Cybersecurity Requirements


Summary

Cybersecurity requirements are mandatory rules and standards that organizations must follow to protect sensitive information and systems from cyber threats. These requirements are often set by government agencies or industry regulators and cover everything from data encryption to incident reporting timelines.

  • Document everything: Keep thorough records of your cybersecurity policies, procedures, and assessments to meet regulatory standards and prove compliance during audits.
  • Monitor and report: Set up systems for real-time monitoring and ensure you can respond quickly and report security incidents within required deadlines.
  • Assess vendors: Regularly evaluate third-party vendors for cyber risks to safeguard your data and systems from supply chain vulnerabilities.
Summarized by AI based on LinkedIn member posts
  • AJ Yawn

    GRC Engineering at Rippling | Advisor | Author | Founder of GRC Engineering Club on Patreon | Veteran | LinkedIn Learning Instructor | SANS Instructor | Mental Health Advocate | Anchored Ambition

    51,585 followers

    GSA just changed the game for every federal contractor handling CUI. New mandatory cybersecurity requirements dropped January 5. Not guidance. Requirements. This is not CMMC. This is GSA building its own CUI protection framework, and it goes further than DoD in several areas.

    Translation:
    - NIST 800-171 Revision 3 required (DoD still allows Rev 2)
    - No self-assessment option. Third-party assessment mandatory.
    - One-hour incident reporting. Not 72 hours. One hour.
    - Nine "showstopper" controls including MFA, encryption, and vulnerability monitoring
    - Five-phase compliance lifecycle: Prepare, Document, Assess, Authorize, Monitor

    This is the first major expansion of CUI protections beyond the Department of Defense. If you have a GSA contract and you handle CUI, your compliance posture just changed overnight. The organizations that prepared for CMMC are ahead. Everyone else is scrambling. #GRCEngineering #CMMC

  • Dr. Pallavi Dasgupta

    PhD, Biosensors | Medical Content & Regulatory Specialist | Delivering Strategic Insights in Healthcare Compliance & Communication

    4,661 followers

    📢 Cybersecurity in Medical Devices: A Regulatory Perspective 🔐

    As #medicaldevices become increasingly connected, #cybersecurity is now a key focus for regulatory bodies worldwide. The #EUMDR and #FDA both emphasize cybersecurity requirements to ensure patient safety and data protection. This week’s infographic provides a comprehensive analysis of cybersecurity requirements under both frameworks.

    💠 Pathway for Cybersecurity Compliance per EU MDR
    ⚡ Design Phase: Incorporate cybersecurity into risk management activities and align with General Safety and Performance Requirements (#GSPRs)
    ⚡ Development & Manufacturing: Implement secure-by-design principles, conduct verification/validation, and document residual risks
    ⚡ Conformity Assessment: Engage a Notified Body to review and certify cybersecurity compliance
    ⚡ Pre-Market Submission: Include cybersecurity measures in technical documentation, such as risk files, validation reports, and user instructions
    ⚡ Post-Market Activities: Monitor risks, address vulnerabilities through timely updates, and incorporate cybersecurity findings into post-market surveillance (PMS) and clinical follow-up (PMCF)

    💠 Pathway for Cybersecurity Compliance per FDA
    ⚡ Pre-Market Development: Follow the Security Product Development Framework (SPDF), integrating secure design and risk management
    ⚡ Risk Management: Conduct risk assessments to identify and mitigate vulnerabilities
    ⚡ Documentation: Prepare cybersecurity management plans, testing reports, architecture details, and labeling
    ⚡ Submission: Provide this documentation in 510(k), De Novo, or PMA submissions
    ⚡ Post-Market Monitoring: Evaluate cybersecurity risks from device use, incidents, and vulnerability sources; deploy patches and updates as necessary

    🎇 Additional EU Regulations Supporting Cybersecurity
    ✔️ #GDPR: Protects patient data collected or processed by medical devices.
    ✔️ NIS 2 Directive: Strengthens cybersecurity for critical infrastructure, including healthcare.
    ✔️ EU Cybersecurity Act: Establishes a European certification framework for digital products.
    ✔️ #CyberResilience Act: Focuses on secure-by-design principles for connected devices.

    📌 High-Level Comparison of Cybersecurity Requirements for EU MDR and FDA
    ✳️ Approach:
    🏹 EU MDR: Prioritizes pre-market compliance with rigorous assessments.
    🏹 FDA: Focuses more on post-market monitoring and risk mitigation.
    ✳️ Compliance Requirements:
    🏹 EU MDR: Imposes stringent obligations, emphasizing transparency, detailed documentation, and adherence to best practices.
    🏹 FDA: Ensures device safety with flexibility, allowing manufacturers to determine how to meet cybersecurity requirements.

