Medical Devices. Premarket SBOM, ten-year patch lifetime, signed end-to-end.
Connected medical-device manufacturers ship firmware that lives inside patients and inside hospitals for a decade. FDA SaMD, MDR, IVDR, IEC 62304, and IEC 81001-5-1 turn every firmware release into a regulator-readable evidence artefact. Safeguard makes that evidence a signed pipeline output, not a year-long submission project.
Four forces converging on every device firmware release.
Premarket SBOM, EU device regs, decade-long patch obligations, and PSIRT — all hitting one firmware team.
FDA premarket SBOM mandate
Premarket submissions now require a complete, signed SBOM for the exact firmware that ships on the device. The reviewer expects machine-readable CycloneDX or SPDX — not a spreadsheet attached to the cover letter.
IVDR / MDR EU device regulation
EU 2017/745 and 2017/746 push cybersecurity from a recommendation into a marketing-authorisation prerequisite. Notified bodies are reading the SBOM, the threat model, and the vulnerability-handling SOP before they sign.
Ten-year service-life patching
Connected devices stay in clinical use for a decade or more. Long after the original team has moved on, somebody has to be able to prove which transitive dependency is in field firmware version 3.1.7 — and patch it.
PSIRT obligations to disclose
Coordinated disclosure programs, FDA-mandated patch communications, and customer-hospital security teams all demand a CVE-to-patch story within tight SLAs. PSIRT is not a side function any more.
Capability mapped to notified-body expectation.
Signed CycloneDX per device firmware
Every firmware build emits a signed CycloneDX SBOM pinned to the binary that flashed to the device. Provenance and attestation travel with the artefact through the regulator, the notified body, and the hospital security review.
Reachability-aware CVE prioritisation
Most CVEs in an RTOS or Bluetooth stack are not actually reachable from the device's threat boundary. Reachability turns a 1,900-row alert list into a defendable, ranked worklist for the embedded team.
Long-tail patch attestation
Firmware that shipped seven years ago still needs an evidence trail. Safeguard retains the signed SBOM, VEX, and policy verdicts for the full service life — queryable on the day the regulator or hospital asks.
Coordinated disclosure pipeline
PSIRT intake, triage, advisory drafting, and customer notification run on a single pipeline. CVE entries are linked to the affected firmware, the patch commit, and the field-update plan — no parallel spreadsheets.
Frameworks the platform is mapped to.
Pre-mapped control narratives and evidence in the formats FDA reviewers and EU notified bodies already accept.
A typical deployment inside a device manufacturer.
Firmware CI signing pipeline, PSIRT-managed disclosure, multi-site evidence retention, and a regulator-ready trust packet.
Device firmware CI pipeline
Firmware build farms emit a signed CycloneDX SBOM per binary, bound to the toolchain hash and the source commit. Reproducible builds, deterministic outputs.
Signed SBOM emission
Every release artefact carries an in-toto attestation and sigstore signature. The premarket package and the EU technical file pull from the same evidence store.
PSIRT-managed disclosure mailbox
Coordinated-disclosure intake, triage, and advisory drafting are linked to the SBOM and the firmware. Customer hospital security teams receive a machine-readable VEX, not a PDF.
Ten-year evidence retention
SBOM, VEX, policy decisions, and disclosure history are retained for the full service life of the device. Queryable on day three thousand, not just on day thirty.
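The deployment above is easiest to reason about as data shapes. The following is an added example, not Safeguard's code or any manufacturer's pipeline: it builds a CycloneDX 1.5 SBOM whose top-level component is the firmware binary (hash, source commit and toolchain hash as properties), wraps it in an in-toto Statement v1 whose subject is the binary's digest, signs it, and then does the two things the sections above describe: a verifier checks that the binary in hand is the attested one, and the VEX entries in the same document drive the reachability-filtered, KEV-first worklist. The firmware bytes, component names, CVE ids (`CVE-0000-…`), commit id and HMAC key are all constructed placeholders; the HMAC stands in for the sigstore/DSSE signature a real pipeline would produce.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: a fake firmware image, a placeholder commit id and a demo key.
FIRMWARE_BYTES = b"CONSTRUCTED-FIRMWARE-IMAGE v3.1.7"
SOURCE_COMMIT = "0" * 40                         # placeholder, not a real commit
TOOLCHAIN_ID = "arm-none-eabi-gcc (constructed toolchain build)"
DEMO_KEY = b"demo-only-hmac-key"                 # stand-in for a sigstore/DSSE signing identity

# Constructed inventory with a reachability verdict per finding. CVE ids are placeholders.
FINDINGS = [
    {"cve": "CVE-0000-00001", "component": "rtos-kernel", "version": "10.4.3",
     "cvss": 9.8, "kev": False, "reachable": False, "why": "code_not_reachable"},
    {"cve": "CVE-0000-00002", "component": "ble-stack", "version": "2.1.0",
     "cvss": 7.5, "kev": True, "reachable": True, "why": None},
    {"cve": "CVE-0000-00003", "component": "tls-lib", "version": "3.0.1",
     "cvss": 8.1, "kev": False, "reachable": True, "why": None},
    {"cve": "CVE-0000-00004", "component": "tls-lib", "version": "3.0.1",
     "cvss": 5.3, "kev": False, "reachable": False, "why": "requires_configuration"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialisation so the signature covers one fixed byte string.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def vex_entry(f: dict) -> dict:
    """CycloneDX vulnerability entry carrying the VEX analysis state a hospital consumes."""
    if f["reachable"]:
        analysis = {"state": "exploitable"}
    else:
        analysis = {"state": "not_affected", "justification": f["why"]}
    return {
        "id": f["cve"],
        "analysis": analysis,
        "ratings": [{"score": f["cvss"], "method": "CVSSv31"}],
        "properties": [{"name": "kev.listed", "value": "true" if f["kev"] else "false"}],
        "affects": [{"ref": f"{f['component']}@{f['version']}"}],
    }


def build_sbom(firmware: bytes, findings: list) -> dict:
    """CycloneDX 1.5 document whose metadata.component is the firmware binary itself."""
    seen = {}
    for f in findings:
        ref = f"{f['component']}@{f['version']}"
        seen.setdefault(ref, {"type": "library", "bom-ref": ref,
                              "name": f["component"], "version": f["version"]})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {
            "type": "firmware",
            "name": "device-firmware",
            "version": "3.1.7",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(firmware)}],
            "properties": [
                {"name": "build.source-commit", "value": SOURCE_COMMIT},
                {"name": "build.toolchain-sha256", "value": sha256_hex(TOOLCHAIN_ID.encode())},
            ],
        }},
        "components": list(seen.values()),
        "vulnerabilities": [vex_entry(f) for f in findings],
    }


def attest(sbom: dict, firmware: bytes) -> dict:
    """in-toto Statement v1 binding the SBOM (predicate) to the firmware digest (subject)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "device-firmware-3.1.7.bin",
                     "digest": {"sha256": sha256_hex(firmware)}}],
        "predicateType": "https://cyclonedx.org/bom",
        "predicate": sbom,
    }


def sign(statement: dict, key: bytes) -> str:
    # HMAC stands in for the sigstore/DSSE signature a real pipeline would emit.
    return hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()


def verify(statement: dict, signature: str, firmware: bytes, key: bytes) -> bool:
    """Reject if the signature is wrong, or if the binary in hand is not the attested one."""
    if not hmac.compare_digest(sign(statement, key), signature):
        return False
    attested = {s["digest"]["sha256"] for s in statement["subject"]}
    return sha256_hex(firmware) in attested


def worklist(sbom: dict) -> list:
    """Ranked patch worklist: reachable findings only, KEV-listed first, then by CVSS score."""
    reachable = [v for v in sbom["vulnerabilities"] if v["analysis"]["state"] == "exploitable"]

    def rank(v):
        kev = any(p["name"] == "kev.listed" and p["value"] == "true" for p in v["properties"])
        return (not kev, -v["ratings"][0]["score"])

    return [v["id"] for v in sorted(reachable, key=rank)]


if __name__ == "__main__":
    sbom = build_sbom(FIRMWARE_BYTES, FINDINGS)
    stmt = attest(sbom, FIRMWARE_BYTES)
    sig = sign(stmt, DEMO_KEY)
    print("genuine binary verifies:", verify(stmt, sig, FIRMWARE_BYTES, DEMO_KEY))
    print("tampered binary verifies:", verify(stmt, sig, FIRMWARE_BYTES + b"x", DEMO_KEY))
    print("patch worklist:", worklist(sbom))
```

Two design points carry over to a real deployment. The verifier checks the binary digest against the attestation subject, not against a hash quoted in an e-mail, so a build-agent or SDK compromise that changes the binary invalidates the evidence rather than silently inheriting it. And the `not_affected` entries stay in the document with their justification: the worklist drops them, but the regulator can still read why, which is the analysis the long-tail CVE sections above say reviewers expect to see.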
Four risk surfaces every device security officer tracks.
Third-party RTOS / firmware library CVEs
RTOS kernels, BLE stacks, and TLS libraries deep inside the firmware carry a long CVE tail. Most are unreachable in the device threat model — but the regulator still wants to see the analysis.
AI-on-device model integrity
Diagnostic and imaging models that run on-device need signed weights, lineage, and drift monitoring. A silently corrupted model is a patient-safety event, not a software bug.
Cellular and Bluetooth stack vulnerabilities
The wireless surface is the most exposed part of a connected device. A new CVE in a baseband or BLE pairing routine can put an entire installed base into the disclosure clock at once.
Vendor abandonment of critical libraries
Open-source maintainers move on; commercial suppliers EOL components. Long-tail devices outlive their dependencies, and the manufacturer has to find the path forward — often before the regulator notices.
What is actually hitting device manufacturers this year.
- Medical-device-targeted ransomware campaigns: Hospital networks and connected devices are now a coordinated target set. A reachable CVE in field firmware becomes an immediate notification to the hospital security team. We address this through Eagle reachability + KEV prioritisation.
- Firmware supply-chain backdoors: Compromised compilers, build agents, or third-party SDKs reach the device binary. Only a signed, reproducible SBOM with provenance gives you a defensible answer. We address this through Signed SBOM + attestation.
- FDA recall trigger events: A field-discovered vulnerability that maps to a recall classification puts an entire installed base on the clock. SBOM-driven impact analysis decides the recall scope in hours, not weeks. We address this through Compliance evidence pipeline.
- Coordinated disclosure SLA mismatches: Researcher, regulator, and hospital security team all expect different disclosure timelines. A single PSIRT pipeline tied to the SBOM and the patch commit removes the spreadsheet co-ordination. We address this through Compliance evidence pipeline.
- On-device AI model integrity gaps: Diagnostic and imaging models on the device need signed weights and runtime integrity, not just source review. Drift and tampering become patient-safety questions. We address this through AI-BOM + runtime model integrity.
Quantified benefits for medical-device teams.
Numbers from production deployments. Same regulator, same device, dramatically less submission overhead.
| Metric | Before Safeguard | With Safeguard |
|---|---|---|
| FDA premarket SBOM prep | 3 weeks | 30 minutes |
| Field-patch reachability filter | 70% noise | 5% noise |
| PSIRT-disclosure response | 14 days | 24 hours |
| Ten-year evidence retention | Manual | Automated |
| Tool consolidation | 5 vendors | 1 |
| Alert volume per firmware / month | ~1,900 | ~190 |
| Recall risk identification | Weeks | Hours |
Premarket-ready evidence, field-ready patching.
Talk to the team about FDA SaMD evidence pipelines, MDR / IVDR technical files, and a PSIRT shape that runs for the full service life of the device.