Blue Goat Cyber · Medical Device Cybersecurity

    FDA Cybersecurity Deficiencies in PMA Submissions: AI Requests, Major Deficiencies, and Complete Response Letters

    How the FDA flags cybersecurity gaps in PMA submissions - RTF, Major Deficiency, Approvable, and Complete Response Letters for combination products - and how to respond.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: June 3, 2026 · Last reviewed: May 1, 2026

    Direct answer

    Class III device sponsors on the PMA pathway can receive cybersecurity findings inside four different letter types: a Refuse to File (RTF) before review begins, a Major Deficiency letter during substantive review, an Approvable or Not Approvable letter at the decision stage, and - for combination products reviewed under CDER as the lead center - a Complete Response Letter (CRL). The letter names differ from 510(k), but the substantive cybersecurity expectations are the same: a complete threat model, SBOM with VEX, security risk assessment per IEC 81001-5-1, security testing summary, and full Section 524B alignment under the FDA's February 2026 premarket cybersecurity guidance.

    Most cybersecurity guidance written for medical device sponsors is implicitly written for 510(k) submissions. That's where the volume is. But Class III sponsors on the PMA pathway - implantables, life-sustaining devices, certain IVDs - get a different set of letters from the FDA when something is wrong with their cybersecurity package, and confusing 510(k) terminology with PMA terminology can cost months.

    This post is the PMA-specific companion to our FDA Deficiency Letter vs RTA vs Hold Letter breakdown. It covers what each PMA letter actually means for cybersecurity, where Complete Response Letters fit in, and the substantive expectations that don't change regardless of which letter you receive.

    Key takeaways

    • PMA's acceptance gate is Refuse to File (RTF) - the analog of 510(k)'s RTA.
    • During substantive review, the FDA issues Major Deficiency letters (sometimes called Deficiency Letters or AI requests).
    • At decision time, the outcomes are Approval Order, Approvable Letter, or Not Approvable Letter.
    • Complete Response Letters (CRLs) are a CDER/CBER mechanism. They reach device sponsors only when a combination product is reviewed with a drug or biologic as the lead center.
    • The Feb 3, 2026 FDA premarket cybersecurity guidance applies to PMA submissions verbatim. Section 524B is statute - it does not care which pathway you're on.

    The PMA letter sequence at a glance

    | Stage | Letter type | 510(k) analog | Clock impact |
    |---|---|---|---|
    | Acceptance (filing review, ~45 days) | Refuse to File (RTF) | Refuse to Accept (RTA) | Clock resets on resubmission |
    | Substantive review | Major Deficiency Letter | AI / Deficiency Letter | Pauses the 180-day review goal |
    | Substantive review (cyber-specific) | Cybersecurity hold inside Major Deficiency | Hold Letter | Same as Major Deficiency |
    | Decision | Approvable Letter | (no direct analog) | Outstanding items must be closed |
    | Decision | Not Approvable Letter | (no direct analog) | Substantive deficiencies block approval |
    | Combination product (CDER lead) | Complete Response Letter (CRL) | (drug/biologic mechanism) | 1 year to respond before withdrawn |

    1. Refuse to File (RTF) - cybersecurity edition

    The FDA's filing review for a PMA happens in the first ~45 days. If the submission isn't administratively and technically complete, you get an RTF. Under the February 2026 final premarket cybersecurity guidance, the cybersecurity items that most often trigger an RTF on a PMA are the same as for 510(k):

    • No threat model, or a threat model that doesn't identify trust boundaries and assets.
    • Missing SBOM, or an SBOM that isn't in CycloneDX or SPDX.
    • No VEX document accompanying the SBOM.
    • Missing security risk assessment aligned to IEC 81001-5-1.
    • No cybersecurity management plan addressing postmarket monitoring and patch cadence.
    • No security testing summary (no penetration test report, no fuzz testing summary, no static analysis evidence).

    A PMA RTF is more expensive than a 510(k) RTA because the rest of the application is heavier. Rebuilding the cybersecurity package and re-filing typically costs 60-90 days at minimum.

    2. Major Deficiency Letters during substantive review

    Once the PMA is filed, substantive review begins. Cybersecurity findings during this phase land inside a Major Deficiency Letter (sometimes called a Deficiency Letter or Additional Information request, depending on the division). The mechanics:

    • The 180-day MDUFA review clock pauses on the day the letter issues.
    • You have 180 days to respond before the application is considered withdrawn.
    • Multiple rounds are common - PMA reviews routinely go through two or three Major Deficiency cycles.
    • A cyber-heavy Major Deficiency Letter functions like a 510(k) Hold Letter: the whole application is gated on resolving the security findings.

    Common substantive cyber findings on PMA:

    • Threat model doesn't address physical attack surface (relevant for implantables).
    • Security risk assessment doesn't quantify residual risk for each identified threat.
    • SBOM is incomplete on transitive dependencies or doesn't include firmware components.
    • VEX status of not_affected claimed without a documented justification.
    • No evidence the device update mechanism is signed and authenticated end-to-end.
    • Penetration test scope doesn't cover wireless interfaces, BLE pairing, or cloud backend.
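    The SBOM and VEX findings above are mechanical enough to screen for before a reviewer does. The following is an added example, not code from the original post or from Blue Goat Cyber: it lints a constructed CycloneDX-style SBOM with embedded VEX analysis for a `not_affected` claim lacking a justification, a VEX statement pointing at a component that is not in the SBOM, a component without a purl (so transitive dependencies cannot be matched), and, as an assumed heuristic, the absence of any `firmware`-type component. The CVE ids are placeholders.

```python
import json

# Constructed CycloneDX-style SBOM with embedded VEX (sample data, placeholder CVE ids; not a real device).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "pkg:generic/tls-lib@1.2", "name": "tls-lib",
     "version": "1.2", "purl": "pkg:generic/tls-lib@1.2"},
    {"type": "library", "bom-ref": "ble-stack", "name": "ble-stack", "version": "3.0"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:generic/tls-lib@1.2"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "renegotiation path compiled out; see threat model TB-3"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "ble-stack"}],
     "analysis": {"state": "not_affected"}},
    {"id": "CVE-0000-0003", "affects": [{"ref": "orphan-ref"}],
     "analysis": {"state": "resolved"}}
  ]
}
""")

def lint_bom(bom):
    """Return (severity, message) findings for the SBOM/VEX gaps a reviewer flags."""
    findings = []
    comps = bom.get("components", [])
    known_refs = {c["bom-ref"] for c in comps if c.get("bom-ref")}
    for c in comps:
        # Without a purl, transitive dependencies cannot be matched to advisories.
        if not c.get("purl"):
            findings.append(("warn", f"component {c['name']} has no purl"))
    # Heuristic (assumption): a device SBOM should list at least one firmware component.
    if not any(c.get("type") == "firmware" for c in comps):
        findings.append(("warn", "no component of type 'firmware' in SBOM"))
    for v in bom.get("vulnerabilities", []):
        analysis = v.get("analysis", {})
        # A not_affected claim must carry a machine-readable justification.
        if analysis.get("state") == "not_affected" and not analysis.get("justification"):
            findings.append(("fail", f"{v['id']}: not_affected without justification"))
        # Every VEX statement must point at a component actually present in the SBOM.
        for a in v.get("affects", []):
            if a.get("ref") not in known_refs:
                findings.append(("fail", f"{v['id']}: affects unknown ref {a.get('ref')}"))
    return findings

def blocking(findings):
    """True if any finding is a deficiency-grade gap rather than a warning."""
    return any(sev == "fail" for sev, _ in findings)
```

Run `lint_bom` over the real CycloneDX JSON before filing; a VEX that the FDA's SBOM tooling can parse is the minimum, and a `fail` here is the kind of item that lands in a Major Deficiency Letter.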

    The response standard is the same as 510(k): point-by-point, evidence-backed, with explicit pointers into the amended submission.

    3. Approvable and Not Approvable Letters

    PMA decision letters have no direct 510(k) analog. They come at the end of substantive review:

    • Approvable Letter. The FDA is prepared to approve once specific final items are closed. For cybersecurity, this often means: final labeling updates reflecting Section 524B postmarket commitments, the cybersecurity management plan as an approved postmarket commitment, or a final attestation that the SBOM and VEX shipped with the application match the device-as-released.
    • Not Approvable Letter. Substantive deficiencies remain that, in the FDA's current view, prevent approval. The sponsor can respond, amend, or withdraw. Cybersecurity findings reaching this stage almost always trace back to threat model gaps that the sponsor didn't close in earlier Major Deficiency rounds.

    Approvable letters are recoverable in weeks if the remaining items are administrative. Not Approvable letters typically take months.

    4. Complete Response Letters (CRL) - the combination product case

    This is where most device-side confusion happens. A Complete Response Letter is a CDER/CBER mechanism, used for drug and biologic application reviews. It is governed by 21 CFR 314.110 (drugs) and 21 CFR 601.3 (biologics), and it is not the standard letter type for a pure device PMA reviewed under CDRH.

    Where CRLs become relevant for cybersecurity work is in combination products - a device plus a drug or biologic in one submission - when the FDA assigns the lead review center as CDER or CBER rather than CDRH. In that case:

    • The application is an NDA, BLA, or 505(b)(2), not a PMA.
    • The decision letter is either an Approval Letter or a Complete Response Letter.
    • A CRL can carry cybersecurity findings if the device constituent has electronic interfaces, software, or network connectivity. Drug delivery devices (smart inhalers, connected injectors, smart pumps that ship with a specific drug) are the most common case.
    • The CRL response window is typically one year, after which the application is considered withdrawn unless the sponsor requests an extension.

    The substantive bar for cybersecurity in a CRL response is identical to a PMA Major Deficiency response: full Section 524B alignment, threat model, SBOM, VEX, security risk assessment, security testing summary.

    What does NOT change between 510(k), PMA, and CRL

    The letter name changes. The substantive cybersecurity bar does not. Across all three:

    • Section 524B applies. It is statute. Pathway and letter type are irrelevant.
    • The Feb 3, 2026 FDA premarket cybersecurity guidance applies. The 2023 guidance is superseded.
    • AAMI SW96 and IEC 81001-5-1 are the controlling consensus standards. Sponsors are expected to map their deliverables to these.
    • SBOM in CycloneDX or SPDX with an accompanying VEX is mandatory. PDF screenshots of dependency lists are not acceptable.
    • A security testing summary with traceability from threat model to test cases is mandatory. A penetration test report alone is insufficient.

    If your response is built to the highest of these standards, it will satisfy any of the letter types.

    How to respond - a PMA-specific checklist

    For cyber findings inside a PMA Major Deficiency, Approvable, or CRL response:

    1. Triage the findings into threat model, SBOM/VEX, risk assessment, security testing, and labeling categories.
    2. Identify the root cause for each. If three findings all trace to a single trust boundary you missed in the threat model, the threat model is the work item - not the three individual responses.
    3. Rebuild artifacts in this order: threat model → security risk assessment → SBOM with VEX → security testing summary → labeling. Earlier artifacts feed later ones.
    4. Write the cover response with a numbered point-by-point structure matching the FDA's letter, plus pointers into the amended submission.
    5. Include a delta summary at the top showing exactly what changed between the original and amended submission, by section. PMA reviewers expect this. CRL reviewers under CDER expect a similar "Response to CRL" cover document.
    6. Have a senior cybersecurity reviewer sign off before the package leaves your office. PMA and CRL responses are not training material.

    Frequently asked questions

    Is a Complete Response Letter the same as a PMA Major Deficiency Letter?

    No. A CRL is a CDER/CBER mechanism for drug and biologic applications, governed by 21 CFR 314.110 and 21 CFR 601.3. A PMA Major Deficiency Letter is the CDRH mechanism for Class III device applications. The substantive cybersecurity expectations overlap heavily, but the legal framework, response timelines, and review divisions differ.

    Can a pure device PMA ever get a CRL?

    In standard CDRH practice, no. CDRH issues Approval Orders, Approvable Letters, and Not Approvable Letters on PMAs. CRLs appear only when a combination product is reviewed with CDER or CBER as the lead center - meaning the drug or biologic constituent drives the regulatory pathway.

    How is the cybersecurity bar different for a PMA vs a 510(k)?

    The bar itself is the same - Section 524B and the Feb 3, 2026 guidance apply to both. What differs is reviewer scrutiny. PMA reviewers spend more time on each artifact, expect more depth in the threat model, and are less tolerant of incomplete VEX documents. The work effort to clear PMA cyber review is typically 1.5-2x what the same device would require for 510(k).

    How long do I have to respond to each letter type?

    PMA RTF: 180 days to refile. PMA Major Deficiency: 180 days. PMA Not Approvable: typically 180 days to respond with an amendment. CDER CRL: 1 year, with extension possible on request. Missing any of these windows means the application is considered withdrawn.

    Do I need a new threat model for a CRL on a combination product?

    If the device constituent is software-driven, networked, or wireless, yes. The threat model must cover the device-as-delivered (not just the drug delivery mechanism), the patient-facing app if any, the cloud backend if any, and the trust boundaries between the device, the drug, and the network.

    Where does the postmarket cybersecurity expectation fit in for PMA?

    The cybersecurity management plan, postmarket vulnerability monitoring, and coordinated vulnerability disclosure (CVD) program are expected as part of the original PMA, not as a postmarket add-on. They typically become Approval Order conditions when approval issues.

    Have a PMA or CRL cyber finding?

    The clock is shorter than you think and the FDA's substantive expectations are higher for PMA than for 510(k). We've shipped responses across both pathways and into CDER-led combination product reviews.
