Two years into Section 524B enforcement, the most common FDA cybersecurity deficiencies cluster around three themes:
1. SBOMs that list components but lack version pinning, hash, or supplier — making vulnerability monitoring impossible to verify.
2. No VEX (Vulnerability Exploitability eXchange) statements paired with the SBOM, leaving reviewers to assume every CVE is exploitable.
3. Coordinated Vulnerability Disclosure policies with no working intake address, no triage SLA, and no evidence of past coordination.
Fix these three before submission and you'll preempt the majority of cybersecurity-driven RTA (Refuse to Accept) decisions.
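To make the first two deficiencies concrete, here is an added example (not from the original post) that audits a CycloneDX-style SBOM for the fields a reviewer needs (version, supplier, a SHA-256 or SHA-512 hash per component) and then checks the paired VEX document for vulnerabilities with no analysis state and for references that point at nothing in the SBOM. The SBOM, the VEX document and the CVE identifiers are all constructed placeholders; the field names follow the CycloneDX JSON layout, but the checks are this example's own, not an FDA or CycloneDX tool.

```python
"""Audit an SBOM and its paired VEX for the gaps FDA reviewers flag most.

Sample data below is constructed for illustration; the CVE ids are
placeholders, not real identifiers.
"""
import json

# Hash algorithms strong enough to pin a component's identity.
REQUIRED_HASH_ALGS = {"SHA-256", "SHA-512"}

# Constructed SBOM: one complete component, one deficient one.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "bom-ref": "pkg:generic/openssl@3.0.13",
         "supplier": {"name": "OpenSSL Project"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "zlib",          # no version, supplier, hash
         "bom-ref": "pkg:generic/zlib"},
    ],
})

# Constructed VEX: one analyzed finding, one with no analysis and a ref
# that matches nothing in the SBOM.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "vulnerabilities": [
        {"id": "CVE-YYYY-PLACEHOLDER-1",
         "affects": [{"ref": "pkg:generic/openssl@3.0.13"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"}},
        {"id": "CVE-YYYY-PLACEHOLDER-2",
         "affects": [{"ref": "pkg:generic/libfoo@1.0"}]},
    ],
})


def component_findings(component: dict) -> list:
    """Return the deficiencies for one component; an empty list means OK."""
    findings = []
    if not component.get("version"):
        findings.append("no version")
    if not (component.get("supplier") or {}).get("name"):
        findings.append("no supplier")
    hashes = component.get("hashes") or []
    if not any(h.get("alg") in REQUIRED_HASH_ALGS and h.get("content")
               for h in hashes):
        findings.append("no SHA-256/SHA-512 hash")
    return findings


def audit_sbom(sbom_json: str) -> dict:
    """Map each component name to its list of deficiencies."""
    sbom = json.loads(sbom_json)
    return {c["name"]: component_findings(c)
            for c in sbom.get("components", [])}


def vex_gaps(sbom_json: str, vex_json: str) -> dict:
    """Return the VEX problems a reviewer would raise.

    'unanalyzed': vulnerability ids with no analysis.state; a reviewer
                  must treat these as exploitable.
    'dangling':   affected refs that match no bom-ref in the SBOM, so the
                  statement cannot be tied to a shipped component.
    """
    refs = {c.get("bom-ref") for c in json.loads(sbom_json).get("components", [])}
    unanalyzed, dangling = [], []
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        if not (vuln.get("analysis") or {}).get("state"):
            unanalyzed.append(vuln["id"])
        for target in vuln.get("affects", []):
            if target.get("ref") not in refs:
                dangling.append(target.get("ref"))
    return {"unanalyzed": unanalyzed, "dangling": dangling}


def submission_ready(sbom_json: str, vex_json: str) -> bool:
    """True only when every component is complete and the VEX has no gaps."""
    clean_sbom = all(not f for f in audit_sbom(sbom_json).values())
    gaps = vex_gaps(sbom_json, vex_json)
    return clean_sbom and not gaps["unanalyzed"] and not gaps["dangling"]


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
    print(json.dumps(vex_gaps(SAMPLE_SBOM, SAMPLE_VEX), indent=2))
    print("submission ready:", submission_ready(SAMPLE_SBOM, SAMPLE_VEX))
```

Run it against a real CycloneDX export by replacing the two sample strings with file contents; the per-component findings list is what to fix before the SBOM goes into the submission, and the VEX gaps are the statements a reviewer will otherwise fill in with the worst-case assumption.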
More updates
- QMSR replaces 21 CFR 820 — what changes for cybersecurity: FDA's Quality Management System Regulation harmonizes Part 820 with ISO 13485. Cyber design controls and CAPA expectations carry over with subtle scoping changes.
- MDCG 2019-16 Rev.2 expectations carry into Notified Body audits: European Notified Bodies now expect evidence of IEC 81001-5-1 alignment, not just an MDCG 2019-16 narrative.
- MedTechCyberTips.com is live: nine deeply organized topics, a guided journey, and a glossary covering every acronym in FDA cyber guidance.