Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    Guide · FDA

    eSTAR v6.2 vs v7.0 Cybersecurity: What Actually Changed

    Honest template-level diff of FDA eSTAR v6.2 and v7.0 for cybersecurity: the new Controls field, the August 3, 2026 retirement date, and what's template-enforced vs. guidance expectation.

    Hero illustration for the FDA article: eSTAR v6.2 vs v7.0 Cybersecurity: What Actually Changed
    On this page
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key Takeaways

    • eSTAR v7.0 expands the cybersecurity section to align with the Feb 2026 final premarket guidance, new prompts cover SBOM machine-readability, CVD policy, and postmarket monitoring cadence.
    • v7 splits the security risk assessment attachment from the threat model attachment, so uploading them as a single PDF now fails the technical screen.
    • Postmarket cybersecurity management plan is a required attachment in v7; in v6 it was frequently embedded in the SPDF narrative and accepted.
    • v7 introduces explicit fields for third-party component vulnerability disclosure processes, align these to AAMI TIR97 language.
    • Any submission drafted against v6 after October 1, 2026 must be migrated to v7 or it will be returned before review.
    TL;DR

    An honest, template-level diff of FDA eSTAR v6.2 and v7.0 for cybersecurity content: what the new template actually adds, the August 3, 2026 retirement date, and what's guidance expectation vs. template-enforced.

    On June 1, 2026 the FDA released eSTAR v7.0 (nIVD and IVD) and PreSTAR v3.0; v6.2 - the prior Updated Version - will be retired on August 3, 2026. If you read other write-ups, you may see claims that v7.0 introduced "8 named cybersecurity attachment slots", a "Metrics slot", or required "Architecture Views" fields. That overstates what the template actually does. We diffed the two templates field-by-field. This is the honest version.

    eSTAR v6.2 vs v7.0 cybersecurity subform side-by-side comparison
    eSTAR v6.2 vs v7.0 cybersecurity subform side-by-side comparison

    Last reviewed: June 2026 against the FDA eSTAR Program page, the v6.2 and v7.0 nIVD eSTAR PDFs, and the FDA February 2026 final guidance.

    Source documents

    The two PDFs below are the recommended starting point. They contain only the cybersecurity portions of each eSTAR template - every non-cyber section (clinical, biocompatibility, sterility, labeling logistics, etc.) has been stripped out, and the remaining content is grouped into clearly named buckets (Overview, Threat Modeling, SBOM, Security Controls, Testing, Patching, Risk Assessment, Labeling, Interoperability, Standards). Both open directly in any browser.

    If you need the surrounding template (every section, not just cyber) or the official files for filing, the long-form sources are still available:

    Cybersecurity section at a glance

    Each card below summarizes one cybersecurity topic area inside the eSTAR template - what reviewers expect, and whether v7.0 actually changed anything at the template level versus v6.2. Jump to a card:

