Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    Part ofFDA Premarket Cybersecurity
    Guide · FDA

    FDA 524B & 21 CFR 807.81: Cybersecurity Compliance Guide

    FDA Section 524B cybersecurity requirements and how 21 CFR 807.81 sets the 90-day 510(k) timing floor: SBOM, vulnerability monitoring, and patch standards.

    Hero illustration for the article: FDA 524B & 21 CFR 807.81: Cybersecurity Compliance Guide
    On this page
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key Takeaways

    • Section 524B of the FD&C Act, effective March 29, 2023, authorizes the FDA to refuse any premarket submission for a cyber device that lacks required cybersecurity information.
    • A cyber device is any device that is software-containing, internet-capable, and has technological characteristics that could be vulnerable to cybersecurity threats.
    • Every 524B submission must include a postmarket vulnerability and patch plan, an SPDF-aligned design process, and a Software Bill of Materials.
    • The Feb 2026 final guidance is the operational standard reviewers use to judge 524B compliance.
    • RTA enforcement began October 1, 2023, missing 524B evidence is now the fastest way to a rejected submission.

    Master FDA 524B cybersecurity requirements. Learn how to meet SBOM, vulnerability monitoring, and patch management standards for medical device submissions.

    This guide is written for medical device manufacturers navigating FDA 524B cybersecurity requirements. It is built from real submissions, FDA correspondence, and the standards reviewers actually cite. Use it as a working reference: read straight through, jump to the section that matches your current gap, or hand it to your engineering and regulatory leads as a checklist.

    Understanding Section 524B of the FD&C Act

    Understanding Section 524B of the FD&C Act is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.

    The Legislative Origin: Consolidated Appropriations Act of 2023

    The Legislative Origin: Consolidated Appropriations Act of 2023. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    Who is a 'Cyber Device'? Defining the Scope

    Who is a 'Cyber Device'? Defining the Scope. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    The Three Pillars of 524B Cybersecurity Compliance

    The Three Pillars of 524B Cybersecurity Compliance is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.

    Pillar 1: Plan to Monitor, Identify, and Address Vulnerabilities

    Pillar 1: Plan to Monitor, Identify, and Address Vulnerabilities. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    Pillar 2: Design, Develop, and Maintain Processes for Security Updates

    Pillar 2: Design, Develop, and Maintain Processes for Security Updates. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    Pillar 3: The Software Bill of Materials (SBOM) Requirement

    Pillar 3: The Software Bill of Materials (SBOM) Requirement. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    Premarket Submission Requirements Under 524B

    Premarket Submission Requirements Under 524B is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.

    Integration with the Secure Product Development Framework (SPDF)

    Integration with the Secure Product Development Framework (SPDF). Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    Required Documentation for eSTAR and Traditional Submissions

    Required Documentation for eSTAR and Traditional Submissions. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    Postmarket Obligations: Beyond the Initial Submission

    Postmarket Obligations: Beyond the Initial Submission is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.

    Coordinated Vulnerability Disclosure (CVD) Programs

    Coordinated Vulnerability Disclosure (CVD) Programs. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    Timeline for Security Patches and Regular Updates

    Timeline for Security Patches and Regular Updates. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    FDA’s 'Refuse to Accept' (RTA) Authority under 524B

    FDA’s 'Refuse to Accept' (RTA) Authority under 524B is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.

    How to Avoid Deficiency Leads and Submission Delays

    How to Avoid Deficiency Leads and Submission Delays. Make sure your design history file documents the rationale, the standard you mapped to, and the objective evidence that closes the loop. Reviewers expect to trace the requirement, the test, and the residual risk in a single thread.

    Practical Steps for Achieving 524B Compliance

    Practical Steps for Achieving 524B Compliance is one of the areas FDA reviewers probe hardest in modern submissions. The points below summarize what we ship in client packages and what we have seen FDA accept and reject across 250+ device submissions.

