Name: Product Security Hub
Brand: Product Security Hub
Price: Contact for pricing USD
Availability: OnlineOnly
Rating: 5 (1 reviews)

Why Product Security Readiness Matters

The FDA's Premarket Cybersecurity Guidance requires manufacturers to demonstrate that cybersecurity has been addressed throughout the product lifecycle. Reviewers expect to see threat models, risk assessments, SBOMs, and plans for managing vulnerabilities post-market. Having these elements documented and traceable isn't just about compliance—it's about demonstrating that security is built into your product, not bolted on.

Architecture & Threat Modeling

Document your product's architecture and systematically identify potential security threats.

Architecture diagram created

Visual representation of all components, data flows, external interfaces, and trust boundaries

Components documented

Each component has a defined type (mobile app, cloud service, embedded firmware, etc.) and security-relevant attributes

Threat model completed

Threats identified for each component using a systematic methodology (e.g., STRIDE categories)

Threats scored and prioritized

Each threat has a CVSS score (or equivalent) with documented justification for the scoring

Threats traced to weaknesses

Threats are linked to CWEs or other weakness identifiers where applicable

In Product Security Hub: Use the Architecture view to create diagrams, the Components tab to define component types, and the Threats tab to apply threats from the built-in catalog.

Security Requirements

Define what security controls your product must implement and document how they're addressed.

Security requirements defined

Product-level security requirements identified based on threats, regulations, and customer expectations

Requirements mapped to standards

Requirements traced to industry frameworks: MDS2, NIST CSF, NIST 800-53, ISO 27001, ISO 80001-2-2, SOC 2

Implementation documented

"How Will This Be Met" documented for each applicable requirement, describing specific controls or design decisions

Requirements linked to threats

Traceability established between requirements and the threats they mitigate

Not-applicable requirements justified

Requirements marked N/A include documented rationale for why they don't apply to this product

In Product Security Hub: The Requirements tab auto-generates requirements based on your components. Use AI Generate to draft "How Will This Be Met" descriptions.

Risk Assessment

Evaluate and document residual cybersecurity risks after security controls are applied.

Residual risks identified

Risks that remain after security controls are implemented have been documented

Residual risks scored

Each residual risk has a post-mitigation CVSS score reflecting the reduced likelihood or impact

Mitigations documented

Each residual risk includes clear documentation of what mitigating controls are in place

Scoring justifications provided

CVSS scoring decisions are justified with product-specific rationale (not generic descriptions)

Risk acceptance documented

Formal acknowledgment of accepted risks with appropriate stakeholder sign-off

In Product Security Hub: The Risks tab provides CVSS scoring with AI-assisted justification generation. Use "PM Scoring" for your product-specific assessment.

Software Bill of Materials (SBOM)

Maintain a complete inventory of software components with the details required by FDA.

SBOM created

Complete software bill of materials generated for all software components in the product

Third-party components included

All third-party libraries, SDKs, and open-source dependencies are listed with versions

Component identifiers present

Components have CPE, PURL, or SWID identifiers where available for vulnerability matching

Support status documented

End-of-support dates tracked for components; no end-of-life software without documented justification

Machine-readable format available

SBOM exportable in CycloneDX JSON format for FDA submission and automated processing

In Product Security Hub: Import CycloneDX SBOMs via the SBOMs tab, or create components manually. Export in CycloneDX JSON or human-readable Excel.

Vulnerability Management

Scan for known vulnerabilities and document your assessment and response for each.

Vulnerability scan completed

SBOM components scanned against vulnerability databases (NVD, OSV, GitHub Advisories)

KEV check performed

Vulnerabilities checked against CISA's Known Exploited Vulnerabilities catalog

All vulnerabilities triaged

Each vulnerability has a documented disposition: remediate, mitigate, accept, or not affected

Exploitability assessed

VEX-style analysis documented: is the vulnerable code reachable? Is the vulnerability exploitable in your context?

Patch information documented

For vulnerabilities being remediated, target versions and patch timelines are recorded

Critical/High vulnerabilities addressed

No unmitigated Critical or High severity vulnerabilities without documented justification and risk acceptance

In Product Security Hub: The Vulnerabilities tab shows scan results with severity filtering. Use KEV Check to flag actively exploited CVEs. Document analysis in Vulnerability Details.

Documentation for Submission

Prepare the evidence package for FDA premarket submissions and customer security reviews.

Threat model report exportable

Complete threat model with architecture, threats, and risk scores ready for export

Requirements traceability complete

Matrix showing requirements → threats → controls → test evidence (where applicable)

SBOM in required format

Machine-readable SBOM (CycloneDX JSON) and human-readable version available

Architecture diagrams exportable

System architecture and data flow diagrams available in standard formats (PNG, PDF, SVG)

Vulnerability assessment documented

List of known vulnerabilities with triage decisions and justifications

Residual risk summary available

Summary of accepted residual risks with severity scores and mitigations

In Product Security Hub: Export from My Product Dashboard (Excel/JSON with 7 tabs) or use SBOM-specific exports. Architecture diagrams export via draw.io.

Post-Market Planning

Establish processes for ongoing security monitoring and incident response after launch.

Vulnerability monitoring process defined

Plan for ongoing monitoring of SBOM components for newly disclosed vulnerabilities

Coordinated vulnerability disclosure process

Process established for receiving, triaging, and responding to externally reported vulnerabilities

Patch management process defined

Process for developing, testing, and deploying security patches with defined timelines

Customer communication plan

Plan for notifying customers about security updates, patches, and vulnerabilities

SBOM update process defined

Plan for updating SBOM with each product release and communicating changes to customers

Product lifecycle security maintained

Commitment to provide security support for documented product lifetime

In Product Security Hub: Use product versioning to maintain separate security documentation for each release. Nightly KEV checks help identify newly exploited vulnerabilities.

Quick Reference: FDA Cybersecurity Submission Elements

Based on the FDA's Premarket Cybersecurity Guidance, your submission should demonstrate:

Security risk management process

Threat modeling methodology

Cybersecurity risk assessment

Security controls and mitigations

Software bill of materials (SBOM)

Vulnerability analysis and management

Post-market cybersecurity plan

Interoperability and update mechanisms

Related Guides

Preparing for Audits & Submissions

Export reports and evidence packages

End-to-End Workflow

Complete workflow from architecture to compliance

Import Your First SBOM

Get started with SBOM management

Manage Vulnerabilities

Triage and document vulnerability assessments

Product Security Readiness Checklist

This Checklist Covers