Service

Medical Cybersecurity Assurance Program (CAP)

Medical CAP offers a comprehensive suite of advisory, testing and certification services to help companies manage cybersecurity risks and demonstrate a strong security posture to the marketplace.

Managing and validating capabilities through cybersecurity assurance

The Medical Cybersecurity Assurance Program (CAP) establishes standardized, testable criteria to assess software vulnerabilities and weaknesses in connected products and systems. These assessments help reduce the likelihood of exploitation, address known malware, enhance security controls and increase security awareness.  

Medical CAP

Medical CAP provides trusted third-party expertise to evaluate the security of network-connectable products and systems developed in-house or by a vendor. The program enables manufacturers to stay ahead of emerging threats while continuing to innovate.

Based on the UL 2900 series of standards, Medical CAP supports organizations in managing cybersecurity risks and demonstrating compliance to security standards.

Medical CAP's cybersecurity services

Certification

Medical CAP certifications are conducted through well-defined processes aligned with organizational quality standards such as ISO/IEC 17065:2012, Conformity assessment - Requirements for bodies verifying products, processes and services. The certifications demonstrate conformance to nationally and internationally recognized cybersecurity standards that are trusted by regulators, purchasers, customs officials and other key stakeholders involved in bringing healthcare technologies to market. 

Verification

Your product requirement specifications define what your product is intended to do, including how it resists cybersecurity threats that could put systems like hospitals at risk. Verifying that these requirements align with industry standards and include appropriate security controls is essential to achieving cyber resiliency before, during and after a cyberattack. UL Solutions offers independent third-party reviews of product specifications and security architecture, an approach long trusted in safety-critical software domains to help you strengthen security and reduce risk.

Testing

UL Solutions provides cybersecurity testing services in line with globally recognized standards, including ISO/IEC 17025, Testing and calibration in laboratories. We support industry frameworks such as Federal Information Processing Standards (FIPS) and Common Criteria (CC). Whether you're seeking early-stage insights to support research and development or require formal testing for regulatory procurement needs, we offer flexible testing options tailored to your goals.

Our testing services include:

  • Static and dynamic application security testing (SAST/DAST) 
  • Penetration testing using realistic attack scenarios based on threat actor behavior 
  • Source code analysis, binary/bytecode review and software composition analysis 
  • Scanning for known vulnerabilities, open ports and services 
  • Malformed input testing and known malware detection 

Auditing and inspection

Audits and inspections can help build more robust development and manufacturing processes to support the safety and security of new technologies. UL Solutions offers audit-based process certifications, third-party attestations and inspection services that align with industry-recognized frameworks. These services help organizations stay ahead of regulatory expectations and establish a strong foundation for cybersecurity risk management.

Examples of some of the frameworks we work within:

  • AAMI CR34971:2022 AAMI consensus report - Guidance on the application of ISO 14971 to artificial intelligence and machine learning
  • AAMI TIR57:2016 Principles for medical device security - Risk management
  • ANSI/AAMI/UL 2800-1:2019 Standard for Medical Device Interoperability

Software

Software plays a central role in today's medical technologies, including embedded firmware, software as a medical device (SaMD) and complex systems with software-defined functions. With supply chain attacks and zero-day vulnerabilities as leading threat vectors, proactive software security has never been more critical. UL Solutions helps you assess your product's software architecture, identify potential weaknesses and implement security best practices across the full development life cycle. 

Our software-focused services include: 

  • Software Bill of Materials (SBOM) generation – Visibility into third-party components to reduce supply chain risk 
  • Weakness analysis – Identification of vulnerabilities early in development 
  • Secure life cycle support – Guidance on maintaining cybersecurity from design to decommission

Data insight

Understanding and responding to real-world cybersecurity incidents requires the ability to make sense of complex data, including event logs and test reports. Whether your product has been compromised in the field or you're seeking to prevent future breaches, UL Solutions helps organizations turn data into actionable insights. Our engineers work with your team to analyze vulnerabilities, identify attack vectors and develop meaningful security metrics to guide product improvement over time. 

Our data-driven services include: 

  • Vulnerability management – Identify, track and prioritize issues based on real-world impact 
  • Sensitive data management – Strengthen controls around high-risk data types 
  • Test result analysis – Interpret findings to refine controls and support incident response

Advisory

Making a product secure by design starts long before development begins. UL Solutions offers advisory services that support you from the earliest stages of product ideation, helping you assess technologies, reduce attack surfaces and avoid regulatory pitfalls. Our team provides expert input on failure modes, architecture choices and threat modeling to support robust cybersecurity from concept to retirement.   

Our early-stage and life cycle advisory services include: 

  • Threat modeling – Identify potential threats and define mitigations early 
  • Secure by design – Embed security into your architecture from the ground up 
  • Cyber regulatory guidance – Navigate complex requirements with clarity and confidence

Learning and development

Keeping pace with evolving cybersecurity demands requires a workforce that's continually learning. UL Solutions can help your organization build internal cybersecurity competencies through tailored training programs and ongoing professional development. Whether you need to upskill current staff, onboard new team members or meet quality management system (QMS) requirements, we provide practical training grounded in real-world applications across the medical device industry and beyond.

Our training and capability-building support includes:

  • Custom training programs – Targeted content based on your products, team and goals
  • Securing programmable electrical medical systems (PEMS) – Expert-led training specific to PEMS devices
  • Cross-industry insights – Learn how others are successfully managing similar technology risks

Field evaluation

UL Solutions offers flexible field evaluation services to meet your logistical or operational needs, including on-site testing, remote observation or assistance setting up your own testing facility. We provide options that accommodate complex product portfolios and hard-to-move equipment. For organizations managing extensive in-house testing, we also offer participation in our Data Acceptance Test Laboratory (DATL) program.

Flexible support where you need it:

  • On-site evaluation – Testing conducted within your facility
  • Tele-support – Remote witnessing or guidance during your in-house testing
  • DATL program – Qualify your laboratories for internal cybersecurity testing

Connect with our team

Thanks for your interest in our products and services. Let's collect some information so we can connect you with the right person.

Choosing UL Solutions for your cybersecurity services

Working with an independent, trusted third party can help you:

  • Increase confidence in product and system security
  • Differentiate your products in the marketplace
  • Protect your brand and mitigate risk
  • Demonstrate commitment to cybersecurity safety
  • Validate cybersecurity to end customers

The benefits of working with UL Solutions for cybersecurity include:

  • Full life cycle support
  • Industry knowledge
  • Cybersecurity assurance
  • Cybersecurity and safety
