Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    Guide · FDA

    FDA Section 524B Subsections: Index of Every Topic

    Index of every Section 524B subsection with short descriptions and links - §524B(a) applicability, (b)(1)-(4) requirements, (c) cyber device definition, and combination products (BLA/IND).

    Hero illustration for the article: FDA Section 524B Subsections: Index of Every Topic
    On this page
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key Takeaways

    • Section 524B has three operative subsections: (a) refusal authority, (b) required submission content, and (c) the cyber-device definition.
    • 524B(a) grants the FDA explicit authority to refuse-to-accept any noncompliant cyber device submission.
    • 524B(b) enumerates three required deliverables: postmarket plan, SPDF narrative, and SBOM.
    • 524B(c) sets the three-part cyber-device test: software-containing, internet-capable, cybersecurity-vulnerable technological characteristics.
    • Every submission section should cite the exact subsection it addresses so reviewers can map artifact to statute.
    TL;DR

    Index of every Section 524B subsection with short descriptions and links - 524B(a) applicability, (b)(1)-(4) requirements, (c) cyber device definition, and combination products (BLA/IND).

    Use this page as a directory to every Section 524B subsection. Each entry has a short description and a link to the deep-dive content. Combination products are included at the end because the device cybersecurity work is the same scope even when it lands in a BLA or IND.

    Section 524B of the Federal Food, Drug, and Cosmetic Act is the binding cyber device statute. The FDA's February 3, 2026 final premarket cybersecurity guidance is the operative interpretation reviewers apply when measuring a submission against it. Both are referenced throughout the entries below.

    Diagram: 524B (the law) sets the obligation across subsections (a), (b)(1)-(4), and (c); the FDA's February 3, 2026 guidance defines the artifacts that prove compliance.
    Diagram: 524B (the law) sets the obligation across subsections (a), (b)(1)-(4), and (c); the FDA's February 3, 2026 guidance defines the artifacts that prove compliance.

    Section 524B timeline

    Section 524B subsections

    Section 524B at a glance: subsection (a) scope, (b) four requirements, (c) cyber device definition
    Section 524B at a glance: subsection (a) scope, (b) four requirements, (c) cyber device definition

    524B(a): Applicability

    Section 524B(a) attaches 524B's requirements to marketing submissions filed under FD&C Act sections 510(k), 513, 515(c), 515(f), and 520(m) - in plain language, 510(k), De Novo, PMA, PDP, and HDE. IDE submissions (520(g)) are not enumerated. Reviewers determine applicability from the device description and the 524B(c) cyber device test.

    524B(b)(1): Postmarket vulnerability plan

    Requires a written plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and timely patch release. The plan ships with the premarket submission and must be operational at clearance, not a placeholder.

    524B(b)(2): Processes, updates, and patchability

    Requires designed-in processes to provide reasonable assurance that the device and related systems are cybersecure, plus the ability to make security updates and patches available. This is the SPDF requirement in operational form: secure design, patchable architecture, authenticated update channels, rollback, and the operational link to incident response.

    524B(b)(3): Software Bill of Materials

    Requires a software bill of materials covering commercial, open-source, and off-the-shelf components. The FDA expects an SBOM in a machine-readable standard format (CycloneDX or SPDX), accompanied by VEX statements for known vulnerabilities and a monitoring plan.

    524B(b)(4): Additional requirements by regulation

    Authorizes the FDA to add cybersecurity requirements through regulation (rulemaking), not guidance. As of June 2026 no (b)(4) regulations have been issued. The February 3, 2026 guidance is nonbinding and interprets the existing (b)(1)-(3) obligations; it is not the (b)(4) expression.

    524B(c): Cyber device definition

    A "cyber device" is a device that (1) includes software validated, installed, or authorized by the sponsor, (2) has the ability to connect to the internet, and (3) contains technological characteristics that could be vulnerable to cybersecurity threats. The connectivity prong is broad - any interface to device software counts (Wi-Fi, BLE, NFC, USB service port, companion app, gateway-mediated cloud path).

