
Published: May 14, 2026
Cybersecurity does not inherently extend the FDA review timeline. Rather, deficiencies in cybersecurity documentation, such as an incomplete Software Bill of Materials (SBOM) or inadequate penetration testing reports, frequently trigger clock stops. These stops, issued as Refuse-to-Accept notifications or Additional Information letters, pause the FDA's review clock, thereby extending the overall calendar time for a medical device submission. Addressing these deficiencies promptly is crucial to minimizing delays.
Cybersecurity rarely extends an FDA submission timeline by itself - but cybersecurity deficiencies are now one of the leading causes of clock stops. This is the realistic timeline for each pathway under Section 524B and the February 2026 final guidance.
Last reviewed: May 2026.
Key Takeaways
- Cybersecurity deficiencies cause submission clock stops.
- An RTA hold follows a missing SBOM or an inadequate vulnerability plan.
- AI letters commonly cite pen test scope or threat model gaps.
- Q-Subs save time by surfacing reviewer expectations early.
- Getting the SBOM, pen test, and threat model right addresses the causes of 80% of clock stops.
- A clean submission package avoids significant delays.
1. The FDA Clock vs. the Calendar Clock
The FDA tracks FDA days (time on the agency's side) separately from sponsor days (time on yours). Statutory MDUFA goals are measured in FDA days. A deficiency letter stops the FDA clock and starts a sponsor clock that runs until you respond.
| Pathway | MDUFA goal (FDA days) | Typical calendar time, clean submission | Typical calendar time, one major deficiency |
|---|---|---|---|
| 510(k) | 90 FDA days | 3–4 months | 6–9 months |
| De Novo | 150 FDA days | 6–9 months | 9–15 months |
| PMA (original) | 180 FDA days | 10–14 months | 14–24 months |
| PMA supplement (180-day) | 180 FDA days | 6–10 months | 10–16 months |
Cybersecurity does not, by itself, change the MDUFA goal. It changes the probability that the clock stops.
2. The RTA Screen - First 15 Days
For 510(k) and De Novo, the Refuse-to-Accept screen happens in the first 15 calendar days. Cybersecurity-specific RTA triggers in 2026:
- No SBOM, or an SBOM that is not machine-readable (CycloneDX or SPDX)
- No vulnerability monitoring / CVD plan
- No documented update mechanism for the device
- A "no" answer on the cyber-device determination for a plainly internet-connected device
An RTA hold typically costs 15–30 calendar days to cure if the underlying artifacts exist; 2–3 months if they have to be built.
3. Substantive Review - Days 16–90 (510(k))
During substantive review, cybersecurity is evaluated against the February 2026 final guidance. The reviewer reads:
- The cyber-device determination
- The security risk file (AAMI SW96)
- The threat model and architecture views
- The SBOM and known-vulnerability assessment
- The pen test report
- The labeling and postmarket plan
Reviewer questions arrive as Interactive Review emails (quick clarifications, no clock stop) or as a formal Additional Information (AI) letter (clock stop).
4. Additional Information (AI) Letters
An AI letter stops the clock and gives the sponsor 180 calendar days to respond. Cybersecurity AI letters typically cluster around:
- SBOM missing fields or a stale vulnerability assessment
- Threat model presented as a bullet list rather than diagram-driven
- Pen test scope missing an interface or protocol
- Labeling missing operating-environment assumptions or support lifecycle
- Postmarket plan lacking a patch SLA
A well-prepared sponsor responds in 30–60 days; teams without a Secure Product Development Framework (SPDF) often use the full 180.
5. eSTAR Mechanics
For 510(k) and De Novo, the eSTAR auto-validates required attachments. Cybersecurity content lives primarily in Section 14, so a missing attachment there is caught before submission rather than at the RTA screen. See our eSTAR cybersecurity readiness checklist.
6. PMA Specifics
PMA reviews include a filing review (45 days) analogous to RTA, then substantive review against the 180-day MDUFA goal. PMAs frequently include Major Deficiency letters that stop the clock for 180 days. Cybersecurity deficiencies in PMA are the same content as 510(k), but with higher scrutiny on traceability and postmarket evidence.
7. Pre-Submission (Q-Sub) - The Best Time Investment
A Q-Sub focused on cybersecurity strategy adds ~75 days before submission, but typically saves 90–180 days by surfacing the reviewer's expectations early. Recommended for first-time submitters, novel devices, AI/ML devices with a Predetermined Change Control Plan (PCCP), and any device where the SPDF is still being built.
8. What Actually Causes Delay
In the engagements we see, cybersecurity-driven delay decomposes roughly as:
- 40% - SBOM and vulnerability management (missing, stale, or unmaintained)
- 25% - Pen test scope or quality
- 15% - Threat model depth
- 10% - Labeling and operating-environment assumptions
- 10% - Postmarket plan and CVD intake
Three of these (SBOM, pen test, threat model) account for 80% of clock stops. Investing engineering time there pays back fastest.
9. How to Compress the Timeline
- Run the premarket submission checklist end-to-end before eSTAR validation
- Build the SBOM into CI so it is current on submission day
- Use CycloneDX VEX to pre-empt reviewer questions on irrelevant CVEs
- Engage a third-party penetration tester whose report is written for FDA reviewers, not IT auditors
- Pre-write the Section 14 narrative as if you were the reviewer
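As an added example (not tooling from this page or from Blue Goat Cyber), a small Python pre-flight check that covers both the machine-readable SBOM requirement from the RTA section and the CycloneDX VEX advice above: it rejects non-CycloneDX input, reports components missing baseline fields, and separates still-open vulnerabilities from not_affected claims that carry no justification. The required field set is an assumption loosely modelled on the NTIA minimum elements, the sample SBOM is constructed, and the CVE ids are placeholders.

```python
import json

# Per-component fields this check enforces: an assumption loosely modelled on
# the NTIA minimum elements, not a list taken from FDA guidance.
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier", "purl")
# CycloneDX VEX states that close a finding without a fix; each needs a justification.
STATES_NEEDING_JUSTIFICATION = {"not_affected", "false_positive"}
CLOSED_STATES = {"resolved", "resolved_with_pedigree"}

def check_sbom(doc: dict) -> dict:
    """Flag component field gaps and VEX entries a reviewer would query."""
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a machine-readable CycloneDX document")
    component_gaps = {}
    for comp in doc.get("components", []):
        missing = [f for f in REQUIRED_COMPONENT_FIELDS if not comp.get(f)]
        if missing:
            component_gaps[comp.get("bom-ref", comp.get("name", "?"))] = missing
    open_vulns, unjustified_vex = [], []
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state")
        if state in STATES_NEEDING_JUSTIFICATION:
            if not analysis.get("justification"):
                unjustified_vex.append(vuln["id"])  # claim with no reasoning
        elif state not in CLOSED_STATES:
            open_vulns.append(vuln["id"])  # still needs remediation or triage
    return {"component_gaps": component_gaps, "open_vulns": open_vulns,
            "unjustified_vex": unjustified_vex}

# Constructed sample SBOM with embedded VEX; CVE ids are placeholders, not real.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg-a", "name": "libfoo", "version": "1.2.3",
     "supplier": {"name": "Example Vendor"}, "purl": "pkg:generic/libfoo@1.2.3"},
    {"bom-ref": "pkg-b", "name": "libbar", "version": "0.9"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg-a"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "vulnerable parser is compiled out of the device build"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg-a"}],
     "analysis": {"state": "not_affected"}},
    {"id": "CVE-0000-0003", "affects": [{"ref": "pkg-b"}],
     "analysis": {"state": "in_triage"}}
  ]
}""")
```

Run against the sample, it reports pkg-b as missing supplier and purl, CVE-0000-0002 as a not_affected claim with no justification, and CVE-0000-0003 as still open; CVE-0000-0001 passes because its VEX entry carries both a justification and a detail a reviewer can read.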
10. A Realistic 510(k) Calendar With Cybersecurity Done Right
| Week | Activity |
|---|---|
| -12 to -8 | SBOM generation in CI, threat model, security risk file |
| -8 to -4 | Penetration test + remediation |
| -4 to -1 | Labeling, postmarket plan, eSTAR Section 14 packaging |
| 0 | Submit |
| 0–2 | RTA screen passes |
| 2–13 | Substantive review, interactive review emails answered same week |
| 13 | Clearance |
This is achievable. It is also the exception. The work is the work.
Frequently asked questions
Does cybersecurity extend the FDA review clock?
Not directly. A clean cybersecurity package adds zero FDA days. A deficiency letter - which cybersecurity gaps frequently trigger - can add 2–6 months of calendar time.
How long do I have to respond to a cybersecurity AI letter?
180 calendar days. Most sponsors respond in 30–90.
What is the fastest path to clearance?
Submit a clean package the first time. Q-Sub for novel devices, eSTAR for 510(k)/De Novo, and a current SBOM + diagram-driven threat model + third-party pen test are the four highest-leverage investments.
Can the FDA reject my submission for cybersecurity alone?
Yes. An RTA hold for a missing SBOM, missing vulnerability plan, or missing update mechanism will refuse acceptance until cured.
Do interactive review emails stop the clock?
No - only formal Additional Information letters and RTA holds stop the MDUFA clock.
How Blue Goat Cyber helps
Blue Goat Cyber compresses the cybersecurity portion of the timeline by executing the SBOM, threat model, pen test, and submission packaging as a single workstream. See FDA premarket cybersecurity services and deficiency response.
Sources & primary references
- FDA MDUFA V Commitment Letter (FY 2023–2027)
- FDA, Cybersecurity in Medical Devices (final guidance, February 2026)
- Section 524B, Federal Food, Drug, and Cosmetic Act
- FDA, Refuse to Accept Policy for 510(k)s
- FDA, eSTAR program documentation