JSP Maintenance Phase - Keeping the Cybersecurity House in Order

Topics: FDA Compliance, Healthcare Cybersecurity, Joint Security Plan (JSP), End-of-Life / End-of-Support
Stacey Martinez

October 21, 2025

Launch day isn’t the finish line - it’s move-in day. From here, your cybersecurity house needs regular upkeep. Without it, cracks spread, shingles loosen, and trust erodes.

That’s what the Maintenance Phase of the Joint Security Plan (JSP) is all about: the ongoing care and protection that keeps your secure-by-design product safe, reliable, and compliant long after the ribbon-cutting.

The work that started in Design & Development - patch planning, SBOM tracking, and security monitoring - now becomes routine maintenance. This phase is proof that security isn’t a project; it’s a practice.

From Construction to Caretaking

Once the house is built, ownership begins. In product terms, Maintenance is about sustaining trust - ensuring the device remains secure, supported, and monitored throughout its total product lifecycle (TPLC).

The JSP divides this phase into five key upkeep activities that mirror real-world home care:

  1. Surveillance - Watching for warning signs before damage spreads.
  2. Vulnerability & EOL/EOS Management - Replacing worn-out materials and keeping an eye on supplier components.
  3. Security Incident Response - Fixing what breaks fast and coordinating the cleanup.
  4. Patch & Software Update Deployment - Performing regular maintenance to keep systems strong.
  5. Customer Security Communication - Sharing what you’ve fixed and how to stay protected.

Catching Leaks Before They Cause Damage: Surveillance (JSP2 Section F.1)

Every responsible homeowner checks the roof after a storm. For medical device manufacturers, that means monitoring for new vulnerabilities across products in the field.

A strong surveillance program - guided by your Maintenance Plan and Cybersecurity Signal Monitoring Procedure - continuously watches for new threat intelligence, coordinated vulnerability disclosure (CVD) reports, supplier advisories, and Health-ISAC alerts, and checks each against the components your fielded products actually contain.

When a potential issue surfaces, it’s assessed, triaged, and documented. Regular leadership reviews ensure nothing is ignored, and that lessons learned inform future builds. Surveillance keeps your house watertight - preventing small drips from becoming costly floods.

Replacing Worn-Out Parts: Vulnerability & EOL/EOS Management (JSP2 Section F.2)

Even the best-built home needs replacement parts - shingles age, windows crack, appliances wear out. Similarly, device components reach end-of-support. Vulnerability and EOL/EOS management ensures these aging elements don’t weaken your product’s security.

Your maintenance crew - typically the product security, engineering, and RA/QA teams - reviews new vulnerabilities, validates whether they actually affect the product as shipped (is the component present, is the vulnerable code reachable, do existing controls mitigate it), and classifies severity. Low-risk issues can be addressed during the next scheduled update; critical vulnerabilities trigger immediate remediation, communication to customers within 30 days, and patch deployment within 60 days - the same clocks FDA's postmarket cybersecurity guidance sets for uncontrolled risk.

This process also manages supplier lifecycle risks: when a third-party dependency goes EOL, manufacturers must act - either replacing the component, mitigating the exposure, or notifying customers with guidance for safe continued use. It’s like issuing a recall notice for a faulty breaker before it sparks a fire.
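As an added illustration (this is not code from the JSP or from Medcrypt), the following Python script shows the mechanics behind both the surveillance step above and the vulnerability/EOL step just described: match incoming advisories against the product's SBOM, discard those for components you do not ship or versions that already carry the fix, classify severity, attach the 30-day communication and 60-day patch deadlines to critical findings, and flag components whose supplier support date has passed. The SBOM, product name, advisory identifiers and CVSS thresholds are constructed assumptions.

```python
"""SBOM-driven advisory matching and EOL triage (added illustration, not JSP or
Medcrypt code). Inputs are constructed inline: a CycloneDX-like component list
for a hypothetical device and three placeholder advisories."""
import re
from datetime import date, timedelta

CRITICAL_COMMUNICATE_DAYS = 30  # from the text: tell customers within 30 days
CRITICAL_PATCH_DAYS = 60        # from the text: deploy the patch within 60 days

# Constructed SBOM excerpt. Product name is hypothetical; "eol" is the supplier's
# end-of-support date where known (None means still supported).
SBOM = {
    "product": "ExamplePump-X",
    "components": [
        {"name": "openssl", "version": "1.1.1w", "eol": "2023-09-11"},
        {"name": "zlib", "version": "1.3.1", "eol": None},
        {"name": "busybox", "version": "1.36.1", "eol": None},
    ],
}

# Constructed advisories. Identifiers are placeholders, not real CVEs;
# "affected_below" is the first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "component": "zlib", "affected_below": "1.3.2", "cvss": 9.1},
    {"id": "ADV-0002", "component": "busybox", "affected_below": "1.36.0", "cvss": 7.5},
    {"id": "ADV-0003", "component": "libpng", "affected_below": "1.6.40", "cvss": 8.8},
]


def parse_version(v: str) -> tuple:
    """Turn '1.1.1w' into ((1, ''), (1, ''), (1, 'w')) so versions compare as tuples."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if m is None:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(shipped: str, first_fixed: str) -> bool:
    """True when the shipped version is older than the first fixed version."""
    return parse_version(shipped) < parse_version(first_fixed)


def classify(cvss: float) -> str:
    """CVSS v3 qualitative bands (an assumption; the text does not fix thresholds)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(sbom: dict, advisories: list, assessed_on: date) -> list:
    """Match advisories and EOL dates against the SBOM; assign actions and deadlines."""
    findings = []
    by_name = {c["name"]: c for c in sbom["components"]}
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is None:
            continue  # we do not ship this component: no finding
        if not is_affected(comp["version"], adv["affected_below"]):
            continue  # shipped version already carries the fix
        finding = {"type": "vulnerability", "advisory": adv["id"],
                   "component": comp["name"], "version": comp["version"],
                   "severity": classify(adv["cvss"])}
        if finding["severity"] == "critical":
            finding["communicate_by"] = (assessed_on + timedelta(days=CRITICAL_COMMUNICATE_DAYS)).isoformat()
            finding["patch_by"] = (assessed_on + timedelta(days=CRITICAL_PATCH_DAYS)).isoformat()
        else:
            finding["action"] = "address in next scheduled update"
        findings.append(finding)
    for comp in sbom["components"]:
        if comp.get("eol") and date.fromisoformat(comp["eol"]) <= assessed_on:
            findings.append({"type": "eol", "component": comp["name"],
                             "version": comp["version"], "eol": comp["eol"],
                             "action": "replace the component, mitigate the exposure, "
                                       "or notify customers with guidance"})
    return findings


def example_report(assessed_on: date = date(2025, 10, 21)) -> list:
    """Run triage on the constructed inputs; default date is this post's publication date."""
    return triage(SBOM, ADVISORIES, assessed_on)


if __name__ == "__main__":
    for finding in example_report():
        print(finding)
```

On the constructed inputs only two findings survive: the zlib advisory (shipped 1.3.1 is below the fixed 1.3.2, CVSS 9.1 makes it critical, so it carries 2025-11-20 and 2025-12-20 deadlines) and an end-of-support flag on openssl 1.1.1w. The busybox advisory is dropped because the shipped version already carries the fix, and the libpng advisory is dropped because the component is not in the SBOM. In a production pipeline the same logic would consume a real CycloneDX or SPDX document and match on package URLs against NVD, OSV and supplier feeds, and the 30/60-day clocks would start from the date you became aware of the issue, not the date the script ran.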

Fixing What Breaks Fast: Security Incident Response (JSP2 Section F.3)

Sometimes, despite preventive care, a pipe bursts. When an active security incident occurs - whether it’s a suspected breach, data exposure, or system compromise - the response must be immediate, coordinated, and documented.

The manufacturer's Product Security Incident Response Team (PSIRT) works alongside hospital IT and clinical staff to contain, eradicate, and recover. Communication is critical: clinicians, customers, and regulators must understand what happened, what is being done, and whether patient data or patient safety was affected.

A strong incident response process is the emergency plumber of your cybersecurity house - trained, equipped, and ready to act before the damage spreads.

Routine Maintenance Matters: Patch & Software Update Deployment (JSP2 Section F.4)

Preventive maintenance saves money - and reputations. Just as a homeowner changes air filters and services the furnace, manufacturers must regularly deploy validated patches and software updates to sustain performance and mitigate vulnerabilities.

Routine updates address known issues on a predictable cadence, while emergency patches (critical updates) resolve newly discovered vulnerabilities fast. Manufacturers document each update, verify its effectiveness, and communicate results to leadership - proof that the system is running safely.

Updates may be applied remotely, through validated customer downloads, or via service visits - whatever method ensures secure delivery and minimal downtime. Consistency here is key: homes that are never maintained eventually fail inspection.

Keeping Everyone Informed: Customer Security Communication (JSP2 Section F.5)

A trustworthy builder doesn't just fix problems - they tell the homeowner what was done, why, and how to prevent it next time. Manufacturers do the same through customer security communication: timely bulletins, vulnerability disclosures, and updated Manufacturer Disclosure Statements for Medical Device Security (MDS2s), SBOMs, and security whitepapers.

Cross-functional teams - from legal and public relations to field service and customer success - collaborate to ensure messages are clear, accurate, and actionable. Even if mitigation steps aren’t yet available, transparency builds trust.

This is how you keep the neighborhood informed and safe - ensuring your customers feel supported, not blindsided, when updates or issues arise.

Who’s in the Room

Maintenance is an all-hands effort. Engineering and DevOps teams roll up their sleeves to build and verify patches, while Product Security and PSIRT keep their eyes on the horizon: monitoring signals, triaging vulnerabilities, and coordinating disclosures. QA and Regulatory Affairs ensure every update is properly logged, verified, and compliant. Meanwhile, Field and Service teams close the loop with hospitals and operators, ensuring fixes reach the front lines. And at the top, executives back it all - funding ongoing maintenance, setting transparency policies, and reinforcing response readiness. Everyone plays a role in keeping the cybersecurity house secure, stable, and livable.

Why It Matters

Maintenance isn't optional - it's the heartbeat of product trust. Regulators now expect continuous surveillance, disclosure, and patching processes under section 524B of the FD&C Act and the JSP framework. Customers demand assurance that devices remain secure and supported long after they leave the factory floor. And executives know the math: downtime, data breaches, and reputational damage always cost more than prevention. Neglecting maintenance is like ignoring a roof leak - it only grows costlier with time. Sustaining cybersecurity is what separates a one-time build from a home that stands the test of storms.

Designed for Life

By the end of this phase, your product should tell a story of stewardship. You’ve built a living record of surveillance and vulnerability management, demonstrated a proven patch and update process with measurable performance, and documented incident response procedures that show preparedness in action. SBOMs are current, components are tracked through end-of-life, and communications are transparent and timely. In short, you’re walking away not with a house that’s just well-built - but one that’s cared for, inspected, and ready to weather whatever comes next.

Securing Your Legacy

The Maintenance Phase is where trust is sustained - or lost. No matter how strong the foundation or meticulous the design, a house left unattended will eventually falter. Continuous monitoring, open communication, and timely patching aren’t just technical checkboxes - they’re how you protect patients, data, and the reputation you’ve built. Security doesn’t end when the device ships; it’s renewed every single day that device stays secure in the field.
