FD&C Act §524B - premarket package + lifelong postmarket plan
Any device that includes software, connects to the internet, and has features vulnerable to cyber threats is a 'cyber device' under FD&C Act §524B. FDA will refuse to accept a 510(k), De Novo, or PMA that does not include the required cybersecurity content - regardless of clinical merit.
Per the Feb 2026 cybersecurity guidance and §524B, premarket submissions must include a Secure Product Development Framework, threat model, cybersecurity risk assessment, SBOM, vulnerability assessment, and a postmarket monitoring plan with a coordinated vulnerability disclosure process.
Software Bill of Materials in a machine-readable format (CycloneDX or SPDX) is required content. Generate it from your CI pipeline; do not assemble it by hand. Update it for every release.
Cybersecurity is not a launch milestone - it's a 10-year operational commitment. CISA medical advisories, vulnerability disclosures, patch deployment, and updated threat models continue for the life of the device.