524B Partner
Medical Device Cybersecurity Advisory FDA § 524B Submission Readiness CISSP · CCSP · CIPP/US
Security by design. Reviewer-ready.

A reviewer's read of your 524B submission—before the reviewer gets it.

The Submission Readiness Review is a two-to-three week, fixed-fee engagement that reads your premarket cybersecurity documentation the way FDA reviewers read it, and produces a written gap report with a prioritized remediation roadmap against the February 2026 guidance.

I. The Pattern

Twelve findings appear in most Additional Information (AI) letters. Four of them account for half.

Reading submissions the way a reviewer reads them means reading the guidance the way the reviewer reads it—including the footnotes. What follows is excerpted from an ongoing analysis of AI letters issued after the February 2026 premarket cybersecurity guidance took effect. Four of the most common findings appear below; the full analysis tracks twelve, ranked by frequency.

F/01

Patch cycle risk justification, omitted or implicit.

§ VII.C.1, footnote 65

The footnote requires that the interval between scheduled updates be justified against device risk. Most Cybersecurity Management Plans state a patch cadence without referencing the footnote, without tying the cadence to the device's risk profile, and without acknowledging that the justification is required at all.

This is the single most common finding in AI letters issued after the guidance took effect. It is also the cheapest to remediate before filing and the most expensive to remediate after.

F/02

Risk assessment scored probabilistically instead of by exploitability.

§ V.A.2

The guidance is explicit that cybersecurity risk is assessed on a non-probabilistic, exploitability-based framing. Most risk assessments still carry probability scoring inherited from safety risk management under ISO 14971—frequency × severity matrices, likelihood categories, and so on.

The reviewer reads the scoring, recognizes the inherited framework, and writes the finding. The underlying analysis may be sound. The framing is not.

F/03

CISA KEV cross-reference absent from the vulnerability assessment.

§ V.A.2 · § V.A.4.b

The guidance names the CISA Known Exploited Vulnerabilities catalog by reference. Most risk assessments do not document the cross-reference with a dated result—the paragraph that says "the SBOM components were checked against the CISA KEV catalog on [date], with the following results."

A narrow procedural finding. Easy to check in your own work. Common enough to appear in most AI letters.
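The dated cross-reference the finding describes can be produced mechanically. The following is an added example, not code from the page or from 524B Partner: it takes a constructed SBOM vulnerability register and a constructed KEV catalog snapshot laid out with the field names of the CISA KEV JSON feed (the CVE identifiers are placeholders, not real vulnerabilities), and renders the dated result paragraph a reviewer looks for.

```python
# Added example: dated CISA KEV cross-reference of an SBOM vulnerability register.
# The catalog snapshot below is constructed; it uses the field names of the CISA KEV
# JSON feed, but the CVE identifiers are placeholders, not real vulnerabilities.
KEV_SNAPSHOT = {
    "dateReleased": "2026-03-01T00:00:00.0000Z",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleTLS",
         "dateAdded": "2025-11-02", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleRTOS",
         "dateAdded": "2026-01-15", "knownRansomwareCampaignUse": "Known"},
    ],
}

# Constructed vulnerability register: SBOM component -> CVEs recorded against it.
REGISTER = {
    "exampletls 1.4.2": ["CVE-0000-00001", "CVE-0000-00003"],
    "examplertos 9.0": ["CVE-0000-00002"],
    "exampleparser 2.1": [],
}

def kev_cross_reference(register, kev_catalog, checked_on):
    """Match every registered CVE against the KEV catalog; record the check date."""
    kev_index = {v["cveID"]: v for v in kev_catalog["vulnerabilities"]}
    hits = {}
    for component, cves in register.items():
        matched = [kev_index[c] for c in cves if c in kev_index]
        if matched:
            hits[component] = matched
    return {
        "checked_on": checked_on,                      # ISO date the check was run
        "catalog_released": kev_catalog["dateReleased"][:10],
        "components_checked": len(register),
        "cves_checked": sum(len(c) for c in register.values()),
        "hits": hits,
    }

def render_statement(result):
    """Write the dated paragraph the reviewer looks for in the risk assessment."""
    head = (f"The SBOM components ({result['components_checked']} components, "
            f"{result['cves_checked']} recorded CVEs) were checked against the CISA KEV "
            f"catalog (released {result['catalog_released']}) on {result['checked_on']}, "
            "with the following results: ")
    if not result["hits"]:
        return head + "no listed CVE appears in the KEV catalog."
    parts = [comp + ": " + ", ".join(f"{v['cveID']} (KEV since {v['dateAdded']})" for v in vulns)
             for comp, vulns in result["hits"].items()]
    return head + "; ".join(parts) + "."
```

Calling `render_statement(kev_cross_reference(REGISTER, KEV_SNAPSHOT, "2026-03-03"))` yields the paragraph with the check date, the catalog release date, and each component's KEV hits; the empty-hit case still produces a dated statement rather than silence.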

F/04

Penetration test findings with the residual risk rationale missing.

§ V.C

Nine penetration test findings require nine manufacturer assessments, each with a rationale for any accepted residual risk. The common pattern: a consolidated risk table listing the findings with "accepted" in the disposition column and no rationale in the adjacent column.

What the reviewer expects is the rationale paragraph for each accepted residual: why the risk is accepted, which compensating controls reduce it, and how the acceptance is documented in the design history file.

II. The Review

The Submission Readiness Review,
end to end.

A two-to-three week engagement. A single deliverable. One advisor on the work. A clear terminal point at which the work is done. No retainer commitment, no recurring fees, no ambiguity about what you are buying.

01 · Input

What you provide.

At the kickoff: your draft 524B package as it currently stands, whether in eSTAR, in a working folder, or in fragments across teams.

  • Cybersecurity Risk Assessment
  • Threat Model with Architecture Views
  • Cybersecurity Management Plan
  • SBOM and vulnerability register
  • Penetration test report
  • Security Risk Management Report
  • Interoperability and labelling documentation

02 · Process

How the work is done.

Two to three weeks of reviewer-perspective reading against the February 2026 premarket cybersecurity guidance and the adjacent standards ecosystem.

  • Section-by-section guidance alignment check
  • Architecture view completeness
  • CISA KEV cross-reference verification
  • TARA-to-DHF traceability
  • SRMR security-to-safety transfer evidence
  • Postmarket monitoring commitments review
  • Measures and metrics (§ V.A.6) coverage

03 · Deliverable

What you receive.

A written gap report with findings classified by severity and a remediation roadmap prioritized against your filing window. One 60-minute readout call to walk the report with your team.

  • Findings by section with § citations
  • Severity marks: Reviewer Issue · Should Address · Optional
  • Remediation estimate in engineering hours
  • Recommended Q-Sub topics, if any
  • 60-minute readout with Q&A
  • Two weeks of follow-up clarification by email

Fee Structure: Fixed, no hourly
Duration: 2–3 weeks
Capacity: 4 active / quarter

Engagements are bounded by a Statement of Work with a per-SOW liability cap, a mutual consequential-damages exclusion, and a regulatory outcome disclaimer. 524B Partner is an independent advisor—the work informs your filing; it does not guarantee its acceptance. Your team remains the submitter of record.

III. Field Notes

Reading the guidance, the footnotes,
and what reviewers actually read.

The field notes are short, specific, and citation-dense. They demonstrate the kind of reading this practice does, from the inside. A representative sample appears below; more are published on LinkedIn and to subscribers.

Field Note № 01 · 8 min read

The twelve most common AI-letter findings under the February 2026 guidance, ranked by frequency.

"Four findings account for half of the total. The first three are procedural and narrow. The fourth—the one that costs the most remediation time when surfaced late—is structural, and not at all obvious from a read of the eSTAR form alone."

Tags: AI Letters · § V.A — § VII · Survey

Field Note № 02 · 5 min read

The single sentence in § VII.C.1, footnote 65 that makes most Cybersecurity Management Plans inadequate.

"The footnote says what the body of the section does not: the patch cadence must be justified against device risk. Most CMPs state the cadence. Very few justify it. The finding writes itself, and it is almost always avoidable."

Tags: CMP · Footnote 65 · Close Reading

Field Note № 03 · 7 min read

The questions to ask any cybersecurity specialist before you engage them.

"Ask them to walk their interpretation of § V.A.2's exploitability requirement. Ask which specific AI-letter patterns they've seen repeated in the last twelve months. Ask what they would not take on. The answers will separate the practitioners from the generalists."

Tags: Evaluation · Engagement · Due Diligence

IV. The Engagement

Deliberate on whom this serves. Candid on whom it does not.

The Submission Readiness Review is not for every manufacturer. The practice is deliberately narrow because specialty depth is only preserved by saying no to work outside its range. The list below is plainer than most consulting sites make it.

V. The Advisor

One advisor on the work.
No pass-offs, no juniors, no dilution.

Aldo Febro, PhD
Medical Device Cybersecurity Advisor
Founder, 524B Partner
  • Doctoral: PhD, Computer Science — IoT & SIP Security
  • MBA: Boston University (in progress)
  • Security: CISSP · CISA · CRISC · CISM · CCSP
  • Privacy: CIPP/US · CIPP/E
  • Experience: ~30 years in IT; decade in connected systems architecture
  • Prior: CISO & Chief Privacy Officer — ISO 27001, ISO 27701, HIPAA, GDPR programs
  • Based: Auckland, New Zealand
  • Serves: U.S. medical device manufacturers, remotely

The practice is solo on purpose. The work that matters in a Submission Readiness Review—reading, interpreting, recognizing reviewer-facing patterns—is not divisible into task-level pieces that junior staff can assemble. It is the product of a single practitioner reading your submission the way one reviewer would.

Prior to 524B Partner, I spent a decade as a CISO and Chief Privacy Officer building ISO 27001, ISO 27701, HIPAA, and GDPR programs from scratch—the work of translating regulatory text into organizational practice and back again. The doctoral research was on IoT and SIP security; the practitioner path has been connected-systems architecture and medical device-adjacent work. The specialty now is the February 2026 FDA premarket cybersecurity guidance, close-read against the standards ecosystem it references: ISO 13485/QMSR, IEC 62304, ISO 14971, IEC 81001-5-1, AAMI SW96/TIR57/TIR97.

The contractual role is Independent Product Security Advisor—deliberately distinct from "fractional CPSO" or "consultant." Advisory is a different kind of work: analytical, interpretive, bounded by a scope of work, and terminal rather than ongoing. When the engagement ends, it ends cleanly.

Aldo Febro · Auckland · 2026

VI · Next

Thirty minutes.
Five areas.
One honest answer.

The Submission Readiness Call is a free 30-minute diagnostic. No slide deck, no pitch. We walk five areas of your current package and end with a candid answer to a single question: does a Submission Readiness Review actually make sense for you right now, and if so, on what timeline?

Book a Submission Readiness Call

01 · Architecture Views: Are the four security architecture views present and at Appendix 2.B detail?
02 · CISA KEV Mapping: Is the cross-reference documented with a dated result against your SBOM?
03 · SBOM Coverage: Component inventory, vulnerability dispositions, maintenance plan.
04 · TARA & DHF: Is the threat model traced to design history file evidence?
05 · Postmarket: Monitoring, patching cadence, and the new measures-and-metrics requirement.