Align with FDA and Industry Standards
Design your SPDF (Secure Product Development Framework) to align with FDA Section 524B, AAMI SW96, IEC 81001-5-1, and ISO 14971 to ensure regulatory acceptance.
A Secure Product Development Framework (SPDF) is essential for medical device manufacturers to meet FDA cybersecurity requirements, avoid delays, and ensure patient safety. It integrates cybersecurity throughout the product lifecycle, from concept to postmarket.
| Activity | Concept | Premarket | Submission | Postmarket | Incident |
|---|---|---|---|---|---|
| Security risk assessment | |||||
| Threat model | |||||
| SBOM generation | |||||
| Secure design / coding | |||||
| Penetration testing | |||||
| Vulnerability monitoring | |||||
| CVD & patch governance | |||||
| Incident response |
Design your SPDF (Secure Product Development Framework) to align with FDA Section 524B, AAMI SW96, IEC 81001-5-1, and ISO 14971 to ensure regulatory acceptance.
Perform workshops to create data flow diagrams, threat trees, and risk ratings specific to your device's intended use, addressing multi-patient harm, updateability, and secure use views.
Conduct penetration and fuzz testing across your device, cloud, mobile components, and medical protocols (DICOM, HL7/FHIR, MedRadio), with unlimited retests until risks are mitigated.
Develop an eSTAR-ready Cybersecurity Risk Management Report, Management Plan, Labeling, and Traceability documentation aligned with the FDA February 3 2026 final premarket cybersecurity guidance.
Authoritative guidance and standards underpinning this topic. Always confirm the latest revision with the publisher.
Quick answers to the questions teams most often ask about this topic.
An SPDF is a documented, repeatable process that bakes security into every stage of the device lifecycle: design, development, verification, release, and postmarket. The FDA's February 3 2026 premarket cybersecurity guidance explicitly recommends an SPDF as the foundation for premarket submissions.
The FDA strongly recommends an SPDF and reviewers expect to see one. While the statute does not name 'SPDF' specifically, the documentation FDA requires under Section 524B is dramatically easier to produce when you have an SPDF in place.
IEC 81001-5-1, AAMI TIR57, AAMI SW96, and the NIST Secure Software Development Framework (SSDF) all align. Building your SPDF against IEC 81001-5-1 gives you both FDA credibility and EU MDR/CRA alignment.
The SPDF slots inside your existing QMS. ISO 13485 governs the overall quality system, IEC 62304 governs software lifecycle activities, and the SPDF layers cybersecurity-specific activities (threat modeling, SBOM management, security testing, CVD) onto those.
A security risk assessment, threat model, security requirements, SBOM, VEX, penetration test report, security architecture views, labeling, a CVD policy, and a postmarket monitoring plan. Each maps directly to a section reviewers expect in the submission.
Jump to all guides for the lifecycle phase that fits where you are.