Blue Goat Cyber℠ Medical Device Cybersecurity

    FDA Deficiency Letter Response Decision Tree

    Decide in minutes whether an FDA reply is an RTA, a deficiency letter, or a hold letter — and what your response clock looks like for each.

    Last reviewed 2026-06-10

    What the diagram shows

    Refuse To Accept (RTA)

    Triggered when the submission is structurally incomplete. The review clock has not started. Fix the gap and re-submit — you have 180 days before the file is withdrawn.

    Additional information (AI) request

    Substantive cybersecurity question, often about threat model depth, SBOM completeness, or testing rationale. Standard response window is 180 days; the review clock pauses until you respond.

    Major deficiency letter

    Reviewer believes a control is missing or inadequate. Treat as a re-design conversation, not a documentation patch — weak responses become hold letters.

    Hold letter

    Submission cannot proceed without substantive changes. Common after a weak response to an AI request. Re-engage with the reviewer; consider a pre-submission meeting before re-filing.

    Common response patterns

    Cite the FDA 2026 guidance section the reviewer is invoking, link your existing evidence, and — if anything in the design changed — update the SBOM, threat model, and labeling in lockstep.

    Embed this diagram

    Use this on your blog, internal wiki, or training deck. We only ask that the credit line and link back stay intact.

    <!-- FDA Deficiency Letter Response Decision Tree — Blue Goat Cyber -->
    <figure>
      <a href="https://bluegoatcyber.com/resources/infographics/deficiency-letter-decision-tree">
        <img src="https://bluegoatcyber.com/resources/infographics/deficiency-letter-decision-tree.svg" alt="Decision tree branching from an inbound FDA letter into Refuse To Accept, additional information request, and hold letter response paths." loading="lazy" />
      </a>
      <figcaption>
        <a href="https://bluegoatcyber.com/resources/infographics/deficiency-letter-decision-tree">FDA Deficiency Letter Response Decision Tree</a> by
        <a href="https://bluegoatcyber.com">Blue Goat Cyber</a>
      </figcaption>
    </figure>
