
FDA 524B Just Made Cybersecurity a Compliance Issue

FDA Section 524B is no longer a future requirement. It's the standard. Here's what life sciences organizations need to verify this quarter.

centrexIT

If your organization develops cyber devices, runs clinical trials, or holds FDA-regulated R&D data, cybersecurity is no longer an IT topic with a separate compliance side. As of this year, it’s a compliance topic the FDA is actively prepared to enforce.

The shift happened gradually, then all at once. Section 524B was added to the FD&C Act in December 2022. The FDA issued final guidance in June 2025. The Quality Management System Regulation took effect February 2026. And in mid-2025, the Department of Justice reached a $9.8 million settlement with a biotech company for misrepresenting cybersecurity features under the False Claims Act.

That last one is the line in the sand. Cybersecurity claims about life sciences software are now actionable under federal fraud statutes. The compliance burden didn’t just change. The legal exposure did.

What Section 524B actually requires

Section 524B applies to any “cyber device” submitted to the FDA — defined as a medical device that contains software, can connect to the internet directly or indirectly, and is susceptible to cyber threats. That’s a broad net. It covers most modern medical devices, but the enforcement posture has implications for the broader life sciences operating environment too.

Under Section 524B, manufacturers submitting 510(k), De Novo, PMA, PDP, or HDE applications must demonstrate:

Cybersecurity in design. Devices must be designed, developed, and maintained to provide a “reasonable assurance” of cybersecurity. This is interpreted through the Secure Product Development Framework released in the 2025 guidance.

A software bill of materials. Manufacturers must provide an SBOM identifying every component of the device’s software, including third-party and open-source dependencies. The 2026 expectations require machine-readable formats maintained throughout the product lifecycle.

A postmarket vulnerability management plan. Manufacturers must document how they will monitor for, identify, and address cybersecurity vulnerabilities after the device is on the market. This is the requirement most often underestimated. It means active monitoring, not just a process document.

Coordinated vulnerability disclosure. A defined process for receiving, evaluating, and addressing cybersecurity reports from researchers, customers, and others.

The FDA’s position, articulated in agency guidance and reinforced in legal analysis, is that failure to comply with Section 524B constitutes a “prohibited act” under the FDCA. Premarket submissions lacking the required cybersecurity documentation can be refused. Existing devices with unresolved vulnerabilities may be considered unsafe for clinical use under the February 2026 guidance.

Why this matters beyond medical device makers

If your organization isn’t a medical device manufacturer, the headline reads like someone else’s problem. It isn’t. Three reasons:

Connected systems blur the line. Pharmaceutical companies, biotech firms, contract research organizations, and clinical labs all increasingly run digital systems that touch FDA-regulated processes. The same scrutiny the FDA applies to medical device cybersecurity is informing how the agency thinks about cybersecurity in manufacturing, quality systems, and GxP-regulated environments.

QMSR ties cybersecurity to your quality system. The Quality Management System Regulation, which took effect February 2026, harmonizes FDA’s quality requirements with ISO 13485 and directly maps cybersecurity risk management to the QMS. If you have a QMS — and any FDA-regulated life sciences operation does — cybersecurity is now part of it.

The False Claims Act precedent matters. The DOJ’s 2025 settlement with the biotech company established that cybersecurity misrepresentations to the federal government can be prosecuted as fraud. Every cybersecurity assertion in an FDA submission, a federal grant application, or a government contract is now a statement that could later be examined under the FCA. That changes how every life sciences operation should think about cybersecurity claims.

The five questions to ask this quarter

You don’t need a Section 524B audit to start. You need a 30-minute scoping conversation between IT, quality, and regulatory affairs. Whether your life sciences operation is a startup or a publicly traded biopharma, these are the questions:

1. Do we have an SBOM for every system that touches FDA-regulated data?

Not just medical devices — every system. Your electronic data capture platform, your lab information management system, your regulatory submission tool, your clinical trial management system. If you can’t produce a list of every software component in those systems, you can’t prove cybersecurity hygiene to the FDA, an auditor, or a partner.

2. What’s our process for tracking vendor vulnerabilities in real time?

Section 524B requires postmarket vulnerability management. The same expectation now applies functionally to your operational software stack. The Vercel breach, the Instructure breach, the Trellix breach — each one involved a vendor your peers depend on. If a critical CVE drops on a system you use, how fast do you know?
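Questions 1 and 2 are connected in practice: a machine-readable SBOM is what lets you answer "are we affected?" within minutes of an advisory landing. The script below is an added example, not code from the original post or from centrexIT; it reads a constructed CycloneDX-style SBOM for a hypothetical LIMS build and flags every component that is older than the first fixed version in a constructed advisory list (the advisory ids are placeholders, not real CVE numbers).

```python
"""Match a CycloneDX-style SBOM against vulnerability advisories (added example,
not code from the original post or centrexIT; all data below is constructed)."""
import json

# Constructed minimal CycloneDX 1.5 document for a hypothetical LIMS build.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.2"}
  ]
}
"""

# Constructed advisories with placeholder ids (not real CVE numbers); in practice
# these would come from a CVE/NVD feed keyed by package name or PURL.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "fixed_in": "3.0.8", "severity": "HIGH"},
    {"id": "ADV-PLACEHOLDER-2", "component": "log4j-core", "fixed_in": "2.17.1", "severity": "CRITICAL"},
    {"id": "ADV-PLACEHOLDER-3", "component": "jackson-databind", "fixed_in": "2.13.3", "severity": "HIGH"},
]


def version_tuple(version):
    """'3.0.10' -> (3, 0, 10): compare numerically, since as strings '3.0.10' < '3.0.9'."""
    return tuple(int(part) for part in version.split("."))


def affected_components(sbom_json, advisories):
    """Return (name, version, advisory id, severity) for each SBOM component older
    than the advisory's first fixed version; a component at the fixed version is clean."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if version_tuple(comp["version"]) < version_tuple(adv["fixed_in"]):
                findings.append((comp["name"], comp["version"], adv["id"], adv["severity"]))
    return findings


if __name__ == "__main__":
    for name, ver, adv_id, sev in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{sev}: {name} {ver} is affected by {adv_id}")
```

Run against your real SBOM exports on a schedule and the findings list becomes the evidence trail a postmarket vulnerability management plan asks for; the log4j-core entry shows that a component already at the fixed version is correctly left out.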

3. Are our cybersecurity controls documented in a way that maps to our QMS?

Under QMSR, cybersecurity risk management is part of your quality system. That means it needs to be documented, validated, and auditable — not just operational. If your cybersecurity program lives in a separate document from your QMS, that gap is itself a finding.

4. Have we reviewed our public cybersecurity statements for FCA exposure?

Every claim your organization makes about cybersecurity in FDA submissions, on your website, in investor materials, in customer contracts, or in federal grant applications is now a potential FCA exposure point. Walk through them with regulatory counsel and confirm each one is accurate, current, and supportable.

5. Who owns cybersecurity in our quality system?

This is the question that most often surfaces a gap. In many life sciences organizations, IT owns cybersecurity, quality owns the QMS, and regulatory owns FDA submissions. With Section 524B and QMSR, those three need a documented intersection — a named owner accountable for cybersecurity within the quality framework, with clear handoffs to IT and regulatory.

Need a structured way to walk through these five questions with your team? The FDA Audit Survival Score is a free 10-minute tool that scores your readiness against the same framework — useful as a starting point for the cross-functional review.

What to do this week

Two concrete actions:

Pull a current-state inventory. List every cyber device, every FDA-regulated software system, and every system that touches GxP data. For each, capture whether it has an SBOM, when its last vulnerability assessment was, whether it is covered by an incident response plan, and whether it is documented in the QMS.

Schedule a 60-minute cross-functional review. IT, quality, regulatory affairs, and a representative from senior leadership. Walk through the five questions above. Document what you don’t know yet. The list of unknowns is your first quarter of work.

You don’t need to solve Section 524B in a week. You do need to have started.

Common Questions

Does Section 524B apply to my company if we don’t make medical devices? Strictly, no. Section 524B applies to premarket submissions for cyber devices. But the FDA’s broader cybersecurity scrutiny — and the QMSR’s integration of cybersecurity into the quality system — affects every FDA-regulated life sciences operation. The compliance posture is shifting across the sector.

What’s the difference between Section 524B and 21 CFR Part 11? Part 11 governs electronic records and signatures in FDA-regulated industries — the integrity, accuracy, and traceability of electronic data. Section 524B specifically addresses cybersecurity for cyber devices. They’re related but distinct. A modern life sciences operation needs both.

What’s an SBOM and why does the FDA care? A software bill of materials is a structured inventory of every component in a piece of software, including dependencies and open-source libraries. The FDA cares because vulnerabilities most often hide in third-party components, and an SBOM is the prerequisite for tracking and remediating those vulnerabilities at scale.

How urgent is this for a Series A biotech that hasn’t filed with the FDA yet? The submission won’t happen for years, but the cybersecurity foundation needs to be in place before it does. Documenting cybersecurity decisions retroactively is expensive and often fails an audit. Building the program in parallel with your science is significantly cheaper and more defensible.


centrexIT has supported life sciences and biotech organizations across California, Arizona, Washington, Nevada, and Oregon since 2002. Section 524B readiness, QMSR cybersecurity integration, and FDA submission preparation are part of how we work — not billable extras when something breaks.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/


Sources

  1. U.S. Food and Drug Administration, “Cybersecurity” — fda.gov
  2. FDA, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (June 27, 2025 final guidance) — federalregister.gov
  3. Jones Day, “Balancing Possibilities with Realities — Cyber and Privacy Legal Trends in Life Sciences” (December 2025) — jonesday.com
  4. Morgan Lewis, “From Vulnerability to Violation: FDA Cybersecurity Requirements for Medical Devices and FCA Enforcement” (November 2025) — morganlewis.com
  5. Medical Device Network, “FDA could intensify focus on medtech cybersecurity in 2026” (November 2025) — medicaldevice-network.com