Six frameworks. One evidence system.
Medical device companies do not get to choose which regulations apply to their software.
Submission Rejection
A missing SBOM doesn't delay your 510(k). It stops it.
FDA Technical Screening holds from missing or non-compliant cybersecurity documentation reset your review clock entirely — adding 90+ days minimum to your clearance timeline and deferring your market access window.
Market Disqualification
35% of hospital procurement teams won't consider a device without an SBOM.
SBOM absence now accounts for 34% of hospital device rejection decisions. For manufacturers without SBOM capability, that is an effective disqualifier in more than a third of the procurement market. Source: RunSafe 2026.
56% of hospital procurement teams have rejected a device on cybersecurity grounds, up from 46% last year. Source: RunSafe Medical Device Cybersecurity Index 2026.
Known vulnerabilities in Black Duck's KnowledgeBase — with 63,000+ exclusive BDSA advisories not found in NVD.
Of medical device manufacturers struggle to produce compliant SBOMs due to complex third-party and open-source software dependencies.
Of 510(k) submissions receive a Technical Screening hold. Cybersecurity documentation gaps are among the top causes.
BDSA advisories ahead of NVD — critical lead time for SOUP component vulnerability response in IEC 62304 Class B/C software.
Medical device software answers to six frameworks — simultaneously.
| Regulation | Who it affects | Timing | What you must answer | How X-DLM™ helps |
|---|---|---|---|---|
| FDA Section 524B | Medical device manufacturers submitting premarket applications (510(k), PMA, De Novo) for 'cyber devices' — any device that can connect to the internet, contains software, or is vulnerable to cybersecurity threats. | In force since March 29, 2023. FDA actively issuing Technical Screening holds and Refuse to Accept determinations. June 2025 guidance added updated SBOM and eSTAR requirements. | Machine-readable SBOM (SPDX or CycloneDX, NTIA minimum elements), postmarket vulnerability management plan, threat model, secure product development evidence, coordinated vulnerability disclosure policy, SBOM update procedure. | Black Duck generates SPDX/CycloneDX SBOMs aligned to NTIA requirements. X-DLM™ version-controls SBOMs in Polarion and links them to vulnerability decisions, build records, and release evidence. Postmarket surveillance evidence built continuously. |
| IEC 62304 | Medical device software teams globally — Class A, B, and C software. Required for FDA 21 CFR 820 / QMSR and EU MDR/IVDR submissions. | Ongoing — required for every new device and major software modification. FDA QMSR transition mandatory as of February 2026. | SOUP identification and management, software development lifecycle documentation, requirements traceability, unit and integration test records, software hazard analysis, change control, configuration management, Design History File. | Polarion links requirements through architecture, code, static analysis, test cases, test results, SOUP records, and release documentation. Black Duck identifies every SOUP component. X-DLM™ routes SOUP change control through governed Polarion workflows. |
| EU MDR (EU 2017/745) | Medical device manufacturers placing devices on the EU/EEA market — including software as a medical device (SaMD). Note: EU CRA does NOT apply to medical devices; EU MDR governs. | Ongoing — full enforcement across device classes. Notified body capacity constraints making early Technical File preparation critical. | Technical File with clinical evidence, risk management file (ISO 14971), design and manufacturing documentation, post-market surveillance plan, labeling, Declaration of Conformity, Unique Device Identification (UDI). | Polarion maintains the Technical File structure throughout the product lifecycle — requirements, risk management links, design documentation, verification and validation records, and post-market surveillance evidence. All traceable, version-controlled, and exportable. |
| ISO 14971 | All medical device manufacturers — required for both FDA 21 CFR 820 and EU MDR conformity. | Ongoing — integrated into product development lifecycle from concept through post-market. | Hazard identification, risk estimation, risk evaluation, risk control, residual risk assessment, benefit-risk analysis, risk management report, post-production information tracking. | Polarion links software hazard analysis, risk control measures, verification activities, and post-market surveillance signals. Black Duck vulnerability findings are linked to ISO 14971 risk records for cybersecurity risk management documentation. |
| HIPAA Security Rule | Medical device software that processes, stores, or transmits electronic Protected Health Information (ePHI) — including connected diagnostic, monitoring, and therapeutic devices. | Ongoing — HHS OCR actively enforcing. Per-violation penalties up to $1.9M/year. | Administrative, physical, and technical safeguards for ePHI. Access controls, audit controls, integrity controls, transmission security, risk analysis, workforce training, security incident procedures. | Black Duck identifies vulnerable components in ePHI-handling software. X-DLM™ routes security findings through Polarion with HIPAA safeguard mapping, remediation ownership, and audit-ready response records. |
| NIST SP 800-218 (SSDF) | Medical device manufacturers selling to US federal healthcare buyers (VA, DoD health systems, CMS systems) or seeking FedRAMP authorization for connected device cloud components. | Active federal procurement requirement. Referenced in FDA guidance as a recommended Secure Product Development Framework (SPDF) for Section 524B conformity. | Secure development practices, vulnerability management, SBOM provision, provenance tracking, third-party component control, evidence of process maturity. | Black Duck generates SPDX/CycloneDX SBOMs and supplies component intelligence. Polarion maintains SSDF lifecycle evidence. X-DLM™ synchronizes both for FDA SPDF evidence and federal procurement requirements. |
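The FDA 524B row above requires a machine-readable SBOM carrying the NTIA minimum elements (supplier name, component name, component version, other unique identifiers, dependency relationship, author of SBOM data, and timestamp). A Technical Screening hold for a non-compliant SBOM is avoidable with a pre-submission check. The script below is an added example, not X-DLM™ or Black Duck code, and runs over a CycloneDX JSON document; the sample SBOM embedded in it is constructed for illustration, with one component deliberately missing several elements so the gaps a reviewer would flag are visible.

```python
"""Check a CycloneDX (JSON) SBOM for the NTIA minimum elements.

Added example (not X-DLM or Black Duck code). Covers the seven NTIA
minimum elements: supplier name, component name, component version,
other unique identifiers, dependency relationship, author of SBOM data,
and timestamp. The sample SBOM below is constructed for illustration.
"""
import copy
import json

# Constructed sample SBOM: "zlib" is complete; "legacy-crypto" lacks a
# supplier name, a version, a unique identifier, and a dependency edge.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-01-15T10:00:00Z",
        "authors": [{"name": "Device Software Team"}],
        "component": {
            "type": "application",
            "name": "infusion-pump-fw",
            "version": "4.2.0",
            "bom-ref": "pkg:generic/infusion-pump-fw@4.2.0",
        },
    },
    "components": [
        {
            "type": "library",
            "name": "zlib",
            "version": "1.3.1",
            "bom-ref": "pkg:generic/zlib@1.3.1",
            "purl": "pkg:generic/zlib@1.3.1",
            "supplier": {"name": "zlib contributors"},
        },
        {
            "type": "library",
            "name": "legacy-crypto",
            "bom-ref": "legacy-crypto",
            "supplier": {"name": ""},
        },
    ],
    "dependencies": [
        {
            "ref": "pkg:generic/infusion-pump-fw@4.2.0",
            "dependsOn": ["pkg:generic/zlib@1.3.1"],
        },
    ],
}


def _refs_in_dependency_graph(sbom):
    """Collect every bom-ref that appears in the dependency graph."""
    refs = set()
    for dep in sbom.get("dependencies", []):
        refs.add(dep.get("ref"))
        refs.update(dep.get("dependsOn", []))
    return refs


def check_ntia_minimum_elements(sbom):
    """Return a list of findings; an empty list means every element is present."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing")
    # CycloneDX records the SBOM author under metadata.authors (or metadata.tools).
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata.authors (author of SBOM data) missing")
    graph = _refs_in_dependency_graph(sbom)
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: component name missing")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: supplier name missing")
        if not comp.get("version"):
            findings.append(f"{label}: version missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in graph:
            findings.append(f"{label}: not present in dependency graph")
    return findings


def is_ntia_compliant(sbom):
    return not check_ntia_minimum_elements(sbom)


def check_sbom_file(path):
    """Load a CycloneDX JSON file from disk and return its findings."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_ntia_minimum_elements(json.load(fh))


def remediated_sample():
    """The constructed sample with the gaps filled in, for comparison."""
    fixed = copy.deepcopy(SAMPLE_SBOM)
    comp = fixed["components"][1]
    comp.update({"version": "0.9.8", "purl": "pkg:generic/legacy-crypto@0.9.8",
                 "supplier": {"name": "Example Vendor (constructed)"}})
    fixed["dependencies"][0]["dependsOn"].append("legacy-crypto")
    return fixed


if __name__ == "__main__":
    for finding in check_ntia_minimum_elements(SAMPLE_SBOM):
        print("FINDING:", finding)
    print("remediated sample compliant:", is_ntia_compliant(remediated_sample()))
```

Run it against an exported CycloneDX file with `check_sbom_file("sbom.cdx.json")`; the presence checks are intentionally strict (an empty supplier name counts as missing), since a reviewer reading the SBOM will treat an empty field the same way.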
From Black Duck SOUP detection to FDA submission-ready evidence.
- 01 Detect: Black Duck scans source, binaries, containers, and firmware — identifying every SOUP component, vulnerability, license conflict, malware signal, and AI-generated code snippet with provenance risk.
- 02 Route: X-DLM™ synchronizes findings into Polarion as governed work items — with IEC 62304 Class mapping, assigned owners, risk assessment links, escalation timelines, and approval chains.
- 03 Trace: Findings are linked to requirements, architecture, code, test cases, test results, SOUP records, ISO 14971 risk controls, and release evidence — the IEC 62304 and FDA Design History File chain.
- 04 Submit: LiveDocs and Polarion workflow history produce the FDA 524B cybersecurity evidence package, EU MDR Technical File sections, and IEC 62304 SOUP records on demand — for submission, notified body review, or hospital procurement RFP.
One evidence system for every framework.
Book a walkthrough of how X-DLM™ operationalizes FDA 524B, IEC 62304, EU MDR, ISO 14971, HIPAA, and NIST SSDF evidence in medical device software development — on Siemens Polarion and Black Duck.