Skip to main content
    MedTech Cyber Tips
    The Ultimate Guide
    Updates
    FDA

    Mid-2026 field notes: what's tripping up 524B submissions right now

    Five months into the Feb 3, 2026 guidance, a clear pattern of deficiencies has emerged around SBOM depth, VEX handling, and AI/ML threat modeling. Here's what reviewers are flagging most this quarter.

    Reviewed by ·Published ·Last reviewed July 2026

    Now that the February 3, 2026 premarket cybersecurity guidance has been in force for a full submission cycle, we're seeing consistent deficiency themes in recent CDRH feedback:

    1. SBOM 'depth-of-field' - reviewers want transitive dependencies, not just top-level components. A CycloneDX file that stops at direct imports is being flagged as incomplete.

    2. VEX statements without justification - a VEX that marks CVEs 'not affected' without a machine-readable justification code is treated as unsupported. Use the standard status justifications (component_not_present, vulnerable_code_not_in_execute_path, etc.).

    3. AI/ML threat models missing adversarial ML - for cyber devices with ML components, evasion, poisoning, and model-extraction threats are now expected line items, not optional appendices.

    4. CVD intake evidence - a policy page is not enough; reviewers are asking for the intake address, triage SLA, and at least a redacted example of a coordinated disclosure workflow.

    5. End-of-support labeling - devices without a documented security-support horizon and communication plan are getting cited under the expanded labeling expectations.

    If your submission is queued for Q3 or Q4 2026, pressure-test these five areas before you file.

    More updates