What Happens When the FDA Flags a Cybersecurity Deficiency in Your Submission
Summary
When the FDA flags a cybersecurity deficiency in a medical device submission, manufacturers are typically given 180 days to respond through an Additional Information (AI) process, which often cites missing eSTAR documentation such as a threat model, cybersecurity views, risk management plan, or testing reports. If clarification is needed, a Submission Issue Request (SIR) can be filed to resolve disagreements before resubmission. ELTON streamlines this entire process by producing submission-ready vulnerability assessments, CVSS scoring, and digital twin architecture views that directly satisfy FDA documentation expectations. Beyond submission support, ELTON operationalizes these same workflows within the Cybersecurity Risk Management Plan to ensure continuous vulnerability monitoring and postmarket compliance.
When a medical device submission includes cybersecurity documentation, such as an SBOM, threat model, or vulnerability assessment, it undergoes detailed review by the FDA’s cybersecurity team. Increasingly, that review results in cybersecurity deficiencies, which require manufacturers to provide additional evidence, justification, or documentation before the submission can proceed.
Step 1: The “Additional Information” (AI) Request
When deficiencies are identified, the FDA issues an Additional Information (AI) Request. This letter lists the areas where the submission does not yet meet FDA expectations, often organized by deficiency type or related eSTAR section.
Common cybersecurity deficiencies include:
- Missing or incomplete Threat Model that fails to define assets, interfaces, or attack vectors.
- Absent or outdated Cybersecurity Risk Management Plan outlining how risk controls are defined and verified throughout the lifecycle.
- Lack of a Cybersecurity Risk Assessment that ties vulnerabilities and mitigations back to patient safety or essential performance.
- Missing Cybersecurity Risk Management Report summarizing the effectiveness of implemented controls.
- Insufficient Cybersecurity Testing Reports (e.g., penetration testing, vulnerability scanning, fuzz testing) or lack of traceability between test results and risk controls.
- Missing or incomplete Cybersecurity Views (architecture, data flow, or system-level representations).
- SBOMs without traceable vulnerability assessments or justification for residual risk.
Each of these elements is now explicitly referenced within the eSTAR template and expected to be included in all 510(k), De Novo, or PMA submissions involving software or connectivity.
Step 2: Understanding the Response Timeline
After receiving an AI letter, the manufacturer has 180 calendar days to respond. This timeframe includes any additional testing, documentation updates, and clarifications required to close out the deficiencies.
Failure to respond within this period results in automatic withdrawal of the submission.
Step 3: Using a Submission Issue Request (SIR)
If a sponsor believes a cybersecurity deficiency is unclear, duplicative, or not aligned with prior FDA feedback, they may file a Submission Issue Request (SIR) through the Q-Submission (Q-Sub) process.
A SIR allows the sponsor to ask the FDA for clarification or reconsideration of specific issues in the AI letter.
The FDA typically provides a written response within 21 days, helping ensure that any follow-up actions are based on a shared understanding before significant rework begins.
Step 4: How ELTON Simplifies Cybersecurity Deficiency Responses
ELTON was designed to help manufacturers avoid, and quickly resolve, cybersecurity deficiencies. The platform automates the most time-consuming parts of the process:
- Streamlined vulnerability testing and analysis provides defensible evidence that can be directly included in FDA submissions.
- Automated CVSS scoring and justification ensure every vulnerability in the SBOM is appropriately rated, traceable, and supported by documentation.
- Digital twin architecture mapping creates the required “cybersecurity views” and establishes a traceable foundation for the threat model and risk management report.
- Continuous vulnerability monitoring operationalizes the Cybersecurity Risk Management Plan, ensuring postmarket obligations are met through ongoing surveillance and re-scoring of new vulnerabilities.
Step 5: Closing the Loop
Once deficiencies are resolved, either through an AI response or a successful SIR, the FDA resumes review. Submissions that incorporate defensible, automated evidence (like ELTON’s vulnerability assessments) typically move faster and require fewer clarifications, since all cybersecurity documentation is internally consistent and traceable.
Why It Matters
Cybersecurity deficiencies are increasingly common as regulators raise expectations for transparency, traceability, and lifecycle management. A clear, evidence-driven approach, supported by tools like ELTON, helps teams stay ahead of those expectations while reducing the time, cost, and uncertainty of remediation. ELTON bridges the gap between testing and compliance by transforming cybersecurity evidence into structured, submission-ready outputs—and by embedding those same processes into your Cybersecurity Risk Management Plan for ongoing postmarket compliance.
