eSTAR Submission Documentation
This chapter details the specific cybersecurity documentation required for FDA's enhanced Security and Technology Architecture Review (eSTAR) process.
This chapter covers how to turn the security work you did during development into the documentation package FDA actually reviews. It starts by separating what's legally required from what's expected. Under Section 524B of the FD&C Act, cyber devices must include a cybersecurity management plan, a software bill of materials, and evidence of security controls. Beyond that, FDA expects every device with software to submit security architecture views, a threat model, a security risk assessment, security controls documentation, a safety and security risk integration analysis, security test reports, and cybersecurity labeling. Skip any of these and you can expect a deficiency letter.
The recurring theme across sections 6.3 through 6.11 is evolution, not recreation. Each artifact you need for eSTAR should grow out of a document you already built during development: architecture views from Chapter 3.5, the threat model from Chapter 3.6, the risk assessment from Chapter 3.7, controls and testing from Chapter 4, and the postmarket management plan from Chapter 5. What changes for submission is the audience. You add clinical impact analysis to every significant threat and risk, expand explanatory text so a reviewer who has never seen your device can follow it, and build traceability that links threat IDs to risk IDs to control IDs to test cases across every document.
The closing sections deal with the review itself. Section 6.12 walks through the ten most common submission pitfalls, things like inconsistent cross-references, generic boilerplate, and missing clinical context, all of which delay clearance even when the underlying security work is solid. Section 6.13 covers organizing the package for efficient reviewer navigation and using the Q-Submission program to get FDA feedback on novel approaches before you file. The chapter ends with the success factors that separate smooth clearances from multi-cycle reviews: early integration of documentation planning, consistent IDs, and writing for the reviewer rather than for your own team.
- Section 6.1 · 1 min · Introduction: Your Cybersecurity Story for FDA
  Imagine you're telling FDA the complete story of how your device stays secure. Every document you submit is a chapter in that story - from how you identified threats to how you'll handle problems afte…
- Section 6.2 · 1 min · Understanding eSTAR Requirements
  eSTAR requires three legally mandated cybersecurity documents for cyber devices under Section 524B: a cybersecurity management plan, a software bill of materials, and evidence of security controls. In…
- Section 6.3 · 5 min · Security Architecture Views for eSTAR Submission
  FDA expects at least four security architecture views in your submission: a global system view, a multi-patient harm view, an updateability and patchability view, and security use case views. The effi…
- Section 6.4 · 7 min · Threat Model Documentation for eSTAR Submission
  Threat model documentation for eSTAR must show systematic coverage of your device's attack surface, link each significant threat to potential patient harm, and map every threat to a mitigation and a r…
- Section 6.5 · 9 min · Cybersecurity Risk Assessment Documentation for eSTAR Submission
  Your cybersecurity risk assessment for eSTAR must show every threat from the threat model converted to a risk, scored with medical device context, evaluated before and after mitigation, and tied to sp…
- Section 6.6 · 10 min · Security Controls Documentation for eSTAR Submission
  Security controls documentation for eSTAR must cover FDA's eight control categories: authentication, authorization, cryptography, code and data integrity, confidentiality, event detection and logging,…
- Section 6.7 · 10 min · Safety and Security Risk Integration Documentation for eSTAR Submission
  Safety and security risk integration documentation shows FDA how your cybersecurity risk process connects to ISO 14971 safety risk management: which security risks could cause patient harm, how those …
- Section 6.8 · 11 min · SBOM Analysis and Documentation for eSTAR Submission
  Section 524B legally requires a machine-readable SBOM covering all commercial, open-source, and off-the-shelf software in your device, with the NTIA minimum elements (https://www.ntia.gov/report/2021/m…
- Section 6.9 · 16 min · Security Testing Documentation for eSTAR Submission
  FDA expects four categories of security testing evidence in an eSTAR submission: security requirements testing, threat mitigation testing, vulnerability testing per ANSI/ISA 62443-4-1, and penetration…
- Section 6.10 · 19 min · Cybersecurity Management Plan Documentation for eSTAR Submission
  A cybersecurity management plan is legally required for cyber devices under Section 524B(b)(1) of the FD&C Act (https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity). It m…
- Section 6.11 · 18 min · Cybersecurity Labeling Documentation for eSTAR Submission
  Cybersecurity labeling gives users the information they need to deploy and maintain your device securely, and FDA treats it as part of "adequate directions for use" under Section 502(f). Effective lab…
- Section 6.12 · 12 min · Common eSTAR Submission Pitfalls and How to Avoid Them
  The most common eSTAR cybersecurity pitfalls are documentation problems rather than security problems: inconsistent IDs across documents, missing clinical context, generic boilerplate, and submissions…
- Section 6.13 · 9 min · FDA Review Preparation and Q-Submission Strategy
  The best way to prepare for FDA review is to organize your submission so a reviewer can follow your security story without hunting, and to use the Q-Submission program for early FDA feedback on novel …
- Section 6.14 · 8 min · Key Takeaways and Success Factors
  This chapter has guided you through the complete journey from cybersecurity development work to FDA submission success. The key insight is that excellent technical cybersecurity implementation alone i…