
On this page
Key Takeaways
- The eSTAR cybersecurity section has six required cybersecurity attachments mapped to Section 524B(b).
- Each field expects a specific artifact, reviewers do not accept combined PDFs across fields.
- Cross-references between attachments must be explicit; implicit links are treated as missing evidence.
- The walkthrough mirrors the technical-screen checklist so authors can validate field mapping before upload.
- Final review inside the eSTAR portal, not offline, catches substitution errors that trigger RTA rejection.
The hub for FDA Section 524B cybersecurity and eSTAR submissions. Statute, the February 3, 2026 guidance, eSTAR v6.2 to v7.0 cybersecurity fields, deliverables, and the order to build them.
Use this page as the single entry point to our Section 524B and eSTAR cybersecurity content. The statute, the February 3, 2026 final guidance, and the eSTAR fields where the artifacts get attached are all linked from here in the order a submission team actually works through them.
Section 524B of the FD&C Act, the FDA's February 3, 2026 final premarket cybersecurity guidance, and the eSTAR template are not three separate workstreams. They are one stack: 524B sets the obligation, the guidance defines the artifacts that prove it, and eSTAR is where those artifacts attach in the submission. This page links to the deep-dive guide for each layer in the order a submission team works through them.
1. Start with the statute
- FDA 524B Cybersecurity Requirements: Full Compliance Guide - the statute walkthrough.
- FDA Section 524B Subsections Index - directory of every (a), (b)(1)-(4), and (c) subsection.
- Section 524B Compliance Checklist - clause-by-clause submission deliverables.
2. Read the guidance the FDA actually applies
- FDA Cybersecurity Guidance Summary 2026 - what the February 3, 2026 final guidance changed.
- eSTAR v7.0 Cybersecurity Mapping to the 2026 Guidance - which guidance sections map to which eSTAR fields.
3. Build the eSTAR-ready package
- FDA Premarket Cybersecurity Deliverables & eSTAR v7.0 Map - the 18 deliverables mapped to eSTAR fields.
- eSTAR v6 vs v7 Cybersecurity Comparison - what changed and what carries over.
- eSTAR Cybersecurity Readiness Checklist - the pre-submission gate we run on every package.
4. Operationalize postmarket
- Postmarket Cybersecurity Readiness Plan - the 524B(b)(1) plan reviewers expect.
- SBOM Vulnerability Management for Medical Devices - SBOM monitoring, VEX, and KEV triage in production.
- FDA Cybersecurity Deficiency Response Checklist - close a hold without a second round.
eSTAR cybersecurity documentation: where each artifact lives {#estar-cybersecurity-documentation}
"eSTAR cybersecurity documentation" is not one deliverable, it is the set of artifacts the template requires across the cybersecurity subform. Use the map below to jump straight to the guide that covers each piece.
- Field-by-field mapping (which artifact fills which eSTAR v7.0 slot): eSTAR v7.0 Cybersecurity Mapping to the 2026 Guidance.
- Full deliverables list (the 18 documents reviewers expect): FDA Premarket Cybersecurity Deliverables & eSTAR v7.0 Map.
- Porting v6.2 packages to v7.0: eSTAR v6 vs v7 Cybersecurity Comparison.
- Pre-submission gate (the checklist we run before upload): eSTAR Cybersecurity Readiness Checklist.
- Fixing reviewer holds on documentation: FDA Cybersecurity Deficiency Response Checklist.
If you were looking for a single "eSTAR cybersecurity documentation guide," start with the field-by-field mapping and use the deliverables map as the packing list.
Frequently asked questions
Which sections of the FD&C Act does 524B(a) actually cover?
Section 524B(a) enumerates FD&C Act sections 510(k), 513, 515(c), 515(f), and 520(m). In plain terms: 510(k), De Novo, PMA, Product Development Protocol (PDP), and Humanitarian Device Exemption (HDE). Investigational Device Exemptions under 520(g) are not a 524B pathway, but the February 3, 2026 final guidance still applies cybersecurity expectations to IDE submissions.
Is the February 2026 guidance legally binding?
No. The guidance carries the standard "Contains Nonbinding Recommendations" header. What makes it operative is that reviewers use it as the interpretation of the binding statute (Section 524B). Failing to follow it produces real RTAs and deficiencies. Treat the statute as the obligation and the guidance as the standard the FDA measures against.
What are the four requirements in Section 524B(b)?
Four discrete obligations for every cyber device: (1) a cybersecurity plan to monitor, identify, and address postmarket vulnerabilities and exploits, (2) design, develop, and maintain processes to provide a reasonable assurance of cybersecurity, (3) a Software Bill of Materials (SBOM), and (4) any other requirements the FDA may add by regulation. The February 2026 guidance describes how (1) through (3) are demonstrated.
What is the definition of a "cyber device" under Section 524B(c)?
A device that (i) includes software validated, installed, or authorized by the sponsor, (ii) has the ability to connect to the internet, and (iii) contains any technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. All three conditions must be met. Most modern connected Class II devices qualify.
How does the eSTAR template enforce Section 524B?
The eSTAR cybersecurity subform contains discrete required fields mapped to each 524B(b) obligation. The template blocks submission if required fields are empty. This is why cybersecurity RTA holds are mechanical rather than discretionary: the eSTAR either accepts the package or it does not.
Do we need a Predetermined Change Control Plan (PCCP) for cybersecurity updates?
A PCCP is required when you want to make specific modifications post-clearance without a new 510(k). For pure cybersecurity patches that fall within the existing letter-to-file thresholds, a PCCP is not typically required. For AI/ML devices with periodic retraining or firmware devices with planned functional changes, include cybersecurity impact in the PCCP scope.
How Blue Goat Cyber helps
We map your device to every applicable 524B subsection, draft the artifacts the February 2026 guidance expects, and assemble the eSTAR-ready package. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. See FDA premarket cybersecurity services.
Sources & primary references
- Section 524B of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 360n-2)
- FDA, Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (final guidance, February 3, 2026)
- FDA eSTAR templates (non-IVD v7.0, IVD v7.0)



