
Published: June 3, 2026 · Last reviewed: May 1, 2026
Cybersecurity changes to an approved PMA device route through five submission types: a 180-day PMA supplement (the default for changes affecting safety, effectiveness, or the cybersecurity risk profile), a Real-Time supplement (narrow design changes the FDA can review in a single meeting), a Special PMA supplement (changes-being-effected that strengthen safety), a 30-day notice (manufacturing-only changes), and an annual report (administrative changes that do not affect safety, effectiveness, or the cleared design). Picking the wrong path on a cybersecurity change is the single most common cause of postmarket enforcement on Class III devices.
PMA is unforgiving about post-approval changes. Unlike 510(k), where the letter-to-file decision is largely internal, every meaningful PMA change goes back to the FDA in some form. Cybersecurity changes are no exception - and under Section 524B, the FDA's tolerance for misclassified cyber changes is now near zero.
This post is the PMA companion to our Letter to File vs New 510(k) for Cybersecurity Changes breakdown. It covers which PMA submission type each kind of cybersecurity change requires, the decision logic, and the gray zones.
Key takeaways
- The 180-day PMA supplement is the default for any cybersecurity change that affects safety, effectiveness, or the cybersecurity risk profile.
- Real-Time supplements compress review to a single meeting but are only available for narrow design changes.
- Special PMA supplements (changes-being-effected) let you ship the change before the FDA finishes review - but only for changes that strengthen safety, never for new functionality.
- 30-day notices are manufacturing-only. They are almost never the right path for substantive cybersecurity changes.
- Annual reports are for administrative changes - typos, labeling cleanup. A cybersecurity change buried in an annual report is an enforcement risk.
- Section 524B does not change which path applies, but it makes misclassification far more visible.
The five PMA change paths at a glance
| Path | What it's for | Review timeline | Cyber use case |
|---|---|---|---|
| 180-day PMA supplement | Changes affecting safety, effectiveness, design, performance, or labeling | 180 days | Default for substantive cyber changes |
| Real-Time supplement | Narrow design or labeling changes appropriate for a single review meeting | ~90 days | Crypto algorithm bump, focused interface change |
| Special PMA supplement (CBE) | Changes that strengthen safety; can ship before review completes | 30 days FDA acknowledgment, full review later | Adding MFA, adding signature verification, removing a vulnerable feature |
| 30-day notice | Manufacturing process changes only | 30 days | Almost never appropriate for cyber |
| Annual report | Changes not affecting safety, effectiveness, or cleared design | Annual filing | VEX status updates, documentation-only refreshes |
1. The 180-day PMA supplement - the default
If a cybersecurity change affects safety, effectiveness, or the cybersecurity risk profile, the default path is a 180-day PMA supplement. This is the analog of filing a new 510(k) on a change.
Cybersecurity changes that almost always require a 180-day supplement:
- New cryptographic algorithms or key management infrastructure.
- New authentication or authorization mechanisms.
- New wireless or remote-access paths (BLE, Wi-Fi, cellular, cloud sync).
- New third-party components that materially change the attack surface.
- Replacing an end-of-support OS or runtime.
- Any change that alters the threat model, trust boundaries, or intended use.
- Adding cloud backend dependencies the device's security claims now rely on.
The supplement must include a delta threat model, a delta security risk assessment, updated SBOM and VEX, and a focused security testing summary. The FDA reviewer expects the same depth of cybersecurity documentation as the original PMA, scoped to the change.
2. The Real-Time supplement
A Real-Time supplement compresses review to a single meeting with the FDA. It is available for design and labeling changes the FDA judges appropriate for that format - typically narrow, well-bounded changes with clear test data.
Cyber changes that can sometimes go Real-Time:
- A single cryptographic algorithm upgrade with full test evidence and no other change.
- A focused interface change that doesn't introduce new trust boundaries.
- A labeling change reflecting a security postmarket commitment.
The decision is the FDA's, not yours. Sponsors pre-coordinate via a Pre-Sub before committing. Getting a Real-Time supplement rejected mid-process forces you back to a 180-day supplement and resets the clock.
3. The Special PMA supplement (CBE - Changes Being Effected)
Special PMA supplements are the most misunderstood path in PMA change management. They let you ship the change immediately on submission, with full FDA review happening afterward.
The constraint: Special supplements are only for changes that strengthen safety or effectiveness. They are not a fast track for new functionality or new features.
Cybersecurity changes that legitimately qualify:
- Adding multi-factor authentication where none existed.
- Adding signature verification to a previously unsigned update mechanism.
- Removing or disabling a vulnerable feature without functional replacement.
- Tightening cryptographic minimums (e.g., raising TLS minimum version, removing weak ciphers).
- Pushing a patch that closes a specific known vulnerability with no functional change.
What disqualifies a Special supplement:
- Adding a new feature, even one with security in mind.
- Migrating to a new component that introduces functional changes.
- Any change that could plausibly reduce safety in some scenario.
The trap: sponsors use Special supplements for "security improvements" that actually add features. The FDA notices, and the postmarket enforcement consequence is high.
4. The 30-day notice
30-day notices are limited to manufacturing process changes - moving production sites, changing suppliers, modifying manufacturing equipment. They are not a path for design or software changes.
The only cyber-adjacent case for a 30-day notice is when the manufacturing change affects how cryptographic keys are provisioned at the factory (HSM swap, key ceremony change, certificate authority change). Even then, a Pre-Sub to confirm the path is cheaper than guessing wrong.
If you are tempted to file a substantive cybersecurity change as a 30-day notice, the answer is almost certainly that it needs a 180-day or Special supplement instead.
5. The annual report
Annual reports are for administrative changes that do not affect safety, effectiveness, or the cleared design. Cybersecurity changes that legitimately belong in an annual report:
- VEX status updates that change `under_investigation` to `not_affected` with documented justification.
- SBOM documentation refreshes that reflect no functional change.
- Editorial labeling updates with no substantive change to security claims.
- Postmarket cybersecurity monitoring summary as a yearly rollup.
What does NOT belong in an annual report:
- CVE patches that ship code changes.
- Component version bumps that change behavior or interfaces.
- Any change that touches crypto, auth, or attack surface.
A cybersecurity change buried in an annual report when it should have been a supplement is the kind of finding that drives Warning Letters under Section 524B.
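As an added illustration (not code from the original post), the following Python script diffs two revisions of an OpenVEX-style VEX document and sorts each changed entry into the buckets described above: a status-only transition backed by a justification is annual-report material, a `fixed` status asserts that shipped code changed and therefore is not, and a `not_affected` claim with no justification is an incomplete document rather than a filing question. The statement shape, the bucket labels, and the CVE identifiers (constructed placeholders, not real advisories) are assumptions of this example, not FDA or OpenVEX terminology.

```python
"""Classify VEX status transitions between two document revisions.

Added example, not from the original post. Assumes an OpenVEX-like
statement shape: each statement carries a vulnerability name, a status,
and, for not_affected, a justification. All CVE identifiers below are
constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

# OpenVEX status vocabulary.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Filing buckets (labels are this example's own, not regulatory terms).
ANNUAL_REPORT = "annual report (documentation-only status change)"
SUPPLEMENT = "supplement (code change implied; not an annual-report item)"
INVALID = "invalid (complete the VEX before filing anything)"
REVIEW = "review (statement dropped; document why)"


def index_statements(statements: List[dict]) -> Dict[str, dict]:
    """Map vulnerability name -> statement, rejecting unknown statuses."""
    out: Dict[str, dict] = {}
    for s in statements:
        if s["status"] not in STATUSES:
            raise ValueError(f"unknown VEX status {s['status']!r}")
        out[s["vulnerability"]["name"]] = s
    return out


def classify_transition(old: Optional[dict], new: dict) -> Tuple[str, str]:
    """Return (transition label, filing bucket) for one vulnerability."""
    old_status = old["status"] if old else None
    new_status = new["status"]
    label = f"{old_status or '(new)'} -> {new_status}"

    if new_status == "not_affected":
        # A not_affected claim needs a justification; without one the
        # document itself is incomplete.
        if not new.get("justification"):
            return label, INVALID
        return label, ANNUAL_REPORT

    if new_status == "fixed":
        # "fixed" asserts that shipped code changed, so the underlying
        # patch is a supplement question, never an annual-report entry.
        return label, SUPPLEMENT

    # affected / under_investigation: the status change itself ships no
    # code. Any remediation that follows is a separate change.
    return label, ANNUAL_REPORT


def diff_vex(old_statements: List[dict],
             new_statements: List[dict]) -> Dict[str, Tuple[str, str]]:
    """Classify every entry whose status or justification changed."""
    old_idx = index_statements(old_statements)
    new_idx = index_statements(new_statements)
    result: Dict[str, Tuple[str, str]] = {}
    for name, new in new_idx.items():
        old = old_idx.get(name)
        if (old and old["status"] == new["status"]
                and old.get("justification") == new.get("justification")):
            continue  # unchanged entry, nothing to file
        result[name] = classify_transition(old, new)
    for name in old_idx.keys() - new_idx.keys():
        result[name] = (f"{old_idx[name]['status']} -> (dropped)", REVIEW)
    return result


def annual_report_eligible(old_statements: List[dict],
                           new_statements: List[dict]) -> bool:
    """True only if every changed entry is a documentation-only transition."""
    changes = diff_vex(old_statements, new_statements)
    return all(bucket == ANNUAL_REPORT for _, bucket in changes.values())


# Constructed sample revisions (placeholder CVE ids, not real advisories).
OLD_VEX = [
    {"vulnerability": {"name": "CVE-0000-0001"}, "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "status": "affected"},
    {"vulnerability": {"name": "CVE-0000-0004"}, "status": "not_affected",
     "justification": "component_not_present"},
]
NEW_VEX = [
    {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "status": "not_affected"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "status": "fixed"},
    {"vulnerability": {"name": "CVE-0000-0004"}, "status": "not_affected",
     "justification": "component_not_present"},
    {"vulnerability": {"name": "CVE-0000-0005"}, "status": "under_investigation"},
]
# A revision that only closes one investigation with a justification.
DOC_ONLY_VEX = [dict(OLD_VEX[0], status="not_affected",
                     justification="vulnerable_code_not_in_execute_path")] + OLD_VEX[1:]

if __name__ == "__main__":
    for name, (label, bucket) in sorted(diff_vex(OLD_VEX, NEW_VEX).items()):
        print(f"{name}: {label}: {bucket}")
    print("whole revision annual-report eligible:",
          annual_report_eligible(OLD_VEX, NEW_VEX))
```

Run against the two constructed revisions, the closed investigation with a justification is the only entry the annual-report bucket accepts; the `fixed` entry drags the whole revision into supplement territory, and the unjustified `not_affected` entry is flagged before any filing question is asked.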
The decision logic for a cyber change
Ask these questions in order. The first "yes" determines the path.
- Does the change strengthen safety with no new functionality and no tradeoff that could reduce safety in any scenario? → Special PMA supplement (CBE).
- Does the change affect the threat model, trust boundaries, crypto, auth, attack surface, or intended use? → 180-day PMA supplement. Consider Real-Time only if the change is narrow and bounded enough to review in a single meeting.
- Is the change purely a manufacturing process modification with no design or software impact? → 30-day notice.
- Is the change administrative or documentation-only with no impact on safety, effectiveness, or design? → Annual report.
Any time the path is unclear, a focused Pre-Sub is the cheapest insurance. The FDA can confirm the right path before you commit.
How Section 524B changed the stakes
Section 524B(b) did not move the change-classification thresholds. It did make the consequences of misclassification far more expensive:
- Postmarket cybersecurity monitoring is statutory. A misclassified change is now visible to the FDA without an inspection - it shows up in postmarket data.
- The cybersecurity baseline expectation now follows the device. A change that drifts the device away from the Feb 3, 2026 premarket guidance baseline is harder to justify as Special or as an annual report entry.
- Enforcement has a clear statutory hook. A misclassified cyber change is not just a guidance violation - it is non-compliance with a specific provision of the FD&C Act.
The practical effect: PMA sponsors who got away with aggressive change-path interpretations in 2022 are getting findings on the same patterns in 2026.
Common gray zones
- TLS version bump on a connected Class III device. Usually a 180-day supplement if labeling claims specific cipher support; a Special supplement if it is pure tightening with no functional change.
- Adding a CVD program postmarket. Process-only change, but if the original PMA didn't describe one, expect the FDA to ask for it as a supplement amendment rather than an annual report entry.
- SBOM component swap for an end-of-support library. 180-day supplement if the replacement has different interfaces or trust context. Real-Time if it's a near-drop-in with full test evidence.
- Cloud backend changes the device doesn't ship but depends on. If the device's security claims relied on the old backend, the change re-enters device scope and needs a supplement.
For every gray-zone case, document the delta threat model and delta risk assessment regardless of the path chosen. The path you picked needs to be defensible.
Reviewer and inspector red flags
In a postmarket inspection or a Section 524B review, these patterns draw scrutiny:
- A run of annual-report entries for cybersecurity changes that altered code.
- Special supplements filed for changes that added functionality, not just safety.
- 30-day notices used for software-touching changes.
- No delta threat model accompanying any cybersecurity change, regardless of path.
- Long gaps between known upstream CVEs in shipped components and any supplement or annual report acknowledging them.
Frequently asked questions
Is a CVE patch always a 180-day PMA supplement?
No. A patch that strengthens safety with no new functionality can be a Special supplement (CBE). A patch that introduces interface changes, new dependencies, or trust boundary shifts is a 180-day supplement. A patch that is purely documentation/VEX with no code change can be an annual report entry. The intent of the change does not determine the path - the impact does.
Can I use a Real-Time supplement for any cyber change?
No. Real-Time is the FDA's choice, not yours. They use it when a change is narrow, bounded, and reviewable in a single meeting. Sponsors pre-coordinate via a Pre-Sub. A rejected Real-Time forces you to refile as a 180-day supplement.
What's the difference between a Special PMA supplement and a 180-day supplement?
A Special supplement (Changes Being Effected) can ship before the FDA finishes review and is limited to changes that strengthen safety with no new functionality. A 180-day supplement covers any change affecting safety, effectiveness, or the design, and requires FDA approval before shipping. Most substantive cyber changes are 180-day supplements.
Can I bundle multiple cyber changes into one supplement?
Yes, and it is often the right move. A consolidated 180-day supplement with five related cybersecurity changes is cheaper than five separate filings and produces a coherent threat model delta. The risk is that one weak change can drag the others. Bundle only what is logically related.
Where do postmarket cybersecurity commitments live?
Postmarket cybersecurity monitoring, vulnerability disclosure, and patch cadence commitments typically become Approval Order conditions at PMA approval. Updates to those commitments usually require a supplement, not an annual report - they are part of the cleared design's safety profile.
How does this interact with the Feb 3, 2026 FDA premarket cybersecurity guidance?
The 2026 guidance defines the cybersecurity baseline for cleared devices. A PMA change that drifts the device away from that baseline is harder to justify as Special or as an annual report entry, even if the change-classification flowchart would have allowed it before. Treat the 2026 guidance as a ceiling on what lighter paths can absorb.
Picking the right PMA change path?
The wrong PMA submission path on a cybersecurity change is the kind of mistake that turns into a Warning Letter under Section 524B. We help PMA sponsors choose the path, build the supplement, and ship the cyber package.
- Have a cyber change and not sure which path? → Book a discovery call
- Need the standards mapping first? → FDA PMA Cybersecurity Requirements guide
- Already received a PMA deficiency? → FDA Cybersecurity Deficiency Response service