
2025 Cyber Updates: FDA 2025 Cybersecurity Update for Medical Device Manufacturers

  • Writer: Rajesh Kanungo
  • 2 days ago

The FDA released a revised guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” Key updates include:


  • Alignment with FD&C Act Section 524B: Applies to all “cyber devices” (including SaMD), making it legally binding.

  • Added Section VII to consolidate premarket cybersecurity recommendations for “cyber devices” under FD&C Act 524B.

  • Clearer expectations for labeling, software updates, SBOM tracking, third-party software management, and vulnerability management.

  • Supersedes the 2023 guidance of the same title.

  • Secure Product Development Framework (SPDF) is now the central strategy.

  • Risk-based documentation requirements: Moved from high-level suggestions to requiring detailed scaling & architecture flow.

  • Structured premarket documentation to streamline FDA review and improve device resilience.

  • Appendices: expanded with templates and technical content.

  • Explicitly aligns with ISO 13485 and IMDRF Cybersecurity principles.


In short, the FDA has made its cybersecurity guidelines stricter. Link


To modernize internal operations, the FDA launched Elsa, a generative AI tool supporting staff across reviews, inspections, and compliance workflows, signaling growing FDA interest in leveraging AI responsibly. Link.


In a June whitepaper, the FDA urged manufacturers to strengthen OT security in medical product manufacturing, citing increasing vulnerabilities in industrial control systems. Link


Cyberattack Hits Device Manufacturer

On June 5, Minnesota-based Surmodics suffered a cybersecurity breach, disrupting its IT systems. The incident underscores the urgency of strong postmarket surveillance and response capabilities. Link



 
 
 
