FDA Updates Cybersecurity Guidance: Key Changes and Clarifications
The FDA released an updated version of its cybersecurity guidance document for pre-market submissions on June 27, 2025, marking the first revision since the original September 2023 release.
Below you’ll find redlined version of the 2025 guidance as compared to the 2023 version, along with a video explaining some of the key differences. .
While the document shows approximately 1,300 tracked changes, the core requirements remain fundamentally unchanged—FDA has focused on clarification and additional context rather than introducing new mandates.
Key Takeaways
Bottom Line: The updated guidance provides more clarity and context but doesn’t change the fundamental scope of the guidance or cybersecurity requirements for medical device manufacturers. If your device has software, this guidance likely applies regardless of internet connectivity.
Major Changes
• New Section 7 Added: FDA explicitly defines “cyber devices” and clarifies Section 524B requirements of the FD&C Act, distinguishing between cyber devices (a subset) and all devices covered by the guidance
• Expanded Scope Clarification: The cybersecurity guidance applies to any medical device with software, not just network-enabled devices—including firmware and programmable logic like FPGAs
• Updated Standards Reference: Now points to ANSI/AAMI SW96 (an actual standard with requirements) alongside TIR 57, providing manufacturers with clearer implementation guidance
• Enhanced Context: Added real-world examples like the 2020 German hospital ransomware attack to illustrate cybersecurity risks
Scope and Requirements Framework
• Guidance Scop vs FD&C 524B Scope: FDA’s scope and requirements are supersets of Section 524B—meeting FDA guidance automatically satisfies 524B, but not vice versa
• Risk-Based Approach: Cybersecurity documentation requirements are based on cybersecurity risk, not safety risk levels from other FDA guidance documents
• Non-Probabilistic Risk Assessment: Unlike traditional safety risk management, cybersecurity focuses on exploitability and impact rather than probability and severity
Technical Clarifications
• Cyber Device Definition: Must have software, ability to connect to internet (intentionally or not), and be vulnerable to cybersecurity threats
• Internet Connectivity Interpretation: Includes indirect connections through USB ports, WiFi, Bluetooth, NFC, or any hardware connector that could enable internet access
• Ongoing Process: Threat modeling and security assessments must occur throughout the product lifecycle, including post-market
• SBOM Requirements: Software Bill of Materials must be machine and human readable, covering both third-party and proprietary software components
Practical Implications
• Existing Devices: Previously cleared devices still need full cybersecurity documentation if modifications are submitted to FDA
• Reasonable Assurance: Interpreted as properly completing the 12 required cybersecurity attachments that FDA expects
• Safety Integration: Cybersecurity must be linked to safety risk management. They are different and separate, but interrelated.
The updated guidance reinforces that cybersecurity is now a permanent fixture in medical device regulation, with FDA emphasizing that security, safety, and usability are distinct but interrelated processes that must all be addressed in device development.