    Overview & Scope
    When the section applies
    Required for any 510(k), De Novo, PMA, or HDE where the device has network/wireless/USB/cloud connectivity or processes patient data. Tied to FD&C Act §524B.
    v6.2 → v7.0: unchanged trigger criteria.
    Cybersecurity Management Plan
    Plan for Continuing Support
    How you'll monitor, identify, assess, and respond to post-market vulnerabilities across the device's supported life, including coordinated disclosure.
    v6.2 → v7.0: same attachment slot, unchanged caption.
    Threat Model
    Threats, boundaries, assumptions, risk controls
    Identify threats and corresponding risk controls; document boundary assumptions, trust zones, and data flows. Drives the Cybersecurity Risk Assessment.
    v6.2 → v7.0: attachment slot and caption unchanged.
    Architecture Views
    Four views from the Feb 2026 guidance
    Global system, multi-patient harm, updatability & patchability, and security use case views. May be embedded in the Threat Model attachment or filed as standalone documents.
    v6.2 → v7.0: no dedicated Architecture Views field added in v7.0 - still goes inside the Cybersecurity attachment area.
    SBOM
    Machine-readable, NTIA minimum elements (now stewarded by CISA)
    SPDX or CycloneDX, covering first-party + third-party + open-source + transitive dependencies. Pair with vulnerability assessment (VEX-style) per the guidance.
    v6.2 → v7.0: no separate VEX upload field; both still attach to the SBOM slot.
    Security Controls (Appendix 1)
    Auth, crypto, integrity, confidentiality, resiliency
    The eight Appendix 1 control families (A-H): authentication, authorization, cryptography, code/data/execution integrity, confidentiality, event detection & logging, resiliency & recovery, updatability & patchability.
    v6.2 → v7.0: only template change - a new Controls free-text field inside the Cybersecurity subform for an inline summary.
    Cybersecurity Testing
    Security requirements, threat mitigation, vulnerability, penetration
    Abuse/misuse, [fuzzing](/services/medical-device-penetration-testing "device security testing services"), attack-surface analysis, SCA on binaries, static/dynamic analysis, credential checks, and an independent pen-test report with scope/methods/findings.
    v6.2 → v7.0: caption unchanged.
    [Vulnerability Management](/services/fda-compliant-sbom-services-for-medtech "SBOM generation and management") & Patching
    Controlled vs uncontrolled risk timelines
    Justify update/patch cadence: scheduled deployment for controlled-risk vulns, out-of-cycle ASAP for uncontrolled-risk vulns. CISA KEV items must be designed out.
    v6.2 → v7.0: unchanged template field.
    Cybersecurity Risk Assessment
    Separate from safety risk management
    Exploitability-based (not probability-based), with traceability from controls to vulnerabilities and risks. Distinct from the ISO 14971 safety risk file.
    v6.2 → v7.0: no change at the template level.
    Cybersecurity Metrics
    Postmarket KPIs
    Report metrics for monitoring the device's security posture in the field - e.g. percentage of identified vulnerabilities updated/patched, time from disclosure to patch, percentage of fleet on the current supported version.
    v6.2 → v7.0: literal Cybersecurity | Metrics label exists in both; no new dedicated KPI field added in v7.0.
    Unresolved Anomalies
    Known issues shipped with the device
    List of cybersecurity-relevant known anomalies present at clearance, with assessment of safety/effectiveness impact and rationale for not implementing or deferring fixes to future releases.
    v6.2 → v7.0: same subsection, unchanged.
    Change Impacts / Level of Support
    Lifecycle commitment for the cleared version
    How long the device version is supported, what changes (firmware, third-party components, OS) will be supported under what process, and how cyber impacts of those changes are evaluated.
    v6.2 → v7.0: literal Cybersecurity | Change Impacts and | Level of Support labels in both; captions unchanged.
    Cybersecurity Labeling
    Connectivity risks + update process
    User-facing description of connectivity, general cyber risks, and how the device receives updates. Lives in device labeling, referenced from the cyber package.
    v6.2 → v7.0: unchanged.
    Interoperability
    Now paired with Cybersecurity
    Covers wireless (Bluetooth, Wi-Fi, RF), AAMI TIR69 / ANSI C63.27 testing, and device-to-device data exchange surfaces that intersect with security.
    v6.2 → v7.0: Digital Health Resources list now pairs Cybersecurity and Interoperability explicitly.
    AI/ML Cybersecurity
    ML-enabled device considerations
    Model-specific threats (data poisoning, evasion, model extraction, inference attacks), training data integrity/provenance, model update pathway, and how PCCP changes are evaluated for cyber impact.
    v6.2 → v7.0: v7.0 Recognized Standards list adds AAMI CR515:2025 (ML cybersecurity); ML help text updated on the Software Description attachment.
    Standards & References
    What the eSTAR + Feb 2026 guidance point to
    AAMI SW96, AAMI TIR57, AAMI CR515:2025, IEC 81001-5-1, NIST SSDF (SP 800-218), ANSI/ISA 62443-4-1, AAMI TIR69, ANSI C63.27, IMDRF N60. Pick consensus standards in the Recognized Standards section.
    v6.2 → v7.0: Recognized Consensus Standards list refreshed - re-pick your standards in v7.0 rather than carrying values over.

