Global Regulatory Approval

Design, develop, and ship secure medical devices that meet modern regulatory requirements using ELTON

Overview

Premarket Confidence for Streamlined Postmarket

ELTON helps manufacturers accelerate premarket regulatory approval and avoid mid-submission delays by ensuring that medical devices are built to FDA standards on a secure and resilient foundation from day one. Through software vulnerability discovery, continuous cybersecurity testing, and context-aware CVSS scoring, ELTON equips teams with accurate, actionable insights throughout the design and development process.

Identify Early to Avoid Delays

By providing platform vulnerability capabilities premarket, ELTON ensures each development software release continuously improves, vulnerability risks are well understood, and regulatory expectations are met long before submission. The result is a continuously improving security posture that streamlines FDA review and reduces costly rework late in the lifecycle.

Postmarket Continuity

When ELTON is engaged during premarket development, it already understands the product’s architecture, software components, and risk posture by the time regulatory submission occurs. This continuity streamlines the transition to postmarket monitoring, ensuring that ongoing vulnerability analysis is aligned with the same context, structure, and documentation previously submitted to the regulator. 

Why ELTON

600+ Products Approved with ELTON Assistance

We’ve assisted with hundreds of products and interfaced with regulators around the globe in response to questions or concerns.

ELTON embodies years of hands-on regulatory expertise, bringing deep understanding of what it takes to meet premarket expectations the right way—efficiently, defensibly, and without overburdening engineering teams. By helping manufacturers build more secure designs from the start, ELTON reduces the long-term cost of postmarket maintenance, where vulnerabilities are more expensive to address. 

ELTON seamlessly extends the regulatory process into long-term product maintenance without restarting from scratch.

Meet DoD/DHA requirements for Authority-to-Operate (ATO)

The platform’s robust capabilities, such as SBOM generation, continuous CVE monitoring, contextual vulnerability scoring, and audit-ready reporting, align closely with key ATO expectations, including ongoing risk assessment, vulnerability tracking, and patch planning. By streamlining evidence collection and integrating vulnerability management into the full product lifecycle, ELTON reduces duplication of effort between civilian and military regulatory pathways.

Regulations

ELTON Meets Global Cybersecurity Regulations

Do it right the first time, for all markets

Starting in 2014, the US FDA released premarket guidance for cybersecurity and further introduced an update in 2023 with expansive additions. The US FDA released postmarket cybersecurity guidance in 2016 that remains in effect today.

In the EU, 74/2017 (MDR) and 746/2017 (IVDR), called the Medical Device Regulations, require all medical devices sold in the EU to be recertified to enhanced cybersecurity standards. The Medical Device Coordinating Group (MDCG) provided guidance for meeting the EU Medical Device Regulation (MDR) as it pertains to cybersecurity (MDR MDCG 2019-16).

The China (CFDA) Cybersecurity Law (CSL) governs the administration of medical devices in China, where, as of 2018, medical devices must be assessed for cybersecurity protection under the Principles on Guiding Technology Examination of Medical Device Cybersecurity Registration (CFDA Guidelines).

Japanese regulation stipulates that, in addition to the conformity to the JIS T 2304 (IEC 62304), for medical devices connected to other IT devices and medical devices connected to the Internet, cyber security measures based on JIS T 81001-5-1 (IEC 81001-5-1) are required to reduce cyber security risks to acceptable levels. This new regulation was put into practice on April 1, 2023, with a one-year transitional period until March 31, 2024.

Get Faster Regulatory Approval by Meeting Premarket Guidance

Improper documentation will result in outright rejection

Meet global regulatory expectations the first time with ELTON’s cybersecurity testing and vulnerability management platform, purpose-built to support FDA and international premarket requirements. ELTON executes and documents all necessary cybersecurity activities such as SBOM generation, penetration testing, CVE triage, and risk analysis in the format expected by regulators, reducing the risk of delays or rejections due to missing or incomplete documentation. Unlike traditional services that require costly tools and dedicated teams, ELTON delivers a complete, subscription-based solution that streamlines compliance and reduces overhead for manufacturers and startups alike.

Threat Modeling

Mitigation Development

Vulnerability Analysis

Risk Analysis

Software Composition & Vulnerability Analysis

Software Bill of Materials (SBOM) Generation

Secure Code Analysis

SAST/DAST Scanning

Penetration Testing

Fuzz Testing

Robustness Testing

Security Views of Architecture

Security Verification & Validation

Security Risk Management Reporting

Meet the Evolving Challenges of Postmarket

Cybersecurity is ever-evolving and the approach unique

How a manufacturer continuously predicts, identifies, and mitigates potential cybersecurity issues in a fleet of products is a new and evolving process for product security teams that don’t traditionally operate in this fashion.
Each postmarket cybersecurity issue requires an assessment to assure regulators your device has appropriately evaluated cybersecurity threats, identified vulnerabilities, mitigated them to an acceptable level, and documented the entire process appropriately.

Postmarket Activities

Get Proactive with Postmarket Cybersecurity

The 2016 US FDA Postmarket Cybersecurity guidance requires manufacturers to execute a variety of functions once a product is on the market and to provide evidence during premarket submission that they possess the capability. Level Nine provides a complete solution for postmarket cybersecurity management of a product, relieving manufacturers and startups of the burden of executing a postmarket program requiring expensive software and multiple full-time staffers.

  • Annual penetration testing
  • Monitoring for vulnerabilities in Software Bill of Materials (SBOM)
  • Vulnerability disclosure portal for customers to learn of security issues in the product
  • Vulnerability handling process to intake reported vulnerabilities from researchers/customers
  • Vulnerability Management process for evaluating vulnerabilities and their risk to the device
  • Rapid patching strategy for addressing issues quickly
  • End of life cybersecurity planning and customer notification

Authority to operate (ATO)

What is ATO in Medical Device Cybersecurity?

Medical devices sold to DoD or DHA facilities must meet ATO compliance to ensure the device isn’t a threat to the environment in which it may reside.

The Authority to Operate (ATO) process involves a unique set of operational and technical controls that go beyond traditional regulatory requirements. ELTON supports medical device manufacturers in navigating ATO compliance by aligning existing FDA-focused cybersecurity artifacts with DoD expectations—eliminating duplication of effort. Our team works directly with DoD stakeholders to interpret control applicability, document implementation strategies, and build phased plans for future compliance. ELTON enables a streamlined path to ATO by leveraging the same platform used for premarket FDA submissions.

Assess

Assess the system at the stated DoD risk level.

Enumerate

Enumerate the controls from eMASS that have been assigned to the client product (from ISSO).

Develop

Develop the System Security Plan (SSP), security assessment report (SAR), and plan of action and milestones (POAM or POA&M) for the client with government templates and in collaboration with the technical contact.

Scan

Perform initial scans as required (discovery, full plug-in, and config (STIG)).

Insights

Learn More About ELTON

Our security experts regularly share insights and updates from the field.

Premarket Cybersecurity Starts with ELTON

Design, develop, and ship secure medical devices that protect customer data and meet all regulatory requirements.
