Prepare for Audits & Submissions
Product Security Hub consolidates all your security documentation in one place. When it's time for an FDA submission, audit, or regulatory review, you can export comprehensive reports that demonstrate your security posture and due diligence.
Before You Begin
- Your product's security documentation is complete (threats assessed, requirements documented, risks scored)
- You've reviewed all content for accuracy before exporting
Key Concept: Export Everything You Need
Product Security Hub provides multiple export options depending on your needs:
- My Product Dashboard Export: Complete product data in Excel or JSON with tabs for every section
- SBOM Export: Machine-readable CycloneDX format for SBOM deliverables
- Diagram Export: Architecture diagrams in various image formats
Use Product Security Hub as Your Data Source
Many manufacturers have their own internal templates, customer-required formats, or company-specific spreadsheets for cybersecurity documentation. Product Security Hub works as your central data source: you can copy, paste, and input our exports directly into your existing templates.
How it works:
- Export your data from Product Security Hub in Excel format
- Copy the relevant data (threats, requirements, risks, etc.) from the export tabs
- Paste into your organization's templates or customer-required formats
- Product Security Hub remains your source of truth: update there, then refresh your templates
This approach lets you maintain all your security documentation in one place while still delivering in whatever format your organization, customers, or regulators require.
Export from My Product Dashboard
The primary way to export your complete product documentation is from the My Product Dashboard. This export includes everything you've documented in Product Security Hub.
Navigate to My Product Dashboard
Click My Product Dashboard in the top navigation to access your product overview and export options.
Choose Your Export Format
Select either Excel or JSON export based on your needs:
Excel Export
Human-readable format with separate tabs for each section. Ideal for review, printing, and including in reports.
JSON Export
Machine-readable format for programmatic processing, integration with other tools, or archival.
Review the Export Contents
The export includes separate tabs/sections for all your product data:
Product Details
Name, description, settings
Components
All product components
Threats
Threat model with scores
Requirements
All requirements & responses
Risks
Residual risk documentation
Vulnerabilities
All vulnerability records
Patches
Patch management records
Tip: Everything you've documented in Product Security Hub is included in the export. This is your single source of truth for the product's security posture.
Export SBOM Deliverables
For SBOM-specific deliverables, use the export options on the SBOM page. These exports follow the CycloneDX specification for machine-readable SBOMs.
CycloneDX JSON
Machine-readable SBOM in the CycloneDX JSON format. Use this for FDA submissions requiring a machine-readable SBOM.
CycloneDX with Vulnerabilities
CycloneDX JSON that includes vulnerability information (VEX). This combines your SBOM with known vulnerability data.
Human Readable Excel
Excel export of SBOM components for human review or inclusion in documentation.
FDA SBOM Requirements
FDA guidance recommends submitting SBOMs in a machine-readable format. The CycloneDX JSON export meets this requirement and follows industry-standard specifications.
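A pre-submission sanity check for the CycloneDX JSON export, as an added example (not Product Security Hub code). It uses only field names from the public CycloneDX specification; the sample BOM, its placeholder CVE ids, and the policy of requiring a version and a purl or cpe on every component are assumptions made here.

```python
import json

# Constructed sample standing in for a "CycloneDX with Vulnerabilities" export.
# Component names, refs and CVE ids are placeholders, not real data.
SAMPLE_EXPORT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "comp-1", "name": "openssl",
         "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "bom-ref": "comp-2", "name": "zlib"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "comp-1"}],
         "analysis": {"state": "not_affected"}},
        {"id": "CVE-0000-0002", "affects": [{"ref": "comp-9"}]},
    ],
})

def check_sbom(text):
    """Return a list of findings; an empty list means every check passed."""
    bom = json.loads(text)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not 'CycloneDX'")
    if not bom.get("specVersion"):
        findings.append("specVersion is missing")
    comps = bom.get("components", [])  # top-level components only
    refs = {c["bom-ref"] for c in comps if c.get("bom-ref")}
    for i, comp in enumerate(comps):
        label = comp.get("name") or f"components[{i}]"
        # Assumed submission policy: name, version and a purl or cpe are required.
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: no purl or cpe identifier")
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        state = (vuln.get("analysis") or {}).get("state")
        if state in (None, "in_triage"):
            findings.append(f"{vid}: not triaged (analysis.state={state})")
        for target in vuln.get("affects", []):
            if target.get("ref") not in refs:
                findings.append(f"{vid}: affects unknown ref {target.get('ref')}")
    return findings

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_EXPORT):
        print(finding)
```

Run it against the exported file's contents before attaching the SBOM; any finding points back to a record to fix in Product Security Hub and re-export.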
Export Architecture Diagrams
Architecture diagrams are exported separately from the Diagrams tab using the built-in draw.io functionality.
Navigate to Diagrams
Open the Diagrams tab for your product to view your architecture diagrams.
Option A: Copy and Paste
Select your diagram content and copy/paste directly into your documentation (Word, PowerPoint, etc.).
Option B: File → Export As
Use the draw.io File → Export As menu to save diagrams in various formats:
Recommended Formats
Use PNG or PDF for inclusion in submission documents. Use SVG if you need scalable vector graphics for presentations.
Using Exports for FDA Submissions
Product Security Hub exports can be used as attachments in your cybersecurity documentation or as standalone deliverables in your FDA submission.
Common Submission Documents:
Cybersecurity Documentation / Report
The main cyber report may include or reference the Excel/JSON exports as attachments, with architecture diagrams embedded in the document.
SBOM Deliverable
CycloneDX JSON export as a standalone machine-readable SBOM file, required by FDA guidance.
Threat Model Documentation
Threats tab from the export showing STRIDE analysis with CVSS scores and mitigations.
Requirements Traceability
Requirements tab showing how your product meets security requirements with industry standard mappings.
Residual Risk Documentation
Risks tab showing documented residual risks with CVSS scores, mitigations, and justifications.
Industry Standard Mappings
Your requirements export includes mappings to industry standards, helping auditors understand how your documentation aligns with recognized frameworks:
MDS2
Manufacturer Disclosure Statement for Medical Device Security
NIST CSF
NIST Cybersecurity Framework
NIST 800-53
Security and Privacy Controls
ISO 80001-2-2
Medical Device Security Capabilities
ISO 27001
Information Security Management
Trust Service Criteria
COSO/SOC 2 Framework
Pre-Export Checklist
Before generating exports for submission, review this checklist to ensure your documentation is complete:
- Product Details: Name, description, and version are accurate
- Architecture Diagram: Reflects current product design with all components and data flows
- Components: All hardware and software components are documented
- Threats: All threats have been assessed with status and CVSS scores
- Requirements: All applicable requirements have "How Will This Be Met" responses
- SBOM: Software components are imported and up to date
- Vulnerabilities: Recent scan completed, all vulnerabilities triaged
- Residual Risks: All risks have CVSS scores and mitigation documentation
Best Practices
Export before major reviews
Generate fresh exports immediately before submission or audit to ensure you have the latest data.
Keep dated copies
Archive exports with dates (e.g., "ProductX_Export_2026-01-16") for traceability and audit trails.
Use Excel for review, JSON for submission
Excel is easier to review with stakeholders; JSON is better for machine-readable requirements like SBOMs.
Review before sharing externally
Always review exports for accuracy and completeness before including them in official submissions.
What's Next?
Make sure your documentation is complete before exporting:
1. Complete Your Threat Model
   Ensure all threats are assessed with CVSS scores and mitigations
2. Document Requirements
   Complete "How Will This Be Met" for all applicable requirements
3. Finalize Residual Risks
   Ensure all residual risks have complete documentation