FDA Deficiency Letter Response Decision Tree
Decide in minutes whether an FDA reply is an RTA, a deficiency letter, or a hold letter, and what your response clock looks like for each.
What the diagram shows
Refuse To Accept (RTA)
Triggered when the submission is structurally incomplete. The review clock has not started. Fix the gap and re-submit; you have 180 days before the file is withdrawn.
Additional information (AI) request
Substantive cybersecurity question, often about threat model depth, SBOM completeness, or testing rationale. Standard response window is 180 days; the review clock pauses until you respond.
Major deficiency letter
Reviewer believes a control is missing or inadequate. Treat as a re-design conversation, not a documentation patch; weak responses become hold letters.
Hold letter
Submission cannot proceed without substantive changes. Common after a weak response to an AI request. Re-engage with the reviewer; consider a pre-submission meeting before re-filing.
Common response patterns
Cite the FDA 2026 guidance section the reviewer is invoking, link your existing evidence, and, if anything in the design changed, update the SBOM, threat model, and labeling in lockstep.
Embed this diagram
Use this on your blog, internal wiki, or training deck. We only ask that the credit line and link back stay intact.
<!-- FDA Deficiency Letter Response Decision Tree, Blue Goat Cyber -->
<figure>
<a href="https://bluegoatcyber.com/resources/infographics/deficiency-letter-decision-tree">
<img src="https://bluegoatcyber.com/resources/infographics/deficiency-letter-decision-tree.svg" alt="Decision tree branching from an inbound FDA letter into Refuse To Accept, additional information request, and hold letter response paths." loading="lazy" />
</a>
<figcaption>
<a href="https://bluegoatcyber.com/resources/infographics/deficiency-letter-decision-tree">FDA Deficiency Letter Response Decision Tree</a> by
<a href="https://bluegoatcyber.com">Blue Goat Cyber</a>
</figcaption>
</figure>