Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; Draft Guidance for Industry and Food and Drug Administration Staff; Availability, 52835-52837 [2018-22697]
Download as PDF
<![CDATA[
52835
Federal Register / Vol. 83, No. 202 / Thursday, October 18, 2018 / Notices
Title: Child Care and Development
Fund (CCDF) State Monitoring
Compliance Demonstration Packet.
OMB No.: New.
Description: The proposed data
collection form is designed as part of the
evidence collection process of the
Onsite Monitoring system and provides
states with an opportunity to propose
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration for Children and
Families
Proposed Information Collection
Activity; Comment Request
Proposed Projects: Office of Child
Care CCDF Onsite Monitoring.
how they, as block-grant recipients, will
choose to demonstrate compliance.
Respondents: 51 States and Territories
triennially.
ANNUAL BURDEN ESTIMATES
Number of
respondents
Instrument
khammond on DSK30JT082PROD with NOTICES
Compliance Demonstration Chart ....................................................................
Document Submission Chart ...........................................................................
Estimated Total Annual Burden
Hours: 1,632 hours.
In compliance with the requirements
of the Paperwork Reduction Act of 1995
(Pub. L. 104–13, 44 U.S.C. chap 35), the
Administration for Children and
Families is soliciting public comment
on the specific aspects of the
information collection described above.
Copies of the proposed collection of
information can be obtained and
comments may be forwarded by writing
to the Administration for Children and
Families, Office of Planning, Research
and Evaluation, 330 C Street SW,
Washington DC 20201. Attn: ACF
Reports Clearance Officer. Email
address: infocollection@acf.hhs.gov. All
requests should be identified by the title
of the information collection.
The Department specifically requests
comments on: (a) Whether the proposed
collection of information is necessary
for the proper performance of the
functions of the agency, including
whether the information shall have
practical utility; (b) the accuracy of the
agency’s estimate of the burden of the
proposed collection of information; (c)
the quality, utility, and clarity of the
information to be collected; and (d)
ways to minimize the burden of the
collection of information on
respondents, including through the use
of automated collection techniques or
other forms of information technology.
Consideration will be given to
comments and suggestions submitted
within 60 days of this publication.
Robert Sargis,
Reports Clearance Officer.
[FR Doc. 2018–22700 Filed 10–17–18; 8:45 am]
BILLING CODE 4184–43–P
VerDate Sep<11>2014
17:28 Oct 17, 2018
Jkt 247001
17
17
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA–2018–D–3443]
Content of Premarket Submissions for
Management of Cybersecurity in
Medical Devices; Draft Guidance for
Industry and Food and Drug
Administration Staff; Availability
AGENCY:
Food and Drug Administration,
HHS.
ACTION:
Notice of availability.
The Food and Drug
Administration (FDA or Agency) is
announcing the availability of the draft
guidance entitled ‘‘Content of Premarket
Submissions for Management of
Cybersecurity in Medical Devices.’’ As
more medical devices are becoming
interconnected, cybersecurity threats
have become more numerous, more
frequent, more severe, and more
clinically impactful. There is a need to
provide manufacturers with specific
technical recommendations (e.g.,
appropriate threat modeling and other
premarket testing) to help ensure device
cybersecurity. The updates to the
existing ‘‘Content of Premarket
Submissions for Management of
Cybersecurity in Medical Devices’’
guidance is anticipated to better protect
against risks, such as ransomware
campaigns, that could disrupt clinical
operations and delay patient care and
risks, such as exploiting a vulnerability
that enables attacks on multiple
patients. This draft guidance is not final
nor is it in effect at this time.
DATES: Submit either electronic or
written comments on the draft guidance
by March 18, 2019 to ensure that the
Agency considers your comment on this
SUMMARY:
PO 00000
Frm 00036
Fmt 4703
Sfmt 4703
Number of
responses per
respondent
1
1
Average
burden hours
per response
16
80
Total burden
hours
272
1,360
draft guidance before it begins work on
the final version of the guidance.
ADDRESSES: You may submit comments
on any guidance at any time as follows:
Electronic Submissions
Submit electronic comments in the
following way:
• Federal eRulemaking Portal: https://
www.regulations.gov. Follow the
instructions for submitting comments.
Comments submitted electronically,
including attachments, to https://
www.regulations.gov will be posted to
the docket unchanged. Because your
comment will be made public, you are
solely responsible for ensuring that your
comment does not include any
confidential information that you or a
third party may not wish to be posted,
such as medical information, your or
anyone else’s Social Security number, or
confidential business information, such
as a manufacturing process. Please note
that if you include your name, contact
information, or other information that
identifies you in the body of your
comments, that information will be
posted on https://www.regulations.gov.
