AAMI CR515:2025 establishes cybersecurity considerations specific to machine learning-enabled medical devices. Recognized by the FDA as a consensus standard (Recognition Number: 13-153) on December 22, 2025, the document serves as a normative reference in the Software/Informatics domain. The standard specifies security risk management requirements essential for the development and operational deployment of medical devices incorporating artificial intelligence and machine learning technologies. Manufacturers should implement the specified cybersecurity controls and risk management procedures to address vulnerabilities introduced by machine learning algorithms, including model drift, adversarial attacks, and data integrity threats. The document provides manufacturers with practical guidance for integrating cybersecurity considerations throughout the device lifecycle, from initial algorithm development through post-market surveillance and model updates.

Technical information report providing recommendations for complying with IEC 62304, FDA 21 CFR 820, and ISO 13485 when using agile practices to develop medical device software. Covers integration of cybersecurity, risk management, design validation, and human factors within an agile framework. Second edition revising TIR45:2012, approved March 2023.

Technical information report providing guidance on postmarket security risk management for medical devices within the ISO 14971 safety risk management process. Designed for use with AAMI TIR57:2016. Covers PSIRT establishment, vulnerability disclosure policy, and coordinated vulnerability disclosure (CVD) frameworks. Closely aligned with FDA postmarket cybersecurity guidance. Published 2019, reaffirmed 2023.

Technical information report providing guidance on information security risk management for medical devices within the ISO 14971 safety risk management process. Incorporates expanded risk management concepts from IEC 62443, presenting practical methods for threat modeling and security risk assessment. Directly referenced by FDA's 2023 final cybersecurity guidance. Complementary to IEC 81001-5-1. Originally published 2016, reaffirmed 2023.

Technical information report providing a mapping of US FDA 21 CFR 820 requirements to the regulatory requirement references in ISO 13485:2016. Developed by AAMI QM/WG 01 to help US industry identify applicable regulatory requirements through an ISO 13485 quality management system.

This AAMI technical information report establishes a standardized classification system for defects identified in health software, including software embedded in medical devices and Software as a Medical Device (SaMD). The document defines defect categories based on type, severity, and origin within the software development lifecycle, enabling consistent defect tracking, root cause analysis, and process improvement. The classification scheme supports compliance with IEC 62304 software lifecycle requirements and FDA quality system expectations, and is referenced in the context of cybersecurity vulnerability management and postmarket surveillance activities. Currently under reaffirmation review by the AAMI SM-WG08 Software Defect Classification Working Group (as of April 2025).