber Devices: All 510(k) submissions for cyber devices must include an SBOM as part of the 12 required cybersecurity documents in the eSTAR submission process. Since October 2023, submissions lacking a compliant SBOM face a Technical Screening hold, with 15% of 510(k) submissions receiving Refuse to Accept (RTA) letters for incomplete cybersecurity documentation.
  • Change-Impact Taxonomy: The guidance introduces a taxonomy to categorize updates as "may impact" or "unlikely to impact" cybersecurity. Modifications affecting cybersecurity require a new SBOM and full compliance. Even for changes with no cybersecurity impact, a minimal SBOM update is required to demonstrate no critical vulnerabilities.
  • Post-Market Monitoring: Manufacturers must continuously monitor SBOM components for vulnerabilities throughout the device lifecycle, aligning with the FDA’s 2016 post-market cybersecurity guidance and AAMI TIR97:2019. A 2023 report by MITRE noted that 60% of legacy medical devices lack updated SBOMs, increasing vulnerability to ransomware attacks.

Why It Matters: An accurate SBOM is essential for identifying vulnerabilities and ensuring timely remediation. Non-compliant SBOMs can delay FDA clearance, with 20% of manufacturers reporting delays due to SBOM-related issues in 2024.
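A machine-readable SBOM is only useful to a reviewer if it actually carries the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp). The following added example, which is not part of the original post or of any Sectech or FDA tooling, reads a CycloneDX JSON SBOM and lists the elements that are missing; the device, components and versions in the embedded sample are constructed for illustration, and the field names follow the CycloneDX JSON schema.

```python
# Added example (not from the Sectech post or the FDA guidance): check a
# CycloneDX JSON SBOM for the NTIA minimum elements the guidance points to.
import json

COMPONENT_FIELDS = ("supplier", "name", "version")  # per-component NTIA elements
IDENTIFIER_FIELDS = ("purl", "cpe", "swid")         # "other unique identifiers"

# Constructed sample: component c2 lacks supplier, version and identifier and is
# absent from the dependency graph, so the check should flag all four gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-07-01T12:00:00Z",
        "authors": [{"name": "Example Device Co. product security"}],
        "component": {"bom-ref": "dev-1", "type": "device",
                      "name": "ExampleInfusionPump", "version": "3.2.0"},
    },
    "components": [
        {"bom-ref": "c1", "type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@3.0.13"},
        {"bom-ref": "c2", "type": "library", "name": "legacy-ble-stack"},
    ],
    "dependencies": [{"ref": "dev-1", "dependsOn": ["c1"]}],
})


def ntia_gaps(sbom_json: str) -> list[str]:
    """Return one finding per missing NTIA minimum element; [] means complete."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    gaps: list[str] = []
    # Document-level elements: author of SBOM data and timestamp.
    if not (meta.get("authors") or meta.get("tools")):
        gaps.append("metadata: no SBOM author")
    if not meta.get("timestamp"):
        gaps.append("metadata: no timestamp")
    # Dependency relationship: collect every bom-ref named in the graph.
    in_graph: set[str] = set()
    for dep in bom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    # Component-level elements: supplier, name, version, unique identifier.
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        gaps += [f"{ref}: missing {f}" for f in COMPONENT_FIELDS if not comp.get(f)]
        if not any(comp.get(f) for f in IDENTIFIER_FIELDS):
            gaps.append(f"{ref}: no unique identifier")
        if ref not in in_graph:
            gaps.append(f"{ref}: not in dependency graph")
    return gaps
```

Running `ntia_gaps(SAMPLE_SBOM)` reports the four gaps on `c2` and nothing for `c1`; the same check can be wired into a build pipeline so an incomplete SBOM fails before it reaches an eSTAR package.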

Enhanced Security Testing Requirements

The 2025 guidance emphasizes rigorous security testing to ensure device resilience against cyber threats. The FDA recommends a Secure Product Development Framework (SPDF) that includes threat modeling, security architecture, and comprehensive testing. A 2025 study found that 65% of medical devices fail initial penetration tests due to unaddressed vulnerabilities, underscoring the need for robust testing protocols.

Key Updates to Security Testing:

  • Mandatory Penetration Testing: A penetration test report is now a critical component of premarket submissions, particularly for devices with software or connectivity. In 2024, 30% of 510(k) submissions were flagged for inadequate penetration testing documentation.
  • Fuzz Testing: The guidance highlights fuzz testing to identify unexpected vulnerabilities in software, especially for web, mobile, cloud, and embedded systems. AAMI SW96 recommends fuzz testing for all cyber devices to ensure resilience.
  • Continuous Monitoring: Post-market cybersecurity requires ongoing vulnerability monitoring and rapid response to new threats. For vulnerabilities posing uncontrolled risks to patient safety, manufacturers must communicate with customers within 30 days and provide remediation within 60 days. A 2022 FBI report noted that ransomware attacks on medical devices increased by 47% from 2020 to 2022, emphasizing the need for continuous monitoring.
  • Alignment with Standards: The guidance references AAMI SW96 and IEC 81001-5-1 for risk-based cybersecurity testing. These standards ensure testing processes meet FDA expectations.

Why It Matters: Robust security testing is a regulatory requirement. Inadequate testing can lead to FDA rejection, with 25% of 510(k) submissions in 2024 delayed due to insufficient cybersecurity testing evidence.

New Section VII: Addressing Section 524B of the FD&C Act

The introduction of Section VII outlines compliance with Section 524B, mandating cybersecurity requirements for cyber devices. This section requires manufacturers to submit:

  • A security risk management plan.
  • An SBOM.
  • A vulnerability monitoring and management plan.
  • Assurance narratives demonstrating cybersecurity resilience.

What This Means for You: Even devices with minimal connectivity (e.g., USB ports) are subject to these requirements. Non-compliance can lead to criminal penalties or RTA letters, with 10% of 2023 submissions rejected for failing to address Section 524B requirements.

How Sectech Solutions Can Help

Navigating the 2025 FDA cybersecurity guidance requires specialized expertise. At Sectech, we offer tailored cybersecurity consulting to ensure compliance and streamline your 510(k) submission process:

  • Gap Assessments: Our experienced consultants conduct thorough gap assessments to identify deficiencies in your current cybersecurity practices, ensuring alignment with the 2025 FDA guidance and industry standards like AAMI SW96 and IEC 81001-5-1.
  • SBOM Development and Management: Our team helps create machine-readable SBOMs compliant with NTIA standards, integrating tools like CycloneDX and SPDX. We also implement continuous monitoring to keep SBOMs updated, reducing vulnerability risks.
  • Comprehensive Security Testing: We conduct penetration testing, fuzz testing, and vulnerability assessments aligned with AAMI SW96 and IEC 81001-5-1, ensuring your device meets FDA expectations.
  • Regulatory Documentation: We assist in preparing the 12 required cybersecurity documents for eSTAR submissions, minimizing the risk of RTA letters.
  • Post-Market Compliance: Our consultants develop vulnerability monitoring and management plans to ensure ongoing compliance and rapid response to emerging threats.

With cyber threats to medical devices rising, partnering with Sectech Solutions ensures your devices are secure and compliant. Contact us to learn how we can support your FDA 510(k) journey and safeguard patient safety.