FDA Deficiency Letter Triage

Paste the cybersecurity section of an FDA deficiency letter (AI request, hold letter, or RTA). We categorize each ask and outline a structured response with required evidence.

Paste the letter - get categorized asks and an evidence checklist

• StatTile summary: number of distinct asks, categories detected, evidence items to gather.
• Per-ask cards (SBOM, threat model, pen test, monitoring, architecture, CVD) with response language.
• Evidence-to-gather checklist organized by document so your team can divide and conquer.
• Cover-letter outline that addresses each deficiency in the order the reviewer raised it.

What teams usually get wrong

• Myth: An AI letter is just a request for more information.

  Reality: AI (Additional Information) letters pause the review clock and require a response within 180 days, or the submission is withdrawn. Treat them as hard deadlines.

• Myth: We can answer cybersecurity asks with a narrative.

  Reality: Reviewers want artifacts - SBOM files, threat model documents, pen test reports, VEX statements. Narratives without traceable evidence become a second AI letter.

• Myth: Each ask should be answered separately and shipped as it's ready.

  Reality: FDA expects one consolidated response that addresses every ask. Partial responses restart confusion and extend the clock.

• Myth: If we disagree with a deficiency, we should push back.

  Reality: Disagreement is fine, but it must be written as a rationale with cited guidance - not as a refusal. Reviewers respond to evidence, not pushback.

Primary sources behind this tool

1. FDA Q-Submission Program (including 510(k) AI letter process) - FDA
2. Refuse-to-Accept Policy for 510(k)s - FDA
3. Cybersecurity in Medical Devices: Premarket Submissions (Sept 2023) - FDA
4. 510(k) Submission Process Overview - FDA

Don't burn weeks on a deficiency response.