Key Differences Between June 2025 FDA Cybersecurity in Medical Devices (Premarket Submission) Guidance and September 2023 Guidance

On June 27, 2025, the U.S. Food and Drug Administration (FDA) released its final guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”

The guidance builds on the foundations established by the 2023 guidance and the select updates issued in 2024. It provides recommendations regarding cybersecurity design, labeling, and documentation to be included in premarket submissions.

New Statutory Authority Under FD&C Act Section 524B

  • June 2025 Guidance introduces an entirely new Section VII, detailing obligations under Section 524B (added by the 2022 Consolidated Appropriations Act, effective March 29, 2023). It defines what qualifies as a “cyber device” (software-enabled, internet-connected, and vulnerable) and specifies the premarket cybersecurity information required – like risk management plans, vulnerability monitoring strategies, and updates for postmarket changes.
  • The September 2023 Guidance did not yet include formal Section 524B requirements—it focused broadly on cybersecurity but lacked this law-backed section.

Incorporation of Secure Product Development Framework (SPDF) & Risk Alignment

  • The June 2025 Guidance finalizes expectations that companies should implement an SPDF, fully integrate threat modeling and cybersecurity into design controls (21 CFR 820), and document them prospectively—not retroactively.
  • The September 2023 Guidance introduced SPDF and threat modeling for the first time, but the 2025 version ties them more tightly to design control regulations and lifecycle practices.

Expanded Expectations on Documentation & SBOM

  • Software Bill of Materials (SBOM): Now required for all cyber devices, with emphasis on transparency about components, support/End Of Life timelines, and a vulnerability communication plan.
  • Threat modeling: FDA now expects a detailed threat model as part of the submission.
  • Cyber labeling and instructions: More explicit guidance on how cybersecurity considerations should be reflected in labeling and user instructions.
  • The September 2023 Guidance introduced disclosure of known vulnerabilities and third-party software management, but the 2025 version elevates SBOMs to statutory requirement and gives labeling/documentation much more prominence.

Source Code Custodial Control

  • The September 2023 Guidance already recommended custodial control of third-party source code (e.g., escrow/backups).
  • The June 2025 Guidance continues this expectation, reinforcing configuration management throughout the lifecycle and linking it with SPDF and FD&C Act Section 524B obligations.

Lifecycle Integration and Labeling

  • The June 2025 Guidance emphasizes cybersecurity as a core quality system element, not a separate add-on. It integrates cybersecurity into design controls, risk assessments, document control, and postmarket surveillance under 21 CFR Part 820.
  • The September 2023 Guidance started this trend, but the June 2025 Guidance embeds it deeper, ensuring cybersecurity is visible in device labeling and instructions for use.

At-a-Glance Comparison:

Topic                          | September 2023 Guidance                                        | June 2025 Guidance
-------------------------------|----------------------------------------------------------------|--------------------------------------------------------------------------------------------
Legal basis                    | Voluntary guidance                                             | Includes binding Section 524B obligations
Scope                          | General cybersecurity considerations                           | Applies specifically to defined “cyber devices”
SPDF & Design Controls         | Introduced SPDF & risk modeling                                | Embedded SPDF into design controls per 21 CFR Part 820
SBOM requirement               | Recommended disclosure                                         | Required for all cyber devices
Threat Modeling                | Encouraged                                                     | Explicit expectation
Source code control            | Custodial control recommended                                  | Reinforced under lifecycle requirements
Postmarket vulnerability       | General management approaches                                  | Formal monitoring & communication plans
Labeling/Instructions          | Basic recommendations                                          | Clear, integrated cyber labeling expected
Cybersecurity in Design Controls | Cybersecurity recommended to align with Design Control practices | Cybersecurity mandated as part of 21 CFR Part 820 design controls, documentation, and lifecycle

Bottom Line

  • The June 2025 Guidance consolidates the September 2023 Guidance’s framework, formally embeds statutory obligations under Section 524B, and strengthens design system integration, documentation, labeling, lifecycle management, and SBOM requirements.
  • The September 2023 Guidance laid the groundwork—introducing concepts like SPDF, threat modeling, SBOMs, and source code management.

Action Items for Device Manufacturers with Internet-Connected or Software-Reliant Devices:

  • Identify whether your device qualifies as a “cyber device” under Section 524B.
  • Ensure the submission includes: SPDF-aligned design documentation, a full SBOM, a threat model, source code control, and labeling that meets the new expectations.
  • Prepare cyber-vulnerability plans for postmarket and clearly map all cybersecurity processes to 21 CFR Part 820 design controls.

CriTech is Here to Help

Would you like help assessing whether your device is a cyber device, or how to build your submission to meet the new Section 524B requirements?

Give us a call at (734) 668-0005 or send us details on your specific needs and we can walk through the details and discuss compliance strategies.
