--- case_studies: - 64011d5f-db70-46cc-bf72-818a1bce7a02 - 16cbd5b7-a754-80b9-bc20-ed002d88b119 description: You need help preparing cybersecurity documents for an FDA submission or to respond to a Hold Letter. featured: true is_solution: false service_name: FDA Cybersecurity sort_order: 14 title: FDA Cybersecurity widget_icon: [] ---
## Don't Let Cybersecurity Slow Down Your FDA Submission
Do you have an upcoming 510(k), IDE, De Novo, or PMA and have **inadequate cybersecurity documentation**?
Did you submit already, and received **major cybersecurity deficiencies** in a hold letter?
**We help medical device manufacturers secure their devices and rapidly get their FDA Cybersecurity Documentation in order.**
Let's Talk
![](/img/services/FDA_Cybersecurity-1c8bd5b7a75481b99e27fed9c5bac36a.png)
## We've Helped Others Like You Our cybersecurity process has been used successfully in **many FDA submissions since the 2026 FDA Cybersecurity Guidance was finalized**, and has been progressively refined with each subsequent submission. Our past experiences have helped us understand FDA's expectations. ## It's not so bad Your engineers may have tried working through the FDA guidance and have been overwhelmed. It is a lot to learn. **We've been through this before** and can show you the way. ## We can help push back If you've submitted to FDA and they've identified deficiencies that seem excessive, you **may be able to push back**! The ideal time to do this is during the FDA meeting within 10 days of receiving the hold letter. We can **usually begin immediately** and can quickly put together a strategy.
Let’s Meet
## Engagement Models We can work with you in these ways: | Name | Situation | |---------------------------|-------------------------------------------------------------------------------------------------------------------------| | Gap Analysis | You don\'t know what you don\'t know | | Support | You are still building the device and want cybersecurity support during design and implementation. | | Remediation | Your software is nearly complete and you need submission-ready cybersecurity documentation, testing, and risk controls. | | AINN Deficiencies Support | You submitted to FDA and received an AINN letter with cybersecurity deficiencies. | ## Support The overall process for our Support engagement works as follows: 1. Plan and initial assessment 2. Implementation support (monthly or every two weeks) 3. Full risk assessment 4. Testing and final reports 5. Submit to FDA 6. Address FDA requests for additional information (no additional cost) 7. **FDA clearance**
See How Our Process Can Work For You
## Quality Guarantee We have extensive experience helping companies with FDA submissions. If FDA finds any cybersecurity issues we missed, we\'ll fix them at no extra cost to you. ## FAQ

What are the deliverables from the Support engagement?

For the Support engagement, we help you produce the cybersecurity artifacts typically needed for 510(k), De Novo, and PMA submissions. The documents are organized so they can be uploaded directly into the latest eSTAR template.

We align the content to FDA’s current cybersecurity expectations, using these guidance documents as key references:

See below for summary descriptions of each deliverable:

Security Architecture Views

Visual diagrams of system components, data flows, connections, and trust boundaries. Includes Global System View, Multi-Patient Harm View (if applicable), Use Case Views, and Updateability View.

Cybersecurity Controls (Draft/Final)

Proposed and final security controls addressing FDA's 8 risk control categories to mitigate identified risks.

Initial draft provided in Phase 1 for software team implementation.

Cybersecurity Management Plan

Plan for managing cybersecurity risks throughout product lifecycle, including development, vulnerability handling, and monitoring.

Cybersecurity Measures and Metrics

Indicators tracking security control effectiveness (e.g., vulnerability count, patch response time).

For new devices, outlines planned metrics only.

Threat Model

STRIDE analysis of threat actors, assets, and attack vectors, showing potential vulnerabilities and safety impacts.

Security Risk Assessment

Risk evaluation showing traceability between vulnerabilities, controls, and residual risks.

Cybersecurity Labeling

User documentation covering security responsibilities, diagrams, updates, and anomaly reporting.

Software Bill of Materials (SBOM)

List of all software components and third-party libraries used in the device.

Software Level of Support and End of Support

Support duration and end-of-life plans for each SBOM component.

Vulnerability Assessment

Review of vulnerabilities found in SBOM scan.

Assessment of Unresolved Security Anomalies

Open security issues with impact analysis and mitigation plans.

Cybersecurity Metrics Report

Addresses plan for on-going cybersecurity metrics.

Cybersecurity Testing Report

Summary of all security testing activities and results.

Penetration Testing Report

Third-party pen-test findings and recommendations with FDA-aligned analysis.

Security Risk Management Report

Final summary of all security activities providing submission-ready overview.

How much does the support package cost?

Pricing depends on your device, submission type, and scope. Contact us for a custom quote.

Will we need to make changes to our software?

Unless your medical device was designed with security in mind, it's likely that some software changes will be required. Our process is tailored to pinpoint these necessary changes swiftly so your engineers can start working on them. In some instances, we can also provide software engineering support.

Can you provide examples of past projects similar to our product?

Yes! Please review our case studies for a sampling of our past projects. If you don’t see anything relevant, please reach out as only a small number of our projects have case studies.

How does your team provide support with threat modeling?

Yes! We can work your team team to develop a threat model over a sequence of collaborative meetings. As part of threat modeling we’ll develop a set of security architecture views that comply with FDA’s expectations. We’ll guide the team through identifying external connections, assets, threat actors, and threats. Our threat modeling typically uses STRIDE combined with other threat modeling methodologies as is appropriate.

Our threat modeling approach considers the full end-to-end system, including “other functions”.

How does your team provide support with security risk management?

Yes! We can guide the Client’s team through writing an appropriate Security Risk Management Plan, including an appropriate means of assessing security risks.

We can then guide the team through a security risk assessment, using the threat modeling as an input. We’ll work with the team to trace security risks to safety risks. We’ll also help identify relevant cybersecurity controls (see the next section) and help ensure there is proper cybersecurity traceability.

Can your team help us define necessary cybersecurity controls?

Yes! We’ll work with the team to identify appropriate security risk controls against the FDA guidance. FDA typically requires at minimum one or two controls from each control category:

We’ll work with you to identify the most useful controls that add the minimum necessary software development cost. We also understand what controls FDA expects for different types of devices.

Can your team help implement cybersecurity controls?

In most cases, yes, although this is at an additional cost. For most clients, it is more cost effective to have their own team implement the software controls.

How does does your team help with SBOM generation?

We can usually produce an FDA-compliant SBOM with minimal input from your engineers.

Alternatively, we can assist your engineers in setting up tools to automatically generate an SBOM as part of their automated build procedures (e.g., using a GitHub Action that produces the SBOM as a build artifact). This second approach takes longer in the short term, but is more efficient in the long term.

How does your team help with cybersecurity testing?

We can handle the testing on your behalf or we can guide your engineering team through the cybersecurity testing process. FDA requires four categories of cybersecurity testing:

We can compile all of these records into tests that are appropriate for the 510(k) submission.

How does your team help with cybersecurity labeling?

We can work with your team to draft the cybersecurity sections of the IFU based on our understanding of the device and previous submissions. This includes:

Can you guarantee our submission will be cleared?

Yes. We’ve done enough submissions that we’re confident we understand what FDA will require to get your submission cleared or approved.

That being said, FDA’s expectations are continuing to evolve. Strategies that we’ve seen work previously have stopped working in new submissions. However, depending on the offer you choose, we will guarantee that you won’t pay anything extra for our support addressing any requests for additional information the FDA identifies.

Have other questions? Let’s talk!
## Top Cybersecurity Resources We are experts in our field. Here are a few of our most popular cybersecurity resources: