FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

FDA guidance establishing cybersecurity expectations for medical device manufacturers throughout the total product lifecycle. 42 requirements across secure product development framework (SPDF), threat modelling, security architecture, authentication and authorisation, cryptography and data protection, software bill of materials (SBOM), security testing and vulnerability management, postmarket monitoring and coordinated vulnerability disclosure, patch and update management, labelling and transparency, and interoperability security. Addresses both premarket submission requirements and postmarket management obligations. Implements the cybersecurity requirements for "cyber devices" that Section 524B of the FD&C Act (added by the Consolidated Appropriations Act, 2023) places on premarket submissions. The tables below map NIST SP 800-53 control families to those requirements by reference code; note that "SA-n" in the references column is a guidance reference code, not the NIST SA (System and Services Acquisition) family listed further down.

AC Access Control

Control Name FDA Cybersecurity Guidance References
AC-01 Access Control Policies and Procedures
SA-1
AC-02 Account Management
SA-1
AC-03 Access Enforcement
SA-1, SA-4
AC-04 Information Flow Enforcement
SA-4, TM-2
AC-06 Least Privilege
SA-1, SA-4
AC-07 Unsuccessful Login Attempts
SA-1
AC-14 Permitted Actions Without Identification Or Authentication
SA-1
AC-24 Access Control Decisions
SA-1

AU Audit and Accountability

Control Name FDA Cybersecurity Guidance References
AU-02 Auditable Events
SA-5
AU-03 Content Of Audit Records
SA-5
AU-04 Audit Storage Capacity
SA-5
AU-05 Response To Audit Processing Failures
SA-5
AU-06 Audit Monitoring, Analysis, And Reporting
SA-5
AU-08 Time Stamps
SA-5
AU-09 Protection Of Audit Information
SA-5
AU-12 Audit Record Generation
SA-5

CA Security Assessment and Authorization

Control Name FDA Cybersecurity Guidance References
CA-02 Security Assessments
524B-4, SPDF-2
CA-05 Plan Of Action And Milestones
CRA-3, VR-2
CA-07 Continuous Monitoring
524B-2, 524B-4
CA-08 Penetration Testing
CRA-1, ST-2

CM Configuration Management

Control Name FDA Cybersecurity Guidance References
CM-02 Baseline Configuration
PU-2, SA-3
CM-03 Configuration Change Control
PU-1, PU-2, SA-3
CM-04 Monitoring Configuration Changes
PU-1
CM-05 Access Restrictions For Change
SA-3
CM-06 Configuration Settings
PU-2, SPDF-3
CM-08 Information System Component Inventory
524B-1, SBOM-1, SBOM-2, SBOM-3, ST-4

CP Contingency Planning

Control Name FDA Cybersecurity Guidance References
CP-02 Contingency Plan
SA-6
CP-09 Information System Backup
SA-6
CP-10 Information System Recovery And Reconstitution
SA-6
CP-11 Alternate Communications Protocols
SA-6
CP-12 Safe Mode
SA-6
CP-13 Alternative Security Mechanisms
SA-6

IA Identification and Authentication

Control Name FDA Cybersecurity Guidance References
IA-01 Identification And Authentication Policy And Procedures
SA-1
IA-02 User Identification And Authentication
SA-1
IA-03 Device Identification And Authentication
SA-1
IA-04 Identifier Management
SA-1
IA-05 Authenticator Management
SA-1
IA-06 Authenticator Feedback
SA-1
IA-07 Cryptographic Module Authentication
SA-1
IA-08 Identification and Authentication (Non-Organizational Users)
SA-1
IA-09 Service Identification and Authentication
SA-1
IA-11 Re-authentication
SA-1
IA-12 Identity Proofing
SA-1

IR Incident Response

Control Name FDA Cybersecurity Guidance References
IR-01 Incident Response Policy And Procedures
INC-1
IR-02 Incident Response Training
INC-1
IR-03 Incident Response Testing And Exercises
INC-1
IR-04 Incident Handling
INC-1, INC-2, VR-1
IR-05 Incident Monitoring
INC-1, INC-2, VR-1
IR-06 Incident Reporting
524B-3, CVD-1, CVD-2, INC-1, INC-3
IR-07 Incident Response Assistance
524B-3, CVD-1, INC-1
IR-08 Incident Response Plan
INC-1

MP Media Protection

Control Name FDA Cybersecurity Guidance References
MP-02 Media Access
SA-4
MP-04 Media Storage
SA-4
MP-06 Media Sanitization And Disposal
SA-4

PL Planning

Control Name FDA Cybersecurity Guidance References
PL-02 System Security Plan
524B-4, CRA-3, SPDF-1, SPDF-3, TM-3, TR-1, TR-3
PL-04 Rules Of Behavior
TR-1, TR-3
PL-07 Concept of Operations
SPDF-3
PL-08 Security and Privacy Architectures
SPDF-1, SPDF-3

