
On this page
Key Takeaways
- Section 524B of the FD&C Act, effective March 29, 2023, authorizes the FDA to refuse any premarket submission for a cyber device that lacks required cybersecurity information.
- A cyber device is any device that is software-containing, internet-capable, and has technological characteristics that could be vulnerable to cybersecurity threats.
- Every 524B submission must include a postmarket vulnerability and patch plan, an SPDF-aligned design process, and a Software Bill of Materials.
- The Feb 2026 final guidance is the operational standard reviewers use to judge 524B compliance.
- RTA enforcement began October 1, 2023, missing 524B evidence is now the fastest way to a rejected submission.
Master FDA 524B cybersecurity requirements. Learn how to meet SBOM, vulnerability monitoring, and patch management standards for medical device submissions.
This guide is written for medical device manufacturers navigating FDA 524B cybersecurity requirements. It is built from real submissions, FDA correspondence, and the standards reviewers actually cite. Use it as a working reference: read straight through, jump to the section that matches your current gap, or hand it to your engineering and regulatory leads as a checklist.
Understanding Section 524B of the FD&C Act
Understanding Section 524B of the FD&C Act is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.
The Legislative Origin: Consolidated Appropriations Act of 2023
The Legislative Origin: Consolidated Appropriations Act of 2023. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
Who is a 'Cyber Device'? Defining the Scope
Who is a 'Cyber Device'? Defining the Scope. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
The Three Pillars of 524B Cybersecurity Compliance
The Three Pillars of 524B Cybersecurity Compliance is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.
Pillar 1: Plan to Monitor, Identify, and Address Vulnerabilities
Pillar 1: Plan to Monitor, Identify, and Address Vulnerabilities. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
Pillar 2: Design, Develop, and Maintain Processes for Security Updates
Pillar 2: Design, Develop, and Maintain Processes for Security Updates. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
Pillar 3: The Software Bill of Materials (SBOM) Requirement
Pillar 3: The Software Bill of Materials (SBOM) Requirement. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
Premarket Submission Requirements Under 524B
Premarket Submission Requirements Under 524B is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.
Integration with the Secure Product Development Framework (SPDF)
Integration with the Secure Product Development Framework (SPDF). Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
Required Documentation for eSTAR and Traditional Submissions
Required Documentation for eSTAR and Traditional Submissions. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
Postmarket Obligations: Beyond the Initial Submission
Postmarket Obligations: Beyond the Initial Submission is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.
Coordinated Vulnerability Disclosure (CVD) Programs
Coordinated Vulnerability Disclosure (CVD) Programs. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
Timeline for Security Patches and Regular Updates
Timeline for Security Patches and Regular Updates. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
FDA’s 'Refuse to Accept' (RTA) Authority under 524B
FDA’s 'Refuse to Accept' (RTA) Authority under 524B is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.
How to Avoid Deficiency Leads and Submission Delays
How to Avoid Deficiency Leads and Submission Delays. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.
Practical Steps for Achieving 524B Compliance
Practical Steps for Achieving 524B Compliance is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.
How Blue Goat Cyber Approaches FDA 524B cybersecurity requirements
We treat FDA 524B cybersecurity requirements as a regulated engineering workstream, not a one-time document drop. Every engagement is led by senior medical-device security engineers who have shipped 250+ FDA cybersecurity submissions across 510(k), De Novo, PMA, and EU MDR pathways. Here is how we run it end to end:
- Scoping against your device profile. We baseline connectivity, interfaces, data flows, and intended use before we touch a template - because reviewer expectations for a Class II wearable are not the same as a networked hospital platform.
- Standards mapping in writing. Every deliverable is traced to the February 2026 FDA premarket cybersecurity guidance, AAMI SW96, AAMI TIR57 / TIR97, IEC 81001-5-1, and ISO 14971 - with the citation in the artifact itself so reviewers do not have to guess.
- Evidence generated inside your QMS. Threat models, SBOMs, security risk assessments, and test reports are versioned under design controls so the traceability from requirement → test → residual risk holds up under audit.
- Independent testing where it counts. Penetration testing and vulnerability analysis are executed by a testing team that does not also write the design - the separation FDA reviewers increasingly expect on cyber devices.
- Deficiency-ready posture. We anticipate the RTA, AI-letter, and Major deficiency patterns FDA has issued over the past 24 months and pre-empt them in the initial submission, cutting the odds of a second review cycle.
- Postmarket handoff, not abandonment. Every premarket package leaves you with a working postmarket monitoring plan, CVD process, and update cadence so the evidence you shipped stays defensible after clearance.
If you want that treatment applied to your FDA 524B cybersecurity requirements package, our FDA Premarket Cybersecurity Services and FDA Cybersecurity Deficiency Response engagements are the two most common entry points.
524B deliverable to premarket checklist crosswalk
Each Section 524B requirement maps to a specific artifact in the FDA Premarket Cybersecurity Submission Checklist. Use this crosswalk to confirm nothing in the statute is unmapped in your submission package.
| Section 524B requirement | Checklist deliverable |
|---|---|
| 524B(b)(1) - Plan to monitor, identify, and address postmarket vulnerabilities and exploits | Cybersecurity Management Plan (CMP) + Vulnerability Disclosure Policy (VDP) + Patch Management and Distribution Plan |
| 524B(b)(2)(A) - Design, develop, and maintain processes and procedures to provide reasonable assurance of cybersecurity | Secure Product Development Framework (SPDF) narrative + Security Architecture and Design Documentation |
| 524B(b)(2)(B) - Make available postmarket updates and patches on a reasonably justified regular cycle, and out-of-cycle for critical vulnerabilities | Patch Management and Distribution Plan (cadence + out-of-cycle criteria) |
| 524B(b)(3) - Provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf components | Machine-readable SBOM (CycloneDX 1.5+ or SPDX 2.3+) with SBOM Requirements section |
| 524B(b)(4) - Comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance of cybersecurity | Security Risk Management Report (SRMR), Threat Model (STRIDE/HEC), Vulnerability Assessment + CVSS scoring, Penetration Testing Summary, Fuzzing/Robustness Testing, Cybersecurity Interface Control Document |
If any row above has no corresponding artifact in your submission, that is your RTA risk.
