Blue Goat Cyber: Medical Device Cybersecurity

    FDA Premarket Cybersecurity Submission Flow

    How the eighteen cybersecurity deliverables of an eSTAR premarket submission map to FDA guidance sections and eSTAR v7.0 fields under the February 3, 2026 final guidance.

    Last reviewed 2026-06-28

    What the diagram shows

    1. Risk Management Report (V & VI.B)

    Umbrella report aligned to ISO 14971 / AAMI SW96 that links cybersecurity hazards to patient harm and carries the traceability matrix across every deliverable.

    2. Threat Model (V.A.1)

    STRIDE-based model plus MITRE ATT&CK for ICS technique coverage; identifies threats and mitigations and links them to the architecture views.

    3. Cybersecurity Risk Assessment (V.A.2)

    Scoring based on exploitability rather than probability (CVSS + rubric) that justifies the chosen controls and residual risk acceptance.

    4. SBOM (V.A.4) — §524B(b)(3) statutory

    Machine-readable SPDX 2.3+ or CycloneDX 1.6+ with full transitive components, NTIA minimum fields, license, and CVE/VEX cross-references.

    5. Component Support & End-of-Support (V.A.4) — §524B(b)(2)

    Per-component support level + EOS date with vulnerability assessment; underpins the patch/update obligation.

    6–9. Anomalies, Metrics, Controls, Architecture Views

    Unresolved anomalies assessment (V.A.5), cybersecurity metrics (V.A.6), security requirements + control coverage (V.B.1 / App. 1), and architecture views (V.B.2 / App. 2).

    10–13. Testing (V.C)

    SAST plus pen test plan, test cases, and report. FDA V.C requires the report to cover all five elements: scope, objectives, methodology, results, and remediation.

    14–15. Labeling (VI.A)

    Cybersecurity labeling and MDS2 — customer-facing security documentation, configuration guidance, and end-of-support dates.

    16. Cybersecurity Management Plan (VI.B) — §524B(b)(1) statutory

    Postmarket monitoring cadence, CVD intake, patch SLAs, and update mechanism.

    17–18. Interoperability (V.A.3 / VI.A)

    Interoperability risk assessment with V&V plus interoperability labeling — HL7/FHIR and network trust considerations.

    Embed this diagram

    Use this on your blog, internal wiki, or training deck. We only ask that the credit line and link back stay intact.

    <!-- FDA Premarket Cybersecurity Submission Flow, Blue Goat Cyber -->
    <figure>
      <a href="https://bluegoatcyber.com/resources/infographics/fda-premarket-submission-flow">
        <img src="https://bluegoatcyber.com/resources/infographics/fda-premarket-submission-flow.svg" alt="Two-column 18-deliverable grid mapping each premarket cybersecurity item to its FDA Feb 2026 guidance section and eSTAR v7.0 field." loading="lazy" />
      </a>
      <figcaption>
        <a href="https://bluegoatcyber.com/resources/infographics/fda-premarket-submission-flow">FDA Premarket Cybersecurity Submission Flow</a> by
        <a href="https://bluegoatcyber.com">Blue Goat Cyber</a>
      </figcaption>
    </figure>

    Related reading

    In-depth guides

    FDA Premarket Cybersecurity Submission Checklist (2026)

    A 15-section checklist for a 510(k), De Novo, or PMA cybersecurity submission under Section 524B and the FDA's February 2026 final guidance.

    12 Reasons the FDA Rejects Medical Device Cybersecurity Submissions

    The most common cybersecurity deficiencies in 510(k), De Novo, and PMA submissions, what triggers each one and how to fix it before you file. Aligned to the FDA February 2026 final guidance and Section 524B.

    FDA Cybersecurity Deficiency Letter Response Checklist

    A step-by-step, 11-stage checklist for organizing and resolving FDA cybersecurity deficiency letters across 510(k), PMA, De Novo, and HDE submissions. Aligned to the FDA February 2026 final guidance and Section 524B.

    FDA Cybersecurity Guidance 2026: Transition Guide and Summary

    Plain-language summary of the FDA's Feb 3, 2026 final premarket cybersecurity guidance: what changed from the 2023 final, the 8-slot eSTAR v7.0 checklist, Section 524B requirements, and a sponsor transition plan.
