Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    Guide · FDA

    Combination Product Cybersecurity: When CDER Meets CDRH §524B

    Drug-device combination products (auto-injectors, on-body delivery, connected inhalers, prefilled pumps) trigger FDA cybersecurity requirements the drug side rarely sees. Here is how Section 524B, the Feb 2026 premarket guidance, and the CDER/CDRH lead-center split actually apply.

    Hero illustration for the FDA article: Combination Product Cybersecurity: When CDER Meets CDRH §524B
    On this page
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key Takeaways

    • Combination products (drug + device, biologic + device) are cyber devices under Section 524B whenever the device constituent is software-containing and internet-capable.
    • The lead center (CDER, CBER, or CDRH) is determined by primary mode of action, but CDRH cybersecurity requirements apply to the device constituent regardless.
    • Cybersecurity documentation must cover the device constituent's SPDF, SBOM, threat model, and postmarket plan, not just the drug-delivery mechanism.
    • Harm analysis has to include dose-integrity impacts (over/under delivery from a cyber event), which most vendor templates miss.
    • Coordinate premarket cybersecurity evidence with the constituent-part filings so the reviewer can trace one traceability matrix across the whole product.
    TL;DR

    Drug-device combination products (auto-injectors, on-body delivery, connected inhalers, prefilled pumps) trigger FDA cybersecurity requirements the drug side rarely sees. Here is how Section 524B, the Feb 2026 premarket guidance, and the CDER/CDRH lead-center split actually apply.

    Drug-device combination products do not get a cybersecurity discount. If the device constituent has software and any electronic interface, FD&C Act Section 524B applies - lead center notwithstanding.

    Last reviewed: June 2026 against the FDA "Cybersecurity in Medical Devices" final guidance (Feb 3, 2026), FD&C Act Section 524B, 21 CFR Part 3 (combination products), and the Office of Combination Products (OCP) jurisdictional framework.

    At a glance

    A combination product is a single therapeutic entity made of two or more regulated constituents - typically a drug and a device, sometimes a biologic and a device. Auto-injectors, on-body drug delivery systems, prefilled connected inhalers, drug-eluting pump platforms, and combo diagnostic-therapeutic patches are the common shapes. FDA assigns a lead center based on the product's primary mode of action (PMOA): CDER or CBER for drug/biologic-led, CDRH for device-led. That assignment governs review pathway, fee schedules, and labeling rules. It does not govern whether Section 524B cybersecurity requirements apply. §524B follows the device constituent. If the device contains software and has any electronic interface capable of connecting to or transferring data from another device or network, it is a "cyber device" under the statute - and the sponsor owes the full premarket cybersecurity package.

    What counts as a combination product (and what doesn't)

    21 CFR §3.2(e) defines four classes:

    Type Example
    3.2(e)(1) Single-entity Prefilled syringe; transdermal patch; drug-eluting stent
    3.2(e)(2) Co-packaged Kit with vial + injector in one box
    3.2(e)(3) Cross-labeled drug + device Drug whose labeling specifies a particular device (e.g. specific inhaler)
    3.2(e)(4) Cross-labeled investigational Same as (3) but in trials

    The cybersecurity question turns on one thing: does the device constituent contain software and have an electronic interface?

    • Yes - connected auto-injector with BLE pairing to a phone app; on-body infusor with cellular telemetry; smart inhaler logging actuations to the cloud; digital pill with ingestible sensor; drug-pump platform with Wi-Fi: §524B applies. Full cyber package required.
    • No - purely mechanical autoinjector with no electronics; standard prefilled syringe; passive transdermal patch: §524B does not apply. Traditional 21 CFR 820/QSR-equivalent device controls only.

    The fastest way to get this wrong is to assume "the drug is the point, the injector is just a delivery mechanism." If the injector phones home, it is a cyber device.

    How lead-center designation actually works

    The Office of Combination Products (OCP) assigns the lead center via a Request for Designation (RFD) or pre-RFD. PMOA controls. A drug-led product reviews under CDER's BLA/NDA pathway; a device-led product reviews under CDRH's 510(k)/De Novo/PMA pathway. Either way, the non-lead center is consulted.

