FDA Cybersecurity 101
The premarket cybersecurity vocabulary every MedTech engineer and RA professional now needs.
-
1. Cybersecurity
Section 524B of the FD&C Act (524B)
The federal statute, added by the Food and Drug Omnibus Reform Act (FDORA) in the Consolidated Appropriations Act, 2023, that gives FDA explicit premarket authority over cybersecurity for cyber devices. A cyber device is one that includes software, can connect to the internet, and has characteristics that could be vulnerable to cybersecurity threats; for such devices the sponsor must show a plan to monitor and address postmarket vulnerabilities, reasonable assurance of cybersecurity, and an SBOM.
-
2. Cybersecurity
Premarket Cybersecurity Submission
The bundle of cybersecurity artifacts (threat model, cybersecurity risk assessment, SBOM, security architecture views, testing evidence, labeling, and a vulnerability management plan) that a sponsor includes in a 510(k), De Novo, PMA, or HDE submission for a cyber device to meet section 524B.
-
3. Cybersecurity
Secure Product Development Framework (SPDF)
A documented, risk-based set of processes that build cybersecurity into a medical device across its total product lifecycle, from design through maintenance and end of support. FDA's premarket guidance recommends grounding the SPDF in an existing framework such as IEC 81001-5-1.
-
4. Cybersecurity
Threat Modeling
A structured analysis, usually built on a data-flow diagram with trust boundaries, that identifies how an attacker could compromise a medical device, what the impact would be, and which controls mitigate each threat. FDA expects the threat model, not just its conclusions, to be part of the submission.
-
5. Cybersecurity
STRIDE Threat Model (STRIDE)
A six-category framework, originating at Microsoft, for enumerating threats by the security property they violate: Spoofing (authentication), Tampering (integrity), Repudiation (non-repudiation), Information disclosure (confidentiality), Denial of service (availability), Elevation of privilege (authorization).
-
6. Cybersecurity
Software Bill of Materials (SBOM)
A machine-readable inventory of all software components, including commercial, open-source, and off-the-shelf components, that ship in a medical device. Section 524B requires one in the premarket submission, and it has to be kept current as components change postmarket so new CVEs can be matched against the device.
-
7. Cybersecurity
CycloneDX
A lightweight, OWASP-maintained SBOM format (JSON, XML, or protobuf) designed for application security and supply-chain use cases, and the most common alternative to SPDX. The same document can also carry vulnerability and VEX data, so an SBOM and its exploitability assessments can ship together.
-
8. Cybersecurity
Vulnerability Exploitability eXchange (VEX)
A machine-readable statement, normally issued by the supplier, that explains whether a known vulnerability in a listed component is actually exploitable in a specific product (affected, not affected, fixed, or under investigation) and why, so downstream users and reviewers can prioritise the findings that matter instead of every CVE the SBOM matches.
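As an added example (not code from this page, FDA, or any vendor) of how the SBOM, CycloneDX, and VEX entries above fit together: the script below cross-references a CycloneDX SBOM against a CycloneDX VEX document and buckets each statement into what still needs action, what has been justifiably suppressed, and what is incomplete (a "not_affected" claim with no justification, which a reviewer cannot check). The device, bom-refs, and analyses are constructed; the log4j-core purl and the three CVE identifiers are real. In a standalone CycloneDX VEX the affects[].ref would normally be a BOM-Link rather than a bare bom-ref; that is simplified here.

```python
"""Triage a CycloneDX SBOM against a CycloneDX VEX document.

Added example for this glossary, not code from any FDA guidance or vendor.
The SBOM and VEX below are constructed; the log4j-core purl and the three
CVE identifiers are real, the device, bom-refs and analyses are made up.
"""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "firmware", "name": "example-pump-controller",
                             "version": "3.2.0", "bom-ref": "fw"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "bom-ref": "log4j-core"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.15.3", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3",
     "bom-ref": "jackson-databind"}
  ]
}"""

# Constructed VEX. A production CycloneDX VEX would reference components by
# BOM-Link (urn:cdx:...#bom-ref); plain bom-refs are used here for brevity.
VEX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {"id": "CVE-2021-44228", "source": {"name": "NVD"},
     "ratings": [{"score": 10.0, "severity": "critical", "method": "CVSSv31",
                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}],
     "analysis": {"state": "exploitable", "response": ["update"],
                  "detail": "Constructed: JNDI lookup reachable from the remote-log interface."},
     "affects": [{"ref": "log4j-core"}]},
    {"id": "CVE-2021-45046", "source": {"name": "NVD"},
     "ratings": [{"score": 9.0, "severity": "critical", "method": "CVSSv31"}],
     "analysis": {"state": "not_affected"},
     "affects": [{"ref": "log4j-core"}]},
    {"id": "CVE-2021-45105", "source": {"name": "NVD"},
     "ratings": [{"score": 5.9, "severity": "medium", "method": "CVSSv31"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "Constructed: fixed PatternLayout with no context lookups."},
     "affects": [{"ref": "log4j-core"}]}
  ]
}"""

# CycloneDX analysis states that close a finding. "not_affected" must also carry
# a justification, otherwise a reviewer has no reasoning to check.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def _max_score(vuln: dict):
    """Highest numeric rating attached to a vulnerability, or None."""
    scores = [r["score"] for r in vuln.get("ratings", []) if "score" in r]
    return max(scores) if scores else None


def triage(sbom_json: str, vex_json: str) -> dict:
    """Bucket VEX statements as open / suppressed / incomplete / unknown_ref and
    list SBOM components that no VEX statement mentions at all."""
    sbom, vex = json.loads(sbom_json), json.loads(vex_json)
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    result = {"open": [], "suppressed": [], "incomplete": [], "unknown_ref": []}
    mentioned = set()
    for vuln in vex.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "in_triage")  # no analysis yet means still in triage
        for target in vuln.get("affects", []):
            ref = target["ref"]
            comp = components.get(ref)
            if comp is None:
                # The VEX talks about something the SBOM does not contain: stale or mismatched docs.
                result["unknown_ref"].append({"cve": vuln["id"], "ref": ref})
                continue
            mentioned.add(ref)
            entry = {"cve": vuln["id"], "component": f"{comp['name']}@{comp['version']}",
                     "state": state, "score": _max_score(vuln)}
            if state not in CLOSED_STATES:
                result["open"].append(entry)           # exploitable or in_triage: act on it
            elif state == "not_affected" and not analysis.get("justification"):
                result["incomplete"].append(entry)     # claim without a reason: send back to supplier
            else:
                entry["justification"] = analysis.get("justification")
                result["suppressed"].append(entry)
    result["no_statement"] = sorted(ref for ref in components if ref not in mentioned)
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON, VEX_JSON), indent=2))
```

Run against the constructed documents, CVE-2021-44228 lands in "open", CVE-2021-45105 in "suppressed" with its justification, CVE-2021-45046 in "incomplete", and jackson-databind is reported as having no VEX statement at all, which is the gap a reviewer would ask about first.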
-
9. Cybersecurity
Common Vulnerabilities and Exposures (CVE)
A globally unique identifier (CVE-YYYY-NNNNN, with four or more sequence digits) for a publicly disclosed cybersecurity vulnerability, assigned by a CVE Numbering Authority (CNA) under the MITRE-run CVE Program. The identifier names the vulnerability; whether a particular device is affected is what the SBOM match and the VEX statement establish.
-
10. Cybersecurity
Common Vulnerability Scoring System (CVSS)
An industry-standard scoring system, maintained by FIRST, that quantifies the technical severity of a vulnerability on a 0.0 to 10.0 scale from a vector of base metrics (attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality, integrity, and availability). A base score describes the vulnerability, not the risk to a specific device or patient, so it should be interpreted in the device's context (MITRE publishes a rubric for applying CVSS to medical devices) rather than used as the sole triage criterion.
-
11. Regulatory
Refuse to Accept (RTA)
An FDA administrative decision that a submission is incomplete and will not be substantively reviewed. Since 1 October 2023 FDA may refuse to accept a cyber-device submission that omits the section 524B elements (vulnerability management plan, reasonable assurance of cybersecurity, SBOM), so cybersecurity gaps now stop the clock before review begins.