Section 524B of the FD&C Act has been operational long enough that medical device manufacturers have moved past the initial scramble and into routine compliance. The FDA's premarket cybersecurity expectations are now baked into 510(k) and PMA submission workflows, and the agency's premarket review feedback has shaped industry practice substantially. The postmarket side has been less aggressively enforced, but several 2024 advisories around installed-base vulnerabilities suggest that attention is shifting there.
This post is about what cybersecurity engineering for medical devices actually looks like in 2026, with attention to where the submission expectations and the operational reality have settled.
What does FDA Section 524B actually require in submissions?
Section 524B requires premarket submissions for cyber devices to include a plan for monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities; design and processes that provide reasonable assurance of cybersecurity; and a software bill of materials. The FDA's premarket cybersecurity guidance, finalized in September 2023, provides the operational detail and has been actively used in review since. The agency has issued refuse-to-accept decisions for submissions that did not include adequate cybersecurity information, with several public examples through 2024 and 2025.
The practical 2026 baseline for submissions is a structured cybersecurity section covering threat modeling, security risk management aligned to AAMI TIR57 or ANSI/ISA 62443, an SBOM in machine-readable format with vulnerability assessment, and a documented postmarket plan. The FDA reviewers have converged on consistent expectations, and submissions that follow the structure recommended in the September 2023 guidance generally move through review without cybersecurity findings. Submissions that include cybersecurity as an afterthought routinely receive deficiencies that delay clearance by months.
How has SBOM submission practice actually settled?
SBOM submission practice has settled on SPDX and CycloneDX as the accepted formats, with vulnerability assessment as a required accompaniment rather than just the SBOM itself. The FDA has been clear in feedback that a raw SBOM without analysis does not meet the statutory requirement. The expectation is a current SBOM, vulnerability mapping against an authoritative feed, and disposition for any unresolved vulnerabilities including compensating controls.
The harder operational question is SBOM maintenance across the device lifecycle. The premarket SBOM is a snapshot at submission, but the postmarket plan requires continuous monitoring of the deployed software. Manufacturers that built SBOM generation into their CI/CD pipelines have a relatively smooth path to maintaining current SBOMs across software updates. Manufacturers that generated the submission SBOM as a one-time exercise are usually rebuilding the workflow under postmarket pressure. The 2026 baseline is integrated SBOM generation tied to the build, with delivery to internal vulnerability management workflows on every release.
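The workflow described above, as an added example that is not code from the post or from any vendor product: it parses a CycloneDX SBOM, maps each component against a vulnerability feed, attaches the manufacturer's disposition records, and gates the build when a finding at or above a severity threshold has no disposition. The SBOM fragment, the feed entries (placeholder identifiers, not real CVEs) and the disposition records are all constructed sample data; the function and field names are this example's own. A real pipeline would load the SBOM emitted by the build and query an authoritative feed such as NVD, which is the same mapping the postmarket monitoring step runs against the deployed SBOM.

```python
"""Assess a CycloneDX SBOM against a vulnerability feed and check dispositions.

Added example (not from the original post or any vendor product). The SBOM,
the vulnerability feed and the disposition records below are constructed
sample data; a real pipeline would load the build's SBOM and query an
authoritative feed.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX 1.5 SBOM fragment for a hypothetical device image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1w",
     "purl": "pkg:generic/openssl@1.1.1w"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "lwip", "version": "2.1.3",
     "purl": "pkg:generic/lwip@2.1.3"}
  ]
}
"""

# Constructed vulnerability feed: identifiers are placeholders, not real CVEs.
FEED = [
    {"id": "VULN-EXAMPLE-0001", "name": "openssl", "affected": ["1.1.1w"],
     "severity": "HIGH"},
    {"id": "VULN-EXAMPLE-0002", "name": "zlib", "affected": ["1.2.11"],
     "severity": "CRITICAL"},
    {"id": "VULN-EXAMPLE-0003", "name": "zlib", "affected": ["1.2.8"],
     "severity": "HIGH"},
]

# Constructed disposition records maintained by the manufacturer.
DISPOSITIONS = {
    "VULN-EXAMPLE-0001": {
        "status": "mitigated",
        "control": "affected API not reachable; TLS terminated on gateway",
    },
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    component: str
    version: str
    vuln_id: str
    severity: str
    status: Optional[str]   # None when no disposition has been recorded
    control: Optional[str]  # compensating control text, if any


def load_components(sbom_json: str) -> list[dict]:
    """Parse the CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def assess(sbom_json: str, feed: list[dict], dispositions: dict) -> list[Finding]:
    """Map every SBOM component against the feed and attach any disposition."""
    findings = []
    for comp in load_components(sbom_json):
        for vuln in feed:
            if vuln["name"] == comp["name"] and comp["version"] in vuln["affected"]:
                disp = dispositions.get(vuln["id"], {})
                findings.append(Finding(comp["name"], comp["version"], vuln["id"],
                                        vuln["severity"], disp.get("status"),
                                        disp.get("control")))
    return findings


def unresolved(findings: list[Finding], threshold: str = "HIGH") -> list[Finding]:
    """Findings at or above the threshold that carry no recorded disposition."""
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]
            and f.status is None]


def gate(findings: list[Finding], threshold: str = "HIGH") -> bool:
    """Policy gate: True only when every finding at/above threshold is dispositioned."""
    return not unresolved(findings, threshold)


if __name__ == "__main__":
    results = assess(SBOM_JSON, FEED, DISPOSITIONS)
    for f in results:
        print(f"{f.vuln_id:20} {f.component}@{f.version:10} {f.severity:9} "
              f"{f.status or 'UNDISPOSITIONED'}  {f.control or ''}")
    print("gate:", "PASS" if gate(results) else "FAIL")
```

Run as-is, the gate fails because the constructed zlib finding is CRITICAL and has no disposition; adding a record for it (fixed, or mitigated with a named compensating control) is what lets the release through. Keeping the disposition records in version control next to the SBOM is what makes the analysis auditable at submission time.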
Which threats have actually hit medical devices recently?
The medical device threat landscape in 2024 and 2025 was characterized by both opportunistic compromise of hospital-deployed devices through known vulnerabilities and targeted research disclosure of new attack paths in specific device categories. Several infusion pump CVEs disclosed in 2024 and 2025 affected installed bases of hundreds of thousands of devices, with the patching cadence in hospital environments lagging the disclosure by months in most cases. CISA and the FDA both issued advisories on these patterns.
The other meaningful pattern is supply chain compromise of medical device software dependencies. The 2024 incidents at several mid-sized device manufacturers involved compromised software components introduced through normal dependency updates, with the malicious code reaching devices through routine software releases. The exploitation outcomes were generally credential exfiltration rather than direct patient impact, but the precedent is significant and the FDA's postmarket guidance has explicitly addressed supply chain risk management as part of the manufacturer's required postmarket plan.
What does postmarket vulnerability management actually look like?
Postmarket vulnerability management for medical devices has matured significantly under the combined pressure of Section 524B and direct customer expectations from hospital systems. The 2026 baseline includes monitoring of vulnerability feeds against the deployed device SBOM, defined notification SLAs for affected hospital customers, and documented remediation timelines that account for the device class and clinical use context. Manufacturers that built these workflows have a substantial competitive advantage in hospital procurement, where the customer cybersecurity scrutiny has tightened in parallel with the regulatory scrutiny.
The harder discipline is balancing the patching cadence with the validation requirements that come with software changes to cleared medical devices. A software update that addresses a security vulnerability still triggers verification and validation obligations, and in some cases a Special 510(k) review. The 2026 baseline includes pre-approved validation protocols for cybersecurity updates, internal fast-track review paths, and clear separation between cybersecurity patches and feature releases so that patching cadence is not bottlenecked by feature development.
How do you handle legacy installed-base devices?
The legacy installed base is the single hardest medical device cybersecurity problem, and the 2026 baseline reflects the limits of what is achievable. Devices designed before Section 524B was operational often lack the cryptographic infrastructure, update mechanisms, or platform capability to support modern security expectations. The pragmatic approach is documented risk acceptance with compensating controls, including network segmentation, monitoring, and clear hospital-facing guidance on operational mitigations.
The FDA has not retroactively imposed Section 524B requirements on legacy devices, but the postmarket vulnerability management expectations apply regardless of manufacture date for devices still being supported. The practical 2026 baseline is to maintain SBOM coverage for the legacy installed base where possible, generated through firmware analysis if necessary, and to operate vulnerability monitoring against the generated inventory. Several manufacturers in 2024 and 2025 used this approach to identify previously unknown component-level exposure in their legacy fleets.
How Safeguard Helps
Safeguard generates and maintains SBOMs across your medical device portfolio in FDA-accepted SPDX and CycloneDX formats, ready for premarket submission and tied to continuous postmarket monitoring. Griffin AI correlates emerging medical-device-targeting threats with your specific software inventory and surfaces the small set of issues that warrant immediate action under your postmarket plan. Reachability analysis filters CVE noise to the findings that actually expose deployed devices, which is what FDA reviewers and hospital customers care about. TPRM scoring captures upstream software supplier posture, supporting supply chain risk management evidence in your postmarket documentation. Policy gates enforce SBOM delivery and severity thresholds in your device build pipeline, and zero-CVE base images give your cloud-side infrastructure a clean starting point.