Discover the new cyber‑device, SBOM, and patch‑management requirements in the June 2025 guidance—and what your 510(k) team needs to do next.
On 27 June 2025 the FDA released its updated Cybersecurity in Medical Devices final guidance, replacing the September 2023 version. The new document tightens definitions, formalises submission structure, and links cybersecurity evidence to the coming ISO 13485‑aligned Quality System Regulation (QSR). Below we explain what changed and provide a step‑by‑step plan for staying compliant.
What’s New in the June 2025 FDA Cybersecurity Guidance
- Dedicated Section VII for “cyber devices”. Sponsors must self‑declare against FDORA §524B(c) and submit a bundled packet—SBOM, patch plan, and assurance narrative.
- Stricter SBOM requirements. SBOMs—already mandatory for cyber‑devices since March 2023—must now use an NTIA‑compatible, machine‑readable format and be maintained through the product lifecycle.
- Mandatory patch & monitoring procedures. FDA elevates vulnerability intake, triage, and notification plans from best practice to submission deliverable.
- New change‑impact taxonomy. Updates are categorised as may impact or unlikely to impact cybersecurity, guiding when a new 510(k)/PMA is needed.
- Alignment with the 2026 QSR overhaul. Cybersecurity risk management now maps directly to the ISO 13485‑harmonised QSR effective February 2026.
How the 2025 Guidance Affects Your MedTech Project
| Scenario | Required Action |
|---|---|
| First‑time FDA submission | Include Section VII with SBOM, patch plan, and assurance narrative. |
| Submission under review (2023 guidance) | File an amendment or risk an RTA hold. |
| Commercialised device | Update DHF, post‑market surveillance, and change‑control SOPs to reflect Section VII. |
6‑Step FDA Cybersecurity Compliance Checklist
1. Confirm “cyber device” status. Check connectivity and software functions against §524B(c).
2. Generate or refresh your SBOM. Export SPDX or CycloneDX; include dependencies and support windows.
3. Create a vulnerability‑management plan. Define intake channels, triage timelines, patch cadence, and customer notifications.
4. Map cybersecurity risks to ISO 13485 clauses. Show how your Secure Product Development Framework meets the new QSR.
5. Revise change‑control SOPs. Use FDA’s new taxonomy to decide when regulatory notification is required.
6. Educate stakeholders. Align R&D, QA/RA, DevOps, and suppliers on these new obligations.
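A quick way to sanity‑check the SBOM step before it goes into a submission packet is to run the exported file against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp). The checker below is an added illustration, not BioT or FDA tooling; it reads a CycloneDX JSON document and the embedded sample SBOM is constructed for this example, with one component deliberately incomplete.

```python
import json

# Constructed CycloneDX 1.5 document; 'libtls' deliberately lacks a version and a supplier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-07-01T09:00:00Z",
        "authors": [{"name": "Example MedTech Security Team"}],
        "component": {"type": "device", "name": "infusion-pump-fw", "version": "4.2.0",
                      "bom-ref": "pkg:generic/infusion-pump-fw@4.2.0"},
    },
    "components": [
        {"type": "library", "name": "libtls", "bom-ref": "lib-tls",
         "purl": "pkg:generic/libtls"},
        {"type": "library", "name": "zlib", "version": "1.3.1", "bom-ref": "zlib",
         "supplier": {"name": "zlib.net"}, "purl": "pkg:generic/zlib@1.3.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/infusion-pump-fw@4.2.0", "dependsOn": ["lib-tls", "zlib"]},
    ],
})

def check_ntia_minimum(sbom_json: str) -> list[str]:
    """Return findings for missing NTIA minimum elements; an empty list means none are missing."""
    bom = json.loads(sbom_json)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("SBOM author missing (metadata.authors)")
    # Dependency relationship: every component ref should appear somewhere in the graph.
    deps = bom.get("dependencies", [])
    referenced = {d.get("ref") for d in deps} | {r for d in deps for r in d.get("dependsOn", [])}
    for comp in bom.get("components", []):
        label = comp.get("name", "<unnamed>")
        for field in ("name", "version", "supplier"):
            if not comp.get(field):
                findings.append(f"{label}: {field} missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("bom-ref")):
            findings.append(f"{label}: no unique identifier (purl/cpe/bom-ref)")
        if comp.get("bom-ref") not in referenced:
            findings.append(f"{label}: not present in dependency graph")
    return findings

if __name__ == "__main__":
    print(check_ntia_minimum(SAMPLE_SBOM))
```

Run against the sample it reports the two gaps in libtls; an empty result means the document carries every NTIA minimum element, which is the bar the guidance's "NTIA‑compatible" wording sets.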
BioT Platform: Fast‑Track Your FDA Cybersecurity Compliance
- Continuous SBOM management. Every BioT cloud release ships with an NTIA‑compatible SBOM you can export and embed in your 510(k)/PMA file.
- Secure OTA patch engine with audit‑ready logs of each update event.
- Branded vulnerability‑intake workflows. Use the Manufacturer‑Portal builder to create a “Report a Vulnerability” page and dashboards that track findings through to remediation.
- Submission‑ready compliance reports (DHF, cyber‑risk files, Section VII cross‑walk) generated on demand.
Key FDA Cybersecurity Dates to Remember
- 27 Jun 2025 – New guidance effective
- Feb 2026 – ISO 13485‑aligned QSR becomes effective (transition period opens)
Disclaimer: This blog is for informational purposes only and does not constitute legal or regulatory advice. Always consult your regulatory affairs counsel.