Navigating the FDA’s Updated Cybersecurity Guidance for Medical Devices: What Manufacturers Need to Know

On June 27, 2025, the FDA released its updated Cybersecurity in Medical Devices Guidance. While much of the content remains from the 2023 version, the updates provide clarity on some specific areas of prior confusion.

A Definition of a Cyber Device

The FDA has sharpened its interpretation of what qualifies as a Cyber Device under Section 524B of the FD&C Act.

Here’s the key takeaway:

  • It’s not only about whether your device was designed to connect to the internet.
  • If it could connect, even unintentionally, the FDA expects cybersecurity documentation.

Consider a USB port designed for a keyboard. In theory, it could be used for a WiFi dongle, creating an unintended pathway for cyber risk. By this definition, nearly all software-driven devices are “cyber devices.”

Pathway for Previously Cleared Devices

Another critical clarification applies to devices that were cleared before 2023 and have since been modified. If the modifications are unlikely to impact cybersecurity, only a subset of the documentation will be required: specifically an SBOM (Software Bill of Materials) with its associated vulnerability assessment, and a postmarket plan.

Alternatively, if the changes can impact cybersecurity, the full set of documentation will be required.

AAMI SW96

The FDA now explicitly references AAMI SW96, a standard that complements ISO 14971 by addressing cybersecurity as part of risk management.

Why this matters:

  • ISO 14971 focuses primarily on harm to health, property, and the environment.
  • SW96 expands the definition of harm to include loss of effectiveness and breach of data/system security.
  • SW96 lays out a structured framework for cybersecurity risk management processes, plans, and reports.

In practice, SW96 can be a valuable standard that will reduce ambiguity and align your risk management processes with FDA expectations.

At Promenade Software we help medical device manufacturers navigate the complexities of FDA cybersecurity documentation, from developing cybersecurity risk management plans to preparing 510(k) documentation that stands up to FDA scrutiny.

Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.  

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.
