U.S. FDA · Section 524B · medical-device cybersecurity

Build your SBOM & vulnerability evidence for FDA premarket submissions

Section 524B wants more than a parts list: a machine-readable SBOM with each component's support level and end-of-support date, plus an assessment and remediation plan for known vulnerabilities. IsItPatched produces exactly that — per-component support & end-of-support, known and actively-exploited CVEs, the minimum safe version (your remediation target), and exportable VEX/risk evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for everyone on the submission

Device manufacturers

Sponsors of 510(k), De Novo and PMA submissions for cyber devices. Produce the SBOM vulnerability analysis and patch evidence 524B expects.

Regulatory & quality (RA/QA)

Document a defensible postmarket vulnerability-management process — and keep the evidence — without standing up new tooling.

HDOs & biomedical engineering

Hospitals tracking deployed devices: see which components are actively exploited or past end-of-support across your fleet.

524B requirements → what IsItPatched gives you

SBOM: support level & end-of-support per component

FDA's guidance wants more than a parts list — for each component it expects the level of support and the end-of-support date. IsItPatched resolves exactly that from your CycloneDX/SPDX SBOM, with a CycloneDX VEX export — the part generic SBOM tools handle weakly.

Scan an SBOM →

Postmarket vulnerability management

Monitor your components and get alerted when a new vulnerability lands later. A prioritised patch queue plus exportable evidence of the ongoing process.

Open your dashboard →

Out-of-cycle patch triggers

FDA expects patches on a regular cycle, and out-of-cycle for critical vulns. IsItPatched flags actively-exploited (CISA KEV) and high-EPSS CVEs so those triggers are defensible.

See actively-exploited CVEs →

End-of-support / legacy

Devices live for years. End-of-life tracking and minimum-safe-version guidance flag components that can no longer be patched — a documented lifecycle risk.

End-of-life calendar →

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing your versions and end-of-support dates
  • A prioritised, known-exploited-first patch queue — postmarket vulnerability-management evidence

Sign in (free, no password) to sync your component stack and generate these from your dashboard.
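As an added illustration, not IsItPatched's own code or output, the following shows how a known-exploited-first patch queue and a CycloneDX VEX document can be derived from SBOM scan findings. The component names, CVE IDs, EPSS scores, KEV flags and end-of-support dates are constructed placeholders, and the priority rule (CISA KEV first, then EPSS) and the analysis states chosen are assumptions rather than the product's method.

```python
import json
from datetime import date

# Constructed scan findings, as an OSV-style match against SBOM bom-refs would return them.
# Component names, CVE IDs, EPSS scores and KEV flags are placeholders, not real data.
MATCHES = [
    {"id": "CVE-0000-0001", "ref": "pkg:generic/libbeta@2.3.0", "fixed_in": "2.4.1", "epss": 0.91, "kev": True},
    {"id": "CVE-0000-0002", "ref": "pkg:generic/libalpha@1.1.1", "fixed_in": None, "epss": 0.04, "kev": False},
    {"id": "CVE-0000-0003", "ref": "pkg:generic/libgamma@0.9.1", "fixed_in": "1.0.0", "epss": 0.30, "kev": False},
]
# Constructed end-of-support dates keyed by component name (endoflife.date-style data).
END_OF_SUPPORT = {"libalpha": date(2023, 9, 11), "libbeta": date(2027, 1, 1)}
AS_OF = date(2026, 6, 16)  # constructed assessment date

def component_name(ref):
    # pkg:generic/libbeta@2.3.0 -> libbeta
    return ref.rsplit("/", 1)[-1].split("@", 1)[0]

def patch_queue(matches, eos, today):
    """Order findings known-exploited-first (CISA KEV), then by EPSS descending,
    and flag components whose support window closed before the assessment date."""
    queue = []
    for m in sorted(matches, key=lambda m: (not m["kev"], -m["epss"])):
        eos_date = eos.get(component_name(m["ref"]))
        queue.append({**m, "out_of_cycle": m["kev"],
                      "past_end_of_support": eos_date is not None and eos_date < today})
    return queue

def to_vex(queue):
    """Emit a CycloneDX VEX document: one vulnerability entry per finding with an analysis block."""
    vulns = []
    for item in queue:
        name = component_name(item["ref"])
        if item["fixed_in"]:  # a fixed version exists: the remediation target is the upgrade
            analysis = {"state": "exploitable", "response": ["update"],
                        "detail": f"Upgrade {name} to {item['fixed_in']} (minimum safe version)"}
        elif item["past_end_of_support"]:  # no fix and no vendor support: documented lifecycle risk
            analysis = {"state": "exploitable", "response": ["can_not_fix"],
                        "detail": f"{name} is past end-of-support and no fixed version is available"}
        else:
            analysis = {"state": "in_triage", "detail": "No fixed version published yet"}
        vulns.append({"id": item["id"], "source": {"name": "OSV"},
                      "ratings": [{"method": "other", "score": item["epss"], "source": {"name": "EPSS"}}],
                      "analysis": analysis, "affects": [{"ref": item["ref"]}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": vulns}

if __name__ == "__main__":
    print(json.dumps(to_vex(patch_queue(MATCHES, END_OF_SUPPORT, AS_OF)), indent=2))
```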

Straight with you: IsItPatched is an informational tool built on public vulnerability data (NVD · CISA KEV · OSV · endoflife.date). It supports specific FDA Section 524B elements — SBOM/component vulnerability analysis, known-exploited prioritisation, end-of-support tracking and postmarket vulnerability management — but it is not regulatory or legal advice, does not constitute an FDA premarket submission, and cannot clear or approve a device. Confirm your obligations with your regulatory team. Disclaimer.

FDA Section 524B — frequently asked

What is FDA Section 524B?

Section 524B of the U.S. Federal Food, Drug & Cosmetic Act — added by the Consolidated Appropriations Act, 2023 — requires makers of "cyber devices" (any medical device that contains software and can connect to a network, e.g. Wi-Fi or Bluetooth) to address cybersecurity in their premarket submissions. Sponsors must provide a machine-readable software bill of materials (SBOM), a plan to monitor and remediate postmarket vulnerabilities including coordinated disclosure, and processes to ship security updates and patches. The FDA's final guidance on this was updated in June 2025.

How does IsItPatched help with FDA premarket cybersecurity?

Bring your CycloneDX or SPDX SBOM and IsItPatched gives you the vulnerability picture the FDA expects you to manage: which components have known CVEs, which are actively exploited (CISA KEV) so you can justify out-of-cycle patches, the minimum safe version to upgrade to, end-of-support dates for legacy components, and a CycloneDX VEX plus a risk register you can keep as postmarket-vulnerability-management evidence.

Does IsItPatched make my device FDA-compliant or clear it?

No. IsItPatched is an informational tool built on public vulnerability data. It supports specific 524B elements — SBOM/component vulnerability analysis, known-exploited prioritisation, end-of-support tracking and postmarket vulnerability management — but it is not regulatory or legal advice, it does not constitute an FDA premarket submission, and it cannot clear or approve a device. Work with your regulatory team.

Selling into other regulated markets? See our EU CRA edition → and ISA/IEC 62443 edition →