    📢 Engage with This Post
    👉 Let’s discuss: How is your organization navigating cybersecurity challenges in medical devices?
    👉 Share your strategies for compliance or ask questions in the comments!

  • Brian Burnett

    Chief Security Office | Director | Head of Network Security Product and Delivery

    3,467 followers

    A cybersecurity program should be well rounded and needs strong components, one of which is a Third-Party Vendor Cyber Risk Assessment program. I believe there will be regulatory push for this moving forward, so adopting this practice is beneficial sooner rather than later.

    Organizations within critical infrastructure—such as energy, healthcare, finance, and transportation—are increasingly vulnerable to cyber threats due to the interconnected nature of modern supply chains. Third-party vendors often have direct access to sensitive data and critical systems, making them a significant cybersecurity risk. A single breach through a compromised vendor can lead to operational disruptions, data theft, regulatory penalties, and even national security threats.

    To mitigate these risks, organizations must implement rigorous third-party vendor cyber risk assessments as part of their cybersecurity strategy. These assessments help ensure compliance with regulatory frameworks (such as NIST, ISO 27001, CIS and CISA guidelines), protect sensitive data, and strengthen operational resilience against supply chain attacks.

    Key components of a robust vendor risk assessment include:
    - Vendor Risk Profiling: Identifying vendors with access to critical systems.
    - Security Policy & Compliance Review: Ensuring adherence to cybersecurity standards.
    - Access Controls & Data Protection: Enforcing least privilege access and encryption.
    - Incident Response & Recovery Readiness: Evaluating vendors’ breach response capabilities.
    - Continuous Monitoring & Penetration Testing: Regularly assessing vulnerabilities and security posture.
    - Contractual Security Requirements: Embedding cybersecurity obligations in vendor agreements.

    To strengthen third-party risk management, organizations should adopt a risk-based approach, enforce Zero Trust principles, require real-time security monitoring, and conduct regular cybersecurity exercises.

    Cyber threats are escalating, and organizations can no longer afford to overlook vendor risks. A proactive cybersecurity strategy that includes thorough third-party risk assessments is essential for safeguarding critical infrastructure, ensuring regulatory compliance, and maintaining national security.

  • J. David Giese

    Rapid, fixed-price FDA software and cyber docs for 510(k)s

    6,983 followers

    Cybersecurity testing is crucial for demonstrating that the controls you've implemented are effective in a real-world security context. 🔬 FDA expects to see a comprehensive and well-documented cybersecurity testing program in premarket submissions.

    A common FDA objection in this area is: "you did not provide adequate cybersecurity testing which is important to comply with the requirements specified in section 524B(b)(2) of the FD&C Act to provide a reasonable assurance that the device and related systems are cybersecure." This highlights the need to go beyond standard software testing and include specific cybersecurity testing activities.

    The FDA guidance, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," provides helpful recommendations on cybersecurity testing (page 26). This includes testing activities such as requirement verification, threat mitigation, and vulnerability testing (including fuzz testing, vulnerability scanning, and penetration testing).

    Remember to provide detailed test reports that clearly demonstrate the effectiveness of your controls in mitigating identified threats. 📑 This helps build confidence in the safety and security of your device.

  • Ed Malinowski

    High EQ TechExec | Profitable Growth | High-Performing Teams | Execution | Cyber | AI

    5,328 followers

    Given the enormous breaches in 2024, HHS is stepping up their game, shifting many best practices to requirements. Here are 22 takeaways.
    1. Make all specifications mandatory, with limited exceptions.
    2. Require written policies, procedures, plans, and analyses for Security Rule compliance.
    3. Modernize definitions and specifications to align with current technology and terminology.
    4. Compliance Timelines: Introduce specific deadlines for meeting requirements.
    5. Maintain a technology asset inventory and network map of ePHI movement, updated annually or with environmental changes.
    6. Require detailed, written assessments including inventory reviews, threat identification, and risk level evaluation.
    7. Notify entities within 24 hours of changes to ePHI access.
    8. Written restoration procedures for critical systems within 72 hours.
    9. Analysis of system criticality for restoration prioritization.
    10. Incident response plans, reporting protocols, and regular testing.
    11. Conduct annual audits to ensure Security Rule compliance.
    12. Business Associate Verification - Annual verification of technical safeguards by a subject matter expert with written certification.
    13. Mandate encryption of ePHI at rest and in transit, with exceptions.
    14. Anti-malware, software minimization, and port disabling based on risk analysis.
    15. Multi-factor authentication required.
    16. Perform vulnerability scans every six months and penetration tests annually.
    17. Enforce segmentation to isolate sensitive systems.
    18. Require dedicated technical controls for backup and recovery.
    20. Test and review security measures annually.
    21. Notify covered entities of contingency plan activations within 24 hours.
    22. Require plan sponsors to comply with safeguards, ensure agents follow requirements, and notify plans within 24 hours of contingency plan activation.
    Public comments due in 60 days.

