Two years into Section 524B enforcement, the most common FDA cybersecurity deficiencies cluster around three themes:
1. SBOMs that list components but lack version pinning, hash, or supplier - making vulnerability monitoring impossible to verify.
2. No VEX (Vulnerability Exploitability eXchange) statements paired with the SBOM, leaving reviewers to assume every CVE is exploitable.
3. Coordinated Vulnerability Disclosure policies with no working intake address, no triage SLA, and no evidence of past coordination.
Fix these three before submission and you'll preempt the majority of cyber RTAs.
More updates
-
MDCG 2019-16 Rev.2 at six months: Notified Body audit patternsSix months in, Notified Body audits under MDCG 2019-16 Rev.2 show three clear failure modes - narrative-only SBOMs, CVD policies without operational evidence, and traceability gaps between security risk controls and design outputs.
-
Three years of Section 524B: the deficiencies that never went awayThree-year retrospective on Section 524B enforcement: SBOM depth, VEX justification, and CVD operational evidence remain the top three categories of cyber deficiencies. Two new patterns emerged in 2026 - AI/ML threat-model gaps and weak end-of-support labeling.
-
IEC 81001-5-1 Amendment 1 reaches FDIS - what MedTech teams should trackAmendment 1 to IEC 81001-5-1 (health software security lifecycle) is in Final Draft International Standard ballot. It sharpens SBOM, CVD, and postmarket vulnerability expectations - and it's the standard EU Notified Bodies are quietly aligning MDCG 2019-16 audits against.