FDA Cybersecurity Remediation

Don’t Let Cybersecurity Slow Down Your FDA Submission

Has the FDA issued an Additional Information Request (also known as a Hold Letter) to you due to major cybersecurity deficiencies? Do some of these deficiencies seem unreasonable? Are you uncertain about the necessary steps to expedite your submission?

Alternatively, you might have an upcoming 510(k), De Novo, or PMA and concerns about inadequate cybersecurity documentation. If your team lacks cybersecurity expertise, you may be worried that cybersecurity will become the bottleneck in your submission.

We help medical device manufacturers rapidly get their FDA Cybersecurity Documentation in order.

It’s not as bad as it looks

Your engineers may have tried working through the FDA guidance and have been overwhelmed. It is a lot to learn. Maybe they’ve read the MITRE “Playbook for Threat Modeling Medical Devices” but still had a hard time getting started making a threat model.

We’ve been through this before and can show you the way.

We Can Help Push Back

If you've received an FDA Hold Letter and some of the deficiencies seem excessively demanding, there might be an opportunity to challenge it.

The ideal time to do this is during the initial FDA meeting, which is typically offered 10 days after receiving the hold letter.

Not all FDA reviewers are cybersecurity experts. They often issue "stock deficiencies" without a complete understanding. We have a successful history of challenging these. For instance, we assisted a client in arguing they didn't require penetration testing for a specific AI/ML-enabled SaMD product.

Challenging the FDA is a delicate process. It often involves negotiation. Leveraging our past experiences and software expertise, we can guide you along the best path.

We can start immediately

The ideal time to push back on major deficiencies is during the initial FDA meeting, 10 days after receiving the hold letter. We can usually begin nearly immediately and can quickly put together a strategy.

We’ve Helped Others Like You

Our cybersecurity process has been used successfully in 6+ FDA submissions since the 2023 FDA Cybersecurity Guidance was finalized, and has been progressively refined with each subsequent submission. Our past experiences have helped us understand what FDA is looking for.

We really enjoyed working with Innolitics in reviewing our cybersecurity related documentation and compiling a response to the FDA. We were particularly impressed with their knowledge and expertise in the field, and quick turn-around times to our queries. We look forward to working with Innolitics on future projects.

– Andrei Migatchev (CTO and Co-Founder at Envisionit Deep AI)

Our Cybersecurity Remediation Process

The overall process works as follows:

  1. Sign NDA
  2. Quick Gap Analysis and Cost Estimate
  3. Sign SOW
  4. Kickoff Meeting
  5. Develop Plan
    1. Full Gap Assessment
    2. Plan for Third-Party Pen Testing
    3. Plan for Obvious Unavoidable Software Changes
    4. Plan Documentation Work
  6. Weekly Meetings to Fill in Documentation Gaps
  7. Final Documentation Review
  8. Submit to FDA
  9. Provide Support for AINN related to Cybersecurity

Unless your medical device was designed with security in mind, it's likely that some software changes will be required to secure your device and address the FDA's major deficiencies. For example, upgrading dependencies and implementing missing cybersecurity controls. Our process is tailored to pinpoint these necessary changes swiftly, enabling your engineers to start working on them. In some instances, we can also provide software engineering support.

Additionally, we promptly identify any required third-party cybersecurity testing so it can be scheduled without delay. This ensures that the penetration test, which is usually mandatory, doesn't become a bottleneck to the FDA response timeline.

Once your engineers get started, we'll continue addressing your specific significant deficiencies as outlined in the following sections.

Threat Modeling

We work the team through our process of developing a threat model over a sequence of collaborative meetings. As part of threat modeling we’ll develop a set of security architecture views that comply with FDA’s expectations. We’ll guide the team through identifying external connections, assets, threat actors, and threats. Our threat modeling typically uses STRIDE combined with as is appropriate. We consider the full end-to-end system, including “other functions”.

Security Risk Assessment

We can guide the Client’s team through writing an appropriate Security Risk Management Plan, including an appropriate means of assessing security risks.

We can then guide the team through a security risk assessment, using the threat modeling as an input. We’ll work with the team to trace security risks to safety risks. We’ll also help identify relevant cybersecurity controls (see the next section) and help ensure there is proper cybersecurity traceability.

Cybersecurity Controls

We’ll work with the team to identify appropriate security risk controls against the FDA guidance. (FDA typically requires at minimum one or two controls from each control category—authentication, authorization, cryptography, integrity, confidentiality, detection, resiliency & recovery, and updates.) We’ll work with the client to identify the most useful controls that add the minimum necessary software development cost.

Software Bill of Materials (SBOM)

We can usually produce an FDA-compliant SBOM with minimal input from Client’s engineers.

Alternatively, we can help Client’s engineers set up tools to automatically generate an SBOM as part of their automated build procedures (e.g., using a GitHub Action that produces the SBOM as a build artifact). This second approach takes longer in the short term, but is more efficient long term.

Cybersecurity Testing

We can guide the Client’s engineering team through the cybersecurity testing process.

  • Requirements Testing: Typically handled through standard Design Controls, however, we can help draft Design Verification Protocols for verification of the Design Control requirements.
  • Vulnerability Testing: We can help select an appropriate vulnerability testing tool and incorporate it into the development workflow. This typically includes analyzing third-party packages for vulnerabilities along with static code analysis.
  • Penetration Testing: We can help select an appropriate pen testing vendor and can facilitate communication with the vendor to ensure they provide records that meet the FDA guidance. (Note the cost of Penetration Testing is not included in this SOW.)

We can compile all of these records into tests that are appropriate for the 510(k) submission.

Postmarket Cybersecurity Management Plan

We can tailor our cybersecurity management plan template to Client’s existing quality processes. We can also help document how software updates are deployed and how malware prevention plan.

Cybersecurity Labeling

We can work with the client to draft the cybersecurity sections of the IFU based on our understanding of the device and previous submissions. This includes:

  • Instructions related to the user’s security responsibilities
  • Security diagrams
  • SBOM access
  • Software update notification
  • Security anomaly reporting and detection
  • Backup and restore functionality


How much does your typical FDA Cybersecurity Remediation project cost?

It varies quite a bit based on the state of the current documentation and the required speed of completion. For most prospective documentation projects for class II devices, the cost is often between $30k and $40k.

What are your hourly rates?

Please reach out to use and we can provide you a list of our hourly rates for the following roles:

  • Partner
  • Senior Regulatory Consultant
  • Regulatory Consultant
  • Staff Software Engineer
  • Senior Software Engineer
  • Software Engineer
  • Data Annotation Associate
Do you ever work on a fixed-price basis?

No. We do not work on a fixed-price basis. We will provide a detailed cost estimate before we start the project and we’ll provide budget estimates through out the project, however, due to the differing nature of each project its not possible to provide a fixed-price estimate.

Can you provide examples of past projects similar to our product?

Yes! Please review our case studies for a sampling of our past projects. If you don’t see anything relevant, please reach out as only a small number of our projects have case studies.

Top Cybersecurity Resources

Let's Talk

Every great partnership starts with a conversation. Fill out the form below for a discovery call, and an Innolitics team member will contact you soon.