Last reviewed: May 1, 2026
Pillar Guide · Updated 2026 · 10 min read
Section 524B of the Federal Food, Drug, and Cosmetic Act is the single most important provision of US law for any team building a connected medical device. It is also the source of more confusion - and more rejected submissions - than any other cybersecurity provision FDA enforces. This guide explains the statute in plain English, defines what a cyber device is under the statute, walks through the three deliverables every 524B submission must include, and ends with the FAQs we are asked most often.
Talk to a Regulatory Consultant · Our FDA Premarket Service →
TL;DR
- Section 524B was added to the FD&C Act on December 29, 2022 by the Consolidated Appropriations Act of 2023.
- It makes cybersecurity content a statutory requirement for every premarket submission for a cyber device; FDA enforces it by refusing to accept submissions that omit the required information.
- A cyber device is one that includes software, has the ability to connect to the internet, and has technological characteristics that could be vulnerable to cybersecurity threats. All three prongs must be met.
- Every 524B submission must include three things: a postmarket vulnerability and patch plan, a Secure Product Development Framework (SPDF) narrative, and a Software Bill of Materials (SBOM).
- FDA's February 2026 final guidance is the operational standard reviewers apply.
1. What Section 524B actually says
Section 524B was inserted into the FD&C Act by the Consolidated Appropriations Act of 2023 and signed into law on December 29, 2022. It is short - under 500 words - but it does three things at once:
- Defines a 'cyber device.' Section 524B(c) sets out the three-part test (see Section 2 below).
- Lists required submission content. Section 524B(b) requires sponsors to demonstrate cybersecurity through three deliverables.
- Imposes the obligation. Section 524B(a) requires anyone filing a premarket submission for a cyber device to include the information FDA requires to show that the device meets subsection (b). FDA enforces that obligation through its Refuse-to-Accept policy.
FDA began enforcing Section 524B through its Refuse-to-Accept (RTA) authority on October 1, 2023. Since that date, missing or incomplete cybersecurity content is one of the fastest ways to have a 510(k), De Novo, PMA, or HDE bounced before substantive review even begins.
How Section 524B relates to the FDA guidance
It is important to keep two things separate:
- Section 524B is the statute. It is binding law passed by Congress.
- FDA's 2026 final guidance is FDA's interpretation of how to comply with the statute. Guidance documents are technically non-binding, but reviewers treat the February 2026 cybersecurity guidance as the de facto compliance standard.
If your submission deviates from the guidance, you can defend it - but you bear the burden of explaining why your alternative satisfies Section 524B.
2. What is a 'cyber device' under FDA's definition?
The term 'cyber device' sounds narrower than it actually is, and that gap is where most of the confusion comes from. The statutory definition in Section 524B(c) has three prongs, and a device must meet all three to qualify:
- Software. The device includes software validated, installed, or authorized by the sponsor as a device or in a device.
- Internet capability. The device has the ability to connect to the internet - actual connection in the field is not required.
- Vulnerability. The device contains technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
In practice, this captures the vast majority of modern medical devices: anything with embedded firmware that exposes a wired or wireless interface, anything paired with a companion mobile app, anything that talks to a cloud back-end, and anything that can be updated over the air. Even many devices that are 'rarely' connected in clinical use still meet the definition because they could connect.
Edge cases worth flagging
- Air-gapped devices with no internet capability at all are typically out of scope. But if the device has a Bluetooth radio that talks to a phone that talks to the cloud, that chain may bring it back in.
- Devices with software but no network interface (e.g., simple programmable infusion pumps with no wireless or USB) may fall outside Section 524B but still face cybersecurity expectations under the broader 2026 guidance.
- AI/ML-enabled devices are explicitly within scope when they meet the three prongs, with additional considerations under FDA's predetermined change control plan framework.
When in doubt, document the analysis. FDA reviewers want to see that you considered the cyber device determination - not that you assumed the answer.
3. The three things every 524B submission must include
Section 524B(b)(1)-(3) defines three categories of cybersecurity content (a fourth paragraph, 524B(b)(4), lets FDA add further requirements by regulation). The 2026 guidance fleshes out what 'complete' looks like for each one.
(1) Postmarket vulnerability and patch plan - 524B(b)(1)
Sponsors must submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
What FDA wants to see:
- Named vulnerability monitoring sources (NVD, CISA, vendor advisories, ISAC feeds)
- Severity-based remediation timelines with documented justifications
- A coordinated vulnerability disclosure (CVD) policy with a published security contact and intake process
- Patch delivery, authentication, integrity verification, and rollback mechanisms
- Coverage for both currently marketed and fielded legacy devices
(2) Secure Product Development Framework (SPDF) - 524B(b)(2)
Sponsors must design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems - on a reasonably justified regular cycle for known unacceptable vulnerabilities, and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risks.
