Common FDA Cybersecurity AI Deficiency Questions in Response to Submissions

FDA Submission AI Questions

The FDA’s 2023 and 2025 cybersecurity guidance documents highlight recurring deficiencies, including missing threat models, inadequate testing evidence, unsupported software, and lack of traceability. ELTON addresses these challenges through digital-twin-driven vulnerability management, comprehensive cybersecurity testing, and documentation that links risks, SBOM components, and controls to enable defensible, FDA-ready submissions. With more than a decade supporting manufacturers, ELTON has repeatedly seen the same boilerplate deficiency questions. ELTON was built to pre-empt these issues, allowing customers to de-risk submissions by applying SOPs that automate the advanced activities FDA expects, work that would otherwise require significant manual effort.

Threat Modeling

FDA Question:
“Based on the information provided in your submission, your device meets the definition of a cyber device under Section 524B(c) of the Federal Food, Drug, and Cosmetic Act. However, you did not provide threat modeling documentation. Threat modeling documentation is important to comply with the requirement specified in section 524B(b)(2) of the FD&C Act to provide a reasonable assurance that the device and related systems are cybersecure. Therefore, please provide threat modeling documentation that includes an assessment of your assets, threats, vulnerabilities, and controls, as described in Section V.A.1 of FDA’s cybersecurity guidance. When submitting, please also include the following:

a. Identification of and justification for the methodology used (e.g., STRIDE, Attack Trees, Kill Chain, DREAD).
b. Consideration of all end-to-end system elements, including networks and update infrastructure.
c. Architecture or sequence diagrams showing how threats and mitigations apply.”

ELTON Response:
ELTON creates a digital twin of the device, integrating SBOM data, vulnerabilities, and architecture into machine-readable models. Threat modeling is layered on this foundation, aligning regulatory documentation with post-market vulnerability disposition. Outputs include exploitable path analysis, vulnerability chaining, and mitigations, all with traceability across assets and controls.

Authorization Controls

FDA Question:
“You provided documentation on cybersecurity controls; however, you did not provide adequate information on authorization controls. While you reference that there are different levels of privileging, you do not describe these levels or how permissions are granted and controlled. Please provide a description of how authorization is addressed in the design and define the privileges each role has on the device, including any differences in connectivity. Additionally, please provide the authentication processes associated with each authorization level.”

ELTON Response:
ELTON testing identifies weaknesses in privilege boundaries. Findings are linked back to system controls and roles, creating traceable outputs that demonstrate compliance.

Confidentiality Controls

FDA Question:
“You referenced the use of Transport Layer Security (TLS) or Secure Shell (SSH) as well as asymmetric encryption, but you did not provide details describing these controls nor clearly describe where in your system architecture they are implemented. Some versions of TLS and SSH are no longer secure. Please provide a description of confidentiality controls implemented for data transfer and justify why the encryption algorithms provide sufficient security.”

ELTON Response:
ELTON vulnerability management identifies outdated cryptographic libraries and configurations. Testing confirms implementation details, and results are tied back to scope and confidentiality controls.

Integrity Controls

FDA Question:
“You referenced the use of TLS, SSH, and checksums but did not describe how integrity is enforced or validated. Non-cryptographic checksums are not considered security integrity controls. Please provide a description of the integrity controls used to secure data transfer and justify why they are sufficient. Update design documentation if necessary.”

ELTON Response:
ELTON’s testing confirms whether integrity protections are cryptographic and effective. Findings are documented and linked directly to integrity controls within scope.
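The FDA question above draws a line between non-cryptographic checksums and cryptographic integrity controls. The following Python example, added here and not part of the original page or of ELTON, shows why: a CRC32 detects accidental corruption but can be recomputed by anyone, so a verifier that trusts it cannot tell a legitimate payload from one altered in transit, whereas an HMAC-SHA256 tag cannot be produced without the shared key. The manifest, the key and the "altered in transit" scenario are constructed for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a firmware-update manifest as it would be sent over the wire.
MANIFEST = b'{"device":"example-pump","fw":"2.1.0","size":1048576}'

# Hypothetical shared secret provisioned on both sender and device (constructed).
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def crc32_tag(data: bytes) -> int:
    """Non-cryptographic checksum: detects accidental corruption only."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(data: bytes, key: bytes) -> bytes:
    """Cryptographic integrity tag: cannot be produced without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_crc(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def verify_hmac(data: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest keeps the comparison itself constant-time.
    return hmac.compare_digest(hmac_tag(data, key), tag)


def integrity_comparison() -> dict:
    """Report what each control detects for two kinds of change.

    Case 1: accidental corruption (a single bit flip) -- both controls notice.
    Case 2: the payload is changed in transit and the CRC is recomputed from
    the new payload, which needs no secret; the HMAC cannot be recomputed,
    so the original tag is all that is available and no longer matches.
    """
    crc_sent = crc32_tag(MANIFEST)
    mac_sent = hmac_tag(MANIFEST, INTEGRITY_KEY)

    corrupted = bytearray(MANIFEST)
    corrupted[10] ^= 0x01
    corrupted = bytes(corrupted)

    altered = MANIFEST.replace(b'"fw":"2.1.0"', b'"fw":"1.0.0"')

    return {
        "crc_detects_corruption": not verify_crc(corrupted, crc_sent),
        "hmac_detects_corruption": not verify_hmac(corrupted, mac_sent, INTEGRITY_KEY),
        # A CRC recomputed over altered data passes: the check proves nothing.
        "crc_detects_alteration": not verify_crc(altered, crc32_tag(altered)),
        # Without the key, the original HMAC is the only tag available; it fails.
        "hmac_detects_alteration": not verify_hmac(altered, mac_sent, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    for name, detected in integrity_comparison().items():
        print(f"{name}: {'detected' if detected else 'NOT detected'}")
```

The two "detects_corruption" results come out identical, which is why a checksum looks adequate in functional testing; only the "detects_alteration" row separates a transport-error check from a security integrity control, and that is the distinction the reviewer is asking the submission to document.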

Device Hardening

FDA Question:
“You stated that multiple USB and external interface ports are enabled but did not describe how they are secured by default. You also rely on directory accounts but did not specify whether hardcoded or local accounts are used. Adequate hardening includes removing default passwords, disabling unused services, and restricting unnecessary interfaces. Please provide detailed hardening measures and updated design documentation and testing.”

ELTON Response:
ELTON testing evaluates exposed interfaces, default accounts, and unused functionality. Results are linked to system architecture and controls, producing FDA-ready traceability.

Event Detection and Incident Response

FDA Question:
“Your device relies upon networking for intended use; however, you did not provide information on detection, response, and recovery in the event of a cybersecurity incident. Please describe the incident response plan for the device, including how you will detect, respond to, and recover from incidents such as denial of service, ransomware, or malware. Provide testing that demonstrates the effectiveness of the plan.”

ELTON Response:
ELTON functions as a managed product security operations center. When a vulnerability is detected in a specific release, ELTON alerts the manufacturer to act and notify affected customers, enabling automated detection, response, and incident recovery.

Antivirus and Malware Protections

FDA Question:
“Your device uses operating systems capable of supporting antivirus and anti-malware protections. Please detail the antivirus/anti-malware capabilities implemented. If such protections are not used, update the device to add them or provide a rationale for why they are unnecessary.”

ELTON Response:
ELTON vulnerability management highlights unsupported or unprotected OS components. Test results confirm mitigation and are linked back to system-level controls.

Cybersecurity Testing

FDA Question:
“You provided cybersecurity testing; however, the documentation is inadequate. A summary was provided rather than a full report with methodologies, scope, and results. Penetration testing is expected for this type of device, and test reports should include:

a. Independence and expertise of testers.
b. Scope of testing.
c. Duration of testing.
d. Methods employed.
e. Results, findings, and observations.”

ELTON Response:
ELTON incorporates penetration testing, fuzzing, and static/dynamic analysis into the vulnerability discovery process during both premarket and annual evaluations. Reports document methodology, scope, and results, with each finding traceable to risks and system controls. To date, ELTON has delivered more than 600 FDA-accepted cybersecurity reports supporting successful submissions.

Cybersecurity Controls Documentation

FDA Question:
“You referenced a traceability table mapping risks to controls, but the controls lacked details. Please provide documentation on cybersecurity controls implemented as recommended in FDA guidance.”

ELTON Response:
ELTON substantiates the presence of risk controls by linking vulnerabilities and test results directly to control objectives, with test cases mapped accordingly. This ensures full traceability across the risk and control framework.

End-of-Life Software Components

FDA Question:
“Your SBOM indicates that you are using software components that have passed their end-of-support date. Unsupported software cannot be patched and accumulates vulnerabilities. Please provide assurance of continued maintenance or upgrade to supported versions.”

ELTON Response:
ELTON continuously monitors SBOM components against lifecycle data. End-of-life vulnerabilities are flagged, and traceable outputs show risk impacts tied to system scope.

Updateability and Patchability

FDA Question:
“You stated that updateability and patchability views were inapplicable and provided only a high-level justification. Please provide a detailed justification or updateability/patchability views as recommended in FDA guidance.”

ELTON Response:
ELTON outputs patchability findings tied to vulnerabilities and controls. Results are mapped to system scope to support FDA-required documentation.

Expanded Threat Model Detail

FDA Question:
“You provided a threat model, but it was not adequate. It did not identify device risks and mitigations, state assumptions about hostile networks, capture supply chain or interoperability risks, or include all end-to-end system elements such as cloud infrastructure and update processes. Please update and provide a complete threat model.”

ELTON Response:
ELTON expands vulnerability management outputs within the digital twin to include hostile assumptions, supply chain risks, and interoperability findings. Each is mapped to scope and controls.

SBOM Format

FDA Question:
“You provided a software bill of materials (SBOM), but it could not be opened or was not in machine-readable format. Please provide an updated SBOM in an accepted format such as CycloneDX, consistent with NTIA minimum elements.”

ELTON Response:
ELTON ingests software and hardware bills of materials, in effect creating a living SBOM; SBOMs are validated in CycloneDX format. Findings are traceable to SBOM entries, vulnerabilities, and system scope.
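Two of the deficiency questions above concern the SBOM itself: the End-of-Life Software Components question (components past their end-of-support date) and the SBOM Format question (machine-readable CycloneDX consistent with the NTIA minimum elements). The Python example below, added here and not part of the original page or of ELTON's tooling, serves both: it parses a constructed CycloneDX JSON document, checks each component for the NTIA minimum elements (supplier, name, version, unique identifier, dependency relationship, plus SBOM author and timestamp), and flags components whose end-of-support date has passed according to a constructed lifecycle table. Component names, versions, dates and the lifecycle table are invented for the example.

```python
import json
from datetime import date

# Constructed CycloneDX 1.5 JSON document standing in for a submitted SBOM.
# All names, versions and dates are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2025-01-15T10:00:00Z",
        "authors": [{"name": "Example Medical Devices Inc."}],
        "component": {"type": "device", "name": "example-pump",
                      "version": "2.1.0", "bom-ref": "pump"},
    },
    "components": [
        {"type": "operating-system", "bom-ref": "os", "name": "example-os",
         "version": "7.0", "supplier": {"name": "Example OS Vendor"},
         "purl": "pkg:generic/example-os@7.0"},
        {"type": "library", "bom-ref": "tls", "name": "example-tls",
         "version": "1.0.2", "supplier": {"name": "Example Crypto Project"},
         "purl": "pkg:generic/example-tls@1.0.2"},
        # Deliberately incomplete entry: no supplier, no identifier, no dependency record.
        {"type": "library", "bom-ref": "log", "name": "example-logger",
         "version": "3.4.1"},
    ],
    "dependencies": [
        {"ref": "pump", "dependsOn": ["os", "tls", "log"]},
        {"ref": "os", "dependsOn": []},
        {"ref": "tls", "dependsOn": []},
    ],
})

# Constructed lifecycle table: (component name, version) -> end-of-support date.
LIFECYCLE = {
    ("example-os", "7.0"): date(2024, 6, 30),
    ("example-tls", "1.0.2"): date(2019, 12, 31),
}


def validate_ntia_minimum_elements(sbom_json: str) -> list:
    """Return a list of findings; an empty list means the minimum elements are present."""
    findings = []
    try:
        bom = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return [f"SBOM is not valid JSON: {exc}"]
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    meta = bom.get("metadata", {})
    if "timestamp" not in meta:
        findings.append("metadata.timestamp (NTIA timestamp) missing")
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata.authors/tools (NTIA author of SBOM data) missing")
    # A component has a recorded dependency relationship when it appears as a
    # "ref" in the dependencies array, even if its own dependsOn list is empty.
    refs_in_deps = {d.get("ref") for d in bom.get("dependencies", [])}
    for comp in bom.get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        if not comp.get("name"):
            findings.append("component without name")
        if not comp.get("version"):
            findings.append(f"{label}: version missing")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: supplier name missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in refs_in_deps:
            findings.append(f"{label}: no dependency relationship entry")
    return findings


def end_of_life_components(sbom_json: str, lifecycle: dict, today_iso: str) -> list:
    """Return labels of components whose end-of-support date is before today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    bom = json.loads(sbom_json)
    eol = []
    for comp in bom.get("components", []):
        key = (comp.get("name"), comp.get("version"))
        end = lifecycle.get(key)
        if end is not None and end < today:
            eol.append(f"{key[0]}@{key[1]} (unsupported since {end.isoformat()})")
    return eol


if __name__ == "__main__":
    for finding in validate_ntia_minimum_elements(SAMPLE_SBOM):
        print("NTIA:", finding)
    for item in end_of_life_components(SAMPLE_SBOM, LIFECYCLE, "2025-01-15"):
        print("EOL:", item)
```

Run against the sample, the validator reports only the incomplete logger entry (missing supplier, identifier and dependency record), and the lifecycle check flags the operating system and the TLS library as past end-of-support; the EOL check is a plain table match on name and version, so it is only as good as the lifecycle data it is fed.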

Cybersecurity Risk Management Report

FDA Question:
“You provided a cybersecurity risk management report, but it did not show a separate security risk assessment or summarize outcomes from threat modeling, SBOM analysis, vulnerability assessments, or anomaly reviews. It also lacked traceability between documents. Please update and provide a comprehensive report.”

ELTON Response:
ELTON integrates findings into a Cybersecurity FMEA, producing reports that summarize vulnerabilities, risks, and mitigations with full traceability to scope and controls.

Software Description

FDA Question:
“You did not provide a comprehensive description of your software or firmware. A software description is necessary to evaluate implementation, risk mitigation, and testing. Please provide a complete overview or reference to supporting documentation.”

ELTON Response:
ELTON ensures SBOM-based vulnerability findings are aligned with software descriptions, maintaining traceability back to testing and scope.

Software Bug and Patch

FDA Question:
“You identified a software bug and proposed a patch, but the submission did not include documentation of the bug, patch, or regression testing. Please provide full documentation including root cause, patch version control, and regression test results.”

ELTON Response:
ELTON captures remediation of vulnerabilities and regression testing evidence (new test results to evidence closure), linking them to scope and controls for FDA-ready traceability.

Continued Support

FDA Question:
“You did not provide adequately detailed information on how you will monitor, identify, and address vulnerabilities once the device is deployed, including end-of-life planning. Please provide a complete cybersecurity management plan.”

ELTON Response:
ELTON monitors SBOMs for new vulnerabilities and produces traceable outputs showing the evolving risk posture, supporting FDA-required continued support documentation.

Coordinated Vulnerability Disclosure

FDA Question:
“You did not provide adequate information on coordinated vulnerability disclosure or how users will be notified of critical vulnerabilities. Please provide an updated cybersecurity management plan with disclosure procedures.”

ELTON Response:
ELTON outputs vulnerability findings traceable to disclosure workflows, ensuring FDA can see how risks are identified and communicated.

Patch Release Timelines

FDA Question:
“You did not provide timelines for releasing patches, including critical updates. Please provide justifications for patch cycles and critical patch handling.”

ELTON Response:
ELTON prioritizes vulnerabilities by exploitability and severity. Findings are linked to patchability controls, supporting FDA justification of patch release timelines.

Labeling

FDA Question:
“You did not provide cybersecurity labeling. Labeling should include device interfaces, update instructions, antivirus requirements, incident response guidance, SBOM information, and infrastructure dependencies.”

ELTON Response:
ELTON supports labeling by automating activities that inform customers of product impact, such as identifying whether a vulnerability does or does not affect the device, helping transition appropriate responsibilities from manufacturer to customer.

Closing

FDA reviewers consistently raise the same issues: missing vulnerability documentation, inadequate testing evidence, and lack of traceability across controls. ELTON helps manufacturers close these gaps with outputs that are submission-ready:

  • Vulnerability management evidence from digital twin and SBOM analysis.

  • Cybersecurity testing reports including penetration, fuzzing, and static/dynamic analysis.

  • Traceability linking vulnerabilities, risks, and controls across the entire system scope.

These three elements ensure FDA questions are met with complete, defensible responses, helping manufacturers move confidently toward clearance.
