The U.S. Food and Drug Administration (FDA) issued guidance on December 28, 2016, regarding cybersecurity vulnerabilities for the use of any marketed and distributed medical device as well as devices that are already on the market or in use. Recognizing that premarket controls alone are insufficient to mitigate cybersecurity risks, the FDA issued this document to provide recommendations to manufacturers to monitor, identify, and address cybersecurity issues as part of their postmarket management of these devices. The guidance emphasizes that manufacturers should develop a process to conduct a risk evaluation and determine whether a cybersecurity vulnerability presents an acceptable or unacceptable risk. It further provides a risk-based framework for assessing reporting obligations pursuant to 21 C.F.R. Part 806, requiring device manufacturers or importers to report any actions concerning device corrections and removals to the FDA. Importantly, the guidance encourages efficient cybersecurity risk management and therefore does not require premarket notification and review for routine cybersecurity software updates. Such an obligation would have proved costly to manufacturers that are constantly strengthening the security of their devices as technology develops. The FDA has planned a webinar for January 12, 2017 to address any industry questions or concerns.