PM Program Management

Control Name FDA Cybersecurity Guidance References
PM-01 Information Security Program Plan
524B-4, SPDF-1
PM-04 Plan of Action and Milestones Process
524B-2, INC-3, VR-2
PM-07 Enterprise Architecture
SPDF-1
PM-09 Risk Management Strategy
524B-4, CRA-2, CRA-3, SPDF-2, TM-3, TR-2, VR-1
PM-11 Mission and Business Process Definition
CRA-2
PM-12 Insider Threat Program
TM-1
PM-15 Security and Privacy Groups and Associations
524B-2, 524B-3, CVD-1, CVD-2, MON-1, MON-3
PM-16 Threat Awareness Program
MON-1, MON-3, TM-1
PM-20 Dissemination of Privacy Program Information
TR-1
PM-21 Accounting of Disclosures
TR-1
PM-22 Personally Identifiable Information Quality Management
CVD-1
PM-28 Risk Framing
SPDF-2

RA Risk Assessment

Control Name FDA Cybersecurity Guidance References
RA-01 Risk Assessment Policy And Procedures
SPDF-2
RA-02 Security Categorization
SPDF-2
RA-03 Risk Assessment
524B-4, CRA-1, CRA-2, CRA-3, INC-2, MON-2, SPDF-2, TM-1, TM-2, TM-3, TR-2, VR-1
RA-05 Vulnerability Scanning
524B-2, CRA-1, MON-1, MON-2, SBOM-3, ST-1, ST-2, ST-3, ST-4, TM-1
RA-07 Risk Response
CRA-3, INC-2, MON-2, SPDF-2, TM-3, TR-2, VR-1, VR-2
RA-09 Criticality Analysis
CRA-2, SPDF-2
RA-10 Threat Hunting
CRA-1, MON-3, ST-2, TM-1

SA System and Services Acquisition

Control Name FDA Cybersecurity Guidance References
SA-03 Life Cycle Support
SPDF-1
SA-04 Acquisitions
524B-1, SBOM-1
SA-05 Information System Documentation
SPDF-3, TR-1, TR-2, TR-3
SA-08 Security Engineering Principles
SPDF-1, SPDF-3, TM-2, TM-3
SA-09 External Information System Services
TR-3
SA-10 Developer Configuration Management
524B-1, PU-1, SA-3, SBOM-1, SBOM-2
SA-11 Developer Security Testing
524B-4, CRA-1, PU-1, ST-1, ST-2, ST-3, ST-4, TM-1
SA-15 Development Process, Standards, and Tools
SPDF-1, ST-1
SA-17 Developer Security and Privacy Architecture and Design
SPDF-1, SPDF-3, TM-2
SA-22 Unsupported System Components
PU-2, PU-3

SC System and Communications Protection

Control Name FDA Cybersecurity Guidance References
SC-04 Information Remnance
SA-4
SC-07 Boundary Protection
PU-3, TM-2
SC-08 Transmission Integrity
SA-2, SA-4
SC-12 Cryptographic Key Establishment And Management
SA-2
SC-13 Use Of Cryptography
SA-2
SC-17 Public Key Infrastructure Certificates
SA-2
SC-23 Session Authenticity
SA-2
SC-24 Fail in Known State
SA-6
SC-28 Protection of Information at Rest
SA-2, SA-4
SC-34 Non-modifiable Executable Programs
SA-3

SI System and Information Integrity

Control Name FDA Cybersecurity Guidance References
SI-02 Flaw Remediation
524B-2, MON-2, PU-1, PU-2, PU-3, SBOM-2, SBOM-3, VR-2
SI-03 Malicious Code Protection
PU-3
SI-04 Information System Monitoring Tools And Techniques
MON-3, PU-3, SA-5
SI-05 Security Alerts And Advisories
524B-2, 524B-3, CVD-1, CVD-2, INC-3, MON-1, MON-2, MON-3, SBOM-3
SI-06 Security Functionality Verification
SA-5
SI-07 Software And Information Integrity
SA-3, ST-1
SI-10 Information Accuracy, Completeness, Validity, And Authenticity
ST-3
SI-13 Predictable Failure Prevention
SA-6
SI-16 Memory Protection
SA-3
SI-17 Fail-safe Procedures
SA-6

SR Supply Chain Risk Management

Control Name FDA Cybersecurity Guidance References
SR-04 Provenance
524B-1, SBOM-1, SBOM-2, SBOM-3, ST-4
SR-05 Acquisition Strategies, Tools, and Methods
524B-1, SBOM-1, ST-4
SR-06 Supplier Assessments and Reviews
SBOM-3
SR-08 Notification Agreements
MON-1