Case Study: Responding to FDA Additional Information (AI) Requests
Summary
A medical device manufacturer faced an FDA challenge after submitting an SBOM with nearly 100 unresolved vulnerabilities. Default CVSS ratings made many issues appear critical, including several in end-of-life third-party components. ELTON stepped in to automate full-scale analysis across the product’s digital twin, mapping each SBOM component, recalculating CVSSv4 scores, and identifying real exploit paths using vulnerability chaining and attack-surface mapping.
Within weeks, ELTON delivered a defensible report justifying every CVE with product-specific reasoning. Eighty-five percent of vulnerabilities were proven unexploitable, all criticals were downgraded, and the customer avoided a one-month delay and $25K in manual validation costs. ELTON transformed an audit crisis into a repeatable, FDA-aligned process for future submissions and postmarket monitoring—proving that automated, architecture-aware cybersecurity delivers faster, more defensible compliance.
Background
A late-stage medical device manufacturer faced a major regulatory setback after the FDA questioned their premarket cybersecurity submission. Their Software Bill of Materials (SBOM) listed nearly 100 unfixed vulnerabilities spanning embedded firmware, cloud components, and clinician mobile apps. While the SBOM was accurate, the default CVSS-based severity ratings made several unresolved issues appear unjustifiable. Some of these vulnerabilities originated in third-party components that were already end of life (EOL) or end of support (EOS), creating further scrutiny from reviewers.
Attempting to patch or replace those dependencies so close to submission risked destabilizing the product and delaying market entry. The development team’s initial justifications for leaving the CVEs unresolved proved weak—largely based on developer opinion rather than defensible evidence. When the FDA issued additional information (AI) requests, the manufacturer turned to ELTON to resolve the issue rapidly and provide a defensible, data-driven justification for every vulnerability.
ELTON’s Approach
ELTON presented two options: perform limited manual validation of only the FDA-flagged CVEs, or complete a full SBOM-wide analysis. Given the risk that any unexamined vulnerability could be questioned later, the manufacturer opted for a comprehensive approach but needed it completed quickly and accurately.
ELTON deployed its AI-driven vulnerability management platform, leveraging the digital twin created during penetration testing to map every SBOM component to its logical location in the system. Using advanced contextualization, ELTON enriched CVE data with SSVC feeds for compromise intelligence and adjusted each CVSS score based on the product’s unique architecture, dataflows, and trust boundaries.
Through this process, ELTON applied FDA’s MDDT-aligned CVSS Rubric and native CVSSv4 metrics such as Attack Requirements (AR) to calculate defensible, product-specific exploitability scores. The platform performed path analysis from each attack surface (Bluetooth, Wi-Fi, and physical interfaces) to every CVE, accounting for vulnerability chaining across components. Each score was accompanied by traceable justifications, detailed explanations for all CVSS metrics, and the corresponding digital-twin references to prove reproducibility.
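As an added illustration of the path analysis and vulnerability chaining described above (example code written for this page, not ELTON's platform or the manufacturer's data), the following Python builds a small constructed digital-twin graph and decides which SBOM CVEs are reachable from the Bluetooth, Wi-Fi and physical surfaces, producing a per-CVE justification a reviewer can trace; component names, links and CVE ids are placeholders.

```python
from collections import defaultdict, deque
# Constructed digital-twin fragment (assumed, not the manufacturer's): component -> CVE ids (placeholders)
COMPONENTS = {
    "ble_stack": ["CVE-PLACEHOLDER-1"], "wifi_driver": ["CVE-PLACEHOLDER-2"],
    "debug_port": [], "bootloader": ["CVE-PLACEHOLDER-8"],
    "app_processor": ["CVE-PLACEHOLDER-3", "CVE-PLACEHOLDER-4"],
    "cloud_sync": ["CVE-PLACEHOLDER-5"], "mobile_app": ["CVE-PLACEHOLDER-7"],
    "legacy_crypto_lib": ["CVE-PLACEHOLDER-6"],  # EOL library with no runtime caller
}
# (src, dst, crosses_trust_boundary): a boundary-crossing link is traversable only
# when the attacker already has code execution on src, i.e. by chaining an RCE CVE.
LINKS = [
    ("ble_stack", "app_processor", True), ("wifi_driver", "app_processor", True),
    ("debug_port", "bootloader", False), ("bootloader", "app_processor", True),
    ("app_processor", "cloud_sync", True), ("cloud_sync", "mobile_app", True),
]
# Attack surfaces named on the page, mapped to their entry component (assumed).
SURFACES = {"bluetooth": "ble_stack", "wifi": "wifi_driver", "physical": "debug_port"}
# CVEs assumed to give code execution on their host component (constructed).
RCE_CVES = {"CVE-PLACEHOLDER-1", "CVE-PLACEHOLDER-3"}

def reachable_paths(components, links, surfaces, rce_cves):
    """BFS from every attack surface; returns component -> first path found."""
    adj = defaultdict(list)
    for src, dst, crosses in links:
        adj[src].append((dst, crosses))
    paths = {entry: [surface, entry] for surface, entry in surfaces.items()}
    queue = deque(paths)
    while queue:
        cur = queue.popleft()
        can_chain = any(c in rce_cves for c in components[cur])
        for dst, crosses in adj[cur]:
            if dst in paths or (crosses and not can_chain):
                continue
            paths[dst] = paths[cur] + [dst]
            queue.append(dst)
    return paths

def analyze(components=COMPONENTS, links=LINKS, surfaces=SURFACES, rce_cves=RCE_CVES):
    """CVE -> attack path (list of hops), or None when no known surface reaches it."""
    paths = reachable_paths(components, links, surfaces, rce_cves)
    return {cve: paths.get(comp) for comp, cves in components.items() for cve in cves}

def justify(result):
    """Per-CVE justification text traceable to the twin, plus % unexploitable."""
    text = {cve: "unreachable from any known attack surface" if path is None
            else "reachable via " + " -> ".join(path) for cve, path in result.items()}
    pct = 100 * sum(p is None for p in result.values()) / len(result)
    return text, pct
```

In the constructed graph the Wi-Fi driver cannot cross into the application processor because its only CVE grants no code execution, while the Bluetooth stack can, which is the chaining distinction the justification text records.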
Customer Benefits
Within the FDA’s response window, the manufacturer submitted a complete Excel report generated by ELTON that justified every SBOM CVE. Each entry included product-specific reasoning, revised CVSSv3 and CVSSv4 ratings, and documentation aligning with their threat model and security controls.
The results were transformative:
- All vulnerabilities previously rated High or Critical were downgraded to Medium or Low, with many proven to be unexploitable from any known attack surface.
- ELTON’s automation replaced weeks of manual effort, saving significant time and cost while avoiding a potential one-month submission delay.
- The manufacturer established a repeatable, defensible process for future submissions and postmarket monitoring, maintaining alignment with FDA cybersecurity expectations.
Key Metrics
- 85% of SBOM CVEs were determined to be unexploitable from the known attack surface.
- 3 weeks of manual analysis and approximately $25,000 in consulting labor were eliminated.
- A 1-month submission delay was avoided by defensibly justifying all vulnerabilities.
Customer Quote:
“We see no purpose in procuring other vulnerability assessment tools with this type of methodology and defensibility.”
— Director, R&D, Late-Stage Startup
Conclusion
By combining regulatory intelligence with digital-twin technology, ELTON enabled the manufacturer to respond to the FDA confidently, defend every SBOM vulnerability, and accelerate submission approval. The result was not only a successful review but a sustainable process for continuous cybersecurity compliance across future product releases.