    The headline

    Dimension eSTAR v6.2 eSTAR v7.0
    Status Retiring August 3, 2026 Updated Version (current)
    Released Earlier 2026 June 1, 2026
    Submission types 510(k), De Novo, PMA (nIVD and IVD) 510(k), De Novo, PMA (nIVD and IVD)
    Cybersecurity subform structure Cybersecurity (single block) Cybersecurity → Controls (new nested child with one text field)
    Digital Health Resources list "…Software as a Medical Device; and Cybersecurity." "…Cloud Computing; Cybersecurity and Interoperability, and; Wireless Technologies."
    Human Factors content Pre-May 2026 guidance Incorporates May 29, 2026 Human Factors Content Guidance (effective Aug 1, 2026)
    FDA Recognized Consensus Standards list Pre-2026 refresh Updated 2025/2026 entries (e.g. AAMI CR515:2025 ML cybersecurity)

    What we verified by diffing the templates

    We extracted the XFA form definitions from both nIVD eSTAR PDFs and compared them directly. The actual changes inside the Cybersecurity area are:

    1. New Controls child subform inside Cybersecurity. v6.2 has <subform name="Cybersecurity"/> followed by a sibling <subform name="Interoperability"/>. v7.0 nests a new Controls block inside Cybersecurity containing one new free-text field. In practice this is a place to describe security controls inline rather than only via attachment.
    2. Digital Health Resources bullet list reorganized. The list that used to end "Software as a Medical Device; and Cybersecurity." is now broader and pairs Cybersecurity with Interoperability ("Cybersecurity and Interoperability, and; Wireless Technologies."), and adds MMA, SaMD, AI/ML, MDDS, CDS, and Cloud Computing as explicit categories.
    3. Recognized Consensus Standards list refreshed. v7.0 updates several cybersecurity-relevant standards entries (for example AAMI CR515:2025 on ML cybersecurity, IEEE 11073-40101/40102 vulnerability assessment and mitigation entries reformatted). These are dropdown list updates, not new question fields.

    That is the full template-level cybersecurity diff between v6.2 and v7.0.

    What did not change at the template level

    • The Cybersecurity section is not broken into 8 named attachment slots in v7.0. There is one Cybersecurity subform with attachments, the same packaging model as v6.2.
    • There is no new Metrics field dedicated to postmarket KPIs.
    • There is no Architecture Views field.
    • There is no separate VEX upload field next to the SBOM.
    • AAMI SW96:2023 is not explicitly named in a template caption as the required risk-management standard.

    These are all reasonable expectations under the FDA's February 3, 2026 final premarket cybersecurity guidance - but they live in the guidance, not in v7.0 template fields. Submissions get held when those expectations aren't met regardless of whether the template asks for them.

    What did change outside the Cybersecurity subform

    These v7.0 changes still affect cybersecurity teams even though they are not in the Cybersecurity section:

    • Human Factors subsection added to Performance Testing. Cybersecurity-relevant human-factors content (usable authentication, alarm/notification handling, secure-update UX) now has a home in the Performance Testing section per the May 29, 2026 Human Factors Content Guidance (effective August 1, 2026).
    • Standards / Additional Information ordering adjusted in several sections, including Cybersecurity-adjacent ones.
    • PMA Facility Information added (relevant if your cybersecurity package is going into a PMA).
    • Adobe-specific rendering bug fix so attachments behave more consistently - useful when you have many cybersecurity attachments.

    Transition timing

    • v7.0 released: June 1, 2026
    • v6.2 retirement date: August 3, 2026
    • After August 3, 2026, v6.2 submissions are still accepted but the FDA says they may draw additional information requests for content covered by v7.0 changes
    • Grandfathering: once you receive an FDA acknowledgment letter, your submission is locked to the eSTAR version you submitted on. AI and Technical Screening responses must use that same version

    Should you refile?

    Scenario Recommendation
    Submission already acknowledged on v6.2 Do not refile. Grandfathered to v6.2. Respond to deficiencies in the v6.2 template.
    Drafted on v6.2, not yet submitted before Aug 3 Migrate to v7.0 unless you can file in days. The new Controls free-text field is trivial to populate, and the Recognized Standards list is fresher.
    New submission starting now Use v7.0.
    In RTA hold on v6.2 Resolve on v6.2. The submission is grandfathered.
    AI or Technical Screening response on v6.2 Must respond on v6.2.

