FDA Cybersecurity Guidance Update: What 2025 Changes Mean for Medical Device Manufacturers

Summary

The FDA’s updated 2025 premarket cybersecurity guidance clarifies—not expands—requirements, emphasizing that any medical device with software is subject to cybersecurity oversight, regardless of connectivity. Key updates include a clearer definition of “cyber devices,” stricter expectations for SBOM readability, adoption of nonprobabilistic risk models, and ongoing threat modeling throughout the product lifecycle. The FDA also reinforces that previously cleared devices must meet modern cybersecurity standards if resubmitted. ELTON’s platform is purpose-built to meet these evolving requirements, offering continuous vulnerability management, automated CVE triage, real-time scoring, and audit-ready reporting to help manufacturers stay compliant with less burden.

The FDA released an updated version of its premarket cybersecurity guidance on June 27, 2025, its first revision since the original 2023 document. While the number of redlines may seem daunting (over 1,300 tracked changes), the core message is clear: the FDA is not adding entirely new requirements but clarifying how manufacturers should meet the existing ones. For medical device makers navigating both premarket and postmarket expectations, the update reinforces one thing — cybersecurity is now a continuous obligation, not a checkbox.

At ELTON, we help manufacturers meet these requirements with less effort and greater confidence. Below, we break down the key changes in the 2025 guidance and how they impact your development and regulatory strategy.

Clarified Scope: It’s About More Than Networked Devices

One of the most important updates is a new section that formally defines what qualifies as a “cyber device” under Section 524B of the FD&C Act. The FDA also makes it clear that any device with software falls under the cybersecurity guidance even if it does not connect to the internet. This includes embedded firmware, programmable logic (such as FPGAs), and other components that previously caused confusion about applicability.

In short: if your device runs code, this guidance applies.

SBOM and Risk Management: Now with More Precision

The new guidance strengthens requirements around the Software Bill of Materials (SBOM), requiring it to be both machine and human readable. It must cover all software components, including third-party and proprietary elements.
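As an added illustration (not from the FDA guidance or ELTON's product), the following Python script reads a constructed CycloneDX-style JSON SBOM, flags any component that lacks a name, version or supplier, and renders the same machine-readable data as a human-readable table; the component list and the field names checked are assumptions for the example.

```python
import json

# Constructed sample SBOM in a CycloneDX-like JSON shape (not a real device SBOM).
# The third component has no version and an empty supplier, so the check must flag it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"}},
        {"type": "firmware", "name": "pump-controller-fw", "version": "2.4.1",
         "supplier": {"name": "Example Devices Inc (proprietary)"}},
        {"type": "library", "name": "zlib",
         "supplier": {}},
    ],
})

# Fields every component entry must carry for the SBOM to be considered complete.
REQUIRED = ("name", "version", "supplier")


def check_sbom(sbom_json):
    """Return (findings, rows): findings lists components missing a required
    field; rows is a human-readable table derived from the same machine data."""
    sbom = json.loads(sbom_json)
    findings, rows = [], []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        supplier = (comp.get("supplier") or {}).get("name")
        missing = [f for f in REQUIRED
                   if not (supplier if f == "supplier" else comp.get(f))]
        if missing:
            findings.append((name, missing))
        rows.append(f"{name:<22}{comp.get('version') or '?':<10}"
                    f"{comp.get('type', '?'):<10}{supplier or '?'}")
    return findings, rows


def render_table(rows):
    """Render the per-component rows as a plain-text table for reviewers."""
    header = f"{'component':<22}{'version':<10}{'type':<10}supplier"
    return "\n".join([header, "-" * len(header)] + rows)


if __name__ == "__main__":
    findings, rows = check_sbom(SAMPLE_SBOM)
    print(render_table(rows))
    for name, missing in findings:
        print(f"INCOMPLETE: {name} is missing {', '.join(missing)}")
```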

Equally important is the FDA’s reaffirmation that cybersecurity risk is not the same as safety risk. Manufacturers must adopt a nonprobabilistic risk model, focusing on exploitability and impact rather than just severity and likelihood. Traditional safety tools like FMEA are no longer sufficient by themselves; security requires its own rigor.

Standards and Real-World Examples

To help manufacturers operationalize this guidance, the FDA now cites ANSI/AAMI SW96 as a key implementation standard, alongside AAMI TIR57. It also includes real-world examples — like the 2020 German hospital ransomware attack — to underline how cybersecurity failures translate into patient harm and regulatory exposure.

These examples serve as a reminder that cybersecurity is not theoretical; it is clinical.

Lifecycle Accountability and Legacy Devices

The guidance reinforces that cybersecurity does not stop at launch. Threat modeling, penetration testing, and risk assessments must occur throughout the product lifecycle. Even existing devices that undergo design or software modifications must meet these modern expectations if resubmitted to the FDA.

Manufacturers are also expected to provide a clear, auditable SOP for how they will manage vulnerabilities postmarket. This includes SBOM tracking, CVE triage, patch planning, and coordinated disclosure.

What This Means for You (and How ELTON Helps)

At ELTON, we designed our solution to meet both the letter and the spirit of FDA cybersecurity guidance — past, present, and future. We automate vulnerability discovery, CVE triage, scoring (CVSS v4), SBOM tracking, and postmarket monitoring. Our living vulnerability reports, integration of penetration testing and SAST/DAST results, and audit-ready documentation help customers meet FDA expectations without overburdening engineering teams.

The 2025 update does not add more work — it helps you do it smarter. And that is exactly what ELTON was built for.
