
    eSTAR v6.2 vs v7.0 Cybersecurity: What Actually Changed

    Honest template-level diff of FDA eSTAR v6.2 and v7.0 for cybersecurity: the new Controls field, the August 3, 2026 retirement date, and what's template-enforced vs. guidance expectation.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    On June 1, 2026 the FDA released eSTAR v7.0 (nIVD and IVD) and PreSTAR v3.0; v6.2 - the prior Updated Version - will be retired on August 3, 2026. If you read other write-ups, you may see claims that v7.0 introduced "8 named cybersecurity attachment slots", a "Metrics slot", or required "Architecture Views" fields. That overstates what the template actually does. We diffed the two templates field-by-field. This is the honest version.

    Last reviewed: June 2026 against the FDA eSTAR Program page, the v6.2 and v7.0 nIVD eSTAR PDFs, and the FDA February 2026 final guidance.

    Source documents

    The two PDFs below are the recommended starting point. They contain only the cybersecurity portions of each eSTAR template - every non-cyber section (clinical, biocompatibility, sterility, labeling logistics, etc.) has been stripped out, and the remaining content is grouped into clearly named buckets (Overview, Threat Modeling, SBOM, Security Controls, Testing, Patching, Risk Assessment, Labeling, Interoperability, Standards). Both open directly in any browser.

    If you need the surrounding template (every section, not just cyber) or the official files for filing, the long-form sources are still available:

    Cybersecurity section at a glance

    Each card below summarizes one cybersecurity topic area inside the eSTAR template - what reviewers expect, and whether v7.0 actually changed anything at the template level versus v6.2.

    Overview & Scope
    When the section applies
    Required for any 510(k), De Novo, PMA, or HDE where the device has network/wireless/USB/cloud connectivity or processes patient data. Tied to FD&C Act §524B.
    v6.2 → v7.0: unchanged trigger criteria.
    Cybersecurity Management Plan
    Plan for Continuing Support
    How you'll monitor, identify, assess, and respond to post-market vulnerabilities across the device's supported life, including coordinated disclosure.
    v6.2 → v7.0: same attachment slot, unchanged caption.
    Threat Model
    Threats, boundaries, assumptions, risk controls
    Identify threats and corresponding risk controls; document boundary assumptions, trust zones, and data flows. Drives the Cybersecurity Risk Assessment.
    v6.2 → v7.0: attachment slot and caption unchanged.
    Architecture Views
    Four views from the Feb 2026 guidance
    Global system, multi-patient harm, updatability & patchability, and security use case views. May be embedded in the Threat Model attachment or filed as standalone documents.
    v6.2 → v7.0: no dedicated Architecture Views field added in v7.0 - still goes inside the Cybersecurity attachment area.
    SBOM
    Machine-readable, NTIA minimum elements
    SPDX or CycloneDX, covering first-party + third-party + open-source + transitive dependencies. Pair with vulnerability assessment (VEX-style) per the guidance.
    v6.2 → v7.0: no separate VEX upload field; both still attach to the SBOM slot.
    Security Controls (Appendix 1)
    Auth, crypto, integrity, confidentiality, resiliency
    The eight Appendix 1 control families (A–H): authentication, authorization, cryptography, code/data/execution integrity, confidentiality, event detection & logging, resiliency & recovery, updatability & patchability.
    v6.2 → v7.0: only template change - a new Controls free-text field inside the Cybersecurity subform for an inline summary.
    Cybersecurity Testing
    Security requirements, threat mitigation, vulnerability, penetration
    Abuse/misuse, fuzzing, attack-surface analysis, SCA on binaries, static/dynamic analysis, credential checks, and an independent pen-test report with scope/methods/findings.
    v6.2 → v7.0: caption unchanged.
    Vulnerability Management & Patching
    Controlled vs uncontrolled risk timelines
    Justify update/patch cadence: scheduled deployment for controlled-risk vulns, out-of-cycle ASAP for uncontrolled-risk vulns. CISA KEV items must be designed out.
    v6.2 → v7.0: unchanged template field.
    Cybersecurity Risk Assessment
    Separate from safety risk management
    Exploitability-based (not probability-based), with traceability from controls to vulnerabilities and risks. Distinct from the ISO 14971 safety risk file.
    v6.2 → v7.0: no change at the template level.
    Cybersecurity Metrics
    Postmarket KPIs
    Report metrics for monitoring the device's security posture in the field - e.g. percentage of identified vulnerabilities updated/patched, time from disclosure to patch, percentage of fleet on the current supported version.
    v6.2 → v7.0: literal Cybersecurity | Metrics label exists in both; no new dedicated KPI field added in v7.0.
    Unresolved Anomalies
    Known issues shipped with the device
    List of cybersecurity-relevant known anomalies present at clearance, with assessment of safety/effectiveness impact and rationale for not implementing or deferring fixes to future releases.
    v6.2 → v7.0: same subsection, unchanged.
    Change Impacts / Level of Support
    Lifecycle commitment for the cleared version
    How long the device version is supported, what changes (firmware, third-party components, OS) will be supported under what process, and how cyber impacts of those changes are evaluated.
    v6.2 → v7.0: literal Cybersecurity | Change Impacts and | Level of Support labels in both; captions unchanged.
    Cybersecurity Labeling
    Connectivity risks + update process
    User-facing description of connectivity, general cyber risks, and how the device receives updates. Lives in device labeling, referenced from the cyber package.
    v6.2 → v7.0: unchanged.
    Interoperability
    Now paired with Cybersecurity
    Covers wireless (Bluetooth, Wi-Fi, RF), AAMI TIR69 / ANSI C63.27 testing, and device-to-device data exchange surfaces that intersect with security.
    v6.2 → v7.0: Digital Health Resources list now pairs Cybersecurity and Interoperability explicitly.
    AI/ML Cybersecurity
    ML-enabled device considerations
    Model-specific threats (data poisoning, evasion, model extraction, inference attacks), training data integrity/provenance, model update pathway, and how PCCP changes are evaluated for cyber impact.
    v6.2 → v7.0: v7.0 Recognized Standards list adds AAMI CR515:2025 (ML cybersecurity); ML help text updated on the Software Description attachment.
    Standards & References
    What the eSTAR + Feb 2026 guidance point to
    AAMI SW96, AAMI TIR57, AAMI CR515:2025, IEC 81001-5-1, NIST SSDF (SP 800-218), ANSI/ISA 62443-4-1, AAMI TIR69, ANSI C63.27, IMDRF N60. Pick consensus standards in the Recognized Standards section.
    v6.2 → v7.0: Recognized Consensus Standards list refreshed - re-pick your standards in v7.0 rather than carrying values over.

    The headline

    | Dimension | eSTAR v6.2 | eSTAR v7.0 |
    |---|---|---|
    | Status | Retiring August 3, 2026 | Updated Version (current) |
    | Released | Earlier 2026 | June 1, 2026 |
    | Submission types | 510(k), De Novo, PMA (nIVD and IVD) | 510(k), De Novo, PMA (nIVD and IVD) |
    | Cybersecurity subform structure | Cybersecurity (single block) | Cybersecurity → Controls (new nested child with one text field) |
    | Digital Health Resources list | "…Software as a Medical Device; and Cybersecurity." | "…Cloud Computing; Cybersecurity and Interoperability, and; Wireless Technologies." |
    | Human Factors content | Pre-May 2026 guidance | Incorporates May 29, 2026 Human Factors Content Guidance (effective Aug 1, 2026) |
    | FDA Recognized Consensus Standards list | Pre-2026 refresh | Updated 2025/2026 entries (e.g. AAMI CR515:2025 ML cybersecurity) |

    What we verified by diffing the templates

    We extracted the XFA form definitions from both nIVD eSTAR PDFs and compared them directly. The actual changes inside the Cybersecurity area are:

    1. New Controls child subform inside Cybersecurity. v6.2 has <subform name="Cybersecurity"/> followed by a sibling <subform name="Interoperability"/>. v7.0 nests a new Controls block inside Cybersecurity containing one new free-text field. In practice this is a place to describe security controls inline rather than only via attachment.
    2. Digital Health Resources bullet list reorganized. The list that used to end "Software as a Medical Device; and Cybersecurity." is now broader and pairs Cybersecurity with Interoperability ("Cybersecurity and Interoperability, and; Wireless Technologies."), and adds MMA, SaMD, AI/ML, MDDS, CDS, and Cloud Computing as explicit categories.
    3. Recognized Consensus Standards list refreshed. v7.0 updates several cybersecurity-relevant standards entries (for example AAMI CR515:2025 on ML cybersecurity, IEEE 11073-40101/40102 vulnerability assessment and mitigation entries reformatted). These are dropdown list updates, not new question fields.

    That is the full template-level cybersecurity diff between v6.2 and v7.0.
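The structural comparison described above, as an added example (not Blue Goat Cyber's tooling and not part of the original article): it walks two XFA template packets and reports named subforms and fields that exist in only one of them. It assumes the XFA template XML has already been extracted from each PDF; the two samples are constructed, and the root name `eSTAR` and the field names `Attachments` and `ControlsSummary` are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-ins for each version's XFA <template> packet.
# Cybersecurity, Interoperability and Controls are the names the article quotes;
# "eSTAR", "Attachments" and "ControlsSummary" are hypothetical placeholders.
V62 = """<template xmlns="http://www.xfa.org/schema/xfa-template/3.0/">
  <subform name="eSTAR">
    <subform name="Cybersecurity"><field name="Attachments"/></subform>
    <subform name="Interoperability"/>
  </subform>
</template>"""

V70 = """<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
  <subform name="eSTAR">
    <subform name="Cybersecurity">
      <field name="Attachments"/>
      <subform name="Controls"><field name="ControlsSummary"/></subform>
    </subform>
    <subform name="Interoperability"/>
  </subform>
</template>"""

def named_paths(xml_text):
    """Return {"A/B/C": kind} for every named subform or field in a template."""
    paths = {}
    def walk(node, prefix):
        for child in node:
            # Drop the namespace: its version can differ between releases and
            # would otherwise make every element look changed.
            kind = child.tag.rsplit("}", 1)[-1]
            name = child.get("name")
            path = prefix
            if kind in ("subform", "field") and name:
                path = f"{prefix}/{name}" if prefix else name
                paths[path] = kind
            walk(child, path)  # unnamed containers are transparent
    # Templates from untrusted PDFs should be parsed with defusedxml instead.
    walk(ET.fromstring(xml_text), "")
    return paths

def diff_templates(old_xml, new_xml):
    """List named subforms/fields present in only one of the two templates."""
    old, new = named_paths(old_xml), named_paths(new_xml)
    return {
        "added": sorted((p, new[p]) for p in new.keys() - old.keys()),
        "removed": sorted((p, old[p]) for p in old.keys() - new.keys()),
    }

if __name__ == "__main__":
    for change, items in diff_templates(V62, V70).items():
        for path, kind in items:
            print(f"{change:8} {kind:8} {path}")
```

A name-level diff like this shows new or removed form elements only; changed captions, help text and dropdown entries (such as the refreshed standards list) need a separate text comparison.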

    What did not change at the template level

    • The Cybersecurity section is not broken into 8 named attachment slots in v7.0. There is one Cybersecurity subform with attachments, the same packaging model as v6.2.
    • There is no new Metrics field dedicated to postmarket KPIs.
    • There is no Architecture Views field.
    • There is no separate VEX upload field next to the SBOM.
    • AAMI SW96:2023 is not explicitly named in a template caption as the required risk-management standard.

    These are all reasonable expectations under the FDA's February 3, 2026 final premarket cybersecurity guidance - but they live in the guidance, not in v7.0 template fields. Submissions get held when those expectations aren't met regardless of whether the template asks for them.

    What did change outside the Cybersecurity subform

    These v7.0 changes still affect cybersecurity teams even though they are not in the Cybersecurity section:

    • Human Factors subsection added to Performance Testing. Cybersecurity-relevant human-factors content (usable authentication, alarm/notification handling, secure-update UX) now has a home in the Performance Testing section per the May 29, 2026 Human Factors Content Guidance (effective August 1, 2026).
    • Standards / Additional Information ordering adjusted in several sections, including Cybersecurity-adjacent ones.
    • PMA Facility Information added (relevant if your cybersecurity package is going into a PMA).
    • Adobe-specific rendering bug fix so attachments behave more consistently - useful when you have many cybersecurity attachments.

    Transition timing

    • v7.0 released: June 1, 2026
    • v6.2 retirement date: August 3, 2026
    • After August 3, 2026, v6.2 submissions are still accepted but the FDA says they may draw additional information requests for content covered by v7.0 changes
    • Grandfathering: once you receive an FDA acknowledgment letter, your submission is locked to the eSTAR version you submitted on. AI and Technical Screening responses must use that same version

    Should you refile?

    | Scenario | Recommendation |
    |---|---|
    | Submission already acknowledged on v6.2 | Do not refile. Grandfathered to v6.2. Respond to deficiencies in the v6.2 template. |
    | Drafted on v6.2, not yet submitted before Aug 3 | Migrate to v7.0 unless you can file in days. The new Controls free-text field is trivial to populate, and the Recognized Standards list is fresher. |
    | New submission starting now | Use v7.0. |
    | In RTA hold on v6.2 | Resolve on v6.2. The submission is grandfathered. |
    | AI or Technical Screening response on v6.2 | Must respond on v6.2. |

    Cybersecurity migration checklist (v6.2 → v7.0)

    If you are moving an in-progress v6.2 package to v7.0:

    1. Populate the new Controls free-text field inside the Cybersecurity subform with a one-paragraph summary of your security-controls attachment (auth, crypto, patch/update, logging) so reviewers see the map inline.
    2. Re-check Recognized Consensus Standards selections. Some cybersecurity-relevant entries were refreshed in v7.0 - re-pick your standards in the new dropdowns rather than carrying over assumed values.
    3. Move any human-factors content that touches authentication, alarms, or secure-update UX into the new Performance Testing → Human Factors subsection and reference it from your cybersecurity controls write-up.
    4. Keep your attachment package intact. v7.0 did not change the Cybersecurity attachment slot - your existing Management Plan, Security Risk file, Threat Model, SBOM, Controls, Testing, and Postmarket Plan attachments all still go in the same place.
    5. Build to the Feb 2026 guidance, not just to the template. The template will let you submit a thin package; the guidance is what reviewers grade against.

    Where to go next

    Need help migrating an in-flight v6.2 package to v7.0? Talk to Blue Goat Cyber - we resolve any FDA cybersecurity deficiency raised on a submission we authored, at no additional cost.

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. FDA eSTAR Program page - U.S. FDA