  • Nur Imroatun Sholihat

    Learning IT and auditing? Let’s do it together

    8,393 followers

    Out now: Cybersecurity Topical Requirement (CTR)

    What do internal auditors need to do? The IIA has released the Cybersecurity Topical Requirement (CTR), setting a mandatory baseline for cybersecurity audits.

    What it covers:
    1. Governance: cybersecurity strategy, policies, roles, and stakeholder engagement.
    2. Risk management: identifying threats, managing risks, incident response, and communication.
    3. Controls: network security, asset management, encryption, access controls, and monitoring.

    What internal auditors should do:
    1. Align with existing frameworks: map CTR to NIST, COBIT, ISO 27001 to avoid duplication.
    2. Integrate cyber into audit planning: ensure cybersecurity risks are part of annual assessments.
    3. Build cybersecurity expertise: get trained or involve external specialists.
    4. Engage leadership: communicate cyber risks and audit findings to management and the board.
    5. Leverage technology: use automation and analytics to enhance cybersecurity audits.

    📅 Effective Date: February 2026 (Link to the publication: in the comments)

    Will you implement this requirement? #ITaudit #internalaudit #digitaltransformation

  • Christopher Donaldson

    Executive Security Advisor (vCISO) | Practical Security Strategy

    12,385 followers

    The draft of the new HIPAA cybersecurity rules dropped today, and it includes some major changes. 11 big takeaways in the proposal:
    1) Enhanced Risk Management:
    1.a) Formalizes and expands the risk analysis process to include evolving threats like ransomware and supply chain vulnerabilities.
    1.b) Mandates comprehensive documentation of risk management activities, ensuring organizations take a more proactive and structured approach.
    2) MFA required for all remote access systems containing ePHI.
    3) Mandates regular technical vulnerability assessments, such as penetration testing, to identify and mitigate security gaps.
    4) Requires encryption of ePHI at rest and in transit, adhering to NIST-recommended standards.
    5) Requires a formalized incident response plan with clear steps for detecting, containing, mitigating, and reporting incidents involving ePHI.
    6) Formalizes supply chain risk management by requiring risk assessments for third-party vendors and integrating cybersecurity requirements into contracts and vendor oversight.
    7) Mandates tailored cybersecurity training for specialized roles, such as incident response teams or system administrators.
    8) Requires designated cybersecurity governance structures, ensuring accountability for cybersecurity policies and strategies.
    9) Requires continuous monitoring tools and enhanced logging capabilities to detect and respond to anomalous activity.
    10) Expands disaster recovery planning to specifically address cybersecurity considerations, including ransomware scenarios.
    11) Updates and clarifies definitions to align with modern threats and technology, ensuring clearer compliance expectations and expanding scope to fit modern threat landscapes.
    #HealthcareCompliance #cybersecurity #riskmanagement #healthtech Link to proposed changes in comments 👇

  • Jose Bohorquez

    MedTech | Cybersecurity | Software

    9,796 followers

    Cybersecurity is critical for medical devices. That’s why FDA raised the bar considerably in 2023. Here’s what you need to know about the new rules.

    1. New Cybersecurity Law and Guidance
    The FDA now requires medical device manufacturers to provide "reasonable assurance" of cybersecurity. This is rooted in Section 524B to the Food, Drug, and Cosmetics Act, which was amended in December 2022. Now, the FDA will evaluate devices not just for safety and efficacy but also for security.

    2. Broad Scope of “Cyber Devices”
    The FDA's cybersecurity guidance from September 2023 is wide-ranging. People assume that it only applies to cloud-connected devices, but that’s not the case. The scope covers devices with software functions, including firmware and even programmable logic. Simply stated: If your device has software, it must meet FDA’s cyber requirements.

    3. eSTAR System for Submissions
    The FDA has launched the eSTAR system for 510k applications. This system replaces paper-based submissions. When submitting, if your device uses software, you must upload about a dozen cybersecurity-related documents. These attachments are crucial for your application.

