If you want your FDA submission to hold up, I’d treat cybersecurity risk ranking as a traceable scoring process, not a loose checklist.
I’d keep the approach simple: score each medical device security risk by exploitability and patient impact, document both pre-mitigation and post-mitigation risk, connect each risk to controls, tests, and results, and update rankings across the device lifecycle. I’d also flag any item tied to patient harm for the ISO 14971 safety process, review SBOM findings as foreseeable risks, and move fast on issues tied to the CISA KEV catalog.
Here’s the article in plain terms:
- Use exploitability, not probability, when ranking cyber risk
- Set scoring rules first in the Cybersecurity Management Plan
- Score twice: before controls and after controls
- Map every threat to clinical use, not just device-only use
- Trace each risk to assets, requirements, controls, testing, and residual-risk decisions
- Review SBOM vulnerabilities and treat listed CVEs as foreseeable
- Do not accept KEV-listed issues as-is; they need design or remediation action
- Send patient-harm cyber risks into the ISO 14971 safety workflow
- Re-rank risks over time using threat intel, exploit changes, and end-of-support notices
- Keep QMS records current under the FDA’s QMSR, effective February 2, 2026
A few dates and numbers stand out. The FDA issued the main premarket cybersecurity guidance on September 27, 2023. QMSR took effect on February 2, 2026. And the article points to triage targets of 24–48 hours for intake, 5 days for assessment, and 14 days for a remediation decision.
If I were turning this into action, I’d focus on one question: Can a reviewer follow the path from threat, to score, to control, to test evidence, to residual-risk decision without guessing? If the answer is yes, the process is in much better shape.
Webinar: Master Medical Device Cybersecurity: Avoid FDA Delays
sbb-itb-535baee
Build the Foundation for FDA-Aligned Prioritization
Before you rank any risk, set the rules on paper and gather the source files that back them up. That step matters because the FDA's QMSR, effective February 2, 2026, lines up with ISO 13485:2016 and pulls cybersecurity risk management into the QMS [4][2].
Define Risk Criteria, Scoring Scales, and Acceptance Thresholds
Write your scoring method into the Cybersecurity Management Plan. This plan should spell out how risk is scored, which thresholds trigger escalation, and who can accept a risk [3][4].
"Cybersecurity risks are difficult to predict, meaning that it is not possible to assess and quantify the likelihood of an incident occurring based on historical data or modeling (also known as a 'probabilistic manner')." - FDA February 3, 2026 Final Guidance [5]
That quote gets to the point: for cybersecurity, likelihood-based scoring isn't the right fit. Instead, score risk using exploitability and clinical impact.
For exploitability, CVSS v3.1 gives you a steady way to score factors like:
- Access Vector
- Attack Complexity
- Privileges Required
- User Interaction
Then connect severity to patient harm and device disruption. Think in plain terms: missed therapy, incorrect dosing, or alarm suppression. Use fixed tiers such as Low, Medium, High, and Critical instead of case-by-case calls that shift from one review to the next [3][5].
Each risk should be scored twice:
- Pre-mitigation, assuming no controls are in place
- Post-mitigation, after controls have been checked and confirmed
That side-by-side view helps show whether the controls are doing their job [3].
If a risk could lead to patient harm, move it into the ISO 14971 safety process. Don't leave that handoff vague. Document which risks move over, who owns the transfer, and how safety decisions feed back into cybersecurity controls [3].
Gather the Core Artifacts FDA Expects
Once the scoring rules are in place, pull together the documents that support steady prioritization. If attachments are missing or cybersecurity responses are off target, the eSTAR system can place the submission on Technical Screening hold [4].
| Core Artifact | Role in Prioritization |
|---|---|
| Cybersecurity Management Plan | Sets the scoring method, acceptance thresholds, and governance authority |
| Threat Model | Points to the threats and failure modes that need scoring |
| Architecture Views & Data Flow Diagrams | Show trust boundaries, lateral movement paths, and system-level impact |
| SBOM (SPDX or CycloneDX format) | Shows known vulnerabilities in third-party components |
| Safety and Security Assessment | Records the link between cyber threats and patient harm |
These materials feed the next step: inventory assets, map threats, and rank risk in clinical context.