    How Blue Goat Cyber Approaches FDA 524B cybersecurity requirements

    We treat FDA 524B cybersecurity requirements as a regulated engineering workstream, not a one-time document drop. Every engagement is led by senior medical-device security engineers who have shipped 250+ FDA cybersecurity submissions across 510(k), De Novo, PMA, and EU MDR pathways. Here is how we run it end to end:

    • Scoping against your device profile. We baseline connectivity, interfaces, data flows, and intended use before we touch a template - because reviewer expectations for a Class II wearable are not the same as a networked hospital platform.
    • Standards mapping in writing. Every deliverable is traced to the February 2026 FDA premarket cybersecurity guidance, AAMI SW96, AAMI TIR57 / TIR97, IEC 81001-5-1, and ISO 14971 - with the citation in the artifact itself so reviewers do not have to guess.
    • Evidence generated inside your QMS. Threat models, SBOMs, security risk assessments, and test reports are versioned under design controls so the traceability from requirement → test → residual risk holds up under audit.
    • Independent testing where it counts. Penetration testing and vulnerability analysis are executed by a testing team that does not also write the design - the separation FDA reviewers increasingly expect on cyber devices.
    • Deficiency-ready posture. We anticipate the RTA, AI-letter, and Major deficiency patterns FDA has issued over the past 24 months and pre-empt them in the initial submission, cutting the odds of a second review cycle.
    • Postmarket handoff, not abandonment. Every premarket package leaves you with a working postmarket monitoring plan, CVD process, and update cadence so the evidence you shipped stays defensible after clearance.

    If you want that treatment applied to your FDA 524B cybersecurity requirements package, our FDA Premarket Cybersecurity Services and FDA Cybersecurity Deficiency Response engagements are the two most common entry points.

    524B deliverable to premarket checklist crosswalk

    Each Section 524B requirement maps to a specific artifact in the FDA Premarket Cybersecurity Submission Checklist. Use this crosswalk to confirm nothing in the statute is unmapped in your submission package.

    Section 524B requirement Checklist deliverable
    524B(b)(1) - Plan to monitor, identify, and address postmarket vulnerabilities and exploits Cybersecurity Management Plan (CMP) + Vulnerability Disclosure Policy (VDP) + Patch Management and Distribution Plan
    524B(b)(2)(A) - Design, develop, and maintain processes and procedures to provide reasonable assurance of cybersecurity Secure Product Development Framework (SPDF) narrative + Security Architecture and Design Documentation
    524B(b)(2)(B) - Make available postmarket updates and patches on a reasonably justified regular cycle, and out-of-cycle for critical vulnerabilities Patch Management and Distribution Plan (cadence + out-of-cycle criteria)
    524B(b)(3) - Provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf components Machine-readable SBOM (CycloneDX 1.5+ or SPDX 2.3+) with SBOM Requirements section
    524B(b)(4) - Comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance of cybersecurity Security Risk Management Report (SRMR), Threat Model (STRIDE/HEC), Vulnerability Assessment + CVSS scoring, Penetration Testing Summary, Fuzzing/Robustness Testing, Cybersecurity Interface Control Document

    If any row above has no corresponding artifact in your submission, that is your RTA risk.

    Relationship to 21 CFR 807.81 (510(k) premarket notification)

    Section 524B applies whenever you submit a premarket submission for a cyber device, no matter which pathway. For most devices, the procedural trigger, and the timing gate, is 21 CFR 807.81, which requires the 510(k) to be submitted at least 90 days before commercial distribution. In practice, 807.81 sets when the filing is due, and Section 524B sets what it must contain. See the full 524B deliverables in our FDA Premarket Cybersecurity Submission Checklist. Read 807.81 as the "do I need to file, and by when?" test and Section 524B as the "what cybersecurity content the filing must include" requirement.

