AI-Augmented Audits | June 9, 2026

Medical Device Cybersecurity Audits: What FDA Investigators Are Actually Checking in 2026

FDA's Section 524B is three years old and ORA investigators now check execution, not just documentation. Here's what your cybersecurity audit file must show.

Sam Sammane
Founder & CEO, Aurora TIC | Founder, Qalitex Group

Section 524B of the FD&C Act has been in effect since March 29, 2023. That’s more than three years ago — and yet we still see medical device manufacturers submitting 510(k)s with cybersecurity sections that read like checkbox exercises rather than genuine risk documentation. The result: Refuse to Accept (RTA) letters, 483 observations during ORA inspections, and in the worst cases, warning letters that cite inadequate software controls.

The gap isn’t usually ignorance of the law. It’s that manufacturers treat cybersecurity as a submission compliance problem rather than a quality system problem. Those are very different things, and FDA’s investigators are trained to tell them apart.

What Section 524B Actually Requires — Beyond the Checkbox

The Consolidated Appropriations Act of 2022 (signed December 29, 2022) added Section 524B to the Federal Food, Drug, and Cosmetic Act. FDA’s implementing guidance — Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions — arrived in final form on September 26, 2023. At 87 pages, it’s one of the more substantive guidance documents the agency has issued in recent years. Four requirements sit at the core.

A plan to monitor, identify, and address post-market cybersecurity vulnerabilities. This is not a generic SOC-style monitoring policy. FDA expects a device-specific cybersecurity management plan that describes how your team will track disclosed vulnerabilities in third-party components, evaluate severity, and deploy patches or mitigations within defined timelines. The guidance references a “reasonable timeframe” — but inspectors have begun interpreting that against CVSS scoring, with critical vulnerabilities (CVSS ≥ 9.0) expected to be addressed within 30 days of confirmed applicability.

A software bill of materials (SBOM). This is where most manufacturers still stumble. Your SBOM must enumerate every commercial, open-source, and off-the-shelf software component in the device — including third-party libraries nested inside firmware. The formats FDA accepts include SPDX and CycloneDX. A spreadsheet listing your top-level software packages is not an SBOM; it is the artifact that gets cited on a Form 483.

Threat modeling and a security architecture diagram. FDA recommends the STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), with documented threat scenarios mapped to specific device interfaces and data flows. The security architecture diagram must show trust boundaries — not just a high-level network diagram with labeled boxes.
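The STRIDE coverage question an investigator asks is mechanical: for every interface that crosses a trust boundary on the architecture diagram, is there a documented scenario in each of the six categories, and does each scenario record a mitigation? The script below is an added example (not code from the article or from Aurora TIC) that runs that check over a constructed threat model for a hypothetical infusion pump; the interface names, scenarios and mitigations are invented for illustration.

```python
"""Threat-model coverage check: does every device interface that crosses a
trust boundary have a documented threat scenario for each STRIDE category?
Added illustration; the interfaces and scenarios below are constructed for a
hypothetical infusion pump, not taken from any real device file."""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

@dataclass
class Interface:
    name: str
    crosses_trust_boundary: bool   # as drawn on the security architecture diagram
    data_flows: tuple = ()

@dataclass
class ThreatScenario:
    interface: str
    category: str                  # one of STRIDE
    description: str
    mitigation: str = ""           # empty string = no mitigation recorded

# Constructed sample threat model.
INTERFACES = [
    Interface("BLE pairing", True, ("pairing key exchange", "dose telemetry")),
    Interface("Wi-Fi to EMR gateway", True, ("infusion orders", "event log upload")),
    Interface("USB service port", True, ("firmware update", "log export")),
    Interface("Internal SPI bus to pump motor", False, ("motor commands",)),
]

THREATS = [
    ThreatScenario("BLE pairing", "Spoofing", "Rogue controller impersonates paired app", "mutual authentication"),
    ThreatScenario("BLE pairing", "Tampering", "Dose telemetry altered in transit", "AEAD encryption"),
    ThreatScenario("BLE pairing", "Information Disclosure", "Telemetry readable by nearby device", "AEAD encryption"),
    ThreatScenario("BLE pairing", "Denial of Service", "Pairing flood exhausts connection slots", "rate limiting"),
    ThreatScenario("Wi-Fi to EMR gateway", "Spoofing", "Forged infusion order from fake gateway", "TLS client certificates"),
    ThreatScenario("Wi-Fi to EMR gateway", "Tampering", "Order modified in transit", "TLS"),
    ThreatScenario("Wi-Fi to EMR gateway", "Repudiation", "Gateway denies having sent an order", "signed audit log"),
    ThreatScenario("Wi-Fi to EMR gateway", "Information Disclosure", "PHI in event log readable on the network", "TLS"),
    ThreatScenario("Wi-Fi to EMR gateway", "Denial of Service", "Gateway unreachable; device must fail safe", "offline mode"),
    ThreatScenario("Wi-Fi to EMR gateway", "Elevation of Privilege", "Order endpoint reachable without clinician role", ""),
    ThreatScenario("USB service port", "Tampering", "Unsigned firmware image accepted", "signature check"),
    ThreatScenario("USB service port", "Elevation of Privilege", "Service shell reachable from USB", "disabled in release build"),
]

def coverage_gaps(interfaces, threats):
    """Sorted (interface, category) pairs that cross a trust boundary but have no
    documented scenario. Each pair is a question an investigator can ask."""
    covered = {(t.interface, t.category) for t in threats}
    return sorted((i.name, cat) for i in interfaces if i.crosses_trust_boundary
                  for cat in STRIDE if (i.name, cat) not in covered)

def unmitigated(threats):
    """Scenarios documented with no mitigation: residual risk that must be accepted
    explicitly in the risk file, not left blank."""
    return sorted((t.interface, t.category) for t in threats if not t.mitigation)

def invalid_categories(threats):
    """Category labels that are not STRIDE terms (typos break the coverage matrix)."""
    return sorted({t.category for t in threats if t.category not in STRIDE})

if __name__ == "__main__":
    for iface, cat in coverage_gaps(INTERFACES, THREATS):
        print(f"GAP         {iface}: no {cat} scenario")
    for iface, cat in unmitigated(THREATS):
        print(f"UNMITIGATED {iface}: {cat}")
```

Interfaces that stay inside one trust zone (the SPI bus here) are skipped on purpose; the diagram's trust boundaries, not the component list, decide what needs a scenario.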

A coordinated vulnerability disclosure policy (CVDP). This means a published policy (or at minimum a documented internal process) explaining how security researchers and customers can report vulnerabilities, and what your response timeline commitments are. Many manufacturers have internal CVDPs that were never published. That’s not compliant.

Miss any of these four elements and your premarket submission is a candidate for RTA action. FDA started issuing RTA letters for cybersecurity deficiencies in late 2023 and has been consistent about enforcement since.

What ORA Investigators Are Checking on the Inspection Floor

Premarket review is only half the picture. Once your device is on the market, cybersecurity compliance lives inside your Quality Management System — and ORA investigators now arrive with specific cybersecurity questions on their inspection agenda.

Under the QMSR final rule (effective February 2, 2026, aligning 21 CFR Part 820 with ISO 13485:2016), design controls and software lifecycle procedures are the primary inspection targets. But cybersecurity fits into two additional areas that investigators probe specifically.

Corrective and Preventive Action (CAPA). If a vulnerability is disclosed in a third-party component in your SBOM — say, an OpenSSL library used in your device’s communication stack — your CAPA system should have a mechanism to detect it, evaluate it, and trigger an engineering review. Investigators ask to see CAPA records for software-related issues. Manufacturers who can’t produce them, or who produce generic software change records with no connection to external vulnerability disclosures, draw observations.

Post-Market Surveillance. FDA’s postmarket cybersecurity guidance (cross-referenced in the 2023 premarket guidance) requires manufacturers to maintain a proactive security monitoring process. In practice, investigators ask: “How do you know when a new vulnerability affects your device?” The expected answer involves some combination of NVD/CVE monitoring, SBOM cross-referencing, and membership in the Health-ISAC. Pointing to a quarterly manual review does not satisfy this.
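The mechanism investigators want to see behind "how do you know when a new vulnerability affects your device?" is an SBOM cross-reference that feeds CAPA. The script below is an added example (not code from the article, from Aurora TIC, or from DeepGMP/LIMSAI) that matches a constructed CycloneDX SBOM against constructed feed records, rates each hit by CVSS band, and emits a CAPA input with a deadline counted from confirmed applicability. The 30-day window for CVSS ≥ 9.0 is the figure the article cites; the other tiers, the CVE ids and the version ranges are placeholders invented for the example.

```python
"""Cross-reference a CycloneDX SBOM against a vulnerability feed and turn each
match into a CAPA input with a remediation deadline. Added illustration: the
SBOM, the feed records and the CVE ids below are constructed, not real NVD data."""
import json
from datetime import date, timedelta

# Constructed CycloneDX 1.5 fragment for a hypothetical device firmware.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12", "purl": "pkg:generic/openssl@3.0.12"},
        {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "mbedtls", "version": "3.5.0", "purl": "pkg:generic/mbedtls@3.5.0"},
    ],
})

# Constructed feed records in the shape an NVD/CVE pull would be normalised into:
# product, affected version range [start, end), CVSS base score, publication date.
# The ids are placeholders, not real CVEs.
FEED = [
    {"id": "CVE-0000-0001", "product": "openssl", "start": "3.0.0", "end": "3.0.13", "cvss": 9.8, "published": "2026-05-01"},
    {"id": "CVE-0000-0002", "product": "zlib", "start": "1.2.0", "end": "1.2.12", "cvss": 6.5, "published": "2026-05-03"},
    # range ends before 3.5.0, so this one must not match
    {"id": "CVE-0000-0003", "product": "mbedtls", "start": "2.0.0", "end": "2.28.0", "cvss": 7.5, "published": "2026-05-03"},
]

# Remediation window in days from confirmed applicability. The 30-day critical
# window is the figure the article describes; the other tiers are assumed
# placeholders that your own cybersecurity management plan has to define.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

def severity(cvss):
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def vtuple(version):
    """'3.0.12' -> (3, 0, 12) so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in version.split("."))

def affected(component, record):
    """True when the component's version falls inside the record's [start, end) range."""
    if component["name"] != record["product"]:
        return False
    return vtuple(record["start"]) <= vtuple(component["version"]) < vtuple(record["end"])

def match_sbom(sbom_json, feed, confirmed_on):
    """One CAPA-input record per (component, CVE) match. confirmed_on is the ISO
    date on which applicability was confirmed; the deadline counts from there."""
    start = date.fromisoformat(confirmed_on)
    inputs = []
    for comp in json.loads(sbom_json)["components"]:
        for rec in feed:
            if affected(comp, rec):
                sev = severity(rec["cvss"])
                inputs.append({
                    "cve": rec["id"],
                    "component": comp["purl"],
                    "severity": sev,
                    # The input type investigators look for: external disclosure, not internal finding.
                    "source": "external vulnerability disclosure",
                    "published": rec["published"],
                    "due": (start + timedelta(days=SLA_DAYS[sev])).isoformat(),
                })
    return inputs

def overdue(inputs, as_of):
    """CVE ids whose remediation deadline has passed as of the given ISO date."""
    today = date.fromisoformat(as_of)
    return [i["cve"] for i in inputs if date.fromisoformat(i["due"]) < today]

if __name__ == "__main__":
    for item in match_sbom(SBOM_JSON, FEED, "2026-05-04"):
        print(item)
```

The `source` field is the point of the exercise: when CAPA records carry it, the ratio of external-disclosure inputs to internal findings that the audit section later asks for can be pulled with a filter instead of reconstructed by hand.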

Here’s what’s changed in 2025–2026 compared to earlier inspection cycles: investigators are no longer satisfied with documentation that describes the right processes in the abstract. They want evidence of execution. One large device manufacturer received a Form 483 observation in Q1 2025 specifically because their cybersecurity management plan described quarterly SBOM vulnerability reviews — but their records showed no reviews had been conducted in the previous 14 months. The documentation was fine. The practice wasn’t. That distinction is now the standard investigator frame.

The SBOM Scaling Problem — And Where AI Changes the Math

Let’s be honest about the operational challenge. Modern medical device software is complex. A mid-tier infusion pump firmware stack might contain 400–600 individual software components once you account for all transitive dependencies. Maintaining an accurate, current SBOM for that device — across multiple hardware revisions, with ongoing patches — is not a task that scales through quarterly spreadsheet updates.

The National Vulnerability Database publishes roughly 25,000–30,000 new CVE entries per year. No PSIRT team can manually cross-reference that volume against a 500-component SBOM on any realistic schedule. And yet that’s effectively what FDA’s post-market monitoring requirements call for.

AI-augmented quality tools are starting to close this gap in a meaningful way. At Aurora TIC, the approach we’re building through DeepGMP and LIMSAI applies machine-readable SBOM formats — CycloneDX JSON, specifically — combined with automated CVE matching to give quality teams a real-time vulnerability signal rather than a periodic snapshot. The practical result: instead of discovering during an FDA inspection that you have 14 months of unreviewed vulnerability disclosures, your quality system surfaces relevant CVEs within 48–72 hours of NVD publication and routes them through your existing CAPA workflow automatically.

That’s not a workaround. It’s what the FDA guidance actually envisions when it describes a “proactive security monitoring process” — and it’s increasingly the infrastructure that sophisticated device manufacturers are building toward as regulatory compliance consulting services mature in this space.

If you’re evaluating your QMS platform or your regulatory compliance consulting services partners right now, ask a direct question: does their change control module integrate with SBOM tooling or CVE feeds? If the answer is “no, but we export to Excel,” that’s a gap worth scoping before your next inspection.

Three Things to Audit in Your Cybersecurity Documentation This Quarter

If your next FDA inspection is within 18 months, these are the three areas with the highest return on audit effort.

Check your SBOM for completeness at the transitive dependency level. Run your codebase through a generation tool — Syft, Trivy, or FOSSA work well — and compare the output against what’s in your current premarket submission file. The delta between those two documents is your documentation gap. Fix it before an investigator finds it.
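The delta between a generated SBOM and the one in the submission file is what the transitive-dependency requirement described earlier and this audit step both come down to. The script below is an added example (not code from the article or from any SBOM tool) that computes that delta between two constructed CycloneDX fragments: one with the dependency graph a generator would emit, one shaped like the top-level-only "spreadsheet" SBOM the article warns about. Component names, versions and package URLs are invented for illustration.

```python
"""Compare the SBOM generated from the build (transitive dependencies included)
against the SBOM in the submission file. Added illustration: both documents
below are constructed CycloneDX fragments for a hypothetical device, not real SBOMs."""
import json

# Constructed: what a generation tool would emit from the firmware build tree,
# including the dependency graph.
GENERATED = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "a", "name": "paho-mqtt", "version": "1.3.12", "purl": "pkg:generic/paho-mqtt@1.3.12"},
        {"bom-ref": "b", "name": "openssl", "version": "3.0.12", "purl": "pkg:generic/openssl@3.0.12"},
        {"bom-ref": "c", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
        {"bom-ref": "d", "name": "cjson", "version": "1.7.15", "purl": "pkg:generic/cjson@1.7.15"},
    ],
    "dependencies": [
        {"ref": "a", "dependsOn": ["b", "d"]},
        {"ref": "b", "dependsOn": ["c"]},
    ],
})

# Constructed: the "spreadsheet" SBOM in the submission file: top-level packages
# only, one version that drifted since submission, and one entry with no purl.
SUBMITTED = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "paho-mqtt", "version": "1.3.12", "purl": "pkg:generic/paho-mqtt@1.3.12"},
        {"name": "openssl", "version": "3.0.10", "purl": "pkg:generic/openssl@3.0.10"},
        {"name": "freertos", "version": "10.5.1"},
    ],
})

def components(sbom_json):
    """name -> component dict."""
    return {c["name"]: c for c in json.loads(sbom_json).get("components", [])}

def dependency_depth(sbom_json):
    """name -> depth in the dependency graph (0 = top-level, >0 = transitive),
    from a breadth-first walk starting at components nothing depends on."""
    sbom = json.loads(sbom_json)
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    names = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    children = {kid for kids in edges.values() for kid in kids}
    depth = {}
    frontier = [(ref, 0) for ref in names if ref not in children]
    while frontier:
        ref, d = frontier.pop(0)
        if ref in depth:          # BFS: first visit is the shallowest path
            continue
        depth[ref] = d
        frontier.extend((kid, d + 1) for kid in edges.get(ref, []))
    return {names[ref]: d for ref, d in depth.items()}

def sbom_delta(generated_json, submitted_json):
    """The documentation gap: components the build contains that the file does
    not (with their depth), versions that drifted, entries no longer in the
    build, and entries without a package URL that a CVE feed cannot be matched to."""
    gen, sub = components(generated_json), components(submitted_json)
    depth = dependency_depth(generated_json)
    return {
        "missing": sorted((n, depth.get(n, 0)) for n in gen if n not in sub),
        "version_drift": sorted((n, sub[n]["version"], gen[n]["version"])
                                for n in gen if n in sub and sub[n]["version"] != gen[n]["version"]),
        "not_in_build": sorted(n for n in sub if n not in gen),
        "no_purl": sorted(n for n, c in sub.items() if "purl" not in c),
    }

if __name__ == "__main__":
    for key, rows in sbom_delta(GENERATED, SUBMITTED).items():
        print(f"{key}: {rows}")
```

The depth column is the useful part of the report: a missing component at depth 2 means the submitted file never went below the top level, which is exactly the pattern the earlier section says gets cited on a Form 483.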

Pull your last 12 months of CAPA records and filter for software-related inputs. Count how many were triggered by external vulnerability disclosures versus internal findings. A ratio heavily weighted toward internal findings suggests your external monitoring process isn’t functioning as a CAPA input — and that’s exactly the thread investigators pull.

Verify your CVDP is publicly reachable. Section 524B requires a coordinated vulnerability disclosure policy. That policy needs to be publicly accessible — typically via a security.txt file on your domain or a dedicated security page. Search your own domain right now. If you can’t find it in 60 seconds, an investigator won’t either.
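Finding the file is the first half of this check; the second is whether its contents would pass an auditor's reading of RFC 9116, which is the standard that defines security.txt and places it at /.well-known/security.txt. The validator below is an added example (not code from the article) that parses a constructed security.txt body and reports the findings an auditor would raise: a missing Contact or Expires field, an Expires that has already passed or sits more than a year out, contact values that are not URIs, and a missing Canonical line. The example.com addresses are placeholders.

```python
"""Validate security.txt content against the RFC 9116 rules an auditor checks.
Added illustration: the file bodies below are constructed, not taken from any
real domain."""
from datetime import datetime

# RFC 9116 serves the file at this path over HTTPS; /security.txt is a legacy fallback.
WELL_KNOWN_PATH = "/.well-known/security.txt"

# Constructed body that should pass every check.
SAMPLE = """# Constructed security.txt for a hypothetical device manufacturer
Contact: mailto:product-security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00Z
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/cvdp
"""

# Constructed body with the defects seen in never-published internal CVDPs.
BAD = """Contact: security@example.com
Policy: https://example.com/security/cvdp
"""

def parse(body):
    """field name (lower-cased) -> list of values; comments and blank lines are skipped."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_time(value):
    """RFC 9116 uses ISO 8601 timestamps; accept a trailing Z as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate(body, now_iso):
    """Return a list of findings; an empty list means the body passes these checks."""
    now = _parse_time(now_iso)
    f = parse(body)
    findings = []
    if "_malformed" in f:
        findings.append(f"malformed line(s): {f['_malformed']}")
    if "contact" not in f:
        findings.append("missing required Contact field")
    else:
        for c in f["contact"]:
            if not c.startswith(("mailto:", "https://", "tel:")):
                findings.append(f"Contact is not a URI: {c}")
    if "expires" not in f:
        findings.append("missing required Expires field")
    elif len(f["expires"]) > 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            exp = _parse_time(f["expires"][0])
            if exp <= now:
                findings.append("Expires is in the past")
            elif (exp - now).days > 366:
                findings.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            findings.append(f"Expires is not ISO 8601: {f['expires'][0]}")
    if "canonical" not in f:
        findings.append("no Canonical field (recommended so the file's location can be asserted)")
    return findings

if __name__ == "__main__":
    for label, body in (("SAMPLE", SAMPLE), ("BAD", BAD)):
        print(label, validate(body, "2026-06-09T00:00:00Z") or "OK")
```

Run it against the body fetched from your own domain at `WELL_KNOWN_PATH`; an expired file is the most common finding, because the Expires line is set once at publication and then forgotten.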

None of this is glamorous work. But it’s the type of systematic gap assessment that separates manufacturers who leave inspections with zero observations from those who spend the following six months writing CAPA responses. FDA’s cybersecurity requirements for medical devices are not going to simplify — the agency’s Digital Health Center of Excellence continues to publish new guidance, post-market expectations are tightening, and the intersection of AI/ML software with device classification is adding new compliance layers every cycle. Getting your quality system infrastructure right now, before the inspection clock starts, is genuinely cheaper than fixing it under pressure after.


Written by Sam Sammane, Founder & CEO, Aurora TIC | Founder, Qalitex Group.