One practical point on SBOMs: any CVE listed in the SBOM should be treated as a foreseeable risk [3]. And if a vulnerability appears in the CISA Known Exploited Vulnerabilities (KEV) catalog, the FDA expects it to be designed out, not accepted as a risk [3][4].
With that groundwork in place, the prioritization workflow can start.
Follow the Step-by-Step Risk Prioritization Process
FDA Cybersecurity Risk Prioritization: 7-Step Process for Medical Devices
Use the plan, threat model, architecture views, and SBOM as the inputs to one fixed workflow. That way, each risk is inventoried, scored, ranked, mitigated, and rescored with evidence you can trace back later.
Steps 1 and 2: Inventory Assets and Model Threats in Clinical Context
Start by cataloging device software, firmware, hardware interfaces, wireless links, and cloud dependencies [2]. Then map how the device connects to EHRs, PACS, hospital networks, and mobile devices [2][3].
After that, build the threat model around the device's actual operating setting. That means looking at both malicious attacks and day-to-day failures, including misconfiguration and accidental PHI exposure [3]. Each threat should have its own ID. That ID becomes the anchor for the traceability chain used in the rest of the process.
Use those threat IDs and system maps as the basis for scoring.
Steps 3 Through 5: Score Severity, Rank Risks, and Select Controls
Score each threat for severity and exploitability. Severity should reflect clinical harm, such as delayed therapy or incorrect dosing. Exploitability should follow your defined CVSS-based scoring method [3].
If a risk is scored below worst-case exploitability, you need to show why. Point to the technical barriers that support the lower score. Stated claims on their own won't stand up during review [3].
Next, rank risks against the acceptability matrix and assign controls to every risk that needs mitigation. Use the ranking result to choose controls across the eight eSTAR categories:
| Control Category | Focus Area |
|---|---|
| Authentication | Verifying user and system identity |
| Authorization | Managing privileges and access levels |
| Cryptography | Encryption and key management |
| Integrity | Protecting code, data, and execution |
| Confidentiality | Preventing unauthorized data exposure |
| Event Detection | Logging and monitoring security events |
| Resiliency | Recovery and system continuity |
| Updates | Secure firmware and software patching |
Link each control ID back to its risk ID and threat ID [3].
Those rankings set the baseline for residual-risk review.
Steps 6 and 7: Recalculate Residual Risk and Reprioritize Over Time
Once controls are verified, rescore the risks to set residual risk. If the score barely moves, the control didn't do much to lower the risk.
Any cybersecurity risk that could plausibly lead to patient harm at the residual level needs a documented handoff into the ISO 14971 safety risk management process [3].
This work doesn't stop at submission. Priorities need to change when threat intelligence, end-of-support notices, or new exploit tools shift exploitability. Build structured triage timelines into the process:
- 24–48 hours for initial triage
- 5 days for risk assessment
- 14 days for a remediation decision
When exploitability scores change, rescore the risk and update the traceability matrix. That's what keeps the risk file credible across the Total Product Life Cycle (TPLC) [3].
Connect Prioritized Risks to FDA Submission and Governance
Once you rank risks, the next step is to turn those rankings into submission evidence and controlled QMS records.
Start with a traceability matrix. It should link each risk ID to the related requirement, control, test, and result. Then carry that same prioritized risk ID across the full record set: the threat model, risk assessment, control evidence, testing, and residual-risk justification. For each prioritized risk, the residual-risk justification needs to spell out why the selected controls are acceptable in light of patient safety and device effectiveness.
