Is your cybersecurity evidence ready for FDA submission?

We independently audit your 524B documentation readiness in 18 working days so your FDA submission timeline stays on track.

Cybersecurity activity is not the same as FDA-ready cybersecurity evidence.

Your engineering team may have security controls. Your software team may have an SBOM. Your testing vendor may have produced a report. But RA/QA still needs to know whether the evidence is complete, traceable, and defensible.

Scattered artifacts

Security work may exist across engineering, software, testing, QMS, and labeling without a clear submission evidence map.

Weak traceability

Threats, risks, controls, requirements, tests, residual risk, and labeling may not connect in a reviewer-friendly way.

Late rework risk

Cybersecurity gaps found late may trigger rework across design controls, risk management, testing, labeling, and postmarket processes.

FDA 524B Submission Readiness Review

A 3-week independent review of your cybersecurity documentation against FDA 524B, FDA premarket cybersecurity guidance, Appendix 4 Table 1, and eSTAR cybersecurity attachment expectations.

The review gives RA/QA a clear verdict on whether the cybersecurity evidence package is ready for U.S. submission — and a practical roadmap if it is not.

What you receive

  • FDA 524B Readiness Matrix mapped to submission expectations.
  • Evidence Inventory showing what exists and which attachment areas it supports.
  • Gap Register prioritised by submission risk.
  • Readiness Verdict: Ready, Partially Ready, or Not Ready.
  • Remediation Roadmap for RA/QA, engineering, software, testing, and leadership.
  • Executive Readout explaining submission risk and recommended next steps.

Founding rate: NZD $15,000. 3 weeks from kickoff to readiness verdict.

Book a 30-minute fit call

Built for NZ medtech teams preparing for U.S. launch.

The Submission Readiness Review is best suited to small-to-medium medical device companies that have cybersecurity-relevant products but do not have full-time product-security leadership on staff.

U.S. submission ahead

510(k), De Novo, PMA, major software update, AI-enabled device submission, or U.S. market expansion.

Cyber-relevant product

Software, firmware, cloud, mobile app, AI, remote monitoring, network connectivity, portal, or update capability.

RA/QA uncertainty

You have some cybersecurity documentation but are not sure whether it is submission-ready.

Method

A strong cybersecurity evidence package should show a clear line from threats to risks, controls, requirements, architecture, tests, residual risk, labeling, and postmarket monitoring.

Evidence intake

We collect existing cybersecurity, QMS, software, risk, testing, architecture, SBOM, vulnerability, and labeling evidence.

Evidence mapping

We map documents to FDA 524B and eSTAR cybersecurity expectations.

Readiness verdict

We deliver the readiness matrix, gap register, remediation roadmap, and executive readout.

Evidence areas reviewed

  1. Cybersecurity risk management plan
  2. Cybersecurity risk management report
  3. Threat model
  4. Cybersecurity risk assessment
  5. Software Bill of Materials
  6. Software support and end-of-support information
  7. Safety and security assessment of vulnerabilities
  8. Assessment of unresolved anomalies
  9. Cybersecurity metrics
  10. Security controls documentation
  11. Security architecture views
  12. Cybersecurity testing documentation
  13. Cybersecurity management plan
  14. Cybersecurity labeling and customer documentation

Independent. Specialist. Evidence-focused.

CISO.nz provides Chief Information Security Officer (CISO)-level cybersecurity judgment for NZ MedTech companies — without selling tools, managed security services, or penetration testing.

  • We do not replace your regulatory consultant.
  • We do not replace your QMS consultant.
  • We do not replace your engineering or testing teams.
  • We focus on whether your cybersecurity evidence package is defensible for FDA 524B submission.

For select clients with material gaps, CISO.nz may offer a private follow-on engagement to help build missing cybersecurity evidence through ISO 13485 / QMSR-aligned processes.

About

Aldo Febro

The practice is led by Aldo Febro PhD CISSP, an independent cybersecurity advisor based in New Zealand.


Want to know if your cybersecurity evidence is ready?

Book a 30-minute fit call to discuss your device, U.S. submission timeline, current cybersecurity evidence, and whether the Submission Readiness Review is appropriate for your team.
