X-DLM™ integration: Siemens Polarion and Black Duck

The FDA's June 2025 guidance added seven new cybersecurity evidence requirements to every cyber device submission.

Continuous evidence. No pre-submission assembly sprint. Submission-ready before the window opens.

Regulatory affairs teams at medical device companies carry the most consequential documentation burden in the organization — and receive the least engineering support to produce it. FDA Section 524B cybersecurity evidence, IEC 62304 SOUP records, EU MDR Technical File content, ISO 14971 risk management documentation, and Design History File traceability are assembled manually, under pressure, in the weeks before each submission. X-DLM™ makes compliance evidence a byproduct of the development workflow — not a pre-submission emergency.
Lead in cybersecurity with Siemens and Black Duck

Evidence assembled under submission pressure is the leading cause of Technical Screening holds and MDR findings.

15% of 510(k) submissions receive a Technical Screening hold — with missing or non-compliant cybersecurity documentation among the top causes. Source: FDA submission data 2025.

7 new cybersecurity evidence requirements added by the FDA's June 27, 2025 final guidance — including updated SBOM content, eSTAR template requirements, and post-market monitoring expectations.

60–80% reduction in submission preparation time when evidence is generated continuously rather than assembled manually. Source: X-DLM™ benchmarks.

1 system of record. Polarion links requirements, SOUP, architecture, test cases, test results, vulnerability decisions, and release evidence in one traceable Design History File thread.

The FDA reviewer does not evaluate your process. They evaluate the evidence package.

  • 01 FDA 524B cybersecurity documentation — continuously maintained

    X-DLM™ produces the FDA's required cybersecurity evidence package as a byproduct of engineering and security operations: SBOM in SPDX/CycloneDX, postmarket vulnerability management plan, threat model evidence, secure development process records, and SBOM update history — all in Polarion.

  • 02 IEC 62304 SOUP management — documented, not reconstructed

    Every SOUP component identified by Black Duck is routed into a Polarion work item with IEC 62304 Class B/C classification, risk assessment, change control record, and approval chain. The SOUP management record is a byproduct of the workflow — not assembled before the notified body visit.

  • 03 EU MDR Technical File — traceable, not reconstructed

    Polarion links clinical evidence, risk management (ISO 14971), design inputs, design outputs, verification and validation, labeling, and post-market surveillance records — the EU MDR Technical File structure, built continuously throughout the product lifecycle.

  • 04 Design History File — maintained, not assembled

    Polarion's controlled document environment maintains the Design History File throughout development. Requirements, architecture decisions, SOUP assessments, test protocols, test results, design reviews, and approval signatures — all traceable, all version-controlled, all exportable for FDA submission.

See how Siemens Polarion and Black Duck become one governed software risk workflow.

X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, escalation paths, and continuously maintained evidence.

Brand authority buyers recognize

Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.

Siemens Polarion ALM

Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.

ALM · Requirements · Test · Workflow · LiveDocs evidence

Black Duck Software Composition Analysis

Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.

317,000+ vulns · 63,000+ exclusive advisories · 3,000+ licenses

Medical device companies answer to more than one framework — simultaneously.

FDA Section 524B is the floor, not the ceiling. IEC 62304, EU MDR, ISO 14971, HIPAA, and NIST SSDF run in parallel — each with its own evidence requirements, its own submission deadline, and its own consequence for missing components.

Stop assembling the submission package.

Start maintaining it.

See how X-DLM™ integrates Siemens Polarion and Black Duck to produce continuous FDA 524B cybersecurity evidence, IEC 62304 SOUP documentation, EU MDR Technical File traceability, and Design History File records — without a pre-submission assembly sprint.