Understanding Section 524B of the FD&C Act

Authored by Mike McGuire

Jul 08, 2025

Medical devices are increasingly leveraging software to offer advanced diagnostics, personalized treatments, and remote patient monitoring. But the software that powers these technologies can become a gateway for threats, potentially compromising patient safety, data integrity, and the operational stability of healthcare facilities.

Regulatory bodies are stepping in to fortify the cybersecurity posture of the medical device ecosystem. A pivotal piece of this regulatory framework in the United States is Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act. Section 524B mandates “reasonable assurance of cybersecurity” for software-enabled medical devices, and requires Software Bills of Materials (SBOMs), secure product development frameworks (SPDFs), and postmarket vulnerability monitoring.

The need for enhanced cybersecurity in medical devices

The "why" behind Section 524B is rooted in the escalating threat landscape and the unique vulnerabilities of medical devices. Gartner® predicts that by the end of 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. The potential financial fallout is equally alarming, with costs projected to reach $81 billion by 2026. Software supply chain attacks have tangible and devastating consequences, including significant financial losses, paralysis of critical business operations, and severe damage to organizational reputation and stakeholder trust.

Section 524B of the FD&C Act was enacted by the U.S. Congress to directly address cybersecurity risks inherent in medical devices. Its primary objective is to ensure that these devices possess a "reasonable assurance of cybersecurity" throughout their entire lifecycle. The aim of Section 524B is the protection of patient safety and the confidentiality and integrity of patient data. This legislative action reflects a broader trend: a move toward holding software producers more accountable for the security of their products throughout their life cycle, rather than placing the primary burden on consumers or end users.

Key requirements under Section 524B

Section 524B grants the Food and Drug Administration (FDA) the authority to establish and enforce cybersecurity requirements specifically for "cyber devices." A cyber device is defined as a medical device that includes software, can connect to the internet (directly or indirectly), and possesses characteristics that make it vulnerable to cyberthreats.

Manufacturers submitting premarket applications to the FDA for such devices must demonstrate compliance with a set of cybersecurity provisions. These include:

A postmarket vulnerability management plan

Manufacturers must develop and submit a comprehensive plan detailing how they will monitor for, identify, and address postmarket cybersecurity vulnerabilities and exploits in a prompt manner. The plan must also include provisions to ensure that information about vulnerabilities is shared responsibly to facilitate remediation and reduce risk.

Secure design, development, and maintenance processes

Section 524B mandates that manufacturers implement processes and procedures to ensure that the device and its related systems are secure throughout the entire product life cycle. This means embedding security considerations from the initial design and development phases through ongoing maintenance and support. The FDA guidance associated with Section 524B explicitly recommends adopting an SPDF to meet this requirement.

Postmarket updates and patches

Manufacturers must commit to making available timely updates and patches for their medical devices to address vulnerabilities that could be exploited to compromise the device's security and patient safety.

Software Bill of Materials

A significant step toward transparency, Section 524B requires manufacturers to provide an SBOM. The SBOM must list all software components integrated into the device, including commercial, open source, and off-the-shelf software. The FDA specifies a preference for a machine-readable format that aligns with the minimum elements outlined by the National Telecommunications and Information Administration (NTIA).
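The NTIA minimum elements the FDA points to (supplier name, component name, version, other unique identifiers, dependency relationship, author of the SBOM data, and timestamp) can be checked mechanically before a submission. The following is an added example, not code from the original post or from Black Duck: a Python checker over a constructed CycloneDX-style SBOM (the device, component and supplier names are invented, and the second component is deliberately incomplete) that reports which minimum elements are missing.

```python
import json

# NTIA "minimum elements" for an SBOM: supplier name, component name, version,
# other unique identifiers, dependency relationship, author of SBOM data, timestamp.
# Constructed CycloneDX-style SBOM for a hypothetical device firmware (not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-07-01T12:00:00Z",
        "authors": [{"name": "Example Device Co. Product Security"}],
        "component": {"bom-ref": "fw", "name": "example-pump-firmware",
                      "version": "3.2.0", "supplier": {"name": "Example Device Co."}},
    },
    "components": [
        {"bom-ref": "pkg:generic/openssl@3.0.13", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@3.0.13"},
        # Deliberately incomplete entry: no supplier, no purl/cpe, not in the dependency graph.
        {"bom-ref": "zlib-ref", "name": "zlib", "version": "1.3.1"},
    ],
    "dependencies": [{"ref": "fw", "dependsOn": ["pkg:generic/openssl@3.0.13"]}],
})

def check_ntia_minimum_elements(sbom_json: str) -> list[str]:
    """Return one finding per absent NTIA minimum element; [] means the SBOM is complete."""
    bom = json.loads(sbom_json)
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing author of SBOM data")
    # Every bom-ref that takes part in at least one dependency edge (root included).
    graph_refs = set()
    for dep in bom.get("dependencies", []):
        graph_refs.add(dep.get("ref"))
        graph_refs.update(dep.get("dependsOn", []))
    for comp in bom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref", "<unnamed>")
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl or cpe)")
        if comp.get("bom-ref") not in graph_refs:
            findings.append(f"{label}: no dependency relationship recorded")
    return findings
```

Running the checker on the sample flags only the zlib entry; a component that is listed but absent from the dependency graph is a common gap in generated SBOMs and is reported separately from missing identifiers.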

Who needs to comply with FDA Section 524B rules for cyber devices

The primary entities impacted by FDA Section 524B are manufacturers that are developing and intending to market cyber devices in the United States. As noted earlier, the FDA defines a cyber device as a medical device that includes software, can connect to the internet (directly or indirectly), and possesses characteristics that make it vulnerable to cyberthreats.

Any manufacturer looking to obtain premarket approval from the FDA for such a device must demonstrate that they have met the cybersecurity requirements stipulated in Section 524B. This means that the mandates for providing an SBOM, establishing secure development practices, and having robust vulnerability management plans are direct obligations for these manufacturers.

Section 524B timeline, jurisdiction, and life cycle scope

Section 524B requirements apply to cyber devices intended for the U.S. market, regardless of where the manufacturer is geographically located.

Compliance with Section 524B is tied to the premarket submission process. This means manufacturers must have their cybersecurity documentation and plans in order before they can receive FDA approval to sell their cyber devices in the U.S.

Moreover, manufacturer obligations under Section 524B do not cease once a device receives premarket approval. The law places explicit requirements on the postmarket phase: a vulnerability management plan and a commitment to provide timely patches and updates. Manufacturers must be prepared for continuous monitoring, risk assessment, and response activities for as long as their devices are in use.

How medical device manufacturers can demonstrate Section 524B compliance

Navigating the requirements of Section 524B demands a strategic and tool-supported approach to software security. The FDA itself provides guidance on how manufacturers can meet these obligations, with a strong emphasis on proactive measures.

Adopt an FDA-aligned secure product development framework

While Section 524B outlines the mandatory requirements, the FDA's associated guidance strongly recommends the adoption of an SPDF. This framework is a holistic approach that integrates security activities and considerations throughout the entire product life cycle. This includes:

  • Security risk management: Incorporating activities like threat modeling to identify potential threats and vulnerabilities early in the design process
  • Security architecture design: Building security into the fundamental architecture of the device and its software
  • Cybersecurity testing: Implementing rigorous testing methodologies, including vulnerability testing and penetration testing, to uncover and address weaknesses before release

By adopting an SPDF, manufacturers can proactively build security "by design" rather than trying to bolt it on as an afterthought. The structured approach also helps with systematically generating the necessary evidence and documentation to demonstrate the "reasonable assurance of cybersecurity" required by Section 524B.

NIST Special Publication 800-218 (SSDF v1.1) serves as an example and foundation for establishing such a framework, offering a core set of outcome-based practices for secure software development.

Establish robust postmarket vulnerability monitoring and patch management

Section 524B mandates the need for cybersecurity well into the postmarket phase. A plan to monitor, identify, and address vulnerabilities, coupled with the requirement for timely patches and updates, means manufacturers must have robust processes for ongoing life cycle management.

Leverage software composition analysis and SBOMs to streamline Section 524B compliance

Meeting the multifaceted demands of Section 524B, from SBOM generation to vulnerability management and secure development, can be significantly streamlined and enhanced using advanced security tools. Software composition analysis (SCA) has emerged as a key technology for achieving Section 524B's requirements. SCA tools provide:

  • Comprehensive SBOM generation and management: Section 524B explicitly requires an SBOM listing all commercial, open source, and off-the-shelf software components.
  • Proactive vulnerability detection and prioritized management: The FDA mandates a plan to monitor, identify, and address postmarket vulnerabilities, as well as provide timely patches.
  • Support for secure development life cycles: Section 524B requires secure design, development, and maintenance processes. FDA guidance points to SPDFs to achieve this requirement.
  • Identification of third-party and open source component risks: Section 524B focuses on managing all cybersecurity risks in medical devices, including those related to third-party and open source components, which nearly all modern medical device software relies on to function.
  • Evidence for compliance: Detailed scan reports, SBOMs, vulnerability assessments, and policy enforcement records generated by software composition analysis tools can serve as valuable evidence to support FDA premarket submissions, demonstrating due diligence and adherence to the cybersecurity requirements of Section 524B.

By investing in a comprehensive SCA solution like Black Duck® SCA, medical device manufacturers can automate critical compliance tasks, gain deep visibility into their software supply chain, manage vulnerabilities proactively, and integrate security seamlessly into their development workflows.

For medical device manufacturers, achieving compliance with Section 524B is more than just a regulatory hurdle; it's a strategic investment in risk reduction, operational resilience, and, most importantly, the preservation of trust with healthcare providers and patients. The ultimate goal, shared by both regulators and responsible manufacturers, is patient safety and the protection of sensitive health data in an increasingly connected world.

Dive deeper into software supply chain security regulations

Download our guide, "Key Regulations Shaping Software Supply Chain Security and the Role of SCA," to gain detailed insights into Section 524B, the EU Cyber Resilience Act, the NIST secure software development framework, and learn how software composition analysis helps you achieve compliance and build more secure products.