Relationship to 21 CFR 807.81 (510(k) premarket notification)
Section 524B applies whenever you submit a premarket submission for a cyber device, no matter which pathway. For most devices, the procedural trigger, and the timing gate, is 21 CFR 807.81, which requires the 510(k) to be submitted at least 90 days before commercial distribution. In practice, 807.81 sets when the filing is due, and Section 524B sets what it must contain. See the full 524B deliverables in our FDA Premarket Cybersecurity Submission Checklist. Read 807.81 as the "do I need to file, and by when?" test and Section 524B as the "what cybersecurity content the filing must include" requirement.
How the 90-day 807.81 timing works, step by step:
- Trigger event. You intend to introduce a device into commercial distribution for the first time, reintroduce it after removal, or make a change that could significantly affect safety or effectiveness (including a change in intended use). 21 CFR 807.81(a) makes any of these the moment your 510(k) clock starts.
- T-minus 90 days: submission due. 807.81(a) requires the 510(k) to be on file with the FDA at least 90 days before you begin commercial distribution. That 90 days is a floor, not a target; real FDA review time is typically longer.
- Cyber content must be complete on day one. Because Section 524B applies at submission, every 524B(b) deliverable (SPDF, SBOM, threat model, security testing, postmarket plan) must be inside the 510(k) when it is filed. Missing cyber content triggers a Refuse to Accept (RTA) hold before substantive review even starts, which resets your 90-day countdown to distribution.
- FDA acceptance review (day 1 to 15). The FDA runs the RTA checklist, including the cybersecurity checklist items driven by 524B. If accepted, substantive review begins. If refused, you fix the gaps and resubmit, and the 90-day distribution gate slips accordingly.
- Substantive review and decision. The FDA issues Additional Information (AI) requests as needed. You cannot ship until you receive a substantially equivalent (SE) determination, and even then not before the 807.81 90-day window has elapsed from the accepted submission.
- Commercial distribution. Once cleared and past the 90-day mark, you can distribute, at which point the 524B postmarket obligations (monitoring, patching cadence, out-of-cycle patches for critical vulnerabilities) take over.
Bottom line: 807.81 sets the calendar, and 524B decides whether that calendar ever starts running.
Frequently asked questions
What devices are considered 'cyber devices' under Section 524B?
Short answer: It depends on the device classification, intended use, and connectivity profile. But the controlling references are FDA's February 2026 premarket guidance, AAMI SW96, and IEC 81001-5-1. The sections above walk through how each applies. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.
What are the SBOM requirements for FDA 524B compliance?
Short answer: FDA 524B cybersecurity requirements is a discrete deliverable inside the Secure Product Development Framework (SPDF). FDA expects it documented, traceable, and version-controlled inside your QMS. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.
How does Section 524B change the FDA's authority to reject submissions?
Short answer: Treat it as a process, not a one-off document: own the requirement in design controls, map it to a current standard, generate evidence during V&V, and surface the residual risk in your postmarket plan. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.
Does 524B apply to legacy medical devices or only new submissions?
Short answer: Yes. Under Section 524B and the February 2026 final guidance, every cyber device requires the artifact in question. Skipping it is the fastest way to an RTA hold. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.
What postmarket cybersecurity activities are mandated by Section 524B?
Short answer: It depends on the device classification, intended use, and connectivity profile. But the controlling references are FDA's February 2026 premarket guidance, AAMI SW96, and IEC 81001-5-1. The sections above walk through how each applies. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.
Where this fits in the cluster
This page sits downstream of our pillar resources on FDA 524B cybersecurity requirements. If you arrived here from a different starting point, these are the most useful adjacent pages:
- FDA Premarket Cybersecurity Services
- FDA Cybersecurity Deficiency Response
- 12 Reasons the FDA Rejects Medical Device Cybersecurity Submissions
- The MedTech Cybersecurity Standards Decoder
Related from Blue Goat Cyber
- FDA-Compliant SBOM Services
- Medical Device Threat Modeling
- Medical Device Penetration Testing
- FDA Postmarket Cybersecurity Services
- The SPDF Playbook for FDA-Ready Medical Devices
- The Postmarket Cybersecurity Readiness Plan
Sources & primary references
- Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. U.S. Food and Drug Administration (FDA)
- Consolidated Appropriations Act, 2023 - Section 524B Ensuring Cybersecurity of Medical Devices. U.S. Congress (GovInfo)
- Secure Software Development Framework (SSDF) Version 1.1. NIST
- Draft Guidance: Select Updates for Cybersecurity in Medical Devices: Data Types and Formats for SBOMs. U.S. Food and Drug Administration (FDA)
Talk to a regulatory cybersecurity team
If you are working through FDA 524B cybersecurity requirements and want a second pair of eyes on your submission package, we ship cybersecurity deliverables for medical device manufacturers across 510(k), De Novo, PMA, and EU MDR pathways. Book a discovery session and we will walk your evidence with you.
Sources & references
Primary sources cited in this article. Links open in a new tab.


