What Does FDA Require for SaMD Cybersecurity?
- Beng Ee Lim
- 2 days ago
- 2 min read
TL;DR:
FDA’s 2025 draft mandates that SaMD developers provide a Software Bill of Materials (SBOM), threat model, secure-by-design evidence, and penetration-test results as part of premarket submissions. These must be embedded into your De Novo or 510(k) eSTAR modules.

Why Cybersecurity Matters for SaMD
With cyber-attacks on medical software rising and connected devices becoming more common, cybersecurity is no longer optional. The FDA has explicitly tied patient safety to strong cyber hygiene. Several warning letters in 2024 cited insufficient cyber documentation as the root cause for clearance delays. SaMD products face high scrutiny, especially those with network interfaces, data processing functions, or cloud dependencies.
Key 2025 Cybersecurity Expectations
1. SBOM (Software Bill of Materials)
The FDA expects a machine-readable SBOM that lists every software component, including:
- Component name and version
- Supplier
- License type
- Known vulnerabilities (linked to CVEs)
Use formats like CycloneDX or SPDX, and automate SBOM generation at build time.
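A small check of the kind a build pipeline can run over a CycloneDX JSON SBOM, verifying that every component carries the fields listed above (name, version, supplier, license) and collecting the CVE references linked to each component. This is an added example, not code from the article or from any SBOM tool; the SBOM document and the CVE identifier in it are constructed placeholders.

```python
"""Check a CycloneDX JSON SBOM for the component fields the FDA expects
(name, version, supplier, license) and list components with linked CVEs.
Added example; the SBOM below is constructed, not a real product's."""
import json

# Constructed sample SBOM (CycloneDX 1.5 JSON); the CVE id is a placeholder.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/examplecrypto@2.1.0",
         "name": "examplecrypto", "version": "2.1.0",
         "supplier": {"name": "Example Crypto Maintainers"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/oldparser@0.9",
         "name": "oldparser", "version": "0.9"},  # supplier and license missing
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-00000",  # placeholder, not a real CVE
         "affects": [{"ref": "pkg:pypi/oldparser@0.9"}]}
    ],
})

# Fields each component must carry to satisfy the submission checklist.
REQUIRED = ("name", "version", "supplier", "licenses")


def check_sbom(sbom_json: str) -> dict:
    """Return {'missing': {bom-ref: [fields]}, 'cves': {bom-ref: [CVE ids]}}."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    missing, cves = {}, {}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or f"{comp.get('name')}@{comp.get('version')}"
        gaps = [field for field in REQUIRED if not comp.get(field)]
        if gaps:
            missing[ref] = gaps
    # CycloneDX links vulnerabilities to components via affects[].ref.
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            cves.setdefault(target["ref"], []).append(vuln["id"])
    return {"missing": missing, "cves": cves}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

Run against the real build-time SBOM, a non-empty `missing` map is a submission gap to close before the eSTAR package is assembled.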
2. Threat Modeling
Map your architecture using the STRIDE or PASTA framework to identify:
- Entry points
- Threat vectors
- Mitigations applied
Attach diagrams and mitigation plans that align with your software risk profile.
3. Secure-by-Design Controls
Demonstrate implementation of controls like:
- Encryption (at rest and in transit)
- Role-based access control (RBAC)
- Digital signatures / code signing
Evidence should show these controls were considered from early development.
4. Validation & Penetration Testing
Include:
- Penetration test protocols
- Red team test results
- Fuzz testing summaries
Document vulnerabilities found, actions taken, and ensure test reproducibility.
5. Update & Patch Process
FDA wants to see:
- Defined roles for monitoring and patching
- 48–72 hour patch deployment window
- Rollback strategy for failed patches
Include this as part of your risk control and maintenance documentation.
Submission Checklist
| Deliverable | Description | Template / Tool |
| --- | --- | --- |
| SBOM | Full component list (CycloneDX or SPDX format) | SBOM wizard export |
| Threat Model | STRIDE diagram + mitigation table | Threat-model template |
| Secure-by-Design Evidence | Architecture diagram with security controls highlighted | Secure-design slide |
| Penetration-Test Report | Third-party test summary, vulnerability log, remediation actions | Pen-test report PDF |
| Patch & Rollback Plan | Documented update process, roles, timelines, rollback criteria | Patch plan checklist |
Best Practices & Pro Tips
- Automate SBOM generation in your CI/CD pipeline (e.g., a CycloneDX plugin).
- Embed security tests in every build, not just pre-submission.
- Link security docs to your IEC 62304/ISO 14971 traceability matrix, showing how risk controls tie to cyber tests.
- Use version control for SBOMs and threat-model artifacts (tag commits with submission versions).
- Validate early with an FDA Pre-Submission (Q-Sub) meeting to avoid last-minute surprises.
FAQ
Is an SBOM required for SaMD submissions?
Yes. FDA’s 2025 draft requires a complete SBOM for all premarket pathways.
What threat-modeling standard should I use?
STRIDE and PASTA are both acceptable. Pick one, be consistent, and provide mitigation documentation.
Do I need third-party penetration tests?
Yes. FDA expects independent pen-test results and remediation summaries, especially for connected or critical SaMD.