    Cybersecurity migration checklist (v6.2 → v7.0)

    If you are moving an in-progress v6.2 package to v7.0:

    1. Populate the new Controls free-text field inside the Cybersecurity subform with a one-paragraph summary of your security-controls attachment (auth, crypto, patch/update, logging) so reviewers see the map inline.
    2. Re-check Recognized Consensus Standards selections. Some cybersecurity-relevant entries were refreshed in v7.0 - re-pick your standards in the new dropdowns rather than carrying over assumed values.
    3. Move any human-factors content that touches authentication, alarms, or secure-update UX into the new Performance Testing → Human Factors subsection and reference it from your cybersecurity controls write-up.
    4. Keep your attachment package intact. v7.0 did not change the Cybersecurity attachment slot - your existing Management Plan, Security Risk file, Threat Model, SBOM, Controls, Testing, and Postmarket Plan attachments all still go in the same place.
    5. Build to the Feb 2026 guidance, not just to the template. The template will let you submit a thin package; the guidance is what reviewers grade against.

    How Blue Goat Cyber approaches the v6.2 to v7.0 migration

    We migrate active submissions from eSTAR v6.2 to v7.0 as a fixed-fee, two-week engagement. Your existing cybersecurity artifacts get re-mapped to the v7.0 subform fields, gaps are flagged against the February 3, 2026 final guidance, and the updated package ships back ready to attach. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.

    For teams starting a new v7.0 submission from scratch, our FDA premarket cybersecurity service authors the full package to the v7.0 template.

    Frequently asked questions

    Is eSTAR v7.0 mandatory now?

    The FDA has published v7.0 as the current template and expects new submissions to use it. Submissions authored on v6.2 are still accepted through the FDA's stated transition window, but net-new packages should be built on v7.0. Confirm the current mandatory date in the FDA's eSTAR resource page before finalizing your submission plan.

    Do the cybersecurity artifacts themselves change between v6.2 and v7.0?

    The underlying artifacts (threat model, SBOM, security risk assessment, pen test report, postmarket monitoring plan) do not change in substance. What changes is how they are attached and cross-referenced inside the eSTAR subform. Content built to the February 2026 guidance is portable across versions; the mapping just needs re-work.

    Will content built for v6.2 be rejected if we submit on v7.0?

    Not for content reasons, but the v7.0 subform expects specific attachments in specific slots. If your v6.2-era package uses a single monolithic cybersecurity document, v7.0 will require you to split it into the discrete files the new subform expects. Otherwise the RTA screen will hold the submission on missing subform entries.

    How long does a v6.2 to v7.0 migration typically take?

    Two to four weeks for a submission with a complete v6.2-era package. Most of the time goes into re-splitting the security risk assessment, threat model, and SBOM into the specific attachment slots v7.0 expects, plus updating labeling and MDS2 references. Migrations that also require closing 2026-guidance gaps take longer.

    Does v7.0 require anything new that was not in v6.2 at all?

    Yes on emphasis, not on substance. v7.0 explicitly surfaces fields for SBOM format (CycloneDX vs SPDX), vulnerability disclosure policy URL, and postmarket monitoring plan version, all of which were expected under v6.2 but not always required as discrete fields. If those were embedded in narrative in a v6.2 package, they need to be pulled out.

    Should we resubmit a cleared v6.2 device to bring it onto v7.0?

    No. eSTAR version applies to new submissions and material changes. A cleared device does not need to be resubmitted just because the template updated. Your postmarket cybersecurity obligations under Section 524B(b)(2) run against the current guidance regardless of which template your original submission used.

    Where to go next

    Need help migrating an in-flight v6.2 package to v7.0? Talk to Blue Goat Cyber - we resolve any FDA cybersecurity deficiency raised on a submission we authored, at no additional cost.

    References

    Primary sources cited or relied on in this guide:

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. FDA eSTAR Program page- U.S. FDA
    2. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Feb 2026 final)- U.S. FDA
    3. ANSI/AAMI SW96:2023, Standard for Medical Device Security- AAMI
    Suggested reading

    Related guides

    Guide
    eSTAR Cybersecurity Readiness Checklist (510(k) & De Novo)
    Guide
    eSTAR v7.0 Cybersecurity Attachments: How the 8 Slots Map to the FDA's 2026 Guidance
    Guide
    FDA Premarket Cybersecurity Deliverables & eSTAR v7.0 Map
    Guide
    FDA Section 524B & eSTAR Cybersecurity: The Walkthrough
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.