FDA 524B Is Here: What Medical Device Makers Must Test Now
Contributors
Section 524B of the Federal Food, Drug, and Cosmetic Act changed the regulatory landscape for medical device cybersecurity in a way that guidance documents never did. Guidance is advisory. 524B is law. As of March 2023, the FDA has the authority to refuse to accept premarket submissions for cyber devices that do not include adequate cybersecurity documentation. Understanding what that means for your pen testing program is not optional.
What 524B Actually Requires
Section 524B requires manufacturers of cyber devices to submit cybersecurity information as part of premarket submissions, establish processes to monitor and address postmarket cybersecurity vulnerabilities, and provide a software bill of materials covering commercial, open-source and off-the-shelf components. Penetration testing is a core component of the premarket cybersecurity evidence the FDA expects to see.
The FDA's Refuse to Accept policy means that submissions without adequate cybersecurity sections are rejected before substantive review begins. That is a significant shift from the prior environment, where cybersecurity deficiencies typically surfaced as questions during review rather than grounds for outright rejection at intake. The bar for what constitutes adequate has been raised, and pen testing is part of meeting it.
Which Devices Are Covered
A cyber device under 524B is any device that includes software validated, installed or authorized by the sponsor, has the ability to connect to the internet, and contains any such technological characteristics that could be vulnerable to cybersecurity threats. That definition covers a wide range of devices including infusion pumps, patient monitors, imaging systems and any device with network connectivity or software that affects safety or effectiveness.
Manufacturers should not assume that limited connectivity excludes a device from 524B scope. Bluetooth-only devices, devices that connect only to a proprietary network and devices with indirect internet connectivity through a gateway have all been treated as cyber devices in FDA review contexts. When in doubt, the safer assumption is that 524B applies.
How to Scope a Pen Test for FDA Premarket Submission
The scope of a 524B pen test must reflect the device's intended use environment and its actual attack surface. That means testing hardware interfaces including USB ports, debug interfaces and physical access points. It means testing software and firmware for known vulnerabilities, authentication weaknesses and logic flaws. It means testing communication interfaces including wireless protocols, Bluetooth implementations and any network connectivity the device supports.
The intended use environment matters because it shapes the threat model. A device used in an ICU connected to a hospital network faces a different threat profile than a home-use device connecting to a consumer smartphone app. The pen test methodology should be calibrated to the environment where the device will actually operate, not a generic enterprise IT environment.
What the FDA Looks for in Pen Test Evidence
FDA reviewers evaluating the cybersecurity section of a premarket submission are looking for evidence that the manufacturer understands the device's attack surface, tested against a threat model that reflects real-world adversary behavior, found and addressed vulnerabilities before submission, and has a plan to manage vulnerabilities discovered after clearance.
The pen test report needs to demonstrate all four of these things, not just document what the testers did. That means the report must connect to the threat model, reference the SBOM for context on tested components, document findings with enough detail to show they were genuinely assessed and not just noted, and map to the design controls and risk management file that FDA reviewers will cross-reference.
Postmarket Obligations
524B does not end at clearance. Manufacturers are required to establish processes to monitor for cybersecurity vulnerabilities and to address them in a reasonable time. The FDA expects a patch management plan as part of the premarket submission, and it expects manufacturers to demonstrate that they have the organizational capability to execute on it postmarket.
Building that capability requires more than writing a policy. It requires a tested process for receiving vulnerability disclosures, assessing their relevance to specific device models, developing and validating patches, and communicating with customers and the FDA when significant vulnerabilities are addressed. Pen testing plays a role in validating that process as well as in the initial premarket submission.
Frequently Asked Questions
Section 524B requires makers of cyber devices to do three things: submit cybersecurity information as part of their premarket submission, establish processes to monitor and address postmarket cybersecurity vulnerabilities, and provide a software bill of materials covering commercial, open-source, and off-the-shelf components. Penetration testing is a core part of the premarket cybersecurity evidence the FDA expects to see supporting these requirements.
The difference is legal force. FDA guidance documents are advisory, meaning they describe expectations without binding authority. Section 524B is law, part of the Federal Food, Drug, and Cosmetic Act. Since March 2023, the FDA has had the authority to refuse to accept premarket submissions for cyber devices that do not include adequate cybersecurity documentation, which turns what used to be a recommendation into a condition of submission.
The Refuse to Accept policy means the FDA can reject a premarket submission at intake, before substantive review even begins, if its cybersecurity section is inadequate. This is a significant shift from the prior environment, where cybersecurity gaps surfaced as questions during review rather than as grounds for outright rejection. Adequate penetration testing evidence is part of clearing that intake bar.
A cyber device is any device that includes software validated, installed, or authorized by the sponsor, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. That definition covers a wide range of products, including infusion pumps, patient monitors, imaging systems, and any device with network connectivity or software that affects safety or effectiveness.
Manufacturers should not assume limited connectivity puts a device outside 524B scope. Bluetooth-only devices, devices that connect only to a proprietary network, and devices with indirect internet connectivity through a gateway have all been treated as cyber devices in FDA review contexts. When connectivity is in question, the safer assumption is that 524B applies and the device needs cybersecurity evidence.
The scope must reflect the device's intended use environment and its actual attack surface. That means testing hardware interfaces such as USB ports, debug interfaces, and physical access points; testing software and firmware for known vulnerabilities, authentication weaknesses, and logic flaws; and testing communication interfaces such as wireless protocols, Bluetooth implementations, and any network connectivity the device supports. The methodology should match where the device actually operates, not a generic enterprise IT environment.
Because the environment shapes the threat model. A device used in an ICU and connected to a hospital network faces a different threat profile than a home-use device that connects to a consumer smartphone app. Calibrating the pen test to the real operating environment, rather than a generic setup, is what makes the evidence credible to FDA reviewers assessing whether the testing reflects realistic adversary behavior.
FDA reviewers look for evidence of four things: that the manufacturer understands the device's attack surface, tested against a threat model reflecting real-world adversary behavior, found and addressed vulnerabilities before submission, and has a plan to manage vulnerabilities discovered after clearance. The report must demonstrate all four, connecting to the threat model, referencing the SBOM, documenting findings in genuine detail, and mapping to the design controls and risk management file.
524B obligations do not end at clearance. Manufacturers must establish processes to monitor for cybersecurity vulnerabilities and address them within a reasonable time, and the FDA expects a patch management plan as part of the premarket submission. It also expects proof of the organizational capability to execute that plan, including a tested process for receiving disclosures, assessing them per device model, validating patches, and communicating with customers and the FDA.
The software bill of materials is a required element of a 524B submission and must cover commercial, open-source, and off-the-shelf components. Beyond satisfying the requirement itself, the SBOM gives context for the penetration test: the pen test report should reference it so reviewers can see which components were tested and understand the device's software supply chain when assessing findings.
Other Popular Articles
In the digital age, businesses must adopt an ad
GRC is the capability, or integrated collection