• If you want to submit a comment
with confidential information that you
do not wish to be made available to the
public, submit the comment as a
written/paper submission and in the
manner detailed (see ‘‘Written/Paper
Submissions’’ and ‘‘Instructions’’).
Written/Paper Submissions
Submit written/paper submissions as
follows:
• Mail/Hand delivery/Courier (for
written/paper submissions): Dockets
Management Staff (HFA–305), Food and
Drug Administration, 5630 Fishers
Lane, Rm. 1061, Rockville, MD 20852.
• For written/paper comments
submitted to the Dockets Management
Staff, FDA will post your comment, as
E:\FR\FM\18OCN1.SGM
18OCN1
khammond on DSK30JT082PROD with NOTICES
52836
Federal Register / Vol. 83, No. 202 / Thursday, October 18, 2018 / Notices
well as any attachments, except for
information submitted, marked and
identified, as confidential, if submitted
as detailed in ‘‘Instructions.’’
Instructions: All submissions received
must include the Docket No. FDA–
2018–D–3443 for ‘‘Content of Premarket
Submissions for Management of
Cybersecurity in Medical Devices.’’
Received comments will be placed in
the docket and, except for those
submitted as ‘‘Confidential
Submissions,’’ publicly viewable at
https://www.regulations.gov or at the
Dockets Management Staff between 9
a.m. and 4 p.m., Monday through
Friday.
• Confidential Submissions—To
submit a comment with confidential
information that you do not wish to be
made publicly available, submit your
comments only as a written/paper
submission. You should submit two
copies total. One copy will include the
information you claim to be confidential
with a heading or cover note that states
‘‘THIS DOCUMENT CONTAINS
CONFIDENTIAL INFORMATION.’’ The
Agency will review this copy, including
the claimed confidential information, in
its consideration of comments. The
second copy, which will have the
claimed confidential information
redacted/blacked out, will be available
for public viewing and posted on
https://www.regulations.gov. Submit
both copies to the Dockets Management
Staff. If you do not wish your name and
contact information to be made publicly
available, you can provide this
information on the cover sheet and not
in the body of your comments and you
must identify this information as
‘‘confidential.’’ Any information marked
as ‘‘confidential’’ will not be disclosed
except in accordance with 21 CFR 10.20
and other applicable disclosure law. For
more information about FDA’s posting
of comments to public dockets, see 80
FR 56469, September 18, 2015, or access
the information at: https://www.gpo.gov/
fdsys/pkg/FR-2015-09-18/pdf/201523389.pdf.
Docket: For access to the docket to
read background documents or the
electronic and written/paper comments
received, go to https://
www.regulations.gov and insert the
docket number, found in brackets in the
heading of this document, into the
‘‘Search’’ box and follow the prompts
and/or go to the Dockets Management
Staff, 5630 Fishers Lane, Rm. 1061,
Rockville, MD 20852.
You may submit comments on any
guidance at any time (see 21 CFR
10.115(g)(5)).
An electronic copy of the guidance
document is available for download
VerDate Sep<11>2014
17:28 Oct 17, 2018
Jkt 247001
from the internet. See the
section for
information on electronic access to the
guidance. Submit written requests for a
single hard copy of the draft guidance
document entitled ‘‘Content of
Premarket Submissions for Management
of Cybersecurity in Medical Devices’’ to
the Office of the Center Director,
Guidance and Policy Development,
Center for Devices and Radiological
Health, Food and Drug Administration,
10903 New Hampshire Ave., Bldg. 66,
Rm. 5431, Silver Spring, MD 20993–
0002 or the Office of Communication,
Outreach, and Development, Center for
Biologics Evaluation and Research,
Food and Drug Administration, 10903
New Hampshire Ave., Bldg. 71, Rm.
3128, Silver Spring, MD 20993–0002.
Send one self-addressed adhesive label
to assist that office in processing your
request.
FOR FURTHER INFORMATION CONTACT:
Suzanne Schwartz, Center for Devices
and Radiological Health, Food and Drug
Administration, 10903 New Hampshire
Ave., Bldg. 66, Rm. 5434, Silver Spring,
MD 20993–0002, 301–796–6937, or
Stephen Ripley, Center for Biologics
Evaluation and Research, Food and
Drug Administration, 10903 New
Hampshire Ave., Bldg. 71, Rm. 7301,
Silver Spring, MD 20993, 240–402–
7911.
