What the FDA Actually Wants in a 2026 Premarket Cybersecurity Submission

When I founded Blue Goat Cyber in 2022, premarket cybersecurity was still treated by many manufacturers as a checklist item near the end of the project. By 2024, after the FDA gained Refuse-to-Accept authority under Section 524B of the FD&C Act, that approach started costing companies six-figure delays per submission. In 2025 my team cleared more than 250 FDA cybersecurity submissions, and the pattern is unambiguous: the manufacturers who pass on the first round are the ones who treat cybersecurity as a Total Product Lifecycle (TPLC) discipline, not a documentation drill at the end.

For a connected device today, a single deficiency letter typically delays clearance 60–120 days and costs the program more than the entire cybersecurity engagement would have. Compound that across an EU CRA, MDR, IMDRF, and a multi-region launch, and the math is brutal. Getting the premarket package right the first time is now the single highest-ROI cybersecurity investment a MedTech company can make.

At minimum, FDA reviewers expect a Secure Product Development Framework (SPDF) description, a security architecture view, a threat model, a cybersecurity risk management report aligned to AAMI TIR57, a Software Bill of Materials (SBOM) with vulnerability and SOUP analysis, evidence of cybersecurity testing (penetration testing and vulnerability scanning), labeling that informs users of cybersecurity controls and responsibilities, and a postmarket cybersecurity management plan.

The FDA's Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions guidance enumerates the expectations. What it does not tell you is how reviewers actually read these documents. They read for traceability: every identified threat must trace to a control, every control to a verification, every residual risk to a justification. If those threads break anywhere in the package, you get a deficiency.

A threat model that survives review names the asset, identifies the entry point, classifies the threat using a structured methodology like STRIDE, scores the likelihood and impact, and ties the mitigation back to a verifiable design control.

Reviewers do not want a STRIDE table copied from a tutorial. They want to see the intended-use context, the network and trust boundaries drawn explicitly, every external interface (wired, wireless, USB, service-port) enumerated, and a defensible argument for why each identified threat is either mitigated or accepted with justification. "Out of scope" is not an answer for an entry point that physically exists on the device.

Reviewers want a complete SBOM in a machine-readable format (SPDX or CycloneDX), a vulnerability assessment against known CVEs at time of submission, and a Software of Unknown Provenance (SOUP) analysis for any component you did not author and cannot fully verify.

In practice, the SBOM is the easy part — modern build pipelines produce one in minutes. The hard part is the SOUP analysis, where you have to justify the security posture of each third-party component, including any open-source library, embedded RTOS, or chipset firmware blob. Reviewers are now actively cross-referencing submitted SBOMs against the CISA Known Exploited Vulnerabilities Catalog. If a critical KEV is in your bill of materials and your report does not address it, you will hear about it.

For any device with network, wireless, or removable-media interfaces, FDA expects credentialed and uncredentialed penetration testing performed by qualified testers, plus vulnerability scanning of the device and any companion software. The report should describe scope, methodology, tools, tester qualifications, findings with severity, and remediations.

An attestation that "penetration testing was performed" is not a penetration test report. Reviewers want to see what was actually attempted — fuzzing of the wireless stack, attempts to bypass authentication, manipulation of update mechanisms, exploitation of exposed services — and what was found. Negative findings ("no exploitable vulnerabilities identified at this scope") are acceptable, but only when the scope is itself credible.

The postmarket plan must describe how the manufacturer will monitor for new vulnerabilities affecting the device or its components, how it will coordinate disclosure with researchers and regulators, how it will patch deployed devices (and within what timeframe), and how it will communicate with users when a cybersecurity event affects safety or effectiveness.

Reviewers want concrete commitments: who runs the monitoring, what feeds you subscribe to, how triage decisions get made, and how a patch reaches a fielded device without breaking validated functionality. A postmarket plan that ends at "we will issue updates as needed" is a deficiency waiting to happen.

If you build the package to FDA expectations and align documentation language to IMDRF Principles and Practices for Medical Device Cybersecurity and MDCG 2019-16, you can submit the same evidence base to Notified Bodies under MDR, to the MHRA, to the TGA in Australia, and increasingly to the NMPA in China and PMDA in Japan with minimal rework.

The EU Cyber Resilience Act adds horizontal cybersecurity obligations for connected products that already overlap heavily with MDR Annex I requirements. Designing for the strictest jurisdiction in your launch plan and back-mapping documentation is almost always cheaper than reverse-engineering compliance for each region after the fact.

My team at Blue Goat Cyber has cleared more than 250 FDA cybersecurity submissions across Class II and Class III devices, including SaMD, IoMT, wearable monitors, infusion systems, imaging platforms, and implantables. We treat cybersecurity as a Total Product Lifecycle discipline from concept through postmarket, and we map every artifact in the submission to the underlying FDA guidance, AAMI TIR57, IMDRF, and (where it applies) the EU MDR and CRA.

The approach in my 2026 book — Medical Device Cybersecurity: An In-Depth Guide — codifies what we have learned. It is the playbook I wish had existed when I was first navigating these submissions with my own product clients in 2022.