
Understanding the Latest FDA Guidance on Premarket Cybersecurity Requirements for Medical Devices

  • Nicholas Delewski
  • Jun 27, 2025
  • 3 min read

Premarket Cybersecurity Updates

The FDA released select updates to its premarket cybersecurity guidance yesterday (26 June 2025, for those of you from the future). In a quick "tale of the tape" analysis, the new guidance comes in at 64 pages, compared to the 57 pages of the 2023 Final Guidance. A new section (VII - Cyber Devices) accounts for most of that difference, integrating the definitions and specific requirements of section 524B of the FD&C Act. While there are some useful clarifications in the document, most of these changes should come as no surprise to anyone who has been following the FDA's trajectory on cybersecurity.


Quick note: Because it has recently been difficult to find and download historical data from the FDA website, we are maintaining static copies of the 2023 guidance and the 2025 updates here for those who would like to do their own side-by-side comparisons.




Cyber Device Confusion


We have seen some discussion about a lack of clarity on what constitutes a "cyber device" in the eyes of the FDA. A lot of this controversy surrounds the ability to "connect to the internet." A reader may see this and assume that it means that only devices with an IP address would be considered a "cyber device" under this definition. However, the FDA makes clear that they will continue to regulate according to a broader definition that considers alternative data flows to "the internet." Take a look at these examples provided by FDA on page 32 of the document:


[Image: quote from the new FDA guidance listing the ways a device can "connect to the internet," according to the FDA]

Don't forget to take a look at those footnotes for more of FDA's perspective on why those pathways are valid:


[Image: quote from the new FDA guidance; the footnotes explain that "internet" communications do not strictly need to be IP based]

Could there be legal arguments around this language? Sure, there may be legal challenges to this approach; however, if there are any plans to market a device outside the US, those language-based arguments probably won't apply in those jurisdictions. We at Logic Hazard Labs believe that the threat actors are a few steps ahead of regulators anyway, so it's best to assume that if your product meets the other two requirements to be a "cyber device," then it is a "cyber device."


Software Bill of Materials (SBOM)


Providing a Software Bill of Materials (SBOM) is now a requirement under the new guidance, which carries over the SBOM provision of section 524B. SBOMs are another area where FDA has been pushing manufacturers for some time, but some manufacturers have struggled to gain traction here. FDA seems to acknowledge this with a short blurb:


[Image: quote from the new FDA guidance; FDA's caveat about the burden of producing an SBOM]

SBOM enforcement will likely increase over time as more products and processes become available to generate both human-readable and machine-readable information. However, key questions remain about the information FDA is requesting, such as support status. How "active" does an open source library need to be in order to count as "actively maintained"? How much runway is acceptable for replacing components whose end-of-support has already been announced?


Going beyond the regulations, an SBOM is just one useful tool for maintaining a product. The presence of a vulnerable library in an SBOM is not necessarily an uncontrolled cybersecurity risk; whether it is depends on the nature of the vulnerability and on how that library is used in the system, including whether the vulnerable code path is reachable from an attacker-controlled interface and what isolates it. The guidance specifically calls out vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so expect a greater degree of scrutiny of any software component that falls into this category. This is where evidence from technical testing, such as penetration testing or security-focused unit tests, can help you demonstrate the effectiveness of compensating controls and layered defenses.
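As an added example (not code from Logic Hazard Labs or from the FDA guidance), the script below shows the triage step the two previous paragraphs describe: join an SBOM's vulnerability entries against the KEV catalog and against each component's announced end-of-support date, and rank components so that KEV-listed findings rise to the top where compensating-control evidence will be asked for. Everything in it is constructed sample data: the package names, versions, dates and CVE identifiers are invented and describe no real vulnerability, the `support:end-of-support` property name is a hypothetical convention for this example (CycloneDX leaves custom property names to the producer), and the 180-day support runway is an assumed threshold, since the guidance does not fix one. The KEV excerpt follows the shape of CISA's public JSON feed (entries under `vulnerabilities`, CVE in `cveID`), so the same code can be pointed at a downloaded copy of the real catalog.

```python
"""Triage an SBOM against the CISA KEV catalog and announced support dates.

Added example; this is not code from Logic Hazard Labs or from the FDA
guidance. Every package name, version, CVE identifier and date below is
constructed for illustration and describes no real vulnerability.
"""
import json
from datetime import date

# Constructed SBOM in CycloneDX JSON shape: a "components" list plus a
# "vulnerabilities" list whose entries point at components via "affects[].ref".
# The "support:end-of-support" property name is a hypothetical convention
# chosen for this example; CycloneDX leaves custom property names to producers.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libtls-demo", "version": "2.4.1",
         "bom-ref": "pkg:generic/libtls-demo@2.4.1",
         "properties": [{"name": "support:end-of-support", "value": "2025-09-30"}]},
        {"type": "library", "name": "jsonparse-demo", "version": "0.9.0",
         "bom-ref": "pkg:generic/jsonparse-demo@0.9.0",
         "properties": [{"name": "support:end-of-support", "value": "2024-01-01"}]},
        {"type": "library", "name": "rtos-hal-demo", "version": "5.0.0",
         "bom-ref": "pkg:generic/rtos-hal-demo@5.0.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:generic/libtls-demo@2.4.1"}]},
        {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:generic/jsonparse-demo@0.9.0"}]},
        {"id": "CVE-0000-0003", "affects": [{"ref": "pkg:generic/jsonparse-demo@0.9.0"}]},
    ],
})

# Constructed excerpt shaped like CISA's KEV JSON feed, which carries its
# entries under "vulnerabilities" with the CVE in "cveID". IDs are invented.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0002", "product": "jsonparse-demo", "dateAdded": "2025-03-01"},
]})


def kev_ids(kev_json: str) -> set[str]:
    """Return the set of CVE IDs listed in a KEV feed document."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def support_status(component: dict, today: date, runway_days: int) -> str:
    """Classify a component's announced end-of-support date relative to today."""
    for prop in component.get("properties", []):
        if prop.get("name") == "support:end-of-support":
            eos = date.fromisoformat(prop["value"])
            if eos < today:
                return "past"
            if (eos - today).days <= runway_days:
                return "within-runway"
            return "supported"
    return "unknown"  # no date declared: exactly the gap the guidance leaves open


def triage(sbom_json: str, kev_json: str, today: date, runway_days: int = 180) -> dict:
    """Join SBOM vulnerabilities with KEV and support data; rank each component.

    P1: a KEV-listed CVE (expect the most scrutiny; bring compensating-control
        evidence). P2: other CVEs. P3: no CVE, but support ending within the
        runway or already ended. P4: nothing to act on from this data alone.
    """
    sbom = json.loads(sbom_json)
    kev = kev_ids(kev_json)
    rows, dangling = {}, []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp["name"]
        rows[ref] = {"component": f"{comp['name']}@{comp['version']}",
                     "cves": [], "kev": [],
                     "support": support_status(comp, today, runway_days)}
    for vuln in sbom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            row = rows.get(target.get("ref"))
            if row is None:  # an SBOM naming a component it never lists is itself a defect
                dangling.append((vuln["id"], target.get("ref")))
                continue
            row["cves"].append(vuln["id"])
            if vuln["id"] in kev:
                row["kev"].append(vuln["id"])
    for row in rows.values():
        if row["kev"]:
            row["priority"] = "P1-kev"
        elif row["cves"]:
            row["priority"] = "P2-vulnerable"
        elif row["support"] in ("past", "within-runway"):
            row["priority"] = "P3-support"
        else:
            row["priority"] = "P4-ok"
    return {"findings": sorted(rows.values(), key=lambda r: r["priority"]),
            "dangling_refs": dangling}


if __name__ == "__main__":
    for row in triage(SAMPLE_SBOM, SAMPLE_KEV, date(2025, 6, 27))["findings"]:
        print(row["priority"], row["component"],
              "kev=" + (",".join(row["kev"]) or "-"), "support=" + row["support"])
```

The ranking deliberately does not treat a CVE as a verdict: a P1 or P2 row is the point at which the reachability and compensating-control analysis starts, and the `dangling_refs` output catches SBOMs whose vulnerability entries point at components that were never listed, which is a quality problem in the SBOM itself rather than in the device.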


Conclusions


FDA is continuing to press the industry forward toward a more structured approach to medical device cybersecurity. Premarket guidance changes have now integrated the language from section 524B in a way that makes clear that provisions are enforceable across many different device types and use cases.


Sales-y Post-script

Logic Hazard Labs has years of experience identifying vulnerabilities in medical devices and helping mitigate risks. If you need help with the cybersecurity of your device, reach out to us at sales@logichazard.com today!