FDA expects an SPDF narrative that maps to your QMS - not a one-off marketing document. Required elements typically include:
- A written SPDF policy integrated with your QMSR / 21 CFR 820 and ISO 13485 processes
- Threat modeling tied to design inputs
- Security risk assessment integrated with the ISO 14971 safety risk file
- Security architecture views (global system, multi-patient harm, updateability)
- Cybersecurity testing, including penetration testing that covers every externally reachable interface
- Cybersecurity labeling and transparency
(3) Software Bill of Materials (SBOM) - 524B(b)(3)
Sponsors must provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
FDA expects a machine-readable SBOM in SPDX or CycloneDX format that includes:
- Component name, version, supplier, and a unique identifier (e.g., a package URL or CPE) for every dependency, including transitive ones
- Dependency relationships between components
- Known vulnerabilities assessed per component (CVE status); this may accompany the SBOM as a separate document rather than be embedded in it
- Support level and end-of-life date for each component
- A documented SBOM regeneration process tied to your build pipeline, so the SBOM matches the shipped build
4. Timeline: how Section 524B got here
- December 29, 2022. Section 524B signed into law as part of the Consolidated Appropriations Act of 2023.
- March 29, 2023. Section 524B becomes effective. FDA begins evaluating submissions against it.
- September 27, 2023. FDA issues the final guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions", replacing the 2014 premarket cybersecurity guidance.
- October 1, 2023. FDA begins issuing Refuse-to-Accept decisions for non-conforming submissions.
- February 2, 2026. QMSR (21 CFR Part 820) takes effect, incorporating ISO 13485:2016 by reference and tightening cybersecurity QMS expectations.
- February 3, 2026. Current final cybersecurity guidance issued, superseding prior versions.
5. What happens if your submission doesn't meet 524B
Two failure modes:
- Refuse-to-Accept (RTA). Within 15 calendar days of receipt, FDA returns the submission with an Acceptance Checklist showing what is missing. You have 180 days to fix and resubmit.
- Additional Information Needed (AINN). Mid-review, FDA pauses the clock and issues a letter with numbered cybersecurity deficiencies. You have 180 days to respond with a complete package or the submission is withdrawn.
If you have a letter on your desk, the tactical companion to this pillar is our FDA Cybersecurity Deficiency Response Checklist and the broader AINN, Deficiency, and Hold Letter pillar.
6. Frequently asked questions
What is Section 524B of the FD&C Act? Section 524B is the cybersecurity provision added to the FD&C Act in December 2022. It requires cybersecurity content in every premarket submission for a cyber device, and FDA refuses to accept submissions that do not include it.
What is a 'cyber device' under FDA? A device that (1) includes software, (2) has the ability to connect to the internet, and (3) contains technological characteristics that could be vulnerable to cybersecurity threats. All three prongs must be met.
Which submissions does Section 524B apply to? 510(k), De Novo, PMA, PMA supplements, HDE, and BLA submissions for any device that meets the cyber device definition. The 2026 guidance also covers IDE and Q-Sub interactions when cybersecurity is in scope.
What three things must a 524B submission include? (1) A postmarket vulnerability and patch plan including coordinated vulnerability disclosure; (2) a Secure Product Development Framework (SPDF) narrative; (3) a machine-readable Software Bill of Materials (SBOM).
When does Section 524B take effect? It became effective March 29, 2023. FDA began enforcing it through Refuse-to-Accept decisions on October 1, 2023. The current operational standard is the February 2026 final guidance.
Is an SBOM mandatory under Section 524B? Yes. Section 524B(b)(3) explicitly requires a Software Bill of Materials, and FDA expects it in machine-readable SPDX or CycloneDX format.
What happens if my submission doesn't meet Section 524B? FDA can issue a Refuse-to-Accept decision early, or an Additional Information Needed letter mid-review with numbered deficiencies. You have 180 days to respond before the submission is withdrawn.
Does Section 524B apply to legacy devices already on the market? Section 524B applies whenever you file a new premarket submission for a cyber device, even if the underlying platform is legacy. Postmarket cybersecurity obligations apply to fielded legacy devices under FDA's broader authorities.
How long does a 524B-aligned cybersecurity package take? For a typical Class II connected device, a complete package - threat model, SBOM, security risk assessment, architecture views, pen testing, and SPDF narrative - runs 4 to 8 weeks once design artifacts are available.
Where can I read Section 524B in full? The text is in 21 USC 360n-2 and FDA's interpretation is in the February 2026 cybersecurity guidance.
Need help meeting Section 524B?
Blue Goat Cyber works exclusively on medical-device cybersecurity for FDA submissions. We have authored 524B-aligned packages for 250+ premarket submissions with zero rejections - across 510(k), De Novo, PMA, and HDE pathways.
If you are scoping a new submission, responding to an RTA, or preparing for an AINN, the most useful first step is a 30-minute discovery call. We will read your situation, identify the highest-risk gaps under 524B, and quote a fixed-fee engagement within 24 hours.
Request Regulatory Consulting →
Or explore the related guides: Responding to FDA AINN, Deficiency, and Hold Letters → · FDA Cybersecurity Deficiency Response Checklist → · The MedTech Cybersecurity Standards Decoder →
Sources & references
Primary sources cited in this article. Links open in a new tab.
- February 2026 final guidance (U.S. FDA)
- NVD (NIST)
- CISA (U.S. Cybersecurity and Infrastructure Security Agency)
- ISO 14971 (ISO)
- 21 USC 360n-2 (law.cornell.edu)
