Navigating Cybersecurity during FDA eSTAR Submissions
1.0 Purpose
With the introduction of the FDA’s Electronic Submission Template (eSTAR), the FDA has established a standardized, structured approach to medical device submissions. This process requires manufacturers to submit well-organized, detailed artifacts that demonstrate the security and risk management measures implemented in their devices. This guide will walk through eSTAR cybersecurity requirements for premarket application (PMA), de novo, and premarket notification 510(k) submissions, as well as device modifications to previously authorized devices.
2.0 Getting Started with eSTAR
eSTAR can be downloaded from the following website: https://www.fda.gov/medical-devices/how-study-and-market-your-device/estar-program. Once downloaded and opened, and a submission type is selected, many non-security prompts must be responded to. The first prompt in eSTAR for cybersecurity addresses whether the sponsored device being submitted has been authorized before or not. Device modifications, such as a letter to file, are now submitted via eSTAR in addition to new submissions. The submission requirements for modifications depend on whether the changes made to the system impact security or not.
For new 510(k), de novo, and PMA submissions, select “No, the device was not previously authorized”, and proceed to Section 3.0 of this document for guidance on completing the cybersecurity portion of eSTAR.
For previously authorized devices with changes impacting security, select “No, the cybersecurity of the authorized device is affected”, and proceed to Section 3.0 of this document for guidance on completing the cybersecurity portion of eSTAR.
Per the FDA Premarket Guidance and eSTAR: “Changes that may impact cybersecurity and may require premarket submission could include changes to authentication or encryption algorithms, new connectivity features, or changing software update process/mechanisms.”
For previously authorized devices with changes not impacting security, select “Yes, the cybersecurity of the authorized device is unaffected”, and proceed to Section 4.0 of this document for guidance on completing the cybersecurity portion of eSTAR.
Per the FDA Premarket Guidance and eSTAR: “Changes unlikely to impact cybersecurity could include changes in materials, sterilization method changes, or a change to an algorithm without change to architecture/software structure/connectivity.”
3.0 eSTAR Cybersecurity Requirements for New Submissions and Device Modifications with Changes Impacting Security
This section details the prompts within the Cybersecurity Section of the FDA eSTAR Submission System version 5.6. Artifacts required to be attached to an eSTAR submission, along with references to sections within the FDA’s Premarket Cybersecurity Guidance that cover these artifacts and related processes, are listed below (with FDA Premarket section references in parentheses):
Security Risk Management Plan (VI.B)
Threat Modeling and Security Architecture Report V.A.1, V.B.2)
Cybersecurity Risk Assessment Report (V.A.2, V.A.3)
Software Bill of Materials (SBOM) (V.A.4, VI.A)
SBOM Support Report (V.A.4.a)
Software Component Risk Management Report (V.A.4)
Unresolved Anomalies Risk Management Report (V.A.5)
Cybersecurity Metrics Report (V.A.6)
Cybersecurity Control Report (V.B.1)
Cybersecurity Testing Report (V.C)
Cybersecurity Labeling Report (VI.A)
Security Risk Management Report (V.A, VI.B)
3.1 Security Risk Management Report
The Security Risk Management Report summarizes all security activities performed during the premarket development process and includes cybersecurity traceability, justifications for any residual risks, and deviations from the Security Risk Management Plan.
3.2 Threat Modeling and Security Architecture Report
A Threat Model captures cybersecurity vulnerabilities and the mitigations necessary to control said vulnerabilities. Security Architecture Views similarly summarize and communicate the security mitigations and controls with diagrams and textual descriptions. At Velentium Medical, we include several threat models and architecture views in the Threat Modeling and Security Architecture Report.
3.3 Cybersecurity Risk Assessment Report
A Cybersecurity Risk Assessment must be performed on the vulnerabilities (or risks) identified during threat modeling. This assessment includes a pre-mitigation and post-mitigation evaluation based upon exploitability and severity.
3.4 Software Bill of Materials (SBOM) and Related Reports
SBOMs contain lists of third-party software components included in the first-party software within the medical device system. Additional reports must also be generated that describe support information for the listed third-party components and an assessment of vulnerabilities affecting the same third-party components.
3.5 Unresolved Anomalies Risk Management Report
Following Verification and Validation, any unresolved software bugs in the final release of the system must be assessed for security.
3.6 Cybersecurity Metrics Report
Cybersecurity metrics must be gathered during update and patching events in fielded products, and these metrics must be documented in a Cybersecurity Metrics Report. This report pertains to all products and systems developed by the manufacturer, including devices already on the market. The report must include past metric information if available and applicable, and it must define the metrics that will be gathered for the product being submitted in the future.
3.7 Cybersecurity Controls Report
A Cybersecurity Controls Report summarizes all security mitigations and controls implemented in the system per Appendix 1 of the FDA’s Premarket Cybersecurity Guidance.
