
Section 524B Cybersecurity Requirements: What Medical Device Companies Must Know Before FDA Submission

By Andre Butler  ·  May 8, 2026


The Cybersecurity Mandate That Is Holding Up FDA Submissions

Since March 29, 2023, the FDA has had statutory authority to refuse to accept premarket submissions for "cyber devices" that do not include the required cybersecurity documentation. That authority comes from Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act), added by Section 3305 of the Consolidated Appropriations Act, 2023. If your device runs software you validated, installed, or authorized and has the ability to connect to the internet, directly or through another device or network, and whether or not that connectivity is part of its intended use, this section applies to you. Ignoring it is one of the fastest ways to earn a Refuse to Accept (RTA) decision before your submission ever reaches a substantive reviewer.

At ADB Consulting & CRO Inc., we work directly with startup founders and regulatory teams navigating this new landscape. The goal of this post is to give you a clear, actionable picture of what Section 524B actually requires, how it maps to FDA's current guidance, and what your submission package needs to look like.

What Section 524B Actually Requires

Section 524B mandates that sponsors of cyber devices submit specific cybersecurity information as part of any premarket submission, whether that is a 510(k), De Novo request, PMA, Product Development Protocol, or Humanitarian Device Exemption (HDE). The statute defines a cyber device as one that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. All three conditions must hold, and FDA reads the second one broadly: a device that can be connected, even through a USB port or a clinician's laptop, has the ability to connect.

The law requires the sponsor to:

  • Submit a plan to monitor, identify, and address, as appropriate and in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures
  • Design, develop, and maintain processes and procedures that provide reasonable assurance the device and related systems are cybersecure, and make postmarket updates and patches available: on a reasonably justified regular cycle for known unacceptable vulnerabilities, and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risks
  • Provide a Software Bill of Materials (SBOM), including commercial, open-source, and off-the-shelf software components
  • Comply with any other requirements FDA establishes by regulation to demonstrate reasonable assurance that the device and related systems are cybersecure

This is not a checkbox exercise. The FDA's review of these elements is substantive, and deficiencies in cybersecurity documentation are increasingly common grounds for Additional Information (AI) requests.

How FDA Guidance Translates the Statute Into Practice

The primary reference document is FDA's final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, first issued in September 2023 and reissued in June 2025. Guidance is not legally binding, but it describes how reviewers apply Section 524B and what they expect to find in a premarket submission, so in practice it is the checklist a cyber device submission is graded against. It organizes those expectations around a Secure Product Development Framework (SPDF): security risk management, security architecture, and cybersecurity testing, alongside the SBOM and the postmarket plan the statute itself requires.

Earlier draft guidance (2018) sorted devices into "Higher" and "Standard" cybersecurity risk tiers. The final guidance dropped those tiers; instead, the depth of documentation scales with the device's cybersecurity risk, which is not the same thing as its regulatory classification. A Class II device with broad connectivity, sensitive data handling, or direct patient impact can carry more cybersecurity risk than a Class III device with none. Making and justifying that risk determination is one of the first decisions your regulatory team needs to make, and it requires an honest assessment of your threat landscape.

Key Documentation Elements the FDA Expects to See

For most submissions, FDA reviewers will look for evidence of the following:

  • Threat Modeling: A systematic analysis of potential threats, attack vectors, and impact on device safety and effectiveness, covering the device, its accessories, and the systems it connects to. STRIDE and PASTA are commonly used methodologies; the output should be the list of threats your architecture and controls are then shown to mitigate.
  • Cybersecurity Risk Assessment: A security risk management process that is distinct from, but linked to, your ISO 14971 safety risk management file, following a recognized method such as AAMI TIR57 / ANSI/AAMI SW96 or NIST SP 800-30. It should record residual risk for each threat and show how security risks that can affect safety flow into the 14971 file. Threat catalogs such as MITRE ATT&CK are useful for enumerating attacker techniques, but they are not a risk assessment method on their own.
  • Security Architecture Documentation: Network diagrams, data flow maps, authentication and authorization mechanisms, cryptographic algorithms and key management, update and patch mechanisms, and interface controls, with each security control traced back to the threat it mitigates.
  • SBOM: A complete inventory of all software components, in a machine-readable format such as SPDX or CycloneDX. It should carry at least the NTIA minimum elements (supplier, component name, version, unique identifiers, dependency relationships, author of the SBOM data, and timestamp), so that each component can be matched to known vulnerabilities. FDA also expects the submission to identify the support status of each component and to assess any known vulnerabilities in the listed components.
  • Vulnerability Management Plan: How you will monitor for emerging CVEs, assess whether each one is exploitable on your device, and communicate with customers and FDA when a vulnerability is confirmed postmarket, including how quickly you will patch. The plan should reflect the statute's distinction between a regular patch cycle and out-of-cycle patches for critical vulnerabilities.
  • Software Lifecycle Documentation: Evidence that security is integrated into your SDLC, consistent with the secure development practices in IEC 62443-4-1 or IEC 81001-5-1, and cybersecurity testing results (security requirements testing, vulnerability scanning, and penetration testing) that demonstrate the controls work as documented.
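As an added illustration of the SBOM and vulnerability management items above (this is example code written for this post, not tooling from the original article, from FDA, or from ADB Consulting), the script below reads a CycloneDX JSON SBOM, checks it against the NTIA minimum elements, matches each component against an advisory feed, and sorts the hits into the two patch tracks Section 524B distinguishes. The SBOM, the device, the component and supplier names, and the advisory IDs are all constructed for the example and refer to no real software or CVE; the version comparison assumes plain dotted numeric versions.

```python
"""Added example: check a CycloneDX SBOM for minimum elements and match it
against an advisory feed. All data below is constructed; it is not code or
data from the post, FDA, or any real vendor."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX 1.5 document for a fictional device. Component and
# supplier names are invented and do not refer to real software.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2026-05-01T12:00:00Z",
    "authors": [{"name": "Example Device Co. Product Security"}],
    "component": {"type": "device", "name": "example-infusion-pump", "version": "2.3.0"}
  },
  "components": [
    {"type": "library", "name": "acme-tls", "version": "1.4.2",
     "supplier": {"name": "Acme Crypto"}, "purl": "pkg:generic/acme-tls@1.4.2"},
    {"type": "library", "name": "acme-json", "version": "0.9.0",
     "supplier": {"name": "Acme Tools"}, "purl": "pkg:generic/acme-json@0.9.0"},
    {"type": "library", "name": "pumpproto", "version": "3.1.0"}
  ]
}"""

# Constructed advisory feed, in the shape a monitoring process might keep after
# pulling vendor or CVE data. A component is affected when
# introduced <= version < fixed. The IDs are placeholders, not real CVEs.
ADVISORY_FEED = [
    {"id": "EXAMPLE-2026-0001", "component": "acme-tls", "introduced": "1.0.0",
     "fixed": "1.4.3", "severity": "high"},
    {"id": "EXAMPLE-2026-0002", "component": "acme-tls", "introduced": "1.0.0",
     "fixed": "1.2.0", "severity": "medium"},
    {"id": "EXAMPLE-2026-0003", "component": "acme-json", "introduced": "0.0.0",
     "fixed": "1.0.0", "severity": "critical"},
]


@dataclass
class Component:
    name: str
    version: str
    supplier: Optional[str]
    identifier: Optional[str]  # purl or cpe


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; real feeds need a full version-scheme parser."""
    return tuple(int(p) for p in v.split("."))


def parse_sbom(text: str) -> tuple[dict, list[Component]]:
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        supplier = (c.get("supplier") or {}).get("name")
        comps.append(Component(c["name"], c.get("version", ""), supplier,
                               c.get("purl") or c.get("cpe")))
    return doc.get("metadata", {}), comps


def check_minimum_elements(metadata: dict, comps: list[Component]) -> list[str]:
    """Report gaps against the NTIA minimum elements that FDA's guidance points to."""
    problems = []
    if not metadata.get("timestamp"):
        problems.append("sbom: missing timestamp")
    if not metadata.get("authors"):
        problems.append("sbom: missing author of SBOM data")
    for c in comps:
        if not c.version:
            problems.append(f"{c.name}: missing version")
        if not c.supplier:
            problems.append(f"{c.name}: missing supplier name")
        if not c.identifier:
            problems.append(f"{c.name}: missing unique identifier (purl/cpe)")
    return problems


def match_advisories(comps: list[Component], feed: list[dict]) -> list[tuple[str, str, str]]:
    """(component, advisory id, severity) for every component inside an affected range."""
    findings = []
    for c in comps:
        if not c.version:
            continue  # cannot match without a version; already flagged as a gap
        v = parse_version(c.version)
        for adv in feed:
            if adv["component"] != c.name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append((c.name, adv["id"], adv["severity"]))
    return findings


def triage(findings: list[tuple[str, str, str]]) -> dict[str, str]:
    """Assign each finding to a Section 524B patch track. Whether a finding is
    'critical' in the statute's sense also depends on the device-specific risk
    assessment, which this toy severity rule does not model."""
    return {adv_id: ("out-of-cycle patch" if sev == "critical" else "regular patch cycle")
            for _, adv_id, sev in findings}


def review_sbom(text: str = SBOM_JSON, feed: list[dict] = ADVISORY_FEED):
    metadata, comps = parse_sbom(text)
    findings = match_advisories(comps, feed)
    return check_minimum_elements(metadata, comps), findings, triage(findings)


if __name__ == "__main__":
    problems, findings, actions = review_sbom()
    for p in problems:
        print("SBOM gap:", p)
    for name, adv_id, sev in findings:
        print(f"{name}: {adv_id} ({sev}) -> {actions[adv_id]}")
```

Run as-is, the script flags the third component for the missing supplier and identifier (the kind of gap a reviewer will ask about) and matches the two advisories whose ranges cover the shipped versions. The point of `triage` is that the severity a feed reports is only the starting input; the statute's "critical vulnerability that could cause uncontrolled risks" is a judgment your risk assessment has to make and document.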

Where Startups Get Into Trouble

The most common failure mode we see at ADB Consulting is treating cybersecurity as a documentation afterthought rather than a design input. If your engineering team builds the device and then you ask your regulatory consultant to write a cybersecurity section around it, you are building toward an Additional Information request or, worse, a Not Substantially Equivalent (NSE) decision on a 510(k).

Cybersecurity must be a design control. Under 21 CFR Part 820, which as of February 2, 2026 is the Quality Management System Regulation (QMSR) incorporating ISO 13485:2016 by reference, your cybersecurity requirements belong in the design input record. Threat models should inform architecture decisions and be updated when the design changes. Your risk management file under ISO 14971 should explicitly reference and integrate cybersecurity risks, so that a reviewer can trace a security control from threat to requirement to verification evidence.

A second common gap is the SBOM. Many startups using commercial off-the-shelf software or open-source libraries have never fully inventoried their software stack. When FDA asks for a complete SBOM, discovering that gap mid-submission is an expensive problem.

Postmarket Obligations Are Not Optional

Section 524B does not stop at premarket. The statute explicitly requires an ongoing postmarket cybersecurity program, and it names coordinated vulnerability disclosure as part of the required plan. FDA's postmarket guidance, Postmarket Management of Cybersecurity in Medical Devices (December 2016), outlines expectations for vulnerability disclosure, patch management, and communication with healthcare delivery organizations (HDOs), and the 2023 premarket guidance expects the premarket submission to describe those postmarket processes up front. You need a published vulnerability disclosure policy and a coordinated vulnerability disclosure (CVD) process, typically built on ISO/IEC 29147 and ISO/IEC 30111, before your device ships.

Build Cybersecurity Into Your Regulatory Strategy From Day One

Section 524B has permanently changed the regulatory calculus for connected medical devices. Compliance is not optional, and the documentation burden is significant — but it is entirely manageable when addressed systematically and early. The companies that build cybersecurity into their design controls, risk management, and quality systems from the start will move through FDA review faster and with fewer surprises than those who treat it as a late-stage deliverable.

If you are preparing a submission for a cyber device, or if you are concerned your existing device program is not positioned to meet Section 524B requirements, book a free discovery call with ADB Consulting & CRO Inc. We will assess where you stand, identify gaps, and build a practical path forward. Visit adbccro.com to schedule your call today.

Andre Butler

Principal Consultant — ADB Consulting & CRO Inc.

Andre Butler has 20+ years of hands-on FDA regulatory experience guiding medical device companies through 510(k), PMA, De Novo, AI/ML SaMD, and FDA 483 response engagements. He specialises in Section 524B cybersecurity compliance and ISO 13485 quality management systems, with a track record across cardiovascular, orthopedic, diagnostic, and software-as-a-medical-device categories.

Ready to Navigate the FDA Process with Confidence?

Book a free 30-minute discovery call with Andre Butler. No sales pitch -- just expert regulatory guidance on your specific device and situation.


Or call directly: (888) 450-8607