CyberMed

Understanding eSTAR Requirements


eSTAR requires three legally mandated cybersecurity documents for cyber devices under Section 524B: a cybersecurity management plan, a software bill of materials, and evidence of security controls. In practice, FDA also expects nine more artifacts from any device with software, and missing any of them usually draws a deficiency letter.

This distinction is helpful to understand, but in the end, if you want your device cleared, you’ll need to submit everything FDA asks for. Under Section 524B of the FD&C Act, certain documents are legally required for "cyber devices." But FDA expects additional documentation from ALL devices with software.

Legally Required (for Cyber Devices)

According to FDA's 2023 premarket cybersecurity guidance (and 2025 update), if your device meets the definition of a "cyber device" under Section 524B(c), you MUST provide:

  1. Cybersecurity Management Plan
  2. Software Bill of Materials (SBOM)
  3. Evidence of security controls

In reality, however, you’ll need to submit quite a bit more.

FDA Expected (for All Devices with Software)

While technically "recommendations," FDA will likely issue deficiencies if these are missing:

  1. Security Architecture Views (4+ types)
  2. Threat Model
  3. Security Risk Assessment
  4. Security Controls Documentation
  5. Safety and Security Risk Integration Analysis
  6. Unresolved Anomalies Assessment
  7. Software Level of Support
  8. Security Test Reports
  9. Cybersecurity Labeling

6.2.2 The eSTAR Navigation

eSTAR (electronic Submission Template And Resource) is FDA's structured format for device submissions. It has been mandatory for all 510(k) submissions since October 1, 2023. For cybersecurity, you'll primarily work in:

  • Section 17: Software - For software documentation
  • Section 18: Cybersecurity - For security-specific documents
  • Attachments - For detailed artifacts

Each document needs to tell its part of your security story while connecting to the others.

For a document-by-document inventory of both the software and cybersecurity attachments, see "The 24+ documents FDA requires for software and cybersecurity." For a condensed overview of the cybersecurity evidence, see "What information FDA is expecting for cyber devices."
