
    Unresolved Anomalies in FDA Cybersecurity Submissions

    What the FDA's Feb 2026 guidance expects in the unresolved cybersecurity anomalies assessment, how to document residual risk, and the deficiency pattern that follows when this section is missing or thin.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: June 11, 2026


    Direct answer

    The FDA's February 3, 2026 final premarket cybersecurity guidance expects every submission to include an assessment of unresolved cybersecurity anomalies — known issues, findings, or vulnerabilities that exist at the time of submission and were not fully remediated. The assessment must identify each item, characterize its cybersecurity impact, justify why it remains unresolved, describe any compensating controls, and tie it to the residual-risk argument. Reviewers expect this even when the answer is "none." Missing or hand-waved anomaly assessments are one of the most common deficiency patterns reviewers cite.

    Key Takeaways

    • The Feb 2026 final guidance expects an explicit unresolved-anomalies assessment, not silence.
    • "None known" is acceptable — if the assessment process behind it is documented.
    • Each unresolved anomaly must include: identifier, description, cybersecurity impact, compensating controls, residual-risk justification, planned resolution.
    • Common sources: third-party CVEs with under_investigation VEX status, pen test findings deferred to next release, known suppression of static analysis findings.
    • The assessment lives in eSTAR v7.0 Slot 7 (Testing), referenced from Slot 4 (Risk Assessment) and Slot 5 (SBOM).


    Why this matters

    Reviewers know that no real device ships with zero open findings. A clean submission acknowledges what is open, characterizes the risk, and shows that the residual is acceptable. The Feb 2026 guidance is explicit:

    FDA language

    "The submission should include an assessment of the cybersecurity impact of any unresolved anomalies, identified by the manufacturer or known from third-party sources, that remain in the device at the time of submission."

    Submissions that omit the section, or include a one-liner saying "no unresolved anomalies," draw the same deficiency pattern: "Provide the manufacturer's assessment process and the results, including any items identified and the rationale for leaving them unresolved." That request stops the review clock on PMA / De Novo and triggers an Additional Information (AI) request on 510(k).

    What counts as an unresolved anomaly

    Reviewers treat the following as in-scope for the anomaly assessment:

    • Known CVEs in third-party components that are present in the SBOM but not yet patched, including those VEX-marked under_investigation or affected with a deferred fix
    • Static analysis findings that have been triaged and suppressed (with rationale) but remain in the codebase
    • Dynamic analysis / DAST findings that were accepted as low-risk or deferred to a future release
    • Penetration test findings that were not remediated before submission
    • Fuzz testing crashes that have been triaged but not yet fixed
    • Architectural decisions that introduce known residual risk (e.g., legacy protocol support required for interoperability)
    • Configuration items that are not at the cybersecurity ideal (e.g., a logging level that is reduced for performance)

    This is not a list of failures. It is a list of decisions. Reviewers credit explicit decisions and penalize silence.

    What every anomaly entry must contain

    A compliant entry has six elements:

    1. Identifier — internal tracking ID, plus CVE / CWE where applicable.
    2. Description — what the anomaly is, in language a reviewer can understand without internal context.
    3. Cybersecurity impact — the threat(s) it relates to (referenced by Slot 3 threat model ID), the patient-harm pathway it could enable, and the CVSS or equivalent severity.
    4. Compensating controls — what is in place that reduces the practical risk (network isolation, authentication requirement, off-by-default configuration, monitoring detection).
    5. Residual-risk justification — why the remaining risk is acceptable, tied to the Slot 4 risk assessment thresholds.
    6. Planned resolution — when and how the anomaly will be addressed (next minor release, next major release, monitored indefinitely with rationale).

    For VEX-driven CVE entries, the VEX statement and the entry above must agree. Reviewers cross-check.

    How to present a clean assessment

    The cleanest format we have seen accepted is a single appendix to the Slot 7 Testing attachment with two tables and a narrative:

    Table 1 — Anomaly process. How does the manufacturer surface anomalies? What feeds are watched (NVD, GitHub Advisory DB, CISA KEV, EPSS, vendor advisories, internal bug tracker, pen test reports, fuzz harness output)? Who triages? On what cadence?


    Table 2 — Open anomalies at submission. One row per anomaly with the six required elements above.

    Narrative. A one- to two-page summary that explains the patterns reviewers should expect to see, calls out the highest-residual items, and links each one back to the Slot 4 residual-risk argument and the postmarket monitoring plan.

    Common deficiency patterns

    1. No assessment at all. "Submission does not contain an assessment of unresolved cybersecurity anomalies. Provide."
    2. "None" without process. "Manufacturer states no unresolved anomalies. Provide the process by which anomalies are identified and triaged, and the evidence supporting the 'none' conclusion."
    3. CVE list without VEX agreement. SBOM shows an applicable CVE; anomaly assessment does not list it; no VEX statement disposes of it. Reviewers flag the inconsistency.
    4. Pen test findings deferred without rationale. Pen test report shows a Medium finding; anomaly list shows the same finding "deferred"; no compensating control listed and no residual-risk argument. Reviewers ask why.
    5. Suppressed SAST findings with stub rationale. "False positive" with no detail. Reviewers want the analysis that supports the suppression.
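    The six-element entry structure and the VEX-agreement rule above, together with deficiency patterns 3, 4 and 5, lend themselves to a pre-submission consistency check. The script below is an added example, not Blue Goat Cyber's tooling: it models an anomaly register as rows carrying the six required elements, reconciles every applicable SBOM CVE against the VEX statements and the register, and flags a deferred Medium-or-higher finding with no compensating control and a stub suppression rationale. The CVE identifiers, threat-model IDs, severity scale, the `entry()` and `check_register()` helpers, and the 40-character stub threshold are all constructed for the illustration; the VEX vocabulary assumes the OpenVEX/CSAF states (`affected`, `under_investigation`, `not_affected`, `fixed`).

```python
"""Pre-submission consistency check for an unresolved-anomalies register.

Added example, not Blue Goat Cyber's code. Reconciles the register against the
Slot 5 SBOM CVE list and the VEX statements, and flags the reviewer deficiency
patterns described in the article. All data below is constructed.
"""

# The six elements the article requires in every anomaly entry.
REQUIRED_FIELDS = (
    "identifier", "description", "cybersecurity_impact",
    "compensating_controls", "residual_risk_justification", "planned_resolution",
)

# VEX status vocabulary (assumption: OpenVEX/CSAF states).
VEX_OPEN = {"affected", "under_investigation"}
VEX_CLOSED = {"not_affected", "fixed"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Heuristic threshold (assumption): a justification shorter than this is treated
# as a stub such as "False positive" on its own (deficiency pattern 5).
MIN_JUSTIFICATION_CHARS = 40


def entry(identifier, description, source, severity, impact, cve=None,
          controls=(), justification="", resolution=""):
    """One register row: the article's six elements plus source, severity, CVE."""
    return {
        "identifier": identifier,
        "description": description,
        "cybersecurity_impact": impact,   # threat-model ID, harm pathway, CVSS
        "compensating_controls": list(controls),
        "residual_risk_justification": justification,
        "planned_resolution": resolution,
        "source": source,                 # sbom | sast | dast | pentest | fuzz
        "severity": severity,
        "cve": cve,
    }


def check_register(register, sbom_applicable_cves, vex):
    """Return a sorted list of (item id, finding code) a reviewer would raise.

    register: rows built with entry().
    sbom_applicable_cves: CVE ids the Slot 5 SBOM analysis marked applicable.
    vex: dict mapping CVE id -> VEX status string.
    """
    findings = set()
    cves_in_register = {}
    for e in register:
        eid = e["identifier"]
        missing = [f for f in REQUIRED_FIELDS if not e.get(f)]
        if missing:
            findings.add((eid, "MISSING_ELEMENTS:" + ",".join(missing)))
        if len(e["residual_risk_justification"]) < MIN_JUSTIFICATION_CHARS:
            findings.add((eid, "STUB_RATIONALE"))                 # pattern 5
        deferred = e["planned_resolution"].lower().startswith("deferred")
        if (deferred and SEVERITY_RANK[e["severity"]] >= SEVERITY_RANK["medium"]
                and not e["compensating_controls"]):
            findings.add((eid, "DEFERRED_WITHOUT_CONTROLS"))      # pattern 4
        if e["cve"]:
            cves_in_register[e["cve"]] = eid

    # Pattern 3 and the VEX-agreement rule: every applicable CVE must be disposed
    # of by VEX, listed as an open anomaly, or both, and the two must agree.
    for cve in sorted(sbom_applicable_cves):
        status = vex.get(cve)
        listed = cve in cves_in_register
        if status is not None and status not in VEX_OPEN | VEX_CLOSED:
            findings.add((cve, "UNKNOWN_VEX_STATUS:" + status))
        elif status is None and not listed:
            findings.add((cve, "NO_DISPOSITION"))
        elif status is None and listed:
            findings.add((cves_in_register[cve], "NO_VEX_STATEMENT"))
        elif status in VEX_CLOSED and listed:
            findings.add((cves_in_register[cve], "VEX_DISAGREES:" + status))
        elif status in VEX_OPEN and not listed:
            findings.add((cve, "OPEN_CVE_NOT_IN_REGISTER"))
    return sorted(findings)


# Constructed sample data; the CVE ids are placeholders, not real advisories.
SBOM_APPLICABLE_CVES = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"}
VEX = {
    "CVE-0000-0001": "under_investigation",
    "CVE-0000-0002": "not_affected",
    "CVE-0000-0003": "affected",
    # CVE-0000-0004 deliberately has no VEX statement.
}
REGISTER = [
    entry("ANOM-001", "Outdated TLS library in the gateway image", "sbom", "high",
          "T-07: tampering with dose data in transit (CVSS 7.5)", cve="CVE-0000-0001",
          controls=["mutual TLS between device and gateway", "gateway on isolated VLAN"],
          justification="Exploitation needs a foothold on the clinical VLAN; residual risk "
                        "is below the Slot 4 acceptability threshold for this harm pathway.",
          resolution="next minor release; library upgrade already in CI"),
    entry("ANOM-002", "Verbose error page reveals framework version", "pentest", "medium",
          "T-03: reconnaissance preceding a remote attack (CVSS 5.3)",
          justification="Risk accepted against the Slot 4 residual-risk threshold; no "
                        "patient-harm pathway without a second vulnerability.",
          resolution="deferred to next major release"),
    entry("ANOM-003", "SAST: possible integer overflow in log rotation", "sast", "low",
          "T-11: none identified (CVSS 2.0)",
          controls=["log size is bounded by a fixed configuration value"],
          justification="False positive", resolution="suppressed; re-evaluate at next SAST baseline"),
    entry("ANOM-004", "Parser bug in bundled XML library", "sbom", "medium",
          "T-05: malformed config crashes the service (CVSS 6.5)", cve="CVE-0000-0002",
          controls=["config files are signed before parsing"],
          justification="Crash is a denial of service only; device fails safe to standalone mode.",
          resolution="next minor release"),
]

if __name__ == "__main__":
    for item, code in check_register(REGISTER, SBOM_APPLICABLE_CVES, VEX):
        print(f"{item}: {code}")
```

Run against the constructed data, ANOM-001 passes cleanly, ANOM-002 is flagged twice (empty compensating controls, and a deferred Medium with none), ANOM-003 is flagged for its stub rationale, ANOM-004 is flagged because its VEX statement says not_affected while the register lists it as open, CVE-0000-0003 is VEX-affected but absent from the register, and CVE-0000-0004 has no disposition at all (pattern 3). Each flag maps to a deficiency request the article quotes, so an empty result is the state to reach before the Slot 7 appendix is snapshotted.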

    How Blue Goat Cyber prepares anomaly assessments

    We treat the anomaly assessment as a synthesis deliverable that draws from the SBOM, the SAST/DAST reports, the pen test report, and the fuzz harness output. Every entry is checked against its source artifact and against the Slot 4 residual-risk thresholds. VEX statements are reconciled with the assessment entries. The assessment goes into the Slot 7 attachment with cross-references that let a reviewer trace any item back to its source in one hop. Where decisions favor deferral, we write the compensating-control narrative before submission, not in response to a deficiency.

    If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. See our cybersecurity submission services.

    FAQ

    Is "no unresolved anomalies" an acceptable answer?

    Yes, if the process behind that answer is documented. Reviewers accept "no unresolved anomalies at the time of submission" when the assessment process is described and the inputs (SBOM scan, SAST, DAST, pen test, fuzz harness output) are summarized. They reject the same sentence when it stands alone.

    How is this different from the SBOM vulnerability analysis?

    The SBOM vulnerability analysis identifies which CVEs in third-party components apply to your device and assigns VEX status. The anomaly assessment is the broader synthesis that also includes first-party findings (SAST, DAST, pen test, fuzz) and architectural decisions. The SBOM analysis feeds the anomaly assessment.

    Do we have to fix every Medium or higher pen test finding before submission?

    No, but every Medium-or-higher finding that remains open at submission belongs in the anomaly assessment with a compensating control and a residual-risk argument. Reviewers credit transparency. They penalize silence.

    Where does the anomaly assessment live in eSTAR?

    Slot 7 (Testing), with cross-references to Slot 4 (Risk Assessment) for the residual-risk thresholds and Slot 5 (SBOM) for the third-party CVE entries.

    How often should the anomaly assessment be updated?

    Before every submission and at every major release postmarket. Many manufacturers maintain a live anomaly register and snapshot it at submission time.

    Need help preparing your anomaly assessment?

    If you are within 4-8 weeks of a 510(k), De Novo, or PMA submission and have not yet built the unresolved anomalies appendix, we will synthesize it from your existing artifacts and write the residual-risk argument. Request a scoping call.


    Christian Espinosa — Founder, Blue Goat Cyber. CISSP, ex-military red team. Has prepared anomaly assessments for more than 250 FDA-submitted medical devices. More on the author.
