Playbook · FDA Premarket

The 2026 FDA Cybersecurity Guidance Decoder

What changed in the Feb 3, 2026 final premarket cybersecurity guidance, what reviewers now expect, and a 90-day path to a fully aligned submission.

All playbooks

Updated April 2026 5 pages 12-min read Download PDF

Why this matters

On Feb 3, 2026 the FDA finalized its updated guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. It supersedes the Sept 27, 2023 version. Submissions filed after that date are reviewed against a higher, more specific bar - especially for SPDF evidence, SBOM machine-readability, and threat modeling rigor.

Key takeaway: If your last submission was before Feb 2026, your existing cybersecurity package is almost certainly out of date in at least three places. Plan a gap review before re-submitting.

What is a 'cyber device' under Section 524B?

Section 524B of the FD&C Act defines a cyber device as one that (a) includes software validated, installed, or authorized by the sponsor as a device or in a device, (b) has the ability to connect to the internet, and (c) contains technological characteristics that could be vulnerable to cybersecurity threats. The 2026 guidance reaffirms the FDA's broad reading of (b) - Bluetooth, cellular, USB tethered to a connected host, and offline devices that periodically sync all qualify.

The four pillars of a 2026-compliant submission

SPDF - documented Secure Product Development Framework with objective evidence of execution.
Threat model - STRIDE-per-element, AAMI TIR57-aligned, mitigations traced to design controls.
SBOM - machine-readable in SPDX 2.3+ or CycloneDX 1.4+ (PDF/spreadsheet not acceptable).
Security testing - manual, exploit-driven penetration testing against actual interfaces.

What changed vs. the 2023 version

SBOM machine-readability is now mandatory; include VEX statements to manage CVE noise.
SPDF evidence requirements are sharper - reviewers want traceability artifacts, not just policy.
Postmarket plan must be in the premarket submission (monitoring, CVD, patch cadence).
Legacy / unsupported software is called out by name and requires compensating-control justification.
AI/ML-enabled SaMD requires model-specific threats (poisoning, inversion, adversarial inputs, prompt injection).

What's in the full PDF

Complete eSTAR cybersecurity artifact checklist
Common deficiency-letter triggers and how to avoid them
Two-column reviewer-perspective tables for every pillar
90-day path from gap review to submission-ready

Want the full 5-page playbook?

Includes every checklist, table, and template - formatted for printing and sharing.

Download PDF

What's inside

Feb 3, 2026 final guidance - what's actually new
Section 524B 'cyber device' definition decoded
The four pillars: SPDF, threat model, SBOM, security testing
eSTAR cybersecurity artifact checklist
90-day path from gap review to submission

Get the next playbook

Subscribe to The Monthly Pulse for new playbooks, FDA updates, and field notes.

Other playbooks

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.

Book strategy session Explore services