
FDA SaMD Cybersecurity (2025): §524B, SBOM, Testing & eSTAR

  • Writer: Beng Ee Lim
  • May 29
  • 3 min read

Updated: Sep 7

In June 2025 FDA finalized its cybersecurity guidance and clarified §524B obligations for “cyber devices.” For SaMD that connects to the internet, you must provide a postmarket vulnerability plan, processes that provide reasonable assurance of cybersecurity, and an SBOM. FDA also recommends threat modeling, security architecture views, vulnerability and penetration testing, and labeling/management plans—submitted via eSTAR (510(k) now; De Novo mandatory Oct 1, 2025).

Why Cybersecurity Matters for SaMD


With cyberattacks on medical software rising and connected devices becoming more common, cybersecurity is no longer optional. The FDA has explicitly tied patient safety to strong cyber hygiene. Several warning letters in 2024 cited insufficient cybersecurity documentation as the root cause of clearance delays. SaMD products face high scrutiny, especially those with network interfaces, data processing functions, or cloud dependencies.

Key 2025 Cybersecurity Expectations


1. SBOM (Software Bill of Materials)


The FDA expects a machine-readable SBOM that lists every software component and, for each one, records:


  • Component name and version

  • Supplier

  • License type

  • Known vulnerabilities (linked to CVEs)


Use a standard format such as CycloneDX or SPDX, and automate SBOM generation at build time so the inventory stays current with every release.
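As an added illustration of the per-component fields listed above (this is example code, not from the article or from Complizen), the Python script below audits a CycloneDX JSON SBOM for missing supplier and license data and for vulnerability entries that are not CVE-linked or point at components the SBOM does not contain. The embedded SBOM, its component names, supplier and CVE id are constructed placeholders.

```python
import json
import re

# Constructed CycloneDX 1.5 JSON SBOM (not from the article). The second component
# omits supplier and license; the second vulnerability has a non-CVE id and a dangling ref.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "lib-a", "name": "dicom-parser", "version": "2.4.1",
     "supplier": {"name": "Example Vendor Ltd"}, "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "lib-b", "name": "image-codec", "version": "0.9.1"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-00000", "affects": [{"ref": "lib-b"}]},
    {"id": "GHSA-xxxx-xxxx-xxxx", "affects": [{"ref": "lib-z"}]}
  ]
}"""  # CVE-0000-00000 is a placeholder, not a real CVE id

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def audit_sbom(sbom_json: str) -> dict:
    """Check the per-component fields the article lists (name, version, supplier,
    license) and that every listed vulnerability is CVE-linked and resolvable."""
    bom = json.loads(sbom_json)
    findings = []
    known_refs = set()
    for comp in bom.get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        known_refs.add(comp.get("bom-ref"))
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier")
        # CycloneDX allows either a license object (SPDX id or name) or an SPDX expression
        has_license = any(lic.get("expression") or (lic.get("license") or {}).get("id")
                          or (lic.get("license") or {}).get("name")
                          for lic in comp.get("licenses") or [])
        if not has_license:
            findings.append(f"{label}: missing license")
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id") or "<no id>"
        if not CVE_RE.match(vid):
            findings.append(f"vulnerability {vid}: id is not a CVE identifier")
        for target in vuln.get("affects", []):
            if target.get("ref") not in known_refs:
                findings.append(f"vulnerability {vid}: affects unknown bom-ref {target.get('ref')}")
    return {"components": len(bom.get("components", [])),
            "findings": findings, "passes": not findings}
```

Running `audit_sbom(SAMPLE_SBOM)` on the constructed SBOM reports four findings, which is the kind of gate you can wire into the build step that generates the SBOM.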


2. Threat Modeling


Map your architecture using a framework such as STRIDE or PASTA to identify:


  • Entry points

  • Threat vectors

  • Mitigations applied


Attach diagrams and mitigation plans that align with your software risk profile.


3. Secure-by-Design Controls


Demonstrate implementation of controls like:


  • Encryption (at rest & in transit)

  • Role-based access control (RBAC)

  • Digital signatures / code signing


Evidence should show that these controls were designed in from early development rather than added before submission.


4. Validation & Penetration Testing


Include:


  • Penetration test protocols

  • Red team test results

  • Fuzz testing summaries


Document the vulnerabilities found and the remediation actions taken, and make the tests reproducible.


5. Update & Patch Process


FDA wants to see:


  • Defined roles for monitoring & patching

  • A 48–72 hour patch deployment window

  • Rollback strategy for failed patches


Include this as part of your risk control and maintenance documentation.





Submission Checklist

| Deliverable | Description | Template / Tool |
| --- | --- | --- |
| SBOM | Full component list (CycloneDX or SPDX format) | SBOM wizard export |
| Threat Model | STRIDE diagram + mitigation table | Threat-model template |
| Secure-by-Design Evidence | Architecture diagram with security controls highlighted | Secure-design slide |
| Penetration-Test Report | Third-party test summary, vulnerability log, remediation actions | Pen-test report PDF |
| Patch & Rollback Plan | Documented update process, roles, timelines, rollback criteria | Patch plan checklist |




Best Practices & Pro Tips


  • Automate SBOM generation in your CI/CD pipeline (e.g., CycloneDX plugin).

  • Embed security tests in every build, not just pre-submission.

  • Link security docs to your IEC 62304/ISO 14971 traceability matrix—show how risk controls tie to cyber tests.

  • Use version control for SBOMs and threat-model artifacts (tag commits with submission versions).

  • Validate your approach early in a Pre-Sub (Q-Submission) meeting with FDA to avoid last-minute surprises.



The Fastest Path to Market


No more guesswork. Move from research to a defendable FDA strategy, faster. Backed by FDA sources. Teams report 12 hours saved weekly.


  • FDA Product Code Finder: find your code in minutes.

  • 510(k) Predicate Intelligence: see likely predicates with 510(k) links.

  • Risk and Recalls: scan MAUDE and recall patterns.

  • FDA Tests and Standards: map required tests from your code.

  • Regulatory Strategy Workspace: pull it into a defendable plan.


👉 Start free at complizen.ai
FAQ


Is an SBOM required for SaMD submissions?

Yes. FDA’s 2025 draft requires a complete SBOM for all premarket pathways.


What threat-modeling standard should I use?

STRIDE or PASTA are both acceptable. Pick one, be consistent, and provide mitigation documentation.


Do I need third-party penetration tests?

Yes. FDA expects independent pen-test results and remediation summaries, especially for connected or critical SaMD.
