Blue Goat Cyber℠ Medical Device Cybersecurity
    2-minute check

    Is your device a 'cyber device' under §524B?

    The 2022 Omnibus changed which submissions need a full cybersecurity package. Answer six questions to find out whether yours is in scope.

    Reviewed by Christian Espinosa, Founder & CEO, Blue Goat Cyber

    Last reviewed May 21, 2026

    Question 1 of 6

    Does the device include or depend on software validated by you (the manufacturer)?

    Question 2 of 6

    Can the device connect to the internet - directly, or through a paired phone, gateway, or cloud backend?

    Question 3 of 6

    Could a software vulnerability in the device be exploited (locally or remotely) to affect safety, effectiveness, or data integrity?

    Question 4 of 6

    Are you planning a 510(k), De Novo, or PMA submission on or after March 29, 2023?

    Question 5 of 6

    Does the device contain third-party / open-source software components?

    Question 6 of 6

    Does it use wireless protocols (Wi-Fi, Bluetooth, cellular, RF, NFC) or USB for non-charging purposes?

    What you'll see after you submit

    After your six answers, you get a one-page verdict packet:

    • DecisionRing infographic: each numbered dot is one of your answers, color-coded yes/no/unsure, with the §524B verdict at the center.
    • Plain-English verdict (cyber device / probably / not in scope) with the statutory reasoning spelled out.
    • Answer recap table you can print to PDF and drop into your regulatory rationale memo.
    • Next-step links to the SBOM, premarket, and postmarket programs that match your verdict.

    Common misconceptions

    What teams usually get wrong

    • Myth: If my device doesn't have Wi-Fi, §524B doesn't apply.

      Reality: §524B covers any 'ability to connect to the internet' - including through a paired phone, a USB tether to a clinical workstation, or a cloud-bound gateway. Wireless is not the bar.

    • Myth: We submitted before March 29, 2023, so the rule never applies.

      Reality: Any new submission (510(k), De Novo, PMA, supplement) on or after that date triggers §524B for the new version, even for a long-marketed device family.

    • Myth: Only Class II and Class III software needs an SBOM.

      Reality: §524B is keyed to 'cyber device,' not classification. A Class I device with software and a network path owes the same SBOM, monitoring plan, and coordinated vulnerability disclosure (CVD) process as a Class III device.

    • Myth: If a third party operates the cloud, we're off the hook.

      Reality: The premarket submitter is accountable for the entire system, including SaaS components. You must show contractual evidence that the cloud is patched, monitored, and disclosed.

    Why this tool is current

    Recent regulatory + supply-chain activity

    Tracked signals that change what reviewers expect. Items move on as new ones land.

    If you are in scope