That same traceability should extend into SBOM review and vulnerability monitoring. In plain terms, the SBOM can't sit in a static file and gather dust. Link it to live vulnerability sources so review stays current, not point-in-time.
Translate Risk Rankings into Premarket Submission Content
Once the submission file is traceable, move those same rankings into lifecycle governance. Under the FDA's Quality Management System Regulation (QMSR), which became effective on February 2, 2026, manufacturers must maintain a Cybersecurity Management Plan, a Security Risk Management Plan, and a Postmarket Maintenance Plan as distinct QMS records [6][7]. Treat each one as a controlled QMS record with a named owner, a set review cycle, and a clear approval path.
Embed Prioritization into QMS and Device Lifecycle Management
High-priority cyber risks should flow straight into design inputs and change control. Every design change needs a security impact analysis to confirm that no new vulnerabilities were introduced [8]. The FDA says it plainly: "Cybersecurity risk management should be an integrated part of a manufacturer's entire quality management system, addressed throughout the TPLC." [1] So risk rankings shouldn't stay frozen after release. They need updates when the SBOM changes, when new exploits appear, or when a component reaches end-of-support [9].
Postmarket plans should also include clear labeling and a Security Guide. That guide should tell HDOs how to configure the device securely, what network requirements apply, and how patches will be delivered and applied [6][8].
| Governance Metric | What It Measures |
|---|---|
| Patch Completion Rate | Percentage of identified vulnerabilities that have been successfully updated or patched [9] |
| Vulnerability Remediation Duration | Time from vulnerability identification to patch release [9] |
| Field Implementation Duration | Time from patch availability to full implementation across field devices [9] |
Use these metrics in CAPA to trigger a risk review when remediation slows down or field rollout starts to lag [9].
Conclusion: A Practical FDA Cybersecurity Prioritization Model
FDA-aligned risk prioritization isn’t a one-time exercise. It’s a repeatable process: define your scoring criteria, rank pre-mitigation risk, verify controls, and then rescore residual risk. A control is only doing its job when residual risk goes down.
That residual-risk view should carry into ongoing TPLC review. It shouldn’t stop at submission.
Reprioritization is part of FDA's Total Product Lifecycle (TPLC) expectation [3], which means the record needs to stay traceable from threat to control to test evidence [3]. If that chain breaks, the assessment loses traceability.
FAQs
How should we set cyber risk scoring thresholds?
Set and document clear risk acceptability criteria with tiers like Low, Medium, High, and Critical. Each tier should have a plain next step attached to it. For example:
- Critical: Act at once. Mitigate the risk or make major design changes before moving forward.
- High: Address the risk as a priority and put controls in place soon.
- Medium: Reduce the risk where practical and track it closely.
- Low: Accept the risk with normal monitoring.
Review these thresholds across the total product lifecycle, not just at launch. Things change. New attack methods show up, old assumptions stop holding, and a risk that looked minor six months ago may not look minor anymore.
When you assess risk, give more weight to exploitability than probability. In plain terms, focus on how easy it is for someone to use the weakness against you, not just how likely you think an attack might be. And if a vulnerability appears in CISA’s Known Exploited Vulnerabilities Catalog, treat it as unacceptable. That’s not something to watch later. It needs action.
What evidence should support residual risk decisions?
Residual risk decisions need clear records. That record should show how each risk was found, judged, and reduced.
That usually includes:
- threat models
- cybersecurity risk assessments
- testing results
The documentation should also show how exploitability and impact were assessed, what residual risk conclusion was reached, and how the evidence connects across threat models, SBOMs, and testing.
Just as important, it should include risk scores before and after mitigation, backed by data such as vulnerability severity, exploitability, and clinical impact.
When should a cyber risk move into ISO 14971?
A cybersecurity risk should move into ISO 14971 when the threat can lead to a device malfunction or an operating problem that may harm patients. That includes issues like loss of device function or unauthorized data access.
Once it crosses that line, assess it for clinical impact, especially when patient safety may be at risk.
