
Total Product Lifecycle: The Framing That Fixes Most Submissions

January 22, 2026

Cybersecurity isn't a phase. It's the design.

Most of the deficiency letters I see start with the same gap: a security program built for the submission, not the device.

The FDA's framing is Total Product Lifecycle (TPLC) for a reason. A medical device is in the field for years. Threats evolve. Third-party components age out. Operating systems go end-of-life. Vulnerabilities get disclosed.

If your cybersecurity work ended the day you filed, your device is already drifting.

TPLC means the same engineering discipline runs from concept to decommissioning:

Design. Threat modeling, security requirements, architecture views — all derived from the intended use and the clinical risk, not bolted on once the design is frozen.

Development. Secure coding, third-party component analysis, SBOM generation as a build artifact (not a deliverable you scramble to produce later).

Verification. Penetration testing, vulnerability scanning, and fuzz testing scoped to the threat model — not a checkbox at the end.

Premarket submission. The story of all of the above, told with the evidence to back it.

Postmarket. Coordinated vulnerability disclosure, monitoring, patching, SBOM updates, communication with users. The boring, expensive, durable part.

End of support. A plan for what happens when the device is still in clinical use after the company has moved on. Most manufacturers haven't thought about this. Reviewers are starting to.
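The development and postmarket items above both turn on one artifact: an SBOM emitted by the build, then compared against the field over the years that follow. The following is an added example, not code from the original post or from Blue Goat Cyber. It emits a minimal CycloneDX-style SBOM dict at build time, checks each component's release line against an end-of-support table, and diffs the SBOM that was filed against the one shipping now. The component names, versions, product name and end-of-support dates are constructed for illustration and are not authoritative; the SBOM shape uses CycloneDX JSON field names but is a small subset, not a validated document.

```python
"""SBOM as a build artifact, plus the postmarket drift check that depends on it.

Added example; not from the original post or Blue Goat Cyber. Component
names, versions and end-of-support dates are constructed for illustration.
The dict follows CycloneDX JSON field names (bomFormat, specVersion,
metadata, components, purl) but is a minimal subset, not a full document.
"""
import json
from datetime import date

# Constructed: what the build pipeline records for one firmware image.
BUILD_COMPONENTS = [
    {"name": "openssl", "version": "1.1.1w", "purl": "pkg:generic/openssl@1.1.1w"},
    {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    {"name": "yocto-linux", "version": "4.0", "purl": "pkg:generic/yocto-linux@4.0"},
]

# Constructed end-of-support table keyed by component and release line.
# A real program feeds this from vendor notices and its CVD intake; the
# dates here are illustrative, not vendor statements.
END_OF_SUPPORT = {
    "openssl": {"1.1": date(2023, 9, 11)},
    "yocto-linux": {"4.0": date(2026, 3, 31)},
}


def build_sbom(product, version, components, build_date):
    """Emit a minimal CycloneDX-style SBOM at build time, as a build artifact."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": build_date.isoformat(),
            "component": {"type": "device", "name": product, "version": version},
        },
        "components": [{"type": "library", **c} for c in components],
    }


def release_line(version):
    """'1.1.1w' -> '1.1', '4.0' -> '4.0': the granularity vendors publish EOS at."""
    return ".".join(version.split(".")[:2])


def check_drift(sbom, eos_table, today, warn_days=90):
    """Return components whose release line is past, or within warn_days of, end of support."""
    findings = []
    for comp in sbom["components"]:
        eos = eos_table.get(comp["name"], {}).get(release_line(comp["version"]))
        if eos is None:
            continue  # no published EOS for this line; nothing to flag yet
        days_left = (eos - today).days
        if days_left < 0:
            status = "end-of-support"
        elif days_left <= warn_days:
            status = "end-of-support-soon"
        else:
            continue
        findings.append({"name": comp["name"], "version": comp["version"],
                         "eos": eos.isoformat(), "status": status})
    return findings


def diff_sboms(filed, current):
    """Compare the SBOM filed with the submission against the one shipping now."""
    old = {c["name"]: c["version"] for c in filed["components"]}
    new = {c["name"]: c["version"] for c in current["components"]}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


if __name__ == "__main__":
    # Hypothetical product name; the build date is the premarket baseline.
    filed = build_sbom("InfusionPump-X", "2.3.0", BUILD_COMPONENTS, date(2024, 1, 15))
    print(json.dumps(filed, indent=2))
    # Postmarket: the same artifact, re-checked on a later date.
    for f in check_drift(filed, END_OF_SUPPORT, date(2026, 1, 22)):
        print(f"{f['status']}: {f['name']} {f['version']} (EOS {f['eos']})")
```

The point of keying the check on the SBOM rather than on a spreadsheet is that the same function runs in CI against the build output and again, unchanged, against the filed copy during postmarket monitoring; the diff is what goes into the next SBOM update to users.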

The teams that operate this way file fewer times, get cleaner clearances, and have fewer postmarket fires. Not because they're spending more. Because they're spending in the right order.

The lifecycle isn't a documentation exercise. It's the design philosophy that makes everything else possible.

About the author

Christian Espinosa · Founder & CEO, Blue Goat Cyber

Christian is the founder and CEO of Blue Goat Cyber, a medical device cybersecurity firm. He's an Air Force Academy graduate, 24x Ironman, climber of two of the Seven Summits, and the author of The Smartest Person in the Room and The In-Between.