    4. Refuse to Accept Policy
    The FDA has a new refuse-to-accept policy focused on cybersecurity. Before they review your 510k application or PMA, they will check for proper cybersecurity documentation. If it’s not there, they won’t review anything else.

    Cybersecurity is not optional. It is now a key part of getting your medical device approved. Make sure you are prepared.

    PS. This is a clip from a more extended webinar where we cover a range of cybersecurity topics. Let me know in the comments (or DM me) if you want a link to the whole webinar or the slides. ♻️ And please repost if you think this is helpful!

  • Sarah Scudder - ITAM Nerd

    VP, Marketing @ Oomnitza | Modern IT Asset Management (ITAM); achieve 98%+ asset data accuracy.

    30,003 followers

    Cybersecurity is complex enough for CISOs. Now NYDFS 500.13 is adding another wrinkle. By November 1, 2025, financial institutions must comply with NYDFS Section 500.13 on technology asset management and data retention. As a security leader, you’re already balancing protecting sensitive data while keeping systems operational.

    Here’s what NYDFS 500.13 means:
    🛡 Your cybersecurity policies must include physical and digital asset inventory, device management, end-of-life (EOL) management, and vulnerability management.
    🗑 Technology asset tracking is now a mandate, requiring key details such as owner, location, sensitivity, EOL date, and recovery time objectives (RTO). Regular updates to asset inventories are also non-negotiable.
    🔄 Non-public information must be securely disposed of when physical assets reach EOL, with established policies to prove compliance.

    CISOs are no strangers to evolving regulatory landscapes. But there’s a main challenge to this new regulation: disjointed systems, unreliable data, and manual processes make compliance a moving target.

    That’s where modern ITAM steps in, helping CISOs:
    ✔ Automate inventory tracking, from owner and location to EOL data.
    ✔ Integrate vulnerability management workflows to align with your policies.
    ✔ Aggregate, normalize, and enrich data across systems for a single source of truth.
    ✔ Ensure audit readiness by keeping policies and data aligned with regulatory requirements.

    Think bigger than compliance: These changes will transform your security from reactive to resilient.

  • Jose Caraballo Oramas

    VP Global Quality | Biotech & Advanced Therapies | Board Member | Advisor | Inspection Readiness, Quality Systems & Digital Transformation | Building Systems That Enable Growth, Trust, and Performance Under Scrutiny |

    18,067 followers

    🔐 New FDA Rules: Is Your QMS Cyber-Ready?

    On June 27, 2025, the FDA finalized its guidance on Cybersecurity in Medical Devices, making clear that cyber risks are now central to device safety and regulatory compliance. This is no longer just a technical consideration. It’s a quality requirement.

    🚨 From outdated SBOMs to incomplete threat models, cybersecurity gaps are now inspection risks. Here’s what every quality team needs to know:

    1️⃣ Cybersecurity = Safety
    Cyber controls are now integral to QSR and harmonizing with ISO 13485 by 2026.

    2️⃣ SPDFs Are Now Expected
    FDA wants Secure Product Development Frameworks across the entire product lifecycle—not afterthought controls.

    3️⃣ Section 524B Requirements
    If your device is connected, you must submit:
    • A Cybersecurity Plan
    • An SBOM
    • Postmarket maintenance procedures

    4️⃣ Full SBOM Disclosure Is Mandatory
    Include all software elements, open source, proprietary, third-party and describe their security posture.

    5️⃣ Separate Risk Assessments Required
    Cyber risk ≠ safety risk. You now need both; using threat modeling and exploitability analysis, not just ISO 14971.

    6️⃣ Design Controls Must Address Resilience
    Built-in authentication, patching, logging, encryption; these are now design expectations.

    7️⃣ Labeling and Transparency Are Enforcement Priorities
    Omitting security disclosures or updates? That could result in misbranding or 483 observations.

    📊 Bottom line: Quality systems must now embed cybersecurity from design to postmarket.

    👉 Is your QMS ready for this shift? Link 🔗 https://lnkd.in/g9zciNBg

    ♻️ Repost to inform others
    📬 Want leadership insights without the noise? Subscribe to The Beacon Brief—delivered monthly, always free. Link: https://lnkd.in/gNXeXDzH

    #MedTech #QualityManagement #FDA #Cybersecurity #QMS #RegulatoryCompliance #MedicalDevices #ISO13485 #SBOM #DesignControls #RiskManagement