3.8 Cybersecurity Testing Report
All security testing performed must be summarized in a Cybersecurity Testing Report, which will reference all individual testing reports from each discrete testing activity. These additional reports need to be appended and included with the Cybersecurity Testing Report.
3.9 Cybersecurity Labeling
Manufacturers must communicate specific cybersecurity information to end users in the product labeling and Instructions for Use (IFU).
3.10 Security Risk Management Plan
Although mentioned last, the Security Risk Management Plan (SRMP) should be the first document generated and maintained as part of a secure development process. The SRMP summarizes all plans and procedures for premarket and post-market activities, as well as the security goals for the project, the secure product development framework used for the system with references to QMS and governance structures, roles and responsibilities, and much more.
4.0 eSTAR Cybersecurity Requirements for Device Modifications with Changes Not Impacting Security
This section details the prompts within the Cybersecurity Section of the FDA eSTAR Submission System version 5.6 for device modification submissions that do not impact cybersecurity. The artifacts required to be attached to an eSTAR submission for these scenarios are listed below:
Security Risk Management Plan (VI.B)
Software Bill of Materials (SBOM) (V.A.4, VI.A)
SBOM Support Report (V.A.4.a)
Software Component Risk Management Report (V.A.4)
Uncontrolled Risk Report (VII.D.2)
Uncontrolled Risk Remediation Report (VII.D.2)
4.1 Software Bill of Materials (SBOM) and Related Reports
SBOMs contain lists of third-party software components included in the first-party software within the medical device system. Additional reports must also be generated that describe support information for the listed third-party components and an assessment of vulnerabilities affecting the same third-party components.
4.2 Vulnerabilities with Uncontrolled Risk Documentation
Per the FDA’s Postmarket Cybersecurity Guidance, critical or catastrophic vulnerabilities are those that could cause permanent impairment or life-threatening injury or that could cause patient death, respectively. Uncontrolled risks arise from vulnerabilities that are critical in severity of patient harm and medium or high in exploitability, or uncontrolled risks arise from vulnerabilities that are catastrophic in severity of patient harm. Present uncontrolled risks must be documented in the Uncontrolled Risk Report, and the Uncontrolled Risk Remediation Report must detail any such vulnerabilities that no longer exist due to being mitigated since the previous authorization of the system.
4.3 Security Risk Management Plan
Although mentioned last, the Security Risk Management Plan (SRMP) should be the first document generated and maintained as part of a secure development process. The SRMP summarizes all plans and procedures for premarket and post-market activities, as well as the security goals for the project, the secure product development framework used for the system with references to QMS and governance structures, roles and responsibilities, and much more.
5.0 Optional PreSTAR Submissions for Investigational Device Exemptions
Investigational Device Exemptions (IDEs) and pre-submissions can be submitted or requested using the FDA’s Early Submission Requests eSTAR (PreSTAR). For IDEs, this is currently voluntary. However, it is important for awareness of the pending release of an updated PreSTAR document and future requirements to submit IDE submissions or pre-submission requests via PreSTAR.
Per Appendix 3. Submission Documentation for Investigational Device Exemptions and Appendix 4. General Premarket Submission Documentation Elements and Scaling with Risk of the FDA’s Premarket Cybersecurity Guidance, IDE submissions require a subset of the typical eSTAR submission requirements, including:
Security Architecture Views and Security Use Case Views (included in the Threat Modeling and Security Architecture Report; see Section 3.2)
Machine-readable Software Bill of Materials (see Section 3.4)
Cybersecurity Labeling (see Section 3.9)
Additionally, cybersecurity risk information must be included in the informed consent form for trial participants.
To document architecture views, to communicate security content in the product labeling and IFU, and to determine what cybersecurity risks are present and must be included in the consent form, threat modeling and risk assessment are often also recommended as design practices for IDE submissions and clinical trials. Designing a system right once is much easier than redesigning the system after a trial prior to commercialization.
6.0 Next Steps
The FDA's eSTAR submission process now requires structured and discrete cybersecurity documentation, with numerous artifacts necessary for compliance for both new submissions and device modifications. To accomplish this, medical device manufacturers must generate and provide several cybersecurity-related artifacts created during the Premarket phase.
Velentium Medical offers a comprehensive suite of templates, resources, and expert guidance to support your eSTAR submission. Our structured approach ensures that all required artifacts align with FDA expectations, reducing the complexity of compliance while strengthening the security posture of your medical device. By leveraging Velentium Medical’s cybersecurity templates and resources, manufacturers can confidently navigate the eSTAR submission process, ensuring completeness, accuracy, and regulatory adherence.
See also Velentium Medical’s SEC-GUIDE-07 Total Product Life Cycle Security for Medical Devices for more information on our Total Product Life Cycle Security process that details the activities and phases leading to the generation of the submission artifacts detailed in this guide.
7.0 Appendix A: FDA eSTAR Mind Map
The graphic below shows the twelve FDA eSTAR artifacts and their required contents for successful premarket PMA, de novo, 510(k), and device modification submissions to the US FDA.
