The Cybersecurity Management Plan

Cybersecurity is an ever-moving target, with new vulnerabilities being discovered daily. 2023 had an average of 79 reported vulnerabilities per day! With the Omnibus act, the FDA is empowered and funded to require medical device manufacturers to secure their systems and maintain the security throughout the life-cycle of the device. And a crucial part of that is a robust cybersecurity management plan. The plan needs to include vulnerability monitoring, updates and patches, coordinated vulnerability disclosures, incident response, and up-to-date security documentation. In this blog, I will discuss these important components of your Cybersecurity Management Plan.

Vulnerability Monitoring

Logos for CISA and NVD

New vulnerabilities in your system’s off-the-shelf (OTS) software will likely be discovered while your device is in the market. Your plan must include running the device’s SBOM (Software Bill of Materials) through the CISA and NIST databases on a regular, justifiable schedule. Your security team should also follow security news and get alerts for new critical vulnerabilities. Newly discovered vulnerabilities that could cause uncontrolled risks in your device need to be handled as soon as possible. Make sure your plan elaborates on the personnel involved, timeline, schedule, and methods used for monitoring.

Updates and Patches

Addressing vulnerabilities generally requires a software change, and the processes for updates and patch management should be part of the plan. Establish and document the timelines for managing scheduled and off-schedule software updates, patches, and security fixes. Include the process of testing these updates for compatibility and security before deployment to ensure they do not introduce new risks. Penetration testing should be included for major updates. Don’t forget to Indicate how you intend to communicate patches and updates to customers.

Coordinated Vulnerability Disclosure Process

The FDA requires you to have a Coordinated Vulnerability Disclosure Process, whereby third parties can disclose vulnerabilities they discovered on your medical device. The goal is to promote transparency and cooperation, and to minimize the risk of exploitation. Your plan should describe the established communication channel (such as dedicated email addresses or web portal), through which security researchers can securely report vulnerabilities. The plan should also elaborate on how you will assess and validate the reported vulnerability to confirm its validity and determine the potential impact and risk. Once a vulnerability is confirmed, planned collaboration with the reporting party to address the issue responsibly and discuss potential mitigations is expected.

Incident Response

Your plan needs a cybersecurity incident response process for the case that an incident has been reported on your device. The process needs to include how you will respond to, mitigate, and recover from the event. Include the process to notify the FDA, affected customers, patients, and other relevant stakeholders. 

Keep documentation Up-to-date

A stamp of the word "MANDATE," red and in all caps

Maintaining records of changes and updating the risk management documentation is crucial for being able to respond quickly and effectively to new security threats. Your plan should include record keeping of each change, update and patch. Threat modeling needs to be revisited with changes, and new controls added need to be documented. Also, make sure the SBOM stays current for your vulnerability scans.


The post-market cybersecurity management plan is one of the critically analyzed documents of your FDA submission. Make sure your submitted security management plan provides the unambiguous assurance of on-going cybersecurity maintenance while your device is in the market. If you need help, please contact us, and we will be happy to help with your cybersecurity submission needs.

Need help on this topic?
Contact Us
Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.  

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.

linkedin logo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications.
Promenade is ISO 13485, and CypherMed Cloud is SOC2 Type II certified.