    Where sponsors get burned:

    1. CDER-led, software-rich device - CDER reviewers do not own cybersecurity expertise the way CDRH does. They consult CDRH, which means cyber comments often arrive late in review, compress timelines, and surface deficiencies that should have been caught at the threat-modeling phase a year earlier.
    2. Late-binding device decisions - the drug program defines the device constituent late in development. Cybersecurity scope (SBOM, secure boot, key management) cannot be designed in retroactively. Doing so adds 6-12 months.
    3. Platform reuse - sponsors reuse a device platform across multiple drug indications and assume the original cyber package carries forward. It does, but only if the threat model, SBOM, and CVD program are kept current. A 2-year-old SBOM with unpatched criticals is a deficiency every time.

    What the cyber package looks like for a combination product

    Identical in content to a CDRH-only submission. The deliverables map straight to the FDA premarket cybersecurity deliverables and eSTAR v7.0 map:

    [KEY REQUIREMENT] Combination product sponsors must produce, for the device constituent:

    • Security Risk Management Report aligned to AAMI TIR57 / ANSI/AAMI SW96 and converged with the safety RMF per ISO 14971 vs AAMI TIR57.
    • SBOM in SPDX or CycloneDX (machine-readable), with VEX statements for known vulnerabilities.
    • Threat model (STRIDE or equivalent) tied to patient harm.
    • Architecture views - global system, multi-patient harm, updateability, security use case.
    • Cybersecurity testing - vulnerability scanning, penetration testing, software composition analysis, fuzz testing of communication interfaces.
    • Postmarket plan - monitoring, CVD intake, patch cadence, end-of-life.
    • Cybersecurity Management Plan under §524B(b)(1). [/KEY REQUIREMENT]

    In a BLA/NDA, this lives in Module 3.2.R (regional information) or a dedicated cybersecurity section the sponsor builds and cross-references from the device description module. In a 510(k)/De Novo/PMA, it lives in the standard eSTAR cybersecurity attachments.

    The CDER-led trap: budget cyber early

    If a drug program lead is reading this, the single most consequential decision is when to engage cybersecurity expertise. The right answer is at the same point you lock the device constituent's bill of materials - typically during late-stage formulation work. Engaging at the BLA prep stage is too late: threat model, SBOM, and any required cryptographic key management need to influence device firmware before design freeze.

    Sponsors who learn this the hard way share three regrets:

    1. Treating the connected device as a marketing feature (real-time adherence dashboards!) without scoping cyber budget for it.
    2. Outsourcing the device constituent to a contract manufacturer (CDMO/CMO) without contractually obligating SBOM delivery, secure SDLC evidence, and ongoing vulnerability monitoring.
    3. Pairing with a third-party companion app and assuming the app vendor owns app-side cybersecurity. The submission holder owns it. Period.

    How Blue Goat approaches combination product cybersecurity

    We start where most sponsors don't: at the device-constituent design freeze, not at submission prep. Our team's prior work on connected drug-delivery systems, on-body infusors, and smart inhalers means we walk in knowing the typical attack surface (BLE pairing flaws, OTA update key management, app-to-device authentication, telemetry endpoint exposure) and the deficiency patterns that follow.

    We deliver the full premarket package - SBOM, threat model, security risk management report, architecture views, testing - in a form that drops into either a CDER Module 3 or a CDRH eSTAR. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Start with our FDA premarket cybersecurity services page or our secure MedTech product design consulting if you are pre-design-freeze.

    FAQ

    Get a combination product cyber scope

    If you are pre-submission on a connected drug-delivery product, get a scoped cybersecurity plan before the device design freezes. We will tell you what §524B requires, what your reviewers will ask for, and what your CDMO needs to deliver - in writing, in one call.

    Book a combination product cyber scope


    Reviewed by the Blue Goat Cyber medical device team. Christian Espinosa (CISSP, OSCP) leads our combination-product engagements; the team's prior work spans connected auto-injectors, on-body delivery, and smart inhalers.

    References

    Primary sources cited or relied on in this guide:

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. Combination Products (FDA)- U.S. FDA
    2. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Feb 2026 final)- U.S. FDA
    3. ANSI/AAMI SW96:2023, Standard for Medical Device Security- AAMI
    4. IMDRF Principles and Practices for Medical Device Cybersecurity- IMDRF
    Suggested reading

    Related guides

    Guide
    Cyber Device Decision Tree (Are You In Scope of §524B?)
    Guide
    Cybersecurity for IVD Devices: The FDA & Section 524B Guide
    Guide
    FDA 524B & 21 CFR 807.81: Cybersecurity Compliance Guide
    Guide
    FDA Section 524B & eSTAR Cybersecurity: The Walkthrough
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.