FDA QMSR Surprise: Cybersecurity Just Moved Into the QMS
- Rajesh Kanungo
- 1 day ago
The quick version for busy people:
FDA now aligns with ISO 13485.
One global quality system. Nice.
Cybersecurity is now clearly part of the QMS.
Engineering and quality are about to spend more time together.
Threat modeling, vulnerability management, and updates now live inside documented quality processes.
Not just engineering notes anymore.
You may need to buy ISO 13485 to read it.
Regulatory harmonization apparently includes a shopping step.
So What Actually Changed?
The FDA’s new Quality Management System Regulation (QMSR) replaces the old Part 820 framework with a system based on ISO 13485:2016.
The goal is simple: align the U.S. with the rest of the world.
Most companies will barely notice the change in day-to-day engineering work. The device still needs to be secure. Software still needs to be maintained. Vulnerabilities still need to be managed.
For a more complete and entertaining description of the overall changes, my go-to person, Lisa Voronkova, has an excellent article here.
What does change is where cybersecurity lives organizationally.
Under the old system, cybersecurity often sat primarily with engineering. Teams handled threat modeling, vulnerability management, and update mechanisms, and then documented them when regulatory time came.
Under the new framework, cybersecurity is much more clearly tied to the Quality Management System itself.
That means activities like:
- threat modeling,
- vulnerability management,
- secure update processes,
- software lifecycle controls,
- and post-market monitoring
now fit directly into design controls, risk management, and post-market surveillance processes inside the QMS.
Translation: cybersecurity is no longer just an engineering activity. It is a quality system activity.
Quality teams and engineering teams are about to become even better friends.
The Small but Funny Surprise
There is also one small practical change that has caught a few startups off guard. Under the previous system, companies could read 21 CFR Part 820 online for free.
ISO standards work differently.
ISO 13485 is copyrighted, so companies usually need to purchase the standard to use it. It is not a massive cost, usually a couple of hundred dollars, but it does create a moment many founders recognize.
Someone eventually asks:
“Wait… do we actually have to buy the regulation?”
Not quite.
But you probably will buy the document that the regulation now points to.
The Bottom Line
From a cybersecurity perspective, the work itself has not changed much.
What has changed is that cybersecurity now sits squarely within the quality system rather than living mostly within engineering.
And somewhere along the way, someone will be approving a small purchase order for an ISO PDF.
Welcome to regulatory harmonization.
Further Reading
Food and Drug Administration. (2024). Quality management system regulation (QMSR); final rule. U.S. Department of Health and Human Services. https://www.federalregister.gov
Food and Drug Administration. (2023). Cybersecurity in medical devices: Quality system considerations and content of premarket submissions (Guidance for Industry and Food and Drug Administration Staff). U.S. Department of Health and Human Services. https://www.fda.gov
Food and Drug Administration. (2022). Quality management system regulation (QMSR) proposed rule. U.S. Department of Health and Human Services. https://www.federalregister.gov
International Organization for Standardization. (2016). Medical devices — Quality management systems — Requirements for regulatory purposes (ISO Standard No. 13485:2016). https://www.iso.org/standard/59752.html
International Organization for Standardization. (2019). Medical devices — Application of risk management to medical devices (ISO Standard No. 14971:2019). https://www.iso.org/standard/72704.html
International Electrotechnical Commission. (2006). Medical device software — Software life cycle processes (IEC Standard No. 62304:2006). https://www.iso.org/standard/38421.html
International Electrotechnical Commission. (2021). Health software and health IT systems safety, effectiveness and security, Part 5-1: Security — Activities in the product life cycle (IEC Standard No. 81001-5-1:2021). https://www.iso.org/standard/76097.html
Association for the Advancement of Medical Instrumentation. (2016). Principles For Medical Device Security - Risk Management (AAMI Standard No. TIR57:2016 (R2023)). https://webstore.ansi.org/standards/aami/aamitir572016r2023
Association for the Advancement of Medical Instrumentation. (2023). Principles For Medical Device Security - Postmarket Risk Management For Device Manufacturers (AAMI Standard No. TIR97:2019 (R2023)). https://webstore.ansi.org/standards/aami/aamitir972019r2023