    Combination products: BLA and IND

    Section 524B is a device statute. It does not reach Biologics License Applications (BLA) or Investigational New Drug applications (IND). But the FDA's February 3, 2026 final premarket cybersecurity guidance is broader than 524B - it covers devices with cybersecurity considerations generally, including 510(k)-exempt devices, IDE, BLA, and IND submissions. For combination products, the cybersecurity content for the device constituent (delivery device, connected manufacturing system, dosing companion app) lives inside the BLA or IND, scoped and rigored the same way as any other device cybersecurity package.

    Where this fits in our content

    Frequently asked questions

    What are the three main parts of Section 524B?

    524B(a) enumerates which FD&C Act pathways the cybersecurity requirements apply to. 524B(b) lists the four substantive obligations: cybersecurity plan, secure design and maintenance processes, SBOM, and any additional requirements added by regulation. 524B(c) defines what makes a device a "cyber device" (software plus internet-connectable plus vulnerable technological characteristics, all three).

    Does Section 524B apply to devices already on the market?

    Only for the postmarket obligations that flow from Section 524B(b)(2) via the February 3, 2026 final guidance. Devices cleared before Section 524B took effect (March 2023 for the statutory obligation) do not need to be resubmitted, but manufacturers of legacy connected devices still carry ongoing postmarket cybersecurity responsibilities under existing FDA authority.

    Which subsection carries the "refuse to accept" teeth?

    Section 524B does not itself grant RTA authority; 21 U.S.C. 360c(a)(3) and the FDA's existing acceptance-review authorities do. What Section 524B does is add cybersecurity to the mandatory content list, so an incomplete cybersecurity package now triggers the same RTA machinery that missing 510(k) elements have always triggered.

    Is 524B(b)(4) already in effect?

    524B(b)(4) authorizes the FDA to add additional cybersecurity requirements through rulemaking. As of publication no formal rulemaking under (b)(4) has been finalized. The February 2026 guidance is not (b)(4) rulemaking; it interprets the existing (b)(1) through (b)(3) obligations. Any (b)(4) expansion would go through notice-and-comment rulemaking with its own effective date.

    Does 524B(c)'s "cyber device" definition include BLAs and INDs?

    The definition itself is device-facing, but the February 2026 guidance clarifies that its cybersecurity expectations apply to combination products submitted under BLAs and INDs where the device constituent meets the cyber device definition. Sponsors of drug-device combination products should treat the cyber device analysis as required for the device constituent.

    Where do the 524B statutory citations live in the FD&C Act?

    Section 524B is codified at 21 U.S.C. 360n-2. Subsection (a) covers scope, (b) covers requirements, and (c) covers definitions. The full statutory text is publicly available on the House Office of the Law Revision Counsel's site and on the FDA's Section 524B resource page. Cite by both the FD&C Act section (524B) and the U.S. Code citation (360n-2) in formal submissions.

    How Blue Goat Cyber helps

    We map your device to every applicable 524B subsection, draft the artifacts each one requires, and stay through deficiency response. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. See FDA premarket cybersecurity services.

    Sources & primary references

    • Section 524B of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 360n-2)
    • FDA, Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (final guidance, February 3, 2026)
    • Consolidated Appropriations Act, 2023, Section 3305

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. FDA "Refuse to Accept Policy for Cyber Devices" guidance (March 30, 2023)- U.S. FDA
    Suggested reading

    Related guides

    Guide
    Cybersecurity for IVD Devices: The FDA & Section 524B Guide
    Guide
    FDA Section 524B & eSTAR Cybersecurity: The Walkthrough
    Guide
    Section 524B Compliance Checklist: FDA Cybersecurity Requirements for Cyber Devices
    Guide
    Section 524B Post-Market Retrofit Guide
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.