
    FDA Cybersecurity Major vs Minor Deficiency: How Reviewers Grade Findings

    How the FDA distinguishes Major from Minor cybersecurity deficiencies in 510(k) and PMA reviews, the response-window difference, and how to keep findings out of the Major column.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: June 3, 2026 · Last reviewed: May 1, 2026

    Direct answer

    The FDA classifies deficiencies in 510(k) and PMA reviews as either Major or Minor. A Major deficiency prevents the reviewer from reaching a substantive decision and triggers a 180-day response window with the review clock paused. A Minor deficiency is a clarification or limited request that does not block a decision; the FDA typically asks for a faster turnaround and the clock impact is smaller. Most cybersecurity findings land as Major because they prevent the reviewer from completing the security review - threat model gaps, missing SBOM or VEX, and inadequate security testing summaries all fall into this bucket.

    Sponsors who have received an Additional Information letter often focus on the number of deficiencies rather than the grading. The grading matters more. A single Major cyber finding can stall a submission for months. Ten Minor findings can sometimes be closed in a single tight response.

    This post breaks down how reviewers decide Major vs Minor for cybersecurity findings, what response strategy each grade requires, and how to keep findings out of the Major column in the first place.

    Key takeaways

    • Major: blocks a substantive decision, pauses the clock, 180-day response window.
    • Minor: clarification or limited request, smaller clock impact, faster turnaround expected.
    • Most cybersecurity findings grade as Major because they prevent the FDA from assessing the device's security risk profile.
    • A Minor finding mishandled in the response can be re-issued as a Major in the next round.
    • The Feb 3, 2026 FDA premarket cybersecurity guidance has tightened the bar for what reviewers accept as Minor.

    What "Major" actually means to a reviewer

    A Major deficiency is one the reviewer cannot move past to reach a substantive decision on the submission. The finding is not optional information - it is missing evidence the FDA needs to determine whether the device meets the safety and effectiveness standard.

    Concretely, a finding tends to be Major when:

    • The reviewer cannot complete their assigned section of the review without the answer.
    • The finding identifies a gap in a deliverable the guidance lists as required.
    • Resolving the finding may require changes to other artifacts (threat model, risk assessment, labeling).
    • The finding implicates Section 524B compliance directly.

    A Major cybersecurity finding looks like:

    • "The threat model does not identify trust boundaries between the device and the cloud backend."
    • "The SBOM does not include firmware components."
    • "No VEX document is provided for SBOM components with known CVEs."
    • "The security testing summary does not demonstrate traceability from identified threats to test cases."
    • "The cybersecurity management plan does not describe a coordinated vulnerability disclosure (CVD) process."

    Each of these prevents the reviewer from closing the security section of the review.

    What "Minor" actually means to a reviewer

    A Minor deficiency is a clarification, a request to add a specific detail, or a request to correct a discrepancy that does not block the review. The reviewer can reach a decision once it is addressed, but is asking the sponsor to make the package internally consistent or to add a specific piece of supporting evidence.

    A Minor cybersecurity finding looks like:

    • "Confirm that the SBOM component versions in Section 12 match the build manifest in Appendix B."
    • "Clarify whether the penetration test in Section 14.3 was conducted on the final production firmware or a release-candidate build."
    • "Provide the date the threat model was last reviewed by the cybersecurity engineering team."
    • "Update Table 4 to indicate the VEX status format used (CycloneDX-VEX or OpenVEX)."
    • "Confirm the cryptographic library version listed in Section 8.2 is FIPS 140-3 validated."

    Each is answerable in a sentence or two with a pointer to the relevant section. None of them require rebuilding an artifact.

    Clock and response-window impact

    Review clock
      Major: Paused until response received
      Minor: Paused (or minimally affected, depending on the letter format)

    Response window
      Major: 180 days; submission considered withdrawn if missed
      Minor: Typically faster turnaround expected, usually within the same AI letter window

    Format expectation
      Major: Full response with rebuilt artifacts and evidence
      Minor: Targeted clarification, often a single paragraph per finding

    Risk of re-issue
      Major: High if response is weak
      Minor: Low if response is direct

    The 180-day window for Major deficiencies is a maximum, not a target. Sponsors who use the full 180 days are typically already in trouble - they discovered late that a Major finding required rebuilding the threat model or the security risk assessment from scratch.

    Why most cyber findings grade as Major

    The cybersecurity review section is one of the few areas of premarket review where missing evidence is binary. Either the sponsor provided a threat model, an SBOM, a VEX, a security risk assessment, and a security testing summary, or they did not. A reviewer cannot infer a threat model from labeling text or reconstruct an SBOM from a software description.

    This means:

    • Missing deliverables grade as Major almost by default.
    • Incomplete deliverables (e.g., a threat model that doesn't cover the wireless interface) usually grade as Major because they prevent completion of the security review.
    • Only formatting, version-discrepancy, or single-data-point clarifications tend to grade as Minor.

    The practical implication: cybersecurity is the section of the submission most likely to drive Major deficiencies, which is why FDA review delays so often trace back to security findings rather than clinical or mechanical findings.

    How a Minor can become a Major in the next round

    A common failure pattern: the sponsor receives a Minor cybersecurity finding, answers it tersely, and triggers a Major finding in the next review round.

    Examples:

    • Minor finding: "Confirm the VEX format used." Sponsor responds with one word ("CycloneDX-VEX"). Next round, Major finding: "The VEX document does not include justifications for components flagged not_affected."
    • Minor finding: "Clarify the penetration test scope." Sponsor responds with a one-paragraph description. Next round, Major finding: "The penetration test scope does not cover the BLE pairing flow."
    • Minor finding: "Confirm threat model review cadence." Sponsor responds with "Quarterly." Next round, Major finding: "The threat model has not been updated to reflect the cloud backend changes documented in Section 5."

    Reviewers escalate when a terse Minor response reveals a deeper substantive gap. The fix is to treat every Minor cyber finding as an invitation to demonstrate completeness, not as a single-question quiz.

    How to keep findings out of the Major column

    The pre-submission discipline that minimizes Major findings:

    1. Build the threat model first, then the security risk assessment, then the SBOM/VEX, then the security testing plan. Out-of-order construction is the leading cause of internal inconsistencies that reviewers grade as Major.
    2. Trace every identified threat to a test case and a result. Reviewers grade missing traceability as Major even when the underlying testing was actually done.
    3. Provide the SBOM in CycloneDX or SPDX with an accompanying VEX. PDF screenshots of dependency lists trigger Major findings under the Feb 3, 2026 guidance.
    4. Document the cybersecurity management plan with concrete CVD, patch cadence, and monitoring commitments. Vague language ("we will monitor for vulnerabilities") grades as Major.
    5. Confirm the security risk assessment is aligned to IEC 81001-5-1 and that residual risk is quantified for each identified threat.
    6. Have a senior cyber reviewer read the submission against the FDA premarket guidance before filing. Pre-submission gap analysis catches Major triggers cheaply.

    The 2026 guidance has tightened the bar

    The Feb 3, 2026 FDA premarket cybersecurity guidance superseded the 2023 document and raised the floor on what counts as a complete cyber package. Several deficiency patterns that were graded Minor in 2023-2024 are now consistently graded Major:

    • Missing VEX accompanying the SBOM.
    • Threat model without explicit trust boundary identification.
    • Security testing summary without traceability to the threat model.
    • Cybersecurity management plan without a documented CVD process.
    • SBOM without firmware components or without transitive dependency expansion.

    If your last submission was pre-2026, do not assume the grading you experienced still applies. The bar has moved.
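    As an added example (not code from this post or from Blue Goat Cyber), the Python script below runs the kind of pre-submission gap check step 6 of the previous section recommends, over a constructed CycloneDX-style SBOM with embedded VEX statements, a constructed build manifest, and a constructed threat-to-test trace. It flags the Major triggers listed above (SBOM without firmware components, a not_affected VEX entry without a justification, a known CVE with no VEX statement, a threat model without trust boundaries, a threat with no tested result) and one Minor-grade consistency check (SBOM versions against the build manifest). The CycloneDX field names (components, vulnerabilities, affects, analysis.state, analysis.justification) are from the CycloneDX schema; the threat model and test summary layout, all component names, test and threat ids, and the CVE numbers are assumptions and placeholders, not real identifiers.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    grade: str    # "Major" or "Minor", following the grading rules in the post
    message: str


# Constructed sample SBOM (not from any real submission). Field names follow the
# CycloneDX 1.4+ schema, which carries VEX statements in "vulnerabilities".
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:tls-lib@1.2.0", "name": "tls-lib", "version": "1.2.0"},
        {"type": "library", "bom-ref": "pkg:json-parser@3.1.4", "name": "json-parser", "version": "3.1.4"},
        {"type": "firmware", "bom-ref": "fw:radio-mcu@2.0.7", "name": "radio-mcu-firmware", "version": "2.0.7"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-PLACEHOLDER-1",        # placeholder id, not a real CVE
         "affects": [{"ref": "pkg:tls-lib@1.2.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "CVE-0000-PLACEHOLDER-2",        # not_affected with no justification
         "affects": [{"ref": "pkg:json-parser@3.1.4"}],
         "analysis": {"state": "not_affected"}},
    ],
}
# Constructed stand-in for a scanner feed: bom-ref -> CVE ids reported against it.
KNOWN_CVES = {
    "pkg:tls-lib@1.2.0": ["CVE-0000-PLACEHOLDER-1"],
    "pkg:json-parser@3.1.4": ["CVE-0000-PLACEHOLDER-2", "CVE-0000-PLACEHOLDER-3"],
}
# Constructed build manifest: component name -> version actually shipped.
BUILD_MANIFEST = {"tls-lib": "1.2.0", "json-parser": "3.1.5", "radio-mcu-firmware": "2.0.7"}
# Constructed threat model and test summary; the layout and ids are assumed.
THREAT_MODEL = {
    "trust_boundaries": ["device <-> mobile app (BLE)", "mobile app <-> cloud backend"],
    "threats": [{"id": "T-01", "title": "BLE pairing man-in-the-middle"},
                {"id": "T-02", "title": "Cloud session token replay"},
                {"id": "T-03", "title": "Firmware image tampering"}],
}
TEST_SUMMARY = [
    {"test_id": "TC-07", "threat_id": "T-01", "result": "pass"},
    {"test_id": "TC-09", "threat_id": "T-02", "result": None},   # planned, never run
    {"test_id": "TC-12", "threat_id": "T-03", "result": "pass"},
]


def check_sbom_vex(sbom, known_cves, build_manifest):
    """Three Major triggers from the post plus one Minor-grade consistency check."""
    findings = []
    components = sbom.get("components", [])
    refs = {c["bom-ref"] for c in components}
    if not any(c.get("type") == "firmware" for c in components):
        findings.append(Finding("Major", "SBOM does not include firmware components"))
    vex_by_ref = {}                      # bom-ref -> set of CVE ids with a VEX statement
    for vuln in sbom.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        if analysis.get("state") == "not_affected" and not analysis.get("justification"):
            findings.append(Finding("Major", f"{vuln['id']}: not_affected without justification"))
        for affected in vuln.get("affects", []):
            vex_by_ref.setdefault(affected["ref"], set()).add(vuln["id"])
    for ref, cves in known_cves.items():
        for cve in cves:
            if ref in refs and cve not in vex_by_ref.get(ref, set()):
                findings.append(Finding("Major", f"{ref}: no VEX statement for known {cve}"))
    for comp in components:              # Minor: SBOM version vs build-manifest version
        built = build_manifest.get(comp["name"])
        if built is not None and built != comp.get("version"):
            findings.append(Finding("Minor", f"{comp['name']}: SBOM says {comp['version']}, "
                                             f"build manifest says {built}"))
    return findings


def check_threat_traceability(threat_model, test_summary):
    """Trust boundaries must be explicit and every threat needs a test with a result."""
    findings = []
    if not threat_model.get("trust_boundaries"):
        findings.append(Finding("Major", "Threat model does not identify trust boundaries"))
    covered = {t["threat_id"] for t in test_summary if t.get("result") in ("pass", "fail")}
    for threat in threat_model.get("threats", []):
        if threat["id"] not in covered:
            findings.append(Finding("Major", f"{threat['id']} ({threat['title']}): "
                                             "no test case with a recorded result"))
    return findings


def grade_summary(findings):
    """Count findings per grade, e.g. {'Major': 3, 'Minor': 1}."""
    return dict(Counter(f.grade for f in findings))


if __name__ == "__main__":
    found = (check_sbom_vex(SBOM, KNOWN_CVES, BUILD_MANIFEST)
             + check_threat_traceability(THREAT_MODEL, TEST_SUMMARY))
    for f in found:
        print(f"[{f.grade}] {f.message}")
    print(grade_summary(found))
```

    On the constructed inputs the script reports three Major findings (the unjustified not_affected entry, the known CVE with no VEX statement, and the threat whose test was never executed) and one Minor finding (the json-parser version mismatch). The point of the split is the one the post makes: the Minor item is a one-sentence fix, while each Major item means an artifact has to be rebuilt before the reviewer can close the security section, so a check like this is worth running against the real SBOM, VEX and traceability matrix before filing.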

    Frequently asked questions

    How many Major deficiencies is too many?

    There is no formal threshold, but in practice more than three Major cybersecurity findings on a single submission signals systemic pre-submission gaps. At that point the right move is to step back from individual finding responses and rebuild the cybersecurity package against the Feb 3, 2026 guidance before submitting a consolidated response.

    Can a Minor finding extend my review timeline?

    Minor findings do not pause the clock the way Major findings do, but a slow or incomplete response can prompt the FDA to re-issue a Minor as a Major in the next round, which then pauses the clock. Treat Minor findings with the same response discipline as Major ones.

    Does the FDA always label findings as Major or Minor?

    In Additional Information letters, yes - the labels are explicit. Hold letters and RTA letters use different terminology but the underlying severity grading is the same. PMA Major Deficiency letters are explicit by name.

    Are cybersecurity Major findings more common than clinical Major findings?

    In our experience across 510(k) and PMA submissions, yes. The cybersecurity review section has the highest rate of Major findings of any technical section, because missing security artifacts are binary and the 2026 guidance bar is now high.

    What happens if I disagree with a Major grading?

    You can respond to the substance of the finding without engaging the grading - the right move is almost always to provide the requested evidence rather than contest the grade. If you genuinely believe the FDA misread the submission and the answer is already in the package, point to it explicitly with section and page references in the response.

    How does Major vs Minor map to PMA Major Deficiency letters?

    A PMA Major Deficiency letter is the PMA-pathway analog of an AI letter with Major findings. PMA letters do not use the Minor label the same way - clarifications are typically handled inside the substantive review rather than as a formal finding. See our PMA cybersecurity deficiencies post for the PMA-specific framing.

    Getting Major findings on your submission?

    Major cybersecurity deficiencies pause your clock and reset your launch date. Closing them takes a senior cyber response, not a junior point-by-point reply.
