Skip to main content
    MedTech Cyber Tips
    The Ultimate Guide
    All topics
    Concept · Premarket

    Secure Product Development Framework (SPDF)

    A Secure Product Development Framework (SPDF) is essential for medical device manufacturers to meet FDA cybersecurity requirements, avoid delays, and ensure patient safety. It integrates cybersecurity throughout the product lifecycle, from concept to postmarket.

    For: Medical device manufacturers and MedTech startups preparing for FDA submissions (510(k), De Novo, PMA). 4 min readLast updated · yesterday
    Reviewed by ·Last reviewed July 2026
    SPDF activities by lifecycle phase

    Which security activity belongs where

    Activity Concept Premarket Submission Postmarket Incident
    Security risk assessment
    Threat model
    SBOM generation
    Secure design / coding
    Penetration testing
    Vulnerability monitoring
    CVD & patch governance
    Incident response
    Primary activity Supporting / iterative
    7 structured tips

    The walk-through

    01
    Compliance

    Align with FDA and Industry Standards

    Design your SPDF (Secure Product Development Framework) to align with FDA Section 524B, AAMI SW96, IEC 81001-5-1, and ISO 14971 to ensure regulatory acceptance.

    02
    Process

    Integrate SPDF into Quality Management System

    Implement your SPDF as an integrated process within your Quality Management System (QMSR - 21 CFR 820 / ISO 13485:2016) and IEC 62304 lifecycle, rather than a standalone document.

    03
    Technical

    Conduct Thorough Threat Modeling (STRIDE)

    Perform workshops to create data flow diagrams, threat trees, and risk ratings specific to your device's intended use, addressing multi-patient harm, updateability, and secure use views.

    04
    Technical

    Manage SBOM and SOUP Effectively

    Generate SPDX-format Software Bill of Materials (SBOM), conduct Software of Unknown Provenance (SOUP) analysis, and implement continuous vulnerability monitoring.

    05
    Technical

    Perform Comprehensive Security Testing

    Conduct penetration and fuzz testing across your device, cloud, mobile components, and medical protocols (DICOM, HL7/FHIR, MedRadio), with unlimited retests until risks are mitigated.

    06
    Documentation

    Prepare Robust Regulatory Documentation

    Develop an eSTAR-ready Cybersecurity Risk Management Report, Management Plan, Labeling, and Traceability documentation aligned with the FDA February 3 2026 final premarket cybersecurity guidance.

    07
    Process

    Establish Postmarket Monitoring

    Implement a Total Product Lifecycle (TPLC) cybersecurity risk management process, including patch timeline management, Coordinated Vulnerability Disclosure (CVD), and Common Vulnerabilities and Exposures (CVE) tracking.

    Common pitfalls

    • Ignoring FDA Section 524B requirements, leading to "Refuse-to-Accept" (RTA) determinations or deficiency letters.
    • Failing to adequately document SPDF artifacts, resulting in 3-6 months of submission delays and significant revenue loss.
    • Lack of a comprehensive SPDF, increasing the risk of vulnerabilities in production, patient safety incidents, recalls, and reputational damage.

    Your next steps

    1. 1Conduct an SPDF gap assessment to identify discrepancies between your current state and FDA 524B, AAMI SW96, and IEC 81001-5-1 requirements.
    2. 2Embed cybersecurity experts within your engineering teams to conduct threat modeling workshops and generate necessary artifacts.
    3. 3Regularly review and update your SPDF to adapt to evolving regulatory guidance and cybersecurity threats.

    Sources & references

    Authoritative guidance and standards underpinning this topic. Always confirm the latest revision with the publisher.

    Frequently asked questions

    Quick answers to the questions teams most often ask about this topic.

    An SPDF is a documented, repeatable process that bakes security into every stage of the device lifecycle: design, development, verification, release, and postmarket. The FDA's February 3 2026 premarket cybersecurity guidance explicitly recommends an SPDF as the foundation for premarket submissions.

    The FDA strongly recommends an SPDF and reviewers expect to see one. While the statute does not name 'SPDF' specifically, the documentation FDA requires under Section 524B is dramatically easier to produce when you have an SPDF in place.

    IEC 81001-5-1, AAMI TIR57, AAMI SW96, and the NIST Secure Software Development Framework (SSDF) all align. Building your SPDF against IEC 81001-5-1 gives you both FDA credibility and EU MDR/CRA alignment.

    The SPDF slots inside your existing QMS. ISO 13485 governs the overall quality system, IEC 62304 governs software lifecycle activities, and the SPDF layers cybersecurity-specific activities (threat modeling, SBOM management, security testing, CVD) onto those.

    A security risk assessment, threat model, security requirements, SBOM, VEX, penetration test report, security architecture views, labeling, a CVD policy, and a postmarket monitoring plan. Each maps directly to a section reviewers expect in the submission.

    Continue by phase

    Jump to all guides for the lifecycle phase that fits where you are.