FDA Premarket Cybersecurity Submission Flow
How the eighteen cybersecurity deliverables of an eSTAR premarket submission map to FDA guidance sections and eSTAR v7.0 fields under the February 3, 2026 final guidance.
What the diagram shows
1. Risk Management Report (V & VI.B)
Umbrella report aligned to ISO 14971 / AAMI SW96 that links cybersecurity hazards to patient harm and carries the traceability matrix across every deliverable.
2. Threat Model (V.A.1)
STRIDE-based model plus MITRE ATT&CK for ICS technique coverage; identifies threats, mitigations, and architecture-views linkage.
3. Cybersecurity Risk Assessment (V.A.2)
Exploitability-not-probability scoring (CVSS + rubric) that justifies the chosen controls and residual risk acceptance.
4. SBOM (V.A.4) — §524B(b)(3) statutory
Machine-readable SPDX 2.3+ or CycloneDX 1.6+ with full transitive components, NTIA minimum fields, license, and CVE/VEX cross-references.
5. Component Support & End-of-Support (V.A.4) — §524B(b)(2)
Per-component support level + EOS date with vulnerability assessment; underpins the patch/update obligation.
6–9. Anomalies, Metrics, Controls, Architecture Views
Unresolved anomalies assessment (V.A.5), cybersecurity metrics (V.A.6), security requirements + control coverage (V.B.1 / App. 1), and architecture views (V.B.2 / App. 2).
10–13. Testing (V.C)
SAST plus pen test plan, test cases, and report. FDA V.C requires the report to cover all five elements: scope, objectives, methodology, results, and remediation.
14–15. Labeling (VI.A)
Cybersecurity labeling and MDS2 — customer-facing security documentation, configuration guidance, and end-of-support dates.
16. Cybersecurity Management Plan (VI.B) — §524B(b)(1) statutory
Postmarket monitoring cadence, CVD intake, patch SLAs, and update mechanism.
17–18. Interoperability (V.A.3 / VI.A)
Interoperability risk assessment with V&V plus interoperability labeling — HL7/FHIR and network trust considerations.
Embed this diagram
Use this on your blog, internal wiki, or training deck. We only ask that the credit line and link back stay intact.
<!-- FDA Premarket Cybersecurity Submission Flow, Blue Goat Cyber -->
<figure>
<a href="https://bluegoatcyber.com/resources/infographics/fda-premarket-submission-flow">
<img src="https://bluegoatcyber.com/resources/infographics/fda-premarket-submission-flow.svg" alt="Two-column 18-deliverable grid mapping each premarket cybersecurity item to its FDA Feb 2026 guidance section and eSTAR v7.0 field." loading="lazy" />
</a>
<figcaption>
<a href="https://bluegoatcyber.com/resources/infographics/fda-premarket-submission-flow">FDA Premarket Cybersecurity Submission Flow</a> by
<a href="https://bluegoatcyber.com">Blue Goat Cyber</a>
</figcaption>
</figure>
Related reading
tagged · FDA · Premarket · Section 524BIn-depth guides
FDA Premarket Cybersecurity Submission Checklist (2026)
A 15-section checklist for a 510(k), De Novo, or PMA cybersecurity submission under Section 524B and the FDA's February 2026 final guidance.
12 Reasons the FDA Rejects Medical Device Cybersecurity Submissions
The most common cybersecurity deficiencies in 510(k), De Novo, and PMA submissions, what triggers each one and how to fix it before you file. Aligned to the FDA February 2026 final guidance and Section 524B.
FDA Cybersecurity Deficiency Letter Response Checklist
A step-by-step, 11-stage checklist for organizing and resolving FDA cybersecurity deficiency letters across 510(k), PMA, De Novo, and HDE submissions. Aligned to the FDA February 2026 final guidance and Section 524B.
FDA Cybersecurity Guidance 2026: Transition Guide and Summary
Plain-language summary of the FDA's Feb 3, 2026 final premarket cybersecurity guidance: what changed from the 2023 final, the 8-slot eSTAR v7.0 checklist, Section 524B requirements, and a sponsor transition plan.
From the blog
- Does Device Class Decide FDA Cybersecurity Requirements?2026-06-04
- Letter to File vs New 510(k) for Cybersecurity Changes2026-06-02
- Special vs Traditional 510(k) for Cybersecurity Changes2026-06-02
- Does FDA Section 524B Apply to Legacy Devices?2026-06-23
- eSTAR v7.0 Cybersecurity for IVDs vs nIVD Submissions2026-06-11
Where this fits
More infographics
See allGet FDA cleared without the cybersecurity headaches.
30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.