Key takeaways
- All medical devices require the same 18 cybersecurity deliverables for FDA premarket submission, irrespective of their risk classification.
- The documentation's depth and complexity must align with the medical device's risk profile and intricacy.
- The 18 deliverables correspond to the 13 cybersecurity sections in the FDA's eSTAR template using a "many-to-one" mapping.
- Key deliverable categories include a comprehensive Risk Management Report, detailed Cybersecurity Testing documentation, and specific Cybersecurity Labeling.
- Manufacturers should integrate the creation of these deliverables into the product development lifecycle from its outset.
- The Cybersecurity Management Plan (CSMP) is essential for outlining post-market security management, including vulnerability monitoring and patching.
- Unresolved anomalies or residual risks necessitate a thorough assessment of their potential safety and security impact.
In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa, Founder, and Trevor Slattery, CTO of Blue Goat Cyber, provide a detailed breakdown of the requirements for an FDA cybersecurity premarket submission. The central focus is on clarifying a common area of confusion: the 18 specific deliverables required by the FDA and how they map to the 13 cybersecurity sections in the eSTAR (Electronic Submission Template and Resource) template. The hosts begin by debunking the major misconception that the documentation requirements change based on the medical device's risk level. They emphasize that every device, from a low-risk oxygen pump to a high-risk surgical robot or pacemaker, must produce the same 18 types of documents. The difference, they explain, lies not in the what but in the how much; the complexity, depth, and level of scrutiny for each deliverable scale directly with the device's risk profile and complexity. A simple device might have a concise set of documents, whereas a highly complex, life-sustaining device will require significantly more extensive and detailed documentation, potentially spanning hundreds of pages.
The discussion then unpacks the structure of these 18 deliverables and their relationship to the eSTAR template, explaining the "many-to-one" mapping. For example, the overarching "Risk Management Report" deliverable actually comprises four distinct sub-documents: the Threat Model (often using the STRIDE framework), the Cybersecurity Risk Assessment, the Software Bill of Materials (SBOM), and SBOM supporting materials which detail component support and maintenance plans. Similarly, the single "Cybersecurity Testing" section in eSTAR is satisfied by four separate deliverables: the Static Application Security Testing (SAST) report, the overall test plan, the specific test cases, and the final test report. This modular approach, they argue, provides a more structured and review-friendly process for both the manufacturer and the FDA. The hosts also touch upon cybersecurity labeling, which itself consists of multiple documents tailored to different audiences, including the JSP2 for end-users and the MDS2 for hospital IT departments, as well as specific interoperability risk assessments for connected devices that influence clinical decisions.
The overarching advice from Espinosa and Slattery is for manufacturers to "begin with the end in mind." They strongly advocate for integrating the creation of these 18 deliverables into the product development lifecycle from the outset. Rushing to generate this comprehensive documentation package just before a submission deadline is inefficient and difficult, as it relies on source materials and analysis that should be conducted throughout the development process. By understanding these requirements early, manufacturers can build a robust, defensible, and compliant submission package that demonstrates a commitment to security, rather than treating cybersecurity as a last-minute checkbox. This proactive methodology not only streamlines the regulatory process but also results in a more secure and trustworthy medical device.
Key Takeaways
- The 18 cybersecurity deliverables for an FDA premarket submission are the same for all medical devices, regardless of their risk classification.
- The required documentation does not change, but the level of detail and complexity scales based on the device's risk profile and intricacy.
- The 18 deliverables map to the 13 cybersecurity sections of the FDA's eSTAR template in a "many-to-one" structure.
- Major deliverable categories include a comprehensive Risk Management Report (with threat model and SBOM), extensive Cybersecurity Testing documentation, and specific Cybersecurity Labeling.
- Risk assessment for medical devices should focus on the actual worst-case scenarios related to patient harm, not just hypothetical data breaches.
- Manufacturers are advised to "begin with the end in mind," incorporating documentation creation throughout the entire product development lifecycle.
- The Cybersecurity Management Plan (CSMP) is a crucial document detailing the strategy for post-market security management, including vulnerability monitoring and patching.
- For unresolved anomalies or residual risks, manufacturers must provide a thorough assessment of their potential safety and security impact.
Notable quotes
“The 18 specific deliverables are required for every device. The documentation requirements don't change, but the depth and substance of the content change based on the risk and complexity of the device.”
“The many-to-one mapping in eSTAR allows for a modular, review-friendly process where multiple specific deliverables collectively satisfy a broader cybersecurity section.”
“Our overarching advice is: begin with the end in mind. Integrate the creation of these 18 deliverables into your product development lifecycle from the outset.”