What the FDA’s June 2025 Cybersecurity Guidance Means for You
With the release of its updated cybersecurity guidance in June 2025, the FDA made one thing clear: the future of medical device regulation is rooted in transparency, not just safety. As artificial intelligence (AI) becomes increasingly embedded in connected healthcare technologies, securing AI systems is now just as critical as securing traditional software. While premarket and postmarket requirements remain technically distinct for now, this update represents a pivotal step toward treating device quality and device security as inseparable concepts.
At Manifest, we see this shift as a decisive endorsement of our mission: to bring universal visibility to the AI and software supply chains that underpin modern healthcare systems.
What’s New in the June 2025 Guidance?
The latest guidance reflects the FDA’s recognition that cybersecurity risk doesn’t stop at approval:
- Expanded Definition of a “Cyber Device”: More devices now fall under the FDA’s cybersecurity oversight, particularly those with wireless or network connectivity.
- Third-Party Component Transparency: Submissions must now include SBOMs and reports from third-party software providers, not just internally developed code.
- Unresolved Vulnerabilities Must Be Assessed: Known but un-remediated vulnerabilities must be documented alongside mitigation plans and potential safety impact.
- AI/ML Risk is Here: The FDA expects manufacturers to demonstrate how security objectives such as authenticity, authorization, and timely patching are addressed based on intended use, data interfaces, and potential for harm.
What Hasn’t Changed?
The FDA continues to expect end-to-end cybersecurity risk management across the Total Product Lifecycle (TPLC) as part of a Secure Product Development Framework (SPDF):
- SBOMs remain a required element of premarket submissions and must be kept current throughout the postmarket phase.
- Manufacturers must document threat models, architecture, vulnerability response processes, and update capabilities.
- Device labeling must help users securely configure and maintain the product through its lifecycle.
The Unsung Hero of the FDA Guidance: VEX Documents
Let’s take a moment to celebrate one of the most powerful compliance tools the FDA implicitly supports: VEX documents. A Vulnerability Exploitability eXchange (VEX) document tells regulators, customers, and internal teams whether a vulnerability (e.g., a CVE) actually impacts a specific device—or not.
The true value add is that VEX documents are machine readable. Manufacturers can generate them automatically from their SBOM and vulnerability analysis, share them with the FDA and hospitals without manual reformatting, and consumers can ingest them to summarize vulnerability risk with no human in the loop. That saves time for manufacturers' product security and quality personnel, FDA reviewers, and hospital asset owners alike, and ultimately improves patient safety.
Each VEX record typically includes:
- The vulnerability identifier (e.g., CVE-2023-12345) and the product or component it is being assessed against
- Status (e.g., "Not Affected", "Affected", "Fixed", "Under Investigation")
- Justification, which is required for a "Not Affected" status (e.g., vulnerable code not present, vulnerable code not in the execution path, in-place mitigation)
- Optional links to patches, an impact statement, or further remediation steps
Together with SBOMs, VEX documents enable targeted, actionable cybersecurity decision-making. For medical device manufacturers, this is a game-changer: VEX cuts through noise, accelerates audits, and supports FDA expectations for precise risk assessments.
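To make the SBOM-plus-VEX join concrete, the following is an added example (not code from the original post and not Manifest's product code). It uses the CycloneDX JSON format, which carries VEX data in a `vulnerabilities` array whose `affects[].ref` entries point at `bom-ref` identifiers in the SBOM. Both documents are constructed sample data: the component versions and the `CVE-0000-000N` identifiers are placeholders, not real advisories. The function joins the two documents, maps CycloneDX analysis states onto the four CISA VEX statuses, and rejects two records a reviewer would bounce: a "not affected" claim with no justification, and a statement about a component that is not in the SBOM at all.

```python
"""Join a CycloneDX SBOM with a CycloneDX VEX document to triage CVEs.

Added example; both documents are constructed sample data and the
CVE identifiers are placeholders.
"""
import json

# Constructed SBOM fragment: the inventory of what ships on the device.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/openssl@3.0.8",
         "name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8"},
        {"type": "library", "bom-ref": "pkg:generic/zlib@1.2.11",
         "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "bom-ref": "pkg:generic/libxml2@2.9.10",
         "name": "libxml2", "version": "2.9.10", "purl": "pkg:generic/libxml2@2.9.10"},
    ],
})

# Constructed VEX document: the manufacturer's analysis of scanner findings.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "Vulnerable TLS renegotiation path is compiled out."},
         "affects": [{"ref": "pkg:generic/openssl@3.0.8"}]},
        {"id": "CVE-0000-0002", "source": {"name": "NVD"},
         "analysis": {"state": "exploitable", "response": ["update"],
                      "detail": "Fix scheduled for firmware 2.4.1."},
         "affects": [{"ref": "pkg:generic/zlib@1.2.11"}]},
        {"id": "CVE-0000-0003", "source": {"name": "NVD"},
         "analysis": {"state": "in_triage"},
         "affects": [{"ref": "pkg:generic/libxml2@2.9.10"}]},
        {"id": "CVE-0000-0004", "source": {"name": "NVD"},
         "analysis": {"state": "not_affected"},  # no justification: must be rejected
         "affects": [{"ref": "pkg:generic/openssl@3.0.8"}]},
        {"id": "CVE-0000-0005", "source": {"name": "NVD"},
         "analysis": {"state": "exploitable"},
         "affects": [{"ref": "pkg:generic/busybox@1.36.0"}]},  # component not in SBOM
    ],
})

# CycloneDX analysis.state values mapped onto the four CISA VEX statuses.
STATE_TO_STATUS = {
    "not_affected": "not_affected",
    "false_positive": "not_affected",
    "exploitable": "affected",
    "in_triage": "under_investigation",
    "resolved": "fixed",
    "resolved_with_pedigree": "fixed",
}

# CycloneDX analysis.justification enumeration (spec 1.4+).
VALID_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control",
}


def triage(sbom_json: str, vex_json: str) -> dict:
    """Return {status: [cve, ...]} plus 'invalid': [(cve, reason), ...]."""
    sbom = json.loads(sbom_json)
    vex = json.loads(vex_json)
    known_refs = {c["bom-ref"] for c in sbom.get("components", [])}
    report = {"affected": [], "not_affected": [], "fixed": [],
              "under_investigation": [], "invalid": []}
    for vuln in vex.get("vulnerabilities", []):
        cve = vuln["id"]
        analysis = vuln.get("analysis", {})
        refs = [a["ref"] for a in vuln.get("affects", [])]
        # Check 1: every affected ref must name a component that is actually in the SBOM.
        missing = [r for r in refs if r not in known_refs]
        if missing:
            report["invalid"].append((cve, f"refs not in SBOM: {missing}"))
            continue
        status = STATE_TO_STATUS.get(analysis.get("state"))
        if status is None:
            report["invalid"].append((cve, f"unknown state: {analysis.get('state')}"))
            continue
        # Check 2: a 'not affected' claim needs a machine-readable justification.
        if status == "not_affected":
            just = analysis.get("justification")
            if just not in VALID_JUSTIFICATIONS:
                report["invalid"].append((cve, f"not_affected with bad justification: {just}"))
                continue
        report[status].append(cve)
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON, VEX_JSON), indent=2))
```

The output is the triage list a product security team actually needs: one CVE that requires a patch plan, one that is documented as not reachable, one still under investigation, and two records sent back to the author. Dropping or silently accepting the invalid records is what turns VEX from a risk tool into a rubber stamp, so the validation runs before any status is counted.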
How Manifest Helps You Operationalize the New FDA Mandates
At Manifest, we’ve built a platform that makes this new era of FDA compliance not just manageable, but strategic:
- Automated SBOM & AIBOM Generation: Continuously create and ingest SBOMs and AI BOMs from first-party code and third-party vendors, aligned to CycloneDX and SPDX standards.
- Integrated VEX Authoring & Validation: Generate, store, and communicate VEX metadata to prove whether CVEs in your SBOM actually apply—supporting proactive compliance.
- Real-Time Vulnerability Intelligence: Daily scanning against NVD, KEV, EPSS, and proprietary exploitability models helps your team separate signal from noise.
- Total Lifecycle Risk Management: Track exposure across the full TPLC, from submission to device decommissioning.
- Labeling-Ready Outputs: Quickly surface the right security metadata for use in FDA-mandated labeling and configuration guidance.
Cybersecurity is now a core quality attribute of every connected medical device. The June 2025 guidance isn't just a regulatory update; it's a call to action for manufacturers to adopt systems that can continuously monitor, communicate, and mitigate cybersecurity risk.
At Manifest, we’re helping our partners lead this shift, not just to meet FDA expectations but to safeguard the integrity of care. Want to learn how Manifest can help you prepare for the future of medical device security? Let’s talk.