FDA Cybersecurity Premarket Documentation: What eSTAR Requires in 2026
Summary
With the FDA's final cybersecurity guidance now in full effect and the new Quality Management System Regulation (QMSR) aligned to ISO 13485 taking hold in February 2026, medical device manufacturers face the most rigorous cybersecurity submission requirements to date. If your device qualifies as a "cyber device" under Section 524B of the FD&C Act, your premarket submission must include a comprehensive set of cybersecurity documentation uploaded through the eSTAR (Electronic Submission Template and Resource) system.
This post breaks down every cybersecurity deliverable required within the eSTAR cybersecurity section so your team knows exactly what to prepare.
What Is eSTAR and Why Does It Matter?
eSTAR is the FDA’s standardized electronic submission template used for 510(k) premarket submissions. It structures the entire submission into defined sections, each with specific attachment slots and guided questions. The cybersecurity section of eSTAR is where all cybersecurity-related documentation is uploaded alongside responses to targeted questions from FDA reviewers.
Per FDA guidance, a submission will be placed on Technical Screening hold if it does not contain accurate responses and relevant attachments in the cybersecurity section. In other words, incomplete or inaccurate cybersecurity documentation can stop your submission before a reviewer even evaluates the substance of your device.
The 11 Cybersecurity Deliverables Required by eSTAR
The eSTAR cybersecurity section is organized into distinct attachment categories. Below is every category and the specific documentation you need to prepare for each.
1. Risk Management – Report
Deliverable: Cybersecurity Risk Management Report
The eSTAR requires you to attach your security risk management report detailing a separate, parallel, and interconnected security risk management process. This is explicitly called out as different from your safety risk management process. Manufacturers must demonstrate that cybersecurity risk management operates as its own discipline, even though it connects to the broader product safety risk framework.
2. Risk Management – Threat Model
Deliverable: Threat Model and Architectural Views
You must attach your threat model addressing all end-to-end elements of the system. The eSTAR also requires you to list the Threat Methodology you used, such as STRIDE, Attack Trees, Kill Chain, or DREAD. Your threat model should decompose the system into its constituent elements and systematically evaluate threats against each one.
3. Risk Management – Cybersecurity Risk Assessment
Deliverable: Cybersecurity Failure Modes and Effects Analysis (or equivalent risk assessment)
The eSTAR requires you to attach your Cybersecurity Risk Assessment and cite where your methodology and acceptance criteria are documented. Critically, the eSTAR specifically asks whether your cybersecurity risk assessment avoids using probabilities for likelihood assessment and uses exploitability instead. This reflects FDA’s clear expectation that cybersecurity risk scoring should be rooted in exploitability metrics (such as CVSS-based scoring) rather than traditional probability-based approaches used in safety risk management.
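To make the exploitability-versus-probability point concrete, here is an added example (written for this post, not code from the FDA or from any eSTAR template) that computes the CVSS v3.1 exploitability sub-score from a vector string and uses it to order threat-model findings for triage. The weights are the published CVSS v3.1 constants; the finding names and vectors are constructed for illustration.

```python
"""
Added example: CVSS v3.1 exploitability sub-score as a likelihood proxy.
The eSTAR asks that cybersecurity risk assessment use exploitability rather
than probability; this shows one widely used exploitability metric.
"""
import re

# CVSS v3.1 base-metric weights (specification constants)
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}   # Attack Vector
_AC = {"L": 0.77, "H": 0.44}                          # Attack Complexity
_UI = {"N": 0.85, "R": 0.62}                          # User Interaction
# Privileges Required weight depends on Scope: (unchanged, changed)
_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}

_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(?P<metrics>(?:[A-Z]+:[A-Z]/?)+)$")


def parse_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector string into a {metric: value} dict."""
    m = _VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(part.split(":") for part in m.group("metrics").split("/") if part)
    missing = {"AV", "AC", "PR", "UI", "S"} - metrics.keys()
    if missing:
        raise ValueError(f"vector missing base metrics: {sorted(missing)}")
    return metrics


def exploitability(vector: str) -> float:
    """CVSS v3.1 exploitability sub-score = 8.22 * AV * AC * PR * UI (range 0..3.9)."""
    v = parse_vector(vector)
    pr = _PR[v["PR"]][1 if v["S"] == "C" else 0]
    score = 8.22 * _AV[v["AV"]] * _AC[v["AC"]] * pr * _UI[v["UI"]]
    return round(score, 1)


def rank_by_exploitability(findings: dict) -> list:
    """Order threat-model findings most-exploitable first for risk-assessment triage."""
    return sorted(findings.items(), key=lambda kv: exploitability(kv[1]), reverse=True)


# Constructed sample findings (hypothetical identifiers, for illustration only)
SAMPLE_FINDINGS = {
    "TM-01 unauthenticated network service": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "TM-02 debug port needing physical access": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
    "TM-03 low-privilege user escapes to host": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
}

if __name__ == "__main__":
    for name, vec in rank_by_exploitability(SAMPLE_FINDINGS):
        print(f"{exploitability(vec):4.1f}  {name}")
```

The sub-score alone is not the FDA's acceptance criterion; it is one input to the methodology and acceptance criteria you cite in the risk assessment, and the point of the example is that it measures attacker effort and preconditions rather than guessing a frequency.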
4. Risk Management – Software Bill of Materials (SBOM) and Related Information
Deliverables:
- Software Bill of Materials (SBOM) – A complete inventory of all software components in the device. Section 524B of the FD&C Act makes this a statutory requirement. The FDA expects machine-readable formats such as SPDX or CycloneDX.
- Software Support and End-of-Support Documentation – A document providing the software level of support and end-of-support date for each software component (including OTS/SOUP software) identified in the SBOM. For any component where this information is not available, you must provide a justification.
- Supported Operating Systems List – You must list the supported operating system(s) and associated version(s) your device uses. The eSTAR warns that listing operating systems that are no longer supported (such as Windows 7 or Mac OS 9) or nearing end of support will generally be considered an inaccurate response.
- Cybersecurity Vulnerability Assessment – A safety and security assessment of cybersecurity vulnerabilities in the component software used by the device for all software components in the SBOM, along with a description of any controls that address each vulnerability.
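The following is an added example, not code from the FDA or from any SBOM tool, showing how the support and end-of-support table can be generated straight from a CycloneDX JSON SBOM so that the document stays consistent with the inventory. The SBOM content is constructed, and the property names that carry the support level, end-of-support date, and justification are an assumption for this example; neither CycloneDX nor the FDA defines them.

```python
"""
Added example: derive the software support / end-of-support deliverable from a
CycloneDX SBOM and flag components that would draw an eSTAR deficiency
(past end of support, or no date and no justification).
"""
import json
from datetime import date, timedelta

# Assumed property names used to carry support data in the SBOM (hypothetical)
SUPPORT_LEVEL = "example:support-level"
END_OF_SUPPORT = "example:end-of-support"       # ISO date, YYYY-MM-DD
EOS_JUSTIFICATION = "example:eos-justification"  # used when no date is available

# Constructed sample SBOM (not a real device's inventory)
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "operating-system", "name": "example-rtos", "version": "4.2",
         "properties": [{"name": SUPPORT_LEVEL, "value": "vendor-supported"},
                        {"name": END_OF_SUPPORT, "value": "2029-06-30"}]},
        {"type": "library", "name": "example-tls", "version": "1.0",
         "properties": [{"name": SUPPORT_LEVEL, "value": "end-of-life"},
                        {"name": END_OF_SUPPORT, "value": "2023-12-31"}]},
        {"type": "library", "name": "example-ble-stack", "version": "3.0",
         "properties": [{"name": SUPPORT_LEVEL, "value": "vendor-supported"},
                        {"name": END_OF_SUPPORT, "value": "2026-09-30"}]},
        {"type": "library", "name": "example-json-parser", "version": "0.9",
         "properties": [{"name": EOS_JUSTIFICATION,
                         "value": "single-maintainer project; no published support policy"}]},
        {"type": "library", "name": "example-usb-stack", "version": "2.1"},
    ],
})


def _props(component: dict) -> dict:
    """Flatten a component's CycloneDX properties list into a name->value dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def support_table(sbom_json: str, as_of_iso: str, near_days: int = 365) -> list:
    """One row per component with status: ok, near-eos, past-eos, justified or missing."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    as_of = date.fromisoformat(as_of_iso)
    rows = []
    for c in bom.get("components", []):
        p = _props(c)
        eos = p.get(END_OF_SUPPORT)
        if eos:
            eos_date = date.fromisoformat(eos)
            if eos_date <= as_of:
                status = "past-eos"
            elif eos_date <= as_of + timedelta(days=near_days):
                status = "near-eos"  # the eSTAR treats "nearing end of support" as a concern
            else:
                status = "ok"
        elif p.get(EOS_JUSTIFICATION):
            status = "justified"   # no date available, but a justification is recorded
        else:
            status = "missing"     # neither a date nor a justification: deficiency
        rows.append({
            "component": f'{c["name"]}@{c.get("version", "?")}',
            "type": c.get("type"),
            "support": p.get(SUPPORT_LEVEL),
            "end_of_support": eos,
            "status": status,
        })
    return rows


def submission_blockers(rows: list) -> list:
    """Components that need remediation or a justification before submission."""
    return [r["component"] for r in rows if r["status"] in ("past-eos", "missing")]


if __name__ == "__main__":
    table = support_table(SAMPLE_SBOM, "2026-02-01")
    for r in table:
        print(f'{r["status"]:10} {r["component"]:28} eos={r["end_of_support"]}')
    print("blockers:", submission_blockers(table))
```

Running this against the real SBOM as part of the build keeps the support table and the SBOM from drifting apart, which is one of the easier ways to end up with an "inaccurate response" in the supported operating systems question.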
5. Assessment of Unresolved Anomalies
Deliverable: Unresolved Anomalies Cybersecurity Impact Assessment
You must attach an assessment of any unresolved anomalies (known bugs or defects) evaluated for cybersecurity impact. If no unresolved anomalies exist, you are still required to attach a document explicitly stating that fact. The FDA wants confirmation that every known defect has been evaluated through a cybersecurity lens, not just a functional one.
6. Cybersecurity Metrics
Deliverable: Cybersecurity Metrics Data (or Justification)
The eSTAR requires you to attach data from monitoring cybersecurity metrics. If metric data are unavailable, you must attach a justification explaining why. This deliverable reflects the FDA’s expectation that manufacturers are actively measuring and tracking cybersecurity posture throughout the development lifecycle, not simply performing a one-time assessment.
7. Cybersecurity Controls
Deliverable: Cybersecurity Controls Documentation
You must attach information on the security control categories included in the device. The eSTAR then requires you to cite exactly where in your documentation you address each of the following eight specific control categories:
- A) Authentication Controls
- B) Authorization Controls
- C) Cryptography Controls
- D) Code, Data, and Execution Integrity Controls
- E) Confidentiality Controls
- F) Event Detection and Logging Controls
- G) Resiliency and Recovery Controls
- H) Firmware and Software Update Controls
Each of these categories must be explicitly addressed and traceable within your documentation.
8. Architecture Views
Deliverable: Cybersecurity Architecture Views Document
The eSTAR requires a document containing four specific architectural views:
- Global System View – showing how the device fits within its broader network and data ecosystem
- Multi-Patient Harm View – illustrating scenarios where a cybersecurity compromise could affect multiple patients
- Updatability/Patchability View – demonstrating how the device receives security updates and patches
- Security Use Case Views – depicting how security functions operate in practice
These views may be included within the Threat Model documentation. If so, you must cite exactly where each view appears.
9. Cybersecurity Testing
Deliverable: Cybersecurity Testing Documentation and Test Reports
You must attach documentation describing all cybersecurity testing performed along with the associated test reports. The eSTAR specifies that cybersecurity testing includes, but may not be limited to:
- Security Requirements Testing
- Threat Mitigation Testing
- Vulnerability Testing
- Penetration Testing
If security testing was performed by a third party, you must provide the original third-party test report along with your own assessment of any findings. If particular testing was not performed, you must provide a justification explaining why.
10. Cybersecurity Labeling
Deliverable: Cybersecurity Labeling / Security Guide
The eSTAR requires you to cite the specific attachment(s) and page number(s) where cybersecurity information is documented in your product labeling. This typically takes the form of a Security Guide or cybersecurity-specific labeling document that communicates to end users the security capabilities, configuration requirements, and recommended practices for the device.
11. Cybersecurity Management Plan
Deliverable: Cybersecurity Management Plan
The Cybersecurity Management Plan is the postmarket-facing companion to all of the premarket documentation above. You must attach your plan and then cite specific page numbers where you address each of the following elements:
- Personnel responsible for cybersecurity
- Sources, methods, and frequency for monitoring and identifying vulnerabilities
- Process to identify and address vulnerabilities from the CISA Known Exploited Vulnerabilities Catalog
- Periodic security testing cadence
- Timeline to develop and release patches
- Update and patch deployment processes
- Patching capability, including the rate at which updates can be delivered to devices
- Coordinated vulnerability disclosure process
- How the manufacturer intends to communicate forthcoming remediations, patches, and updates to customers
- Description of and justification for timelines to make patches on a regular cycle and out of cycle
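As an added example of the KEV and patch-timeline elements working together (written for this post; not FDA, CISA, or eSTAR code), the block below cross-references the CVEs recorded in a component vulnerability assessment against a KEV catalog snapshot and checks each hit against the out-of-cycle patch commitment from a hypothetical management plan. The catalog snapshot, assessment entries, patch targets and CVE identifiers are all constructed placeholders; the catalog field names used (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed as this example assumes it.

```python
"""
Added example: match assessed component CVEs against a CISA KEV snapshot and
test the planned patch date against the management plan's out-of-cycle target.
"""
import json
from datetime import date, timedelta

# Patch-timeline commitments from a hypothetical Cybersecurity Management Plan
KEV_PATCH_DAYS = 30          # out-of-cycle target once a CVE appears in KEV
RANSOMWARE_PATCH_DAYS = 15   # tighter target when KEV records ransomware use

# Constructed KEV snapshot; CVE IDs are placeholders, not real entries
SAMPLE_KEV = json.dumps({
    "title": "constructed KEV snapshot", "catalogVersion": "example", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "example-tls",
         "dateAdded": "2026-01-10", "dueDate": "2026-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "example-usb-stack",
         "dateAdded": "2026-01-20", "dueDate": "2026-02-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed entries from a hypothetical component vulnerability assessment
SAMPLE_ASSESSMENT = [
    {"component": "example-tls@1.0", "cve": "CVE-0000-0001", "patch_planned": "2026-02-20"},
    {"component": "example-usb-stack@2.1", "cve": "CVE-0000-0002", "patch_planned": "2026-02-05"},
    {"component": "example-json-parser@0.9", "cve": "CVE-0000-0003", "patch_planned": None},
]


def load_kev(kev_json: str) -> dict:
    """Index a KEV catalog document by CVE identifier."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def kev_review(assessment: list, kev_json: str) -> list:
    """For each assessed CVE present in KEV, compute the plan's deadline and whether it is met."""
    kev = load_kev(kev_json)
    findings = []
    for item in assessment:
        entry = kev.get(item["cve"])
        if entry is None:
            continue  # not in KEV: handled by the regular-cycle timeline instead
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        target_days = RANSOMWARE_PATCH_DAYS if ransomware else KEV_PATCH_DAYS
        deadline = date.fromisoformat(entry["dateAdded"]) + timedelta(days=target_days)
        planned = item.get("patch_planned")
        on_time = planned is not None and date.fromisoformat(planned) <= deadline
        findings.append({
            "component": item["component"],
            "cve": item["cve"],
            "ransomware_use": ransomware,
            "kev_due_date": entry.get("dueDate"),   # CISA's own federal deadline, for reference
            "plan_deadline": deadline.isoformat(),
            "patch_planned": planned,
            "on_time": on_time,
        })
    return findings


def escalations(findings: list) -> list:
    """Components whose planned patch misses the management plan's commitment."""
    return [f["component"] for f in findings if not f["on_time"]]


if __name__ == "__main__":
    review = kev_review(SAMPLE_ASSESSMENT, SAMPLE_KEV)
    for f in review:
        flag = "OK  " if f["on_time"] else "LATE"
        print(f'{flag} {f["component"]:26} {f["cve"]} deadline={f["plan_deadline"]} planned={f["patch_planned"]}')
    print("escalate:", escalations(review))
```

The output is the kind of evidence that backs the "process to identify and address vulnerabilities from the CISA Known Exploited Vulnerabilities Catalog" line in the plan: a repeatable check, run against each KEV update, that ties every hit to a dated commitment.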
Why This Matters in 2026
Several factors make 2026 a pivotal year for cybersecurity premarket submissions. The QMSR, effective February 2026, harmonizes FDA’s quality system requirements with ISO 13485 and directly maps cybersecurity risk management into your quality management system. The FDA’s final guidance from June 2025 codified all of the expectations above and added Section VII specifically addressing Section 524B statutory requirements for cyber devices.
Submissions that fail to address these eSTAR cybersecurity sections completely and accurately face Technical Screening holds, Refuse to Accept decisions, or outright denial based solely on cybersecurity deficiencies. The days of treating cybersecurity documentation as an afterthought are over.
Getting Started
The scope of documentation required is substantial, but it is also well-defined. Manufacturers who build these deliverables into their design and development process from the earliest phases will find the eSTAR cybersecurity section far less daunting than those who try to retrofit documentation at the end.
Start by confirming whether your device meets the Section 524B definition of a “cyber device” (software-enabled, internet-connectable, and containing characteristics vulnerable to cybersecurity threats). Then map each of the 11 eSTAR attachment categories above to owners within your organization and begin building the documentation alongside your product development, not after it.
