FDA Response to NIST

The Food & Drug Administration (FDA) has issued a response to NIST on the Executive Order (EO) on Improving the Cybersecurity of the Federal Government (EO 14028), dated 26 May 2021.

The document, Response to NIST Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security, summarizes “established FDA practices and efforts presently underway for OT cybersecurity in the greater medical device ecosystem,” with a focus on the following areas identified by NIST:

  1. Criteria for designating “critical software”
  2. Standards and guidelines for federal purchasing
  3. Guidelines outlining security measures that shall be applied to the federal government’s use of critical software
  4. Initial minimum requirements for testing software source code
  5. Guidelines for software integrity chains and provenance

Notably, the response discusses a phased-in approach to implementing a Cybersecurity Bill of Materials (CBOM) for premarket submissions. For more information regarding CBOM, please see the article published by SoftwareCPR last year.

There is also a particular emphasis on threat modeling and penetration testing, which the response describes as having high perceived value for security testing aimed at unknown vulnerabilities.

The document can be found on the FDA website or at the link below.

NIST Request on Presidential Executive Order: Comments Submitted by the FDA

Upcoming SoftwareCPR Training Courses:

Public Course – Jan 9-11, 2023 – Risk Management (in-person)

Our newly updated ISO 14971:2019 Medical Device Risk Management, A Software Organization’s Perspective public training course is now open for registration!

Where: Tampa, Florida

  • Coverage of ISO 14971:2019, IEC 62304 (with Amendment 1), and IEC/TR 80002-1.
  • System-level hazards analysis: mapping to software, cybersecurity, and usability.
  • Why FMEA is incomplete for medical device risk management.
  • How to perform software hazards analysis.
  • And more!

3 days onsite with group exercises, quizzes, examples, and Q&A.

Instructors: Dr. Peter Rech, Brian Pate

Discount registration through October 31, 2022. Reserve your spot!

Register here: https://events.eventzilla.net/e/2023-softwarecpr-public-training-course–iso-14971-medical-device-risk-management-a-software-organizations-perspective-2138576610


Public Course – Dec 12-15, 2022 – Being Agile & Yet Compliant (virtual)

COST: 4 half days for $1,920 per person

HOURS: 11 am until 3 pm EDT each day

TRAINING LOCATION: Virtual – live online

Register here: