Blue Goat Cyber℠ Medical Device Cybersecurity

    FDA Premarket Cybersecurity Submission Flow

    How the seven cybersecurity sections of an eSTAR premarket submission fit together under the FDA's February 2026 final guidance.

    Last reviewed 2026-06-10

    What the diagram shows

    1. Security risk management

    ISO 14971-aligned analysis that identifies cybersecurity hazards and links them to patient harm. Feeds every downstream section.

    2. Security architecture

    Architectural views (global system, multi-patient harm, updateability) showing trust boundaries, data flows, and security controls.

    3. Cybersecurity risk assessment

    Threat model + scoring (CVSS, rubric) that justifies the chosen controls and residual risk acceptance.

    4. SBOM

    Machine-readable SPDX 2.3+ or CycloneDX 1.4+ with full transitive components, known vulnerabilities, and support status.

    5. Security testing

    Vulnerability scanning, static analysis, fuzz testing, and penetration test evidence with rationale for coverage.

    6. Cybersecurity labeling

    Customer-facing security documentation: configuration guidance, end-of-support dates, MDS2/SBOM access path.

    7. Vulnerability management plan

    Postmarket monitoring cadence, disclosure policy, patch SLAs, and update mechanism that satisfies Section 524B(b).

    Bundled into eSTAR → Reviewer

    All seven sections drop into the eSTAR cybersecurity attachments. Missing or malformed sections trigger Refuse To Accept; weak content triggers deficiency letters.

