Last reviewed: May 1, 2026
An FDA letter just landed in your inbox and the clock is now running. Additional Information Needed (AINN), Major Deficiency, Hold - they look similar, they cite similar regulations, but they trigger different timelines and different response strategies. This pillar walks you through every variant FDA sends to medical-device sponsors, how to read it correctly, and exactly how to respond without losing your submission window.
What this guide covers
- The full FDA letter taxonomy: AINN, AI request, Major / Minor Deficiency, Substantive Interaction, Not Substantially Equivalent, Refuse-to-Accept, and Clinical Hold
- The 180-day response clock and what actually pauses it
- A repeatable triage framework for the first 72 hours after the letter arrives
- Cybersecurity-specific deficiencies under Section 524B and the February 2026 final guidance
- A response-package skeleton you can lift directly into your eSTAR
- When to bring in outside regulatory consulting and what to ask for
1. AINN, AI, and the FDA letter taxonomy
FDA reviewers pause a submission whenever the package in front of them is missing information they need to complete review. The mechanism they use depends on the submission pathway and the severity of the gap.
Additional Information Needed (AINN) / AI Request
An Additional Information Needed notification - sometimes still called an AI letter or Additional Information request - is the workhorse of FDA premarket review. It pauses the review clock and lists the specific deliverables FDA needs before they can continue.
- Pathways: 510(k), De Novo, HDE, PMA supplements, and increasingly Q-Subs
- Clock impact: the FDA review clock stops on the day the letter is issued and restarts only when a complete response is accepted
- Sponsor deadline: 180 calendar days to respond - see 21 CFR 807.87(l) for 510(k) and Section V of the Acceptance and Filing Reviews guidance
- What happens if you miss it: the submission is withdrawn and you start over from the beginning
Major vs. Minor Deficiency
Within an AINN letter, FDA reviewers tag each item as Major or Minor:
- Major Deficiency. A gap that, on its own, prevents FDA from making a substantial-equivalence or safety/effectiveness determination. Threat-model gaps, missing SBOM elements, and absent penetration-test evidence are almost always Major.
- Minor Deficiency. Editorial corrections, mislabeled exhibits, or clarifying questions. Easy to fix but still must be addressed in the response package.
Substantive Interaction (Day 60)
For 510(k)s, FDA targets a Substantive Interaction by day 60. This is either an email saying review is on track, or the AINN letter itself. If you're past day 60 with no contact, call the lead reviewer.
Not Substantially Equivalent (NSE) and Refuse-to-Accept (RTA)
Two letters you do not want:
- RTA comes early in the cycle (within 15 days) and means the submission failed the Acceptance Checklist. You have 180 days to fix and resubmit. Cyber RTA findings are now common - incomplete SBOM, missing SPDF narrative, no security architecture views.
- NSE is a final decision. The only path forward is De Novo, PMA, or a new 510(k) with a different predicate.
Clinical or Regulatory Hold
For PMAs and IDEs, FDA can place the submission or trial on Hold: a Major Deficiency Letter for a PMA, or a Clinical Hold Order for an IDE under 21 CFR 812.42. Holds are the highest-severity outcome short of denial and require a full corrective response, often including new testing or design changes.
2. The 180-day clock and what actually pauses it
Sponsors lose submissions over clock confusion more often than over technical findings. Three rules to internalize:
- The clock starts the day the AINN letter is issued, not the day you read it. Build a process that flags new FDA correspondence within 24 hours.
- The clock runs continuously through holidays and weekends. There is no automatic extension.
- Withdrawal-extension requests under 21 CFR 807.87(l) are rarely granted and never assumed. If you need more than 180 days, you are almost certainly going to refile.
Treat 180 days as a hard deadline, then back-plan to a 120-day internal deadline. The last 60 days are buffer for FDA pre-review questions and a final QA pass.
3. The first 72 hours: triage framework
What the team does in the first three days drives the next six months. A repeatable triage looks like this:
Hour 0–8: log and classify
- File the letter in your eQMS / DHF with the receipt date stamped
- Assign a single response owner - usually the regulatory lead, sometimes a fractional consultant
- Number every distinct deficiency. A typical cyber AINN has 6 to 18 items
- Tag each item: Major / Minor, technical / regulatory, cyber / clinical / mechanical
Day 1: gap analysis
For each numbered item, answer four questions:
- What is FDA actually asking for? (Restate in plain English.)
- Which artifact in our submission was supposed to address this?
- What is the gap - missing content, weak evidence, or wrong framework?
- Who owns the fix and how long will it realistically take?
Day 2: response strategy
- Group items that share an artifact (e.g., everything that lands in the threat model)
- Identify any item that requires new testing - pen test, fuzz test, SAST/DAST run - and start that work first
- Decide which items get a defended position vs. a corrective change
- Draft the response-package outline (see Section 6)
Day 3: timeline and escalation
- Build a Gantt against the 120-day internal deadline
- Identify dependencies on engineering, clinical, or third-party labs
- Decide whether to engage external regulatory consulting now or hold in reserve
4. Cybersecurity deficiencies under Section 524B
Cyber findings now drive a large share of all AINN letters for connected devices. The February 2026 final guidance and Section 524B(b)(1)–(3) define what FDA expects. The most common cyber deficiencies we see:
- Threat model gaps. Missing trust boundaries, no abuse-case coverage, or methodology not justified
- SBOM defects. Not machine-readable, missing dependency relationships, no support-end dates, or no vulnerability mapping
- Insufficient pen testing. Automated scans only, no manual exploitation, or no testing of wireless / cloud / OTA paths
- Postmarket plan weaknesses. No vulnerability monitoring sources named, no patch SLA, no CVD procedure
- SPDF narrative missing. No description of how cybersecurity activities tie back to the QMS and design controls
- Architecture views absent. No global system view, no multi-patient harm view, no updateability view
- Labeling gaps. Cybersecurity disclosures missing from device labeling and IFU
If you are facing one or more of these, our FDA Cybersecurity Deficiency Response Checklist is the tactical companion to this pillar - eleven steps from triage to resubmission.
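An added example (not part of the original guide and not an FDA tool): a pre-submission check for the four SBOM defects listed above, run against a CycloneDX JSON SBOM. The choice of CycloneDX, the `example:support-end-date` property name, and the sample SBOM are assumptions made for illustration.

```python
import json

# Assumed property name for the support-end date; CycloneDX has no dedicated
# field for it, so the name below is a convention chosen for this example.
SUPPORT_END_PROP = "example:support-end-date"

def check_sbom(text):
    """Return a list of findings for a CycloneDX JSON SBOM given as a string."""
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not machine-readable: {exc.msg}"]
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return ["not machine-readable: bomFormat is not CycloneDX"]

    findings = []
    components = bom.get("components", [])
    refs = {c.get("bom-ref") for c in components}
    dep_refs = {d.get("ref") for d in bom.get("dependencies", [])}

    for comp in components:
        name = comp.get("name", "<unnamed>")
        ref = comp.get("bom-ref")
        # Every component needs its own entry in the dependency graph.
        if ref is None or ref not in dep_refs:
            findings.append(f"{name}: no dependency relationship entry")
        props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
        if not props.get(SUPPORT_END_PROP):
            findings.append(f"{name}: no support-end date")

    # Vulnerability entries must exist and must point at components in this SBOM.
    if "vulnerabilities" not in bom:
        findings.append("no vulnerability mapping section")
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            if affected.get("ref") not in refs:
                findings.append(f"{vuln.get('id')}: affects unknown component {affected.get('ref')}")
    return findings

# Constructed sample SBOM (not from any real device).
SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:a", "name": "rtos-kernel", "version": "4.2",
         "properties": [{"name": SUPPORT_END_PROP, "value": "2030-12-31"}]},
        {"bom-ref": "pkg:b", "name": "tls-lib", "version": "1.1"},
    ],
    "dependencies": [{"ref": "pkg:a", "dependsOn": ["pkg:b"]}],
    "vulnerabilities": [{"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:c"}]}],
})
```

Calling `check_sbom(SAMPLE)` reports the three gaps planted in the sample; an empty list means none of the four defects was detected by these checks.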
5. Hold letters: PMAs, IDEs, and what they really mean
A Hold is not just a longer AINN. It is FDA telling you that the submission, as filed, cannot proceed until specific conditions are met.
- PMA Major Deficiency Letter. Pauses the 180-day PMA clock. Response must address every numbered deficiency, often with new bench or animal testing.
- IDE Clinical Hold. Stops enrollment in the trial. Requires written response addressing the specific safety, design, or cybersecurity concerns FDA cited.
- Partial Clinical Hold. Only a subset of trial activities pause. Common when a cyber concern affects one cohort or one device variant.
Holds almost always benefit from outside regulatory counsel. The cost of a 30-day hold extension on a Class III device dwarfs the cost of a consulting engagement.
6. Response package: a skeleton you can reuse
Every successful AINN response we've helped author follows the same architecture. Use this as your eSTAR / eCopy outline:
- Cover letter. Acknowledge the AINN by date and number. State the scope of the response. Confirm submission number and contact.
- Point-by-point response matrix. A table: deficiency number, FDA's exact language, your response summary, page references to the updated artifacts.
- Updated artifacts. Reissued threat model, SBOM, security risk assessment, pen test report, SPDF narrative, architecture views - each with a revision history page.
- New evidence. Test reports, lab results, third-party attestations generated specifically to close gaps.
- Traceability appendix. A matrix tracing every deficiency to the artifact and page that resolves it. FDA reviewers love this.
- Risk acceptance memo (if applicable). For any residual risk, a clinical justification signed by the responsible engineer and the medical officer.
7. When to bring in outside regulatory consulting
You don't need outside help for every AINN. You almost certainly do when:
- The letter contains three or more cybersecurity deficiencies and your team has never authored a 524B-aligned package
- You're inside 90 days of the response deadline and gap analysis isn't complete
- The deficiency requires new pen testing, SBOM regeneration, or threat model rebuild and you don't have qualified internal capacity
- The submission is a PMA Hold or IDE Clinical Hold - these compound risk fast
- You've already had one rejected response cycle on the same submission
What to ask a consultant for:
- A fixed-fee scope tied to your specific deficiency letter, not hourly billing with no ceiling
- Senior practitioners doing the work - not a partner pitch followed by a junior delivery team
- Unlimited retests until your submission is accepted
- A 24-hour turnaround on quote and a kickoff within the same week
8. Common mistakes that turn an AINN into an NSE
- Responding to FDA's exact wording without addressing the underlying gap. FDA reviewers re-read the original artifact, not your cover letter.
- Submitting a partial response hoping FDA will issue a follow-up. They rarely do - the clock just keeps running.
- Treating Minor Deficiencies as optional. Every numbered item must be addressed.
- Responding without updating the traceability between threat model, risk file, and design history.
- Reusing template language from a prior submission without tailoring to this device. Reviewers spot it.
9. Frequently asked questions
Is an AINN the same as a Major Deficiency Letter? Not exactly. AINN is the broader category - it can contain Major and Minor deficiencies. A Major Deficiency Letter is a specific severity tag inside (or sometimes outside) an AINN.
Can we request an extension to the 180-day deadline? Technically yes, via a withdrawal-extension request, but such requests are rarely granted for clock-pausing letters. Plan as if there is no extension.
Does FDA respond faster to a complete or a partial response? A complete response. Partial responses don't shorten review and they keep your clock running.
Does the cybersecurity guidance apply to my legacy device? If you're filing any premarket submission for a cyber device as defined in Section 524B(c), the February 2026 guidance applies - even if the device platform is a decade old.
What's the cost of a typical deficiency response engagement? For a Class II cyber device with a moderate AINN (8 to 12 items), expect a 4 to 8 week engagement. We quote fixed-fee within 24 hours of a discovery call.
Need help responding to an FDA letter?
Blue Goat Cyber works exclusively on medical-device cybersecurity for FDA submissions. We've supported 250+ premarket packages with zero rejections, including dozens of AINN, deficiency, and hold responses on tight clocks.
If you have a letter on your desk, the most useful next step is a 30-minute discovery call. We'll read the letter with you, identify the highest-risk items, and tell you whether the response is realistic in your remaining window - at no cost.
Sources & references
Primary sources cited in this article:
- Section 524B - U.S. FDA
- 21 CFR 807.87(l) - U.S. FDA
- Acceptance and Filing Reviews guidance - U.S. FDA
- 21 CFR 812.42 - U.S. FDA
