This FDA guidance addresses off-the-shelf (OTS) software including operating systems, database management systems, programming language compilers, libraries, and middleware incorporated into medical devices. The document provides practical recommendations for documenting OTS software in premarket submissions, recognizing the regulatory challenges associated with software of unknown or partially known provenance (SOUP). Manufacturers should evaluate and document vendor information, known defects and vulnerabilities, product lifecycle and support duration, configuration management practices, and compatibility with device safety and effectiveness requirements. The guidance establishes documentation expectations proportionate to OTS software risk contribution to overall device safety. Manufacturers must demonstrate that OTS software selection and management processes follow systematic risk-based approaches. This document serves as the practical foundation for implementing IEC 62304 Section 7.1 (SOUP management) requirements, bridging international standards and FDA regulatory expectations. Manufacturers should maintain current understanding of OTS software vulnerabilities and security patches, coordinating with vendors to receive timely security updates and assessing impact on marketed devices through post-market surveillance protocols.

This FDA final guidance (September 2023) establishes current cybersecurity requirements for medical device manufacturers, implementing legal mandates from the Consolidated Appropriations Act 2023 (Section 524B). The guidance specifies mandatory inclusion of software bill of materials (SBOM), vulnerability disclosure policies, and cybersecurity management plans in premarket submissions for devices with network connectivity or remote functionality. Manufacturers must establish processes for identifying, evaluating, and disclosing known and potential cybersecurity vulnerabilities to the FDA and relevant stakeholders. The cybersecurity management plan should address threat modeling, risk assessment, security design controls, and post-market monitoring strategies. The guidance demonstrates alignment with international standards including IEC 81001-5-1 (application of risk management to network security) and AAMI TIR57 (medical device security guidance), facilitating harmonized global regulatory compliance. Manufacturers should integrate cybersecurity considerations throughout the device lifecycle from design through post-market surveillance. The guidance represents current regulatory expectations and serves as the primary reference for FDA premarket submissions incorporating cybersecurity requirements. Compliance demonstrates manufacturer commitment to protecting patient safety and data integrity.

This FDA final guidance (2023) specifies required documentation content for software in premarket submissions including 510(k), PMA, and De Novo pathways. The guidance provides structured requirements based on software risk level (minor, moderate, major) classification, recognizing that documentation scope should be proportionate to patient risk. For each software risk category, the document delineates specific submission requirements for design specifications, system architecture, verification and validation (V&V) documentation, cybersecurity considerations, and unmet need summaries. Manufacturers must provide detailed design specifications describing intended functionality and performance parameters, system architecture documentation explaining software structure and interfaces, comprehensive V&V documentation demonstrating safety and effectiveness testing, and cybersecurity management plans addressing relevant threats. The guidance replaces the previous "Content of Premarket Submissions for Software" document, incorporating contemporary regulatory expectations including artificial intelligence considerations, interoperability requirements, and cybersecurity standards. Compliance with these content requirements streamlines FDA review and supports timely device approval decisions.