Last reviewed: May 1, 2026
Free Guide · Blue Goat Cyber · Updated 2026
CHECKLIST · 1 PAGE · PROSPECT RESOURCE
FDA Cyber Requirements: The Law, the Guidance, the eSTAR
A diagnostic for Section 524B compliance and eSTAR readiness.
Use this checklist to determine whether your device meets the 'cyber device' definition under Section 524B of the FD&C Act and whether your eSTAR cybersecurity attachments will pass the Refusal-to-Accept gate.
Statutory applicability (Section 524B)
Does the device include software validated, installed, or authorised by the sponsor?
Can the device connect to the internet?
Does it have any wireless interface (Bluetooth, Wi-Fi, NFC, cellular)?
Does it connect to external hardware, removable media, or USB?
Mandatory eSTAR cybersecurity content
Software Bill of Materials in a machine-readable format (CycloneDX or SPDX).
Threat model covering all system boundaries, trust zones, and assets.
Cybersecurity risk assessment aligned with AAMI TIR57 (or equivalent).
Security risk management plan and report integrated with the ISO 14971 file.
Cybersecurity labelling content for the end user, per current FDA guidance.
Postmarket obligations
Documented Coordinated Vulnerability Disclosure (CVD) plan.
Process for identifying and addressing postmarket vulnerabilities.
Verifiable schedule for releasing security patches and updates.
How to read it. Any 'Yes' in the statutory section means Section 524B applies. Any 'No' in the mandatory eSTAR section is a material RTA risk - FDA rejects submissions that omit these attachments before substantive review begins.
NEXT STEP → Book a 20-minute eSTAR gap analysis to map your current documentation against the mandatory Section 524B fields. Book your discovery call: go.bluegoatcyber.com/meetings/blue-goat-cyber/discovery-session
© Blue Goat Cyber · 250+ FDA submissions, zero rejections, since 2014