    How the 90-day 807.81 timing works, step by step:

    1. Trigger event. You intend to introduce a device into commercial distribution for the first time, reintroduce it after removal, or make a change that could significantly affect safety or effectiveness (including a change in intended use). 21 CFR 807.81(a) makes any of these the moment your 510(k) clock starts.
    2. T-minus 90 days: submission due. 807.81(a) requires the 510(k) to be on file with the FDA at least 90 days before you begin commercial distribution. That 90 days is a floor, not a target; real FDA review time is typically longer.
    3. Cyber content must be complete on day one. Because Section 524B applies at submission, every 524B(b) deliverable (SPDF, SBOM, threat model, security testing, postmarket plan) must be inside the 510(k) when it is filed. Missing cyber content triggers a Refuse to Accept (RTA) hold before substantive review even starts, which resets your 90-day countdown to distribution.
    4. FDA acceptance review (day 1 to 15). The FDA runs the RTA checklist, including the cybersecurity checklist items driven by 524B. If accepted, substantive review begins. If refused, you fix the gaps and resubmit, and the 90-day distribution gate slips accordingly.
    5. Substantive review and decision. The FDA issues Additional Information (AI) requests as needed. You cannot ship until you receive a substantially equivalent (SE) determination, and even then not before the 807.81 90-day window has elapsed from the accepted submission.
    6. Commercial distribution. Once cleared and past the 90-day mark, you can distribute, at which point the 524B postmarket obligations (monitoring, patching cadence, out-of-cycle patches for critical vulnerabilities) take over.

    Bottom line: 807.81 sets the calendar, and 524B decides whether that calendar ever starts running.

    Frequently asked questions

    What devices are considered 'cyber devices' under Section 524B?

    Short answer: It depends on the device classification, intended use, and connectivity profile. But the controlling references are FDA's February 2026 premarket guidance, AAMI SW96, and IEC 81001-5-1. The sections above walk through how each applies. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.

    What are the SBOM requirements for FDA 524B compliance?

    Short answer: FDA 524B cybersecurity requirements is a discrete deliverable inside the Secure Product Development Framework (SPDF). FDA expects it documented, traceable, and version-controlled inside your QMS. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.

    How does Section 524B change the FDA's authority to reject submissions?

    Short answer: Treat it as a process, not a one-off document: own the requirement in design controls, map it to a current standard, generate evidence during V&V, and surface the residual risk in your postmarket plan. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.

    Does 524B apply to legacy medical devices or only new submissions?

    Short answer: Yes. Under Section 524B and the February 2026 final guidance, every cyber device requires the artifact in question. Skipping it is the fastest way to an RTA hold. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.

    What postmarket cybersecurity activities are mandated by Section 524B?

    Short answer: It depends on the device classification, intended use, and connectivity profile. But the controlling references are FDA's February 2026 premarket guidance, AAMI SW96, and IEC 81001-5-1. The sections above walk through how each applies. For the full context, work through the relevant section above and the linked services below. Every answer here is grounded in current FDA guidance and the standards your reviewer is using.

    Where this fits in the cluster

    This page sits downstream of our pillar resources on FDA 524B cybersecurity requirements. If you arrived here from a different starting point, these are the most useful adjacent pages:

    Sources & primary references

    Talk to a regulatory cybersecurity team

    If you are working through FDA 524B cybersecurity requirements and want a second pair of eyes on your submission package, we ship cybersecurity deliverables for medical device manufacturers across 510(k), De Novo, PMA, and EU MDR pathways. Book a discovery session and we will walk your evidence with you.

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions- U.S. FDA
    2. Secure Software Development Framework (SSDF) Version 1.1- NIST
    3. Draft Guidance: Select Updates for Cybersecurity in Medical Devices: Data Types and Formats for SBOMs- U.S. FDA
    Related. FDA Premarket Cybersecurity

    Continue exploring this topic

    Pillar
    FDA Premarket Cybersecurity
    Guide
    De Novo Cybersecurity Submission Guide | Blue Goat Cyber
    Article
    Medcrypt vs Finite State vs Blue Goat Cyber
    Guide
    SaMD Cybersecurity FDA Requirements: 2024 Compliance Guide
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.