In June 2025, the U.S. Food and Drug Administration (FDA) issued its updated final guidance on cybersecurity in medical devices, formally titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This guidance supersedes the September 2023 version of the same title, reflecting the agency’s evolving expectations for how manufacturers should address cybersecurity across the total product lifecycle (TPLC).
At Rook Quality Systems, we help device manufacturers interpret and implement these requirements to ensure both compliance and patient safety. Below, we break down the FDA’s role, the purpose of this guidance, and the key differences between the 2023 guidance and the 2025 version.
FDA’s Role in Medical Device Cybersecurity
The FDA has consistently recognized that cybersecurity is inseparable from medical device safety. With increasing connectivity, devices are no longer isolated; they function within broader ecosystems that include hospital networks, cloud services, and third-party software. A single cyber incident can compromise patient safety by delaying diagnoses, disrupting treatment, or rendering devices inoperable.
Through this guidance, FDA provides nonbinding recommendations that reflect its current thinking on how manufacturers should incorporate cybersecurity into their Quality System (per 21 CFR Part 820) and demonstrate safety and effectiveness in premarket submissions.
Key Objectives of the 2025 Cybersecurity Guidance
- Clarify submission expectations. Manufacturers must show reasonable assurance of cybersecurity as part of demonstrating overall device safety and effectiveness in premarket submissions.
- Integrate cybersecurity into the quality system. Cybersecurity is treated as a core design control and risk management responsibility across the total product lifecycle (TPLC), not as a secondary consideration.
- Ensure compliance with statutory requirements. Section 524B of the FD&C Act, introduced under FDORA in 2022, requires manufacturers of “cyber devices” to develop cybersecurity plans, maintain supporting processes, and include a Software Bill of Materials (SBOM).
- Promote global alignment. The guidance references and encourages adoption of recognized international standards and frameworks such as ISO 13485, NIST’s Cybersecurity Framework, IEC 81001-5-1, and AAMI SW96.
Top Updates in FDA's 2025 Cybersecurity Guidance
Stronger Integration of Secure Product Development Frameworks (SPDFs)
FDA emphasizes that SPDF processes are a primary mechanism to meet QS regulation requirements and to reduce vulnerabilities throughout the lifecycle. The 2025 version provides expanded recommendations on how SPDFs should tie into design controls, CAPA, and postmarket monitoring.
Expanded Risk Management Requirements
The guidance draws an explicit distinction between safety risk management (ISO 14971) and security risk management (AAMI TIR57, AAMI SW96).
Manufacturers are now expected to provide a Security Risk Management Report in premarket submissions, documenting threat modeling, SBOMs, vulnerability assessments, and traceability of residual risk.
Greater Detail on Documentation Expectations
The guidance expands submission documentation tables (including IDE-specific recommendations) to help scale requirements based on device risk. FDA also provides explicit expectations for security architecture diagrams and architecture views.
Reinforced SBOM and Transparency Requirements
FDA places greater emphasis on SBOM completeness and updateability, as well as labeling recommendations to communicate cybersecurity risks to users.
Stronger TPLC and Post-Market Alignment
The 2025 guidance highlights the expectation that cybersecurity is managed throughout the product lifecycle, including coordinated vulnerability disclosure and end-of-life considerations.
Why This Matters for Manufacturers
The 2025 update reinforces a shift:
Cybersecurity is no longer treated as an optional add-on but as a core safety requirement.
For medical device manufacturers, this means:
- Premarket submissions must provide robust cybersecurity documentation.
- Device design must reflect a proactive, system-wide approach to cybersecurity.
- Cybersecurity processes must be documented, auditable, and integrated into the QMS.
At Rook Quality Systems, we’ve guided clients through these transitions before, helping them build cybersecurity-ready QMS processes, conduct risk-based assessments, and prepare submission packages that meet FDA expectations.
Final Thoughts
The FDA’s 2025 final guidance reflects a growing recognition: protecting patients in a connected healthcare ecosystem requires cybersecurity by design. For device manufacturers, aligning early with these expectations can reduce regulatory friction, speed time to market, and most importantly, keep patients safe.
Rook Quality Systems is ready to help your team navigate this evolving landscape, whether you’re building your QMS from the ground up, updating your risk management process, or preparing a premarket submission under these new requirements.