FDA Response to NIST

The Food & Drug Administration (FDA) has issued a response to NIST regarding the Executive Order (EO) on Improving the Cybersecurity of the Federal Government (EO 14028), dated 26 May 2021.

The document, Response to NIST Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security, summarizes “established FDA practices and efforts presently underway for OT cybersecurity in the greater medical device ecosystem,” with a focus on the following areas identified by NIST:

  1. Criteria for designating “critical software”
  2. Standards and guidelines for federal purchasing
  3. Guidelines outlining security measures that shall be applied to the federal government’s use of critical software
  4. Initial minimum requirements for testing software source code
  5. Guidelines for software integrity chains and provenance

Notably, the document discusses a phased-in approach to implementing a Cybersecurity Bill of Materials (CBOM) for premarket submissions. For more information regarding CBOM, please visit this article published by SoftwareCPR last year.

There is also a particular emphasis on threat modeling and penetration testing, with statements about their high perceived value for security testing aimed at unknown vulnerabilities.

The document can be found on the FDA website or at the link below.

NIST Request on Presidential Executive Order: Comments Submitted by the FDA

Cybersecurity Review

Our cybersecurity experts are Nessus Pro licensed and can quickly remediate cybersecurity deficiencies in your medical device or digital health software. Planning, requirements, validation, and submissions – we can assist with all.

Interested in having a conversation? Email us to arrange a Zoom meeting or call us at +1 781-721-2921.
