Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)
This page provides answers to frequently asked questions (FAQs) related to cybersecurity in medical devices.
On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus -- "Ensuring Cybersecurity of Medical Devices" -- amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices (section 3305). As provided by the Omnibus, the requirements of section 524B do not apply to an application or submission submitted to the Food and Drug Administration (FDA) before March 29, 2023. For devices submitted after March 29, 2023, the FDA generally intends not to issue "refuse to accept" (RTA) decisions for premarket submissions for cyber devices that are submitted before October 1, 2023, based solely on information required by section 524B of the FD&C Act. Instead, the FDA will work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process. The information provided on this page may be useful for sponsors in preparing their submissions.
A: Under section 524B(a) of the FD&C Act, a person who submits a premarket application or submission – including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) -- for a device that meets the definition of a cyber device, as defined under section 524B(c), is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b).
A: Section 524B(c) of the FD&C Act defines "cyber device" as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. If manufacturers are unsure as to whether their device is a cyber device, they may contact the FDA.
A: As provided by the Omnibus, the cybersecurity requirements do not apply to an application or submission submitted to the Food and Drug Administration (FDA) before March 29, 2023. If a cyber device was previously authorized, and the manufacturer is making a change to the device that requires premarket review by the agency, the law would apply for the new premarket submission.
A: Section 524B(a) of the FD&C Act provides that the sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in section 524B(b) of the FD&C Act. The requirements in section 524B(b) of the FD&C Act are:
- Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
- Provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components.
The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure. See FAQs 6 through 10 for additional details on ways manufacturers might demonstrate that their devices are cybersecure.
Q5: When do manufacturers of cyber devices have to submit the information described in section 524B?
A: Manufacturers of cyber devices are required to submit this information starting on March 29, 2023, in premarket submissions including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE). This includes Abbreviated and Special 510(k) submissions and PMA/HDE supplements. Premarket submissions that were received prior to March 29, 2023, and are under review or currently on hold are not subject to these requirements.
We note that for premarket submissions for cyber devices that are submitted before October 1, 2023, the FDA generally intends not to issue "refuse to accept" (RTA) decisions based solely on information required by section 524B of the FD&C Act. Instead, the FDA will work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process. For more information, read "FDA Issues Guidance on Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices Under Section 524B of the FD&C Act."
A: The 2014 guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" and the 2016 guidance "Postmarket Management of Cybersecurity in Medical Devices" describe recommendations for managing cybersecurity after the device has been introduced into the market.
A: The 2014 FDA guidance titled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" includes discussion of cybersecurity risk analysis, cybersecurity functions to include in the device design, and cybersecurity documentation for premarket submissions.
In addition, the FDA has recognized consensus standards, including AAMI/UL 2900-1:2017 and IEC 81001-5-1:2021, which may be helpful to support cybersecurity documentation in submissions.
A: The 2014 guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" discusses plans for patches and updates across the total product life cycle (TPLC). The 2016 guidance "Postmarket Management of Cybersecurity in Medical Devices" discusses cybersecurity routine updates and patches and describes patching in the context of remediating cybersecurity vulnerabilities.
A: Information regarding SBOMs is included in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)." Other resources may also be available.