How to Prepare the Cybersecurity Section of Your FDA Premarket Submission
Step-by-step checklist for compiling the complete cybersecurity package for 510(k), De Novo, and PMA submissions — covering every artifact CDRH reviewers expect under Section 524B and the finalized 2023 cybersecurity guidance.
Submission Overview
What This Guide Covers
This guide walks you through assembling the complete cybersecurity documentation package for an FDA premarket submission. It maps every required artifact to its source document, provides eSTAR field-level guidance, and highlights the most common RTA triggers reported by CDRH reviewers.
Prerequisites
- SPDF process established and documented
- Threat model completed with traceability matrix
- SBOM generated from your build pipeline
- Cybersecurity risk assessment completed
- Security testing (SAST, SCA, fuzz, pen test) executed
Step 1: Determine Your Cybersecurity Submission Scope
Step 2: Compile SPDF Evidence
Step 3: Prepare Threat Model & Risk Assessment
Step 4: Prepare SBOM and Vulnerability Analysis
Step 5: Document Post-Market Cybersecurity Plans
Step 6: Cybersecurity Labeling & Customer Communication
Step 7: Assemble & Submit the Cybersecurity Package
Step 1: Determine Your Cybersecurity Submission Scope
Classify your device and determine which cybersecurity documentation is required
1. Is Your Device a "Cyber Device" Under Section 524B?
Section 524B of the FD&C Act (added by the Consolidated Appropriations Act, 2023, signed December 29, 2022, and effective March 29, 2023) defines a "cyber device" as a device that: (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. Note that criterion (2) is about the ability to connect, not whether the device is intended to be connected in normal use. If your device meets all three criteria, the Section 524B cybersecurity documentation is a statutory requirement, and FDA can issue a Refuse to Accept (RTA) decision if it is missing.
RTA Risk: Since October 1, 2023, FDA applies the RTA criteria to cyber devices. Submissions lacking an SBOM, SPDF evidence, or a plan to monitor, identify, and address postmarket vulnerabilities (including a reasonably justified regular update cycle and out-of-cycle patching for critical vulnerabilities) are rejected before substantive review begins. Do not treat cybersecurity as an afterthought.
Use Our Tool: Run the Cyber Device Classification Tool to determine if your device meets the Section 524B definition.
2. Submission Type Determines Cybersecurity Depth
The 2023 final guidance applies the same core documentation recommendations (SPDF evidence, threat model, risk assessment, SBOM, testing, post-market plans, labeling) to every cyber device regardless of submission type. What varies by submission type is the depth of review and the frame of comparison:
| Submission Type | Cybersecurity Expectation | Key Differences |
|---|---|---|
| 510(k) — Class II | Full cybersecurity package | Predicate comparison includes cybersecurity posture differences; focus on substantial equivalence of security controls |
| De Novo — Class II | Full cybersecurity package | No predicate, so cybersecurity review is based entirely on the submitted risk assessment and controls |
| PMA — Class III | Enhanced cybersecurity package | Deeper scrutiny: reviewers expect attack trees or equivalently detailed threat-model documentation, penetration testing results, and extended post-market monitoring commitments |