SUPPLEMENTARY INFORMATION:
SUPPLEMENTARY INFORMATION
I. Background
The need for effective cybersecurity to
assure medical device functionality and
safety has become more important with
the increasing use of wireless, internetand network-connected devices, and the
frequent electronic exchange of medical
device-related health information. In
addition, cybersecurity threats to the
healthcare sector have become more
frequent, more severe, and more
clinically impactful. Cybersecurity
incidents have rendered medical
devices and hospital networks
inoperable, disrupting the delivery of
patient care across healthcare facilities
in the United States and globally. Such
cyberattacks and exploits can delay
diagnoses and/or treatment and may
lead to patient harm.
Although FDA issued guidance
addressing recommendations for device
cybersecurity information in premarket
submissions in 2014, 1 the rapidly
evolving landscape, and the increased
1 ‘‘Content of Premarket Submissions for
Management of Cybersecurity in Medical Devices—
Guidance for Industry and Food and Drug
Administration Staff’’ at https://www.fda.gov/
MedicalDevices/DeviceRegulationandGuidance/
GuidanceDocuments/UCM356190.
PO 00000
Frm 00037
Fmt 4703
Sfmt 4703
understanding of the threats and their
potential mitigations necessitates an
updated approach. This draft guidance
is intended to provide recommendations
to industry regarding cybersecurity
device design, labeling, and the
documentation that FDA recommends
be included in premarket submissions
for devices with cybersecurity risk.
These recommendations can facilitate
an efficient premarket review process
and help ensure that marketed medical
devices are sufficiently resilient to
cybersecurity threats.
FDA plans to hold a public workshop
on January 29th and January 30th,
2019.2 FDA seeks to bring together
diverse stakeholders to discuss, indepth, the draft guidance, ‘‘Content of
Premarket Submissions for Management
of Cybersecurity in Medical Devices’’
and the subtopic of the draft guidance
regarding a Cybersecurity Bill of
Materials (CBOM), which can be a
critical element in identifying assets,
threats, and vulnerabilities.
II. Significance of Guidance
This draft guidance is being issued
consistent with FDA’s good guidance
practices regulation (21 CFR 10.115).
The draft guidance, when finalized, will
represent the current thinking of FDA
on Content of Premarket Submissions
for Management of Cybersecurity in
Medical Devices. It does not establish
any rights for any person and is not
binding on FDA or the public. You can
use an alternative approach if it satisfies
the requirements of the applicable
statutes and regulations. This guidance
is not subject to Executive Order 12866.
III. Electronic Access
Persons interested in obtaining a copy
of the draft guidance may do so by
downloading an electronic copy from
the internet. A search capability for all
Center for Devices and Radiological
Health guidance documents is available
at https://www.fda.gov/MedicalDevices/
DeviceRegulationandGuidance/
GuidanceDocuments/default.htm. This
guidance document is also available at
https://www.regulations.gov or https://
www.fda.gov/BiologicsBloodVaccines/
GuidanceComplianceRegulatory
Information/default.htm. Persons
unable to download an electronic copy
of ‘‘Content of Premarket Submissions
for Management of Cybersecurity in
Medical Devices’’ may send an email
request to CDRH-Guidance@fda.hhs.gov
to receive an electronic copy of the
document. Please use the document
2 https://www.fda.gov/MedicalDevices/
NewsEvents/WorkshopsConferences/default.htm.
E:\FR\FM\18OCN1.SGM
18OCN1
Federal Register / Vol. 83, No. 202 / Thursday, October 18, 2018 / Notices
number 1825 to identify the guidance
you are requesting.
IV. Paperwork Reduction Act of 1995
This draft guidance refers to
previously approved collections of
collections of information in the
following FDA regulations and guidance
have been approved by OMB as listed in
the following table:
OMB control
No.
21 CFR part or guidance
Topic
807, subpart E .................................
814, subparts A through E ..............
814, subpart H .................................
812 ...................................................
‘‘De Novo Classification Process
(Evaluation of Automatic Class III
Designation)’’.
801 ...................................................
820 ...................................................
Premarket notification ...........................................................................................................
Premarket approval ...............................................................................................................
Humanitarian Device Exemption ...........................................................................................
Investigational Device Exemption .........................................................................................
De Novo classification process .............................................................................................
0910–0120
0910–0231
0910–0332
0910–0078
0910–0844
Medical Device Labeling Regulations ...................................................................................
Current Good Manufacturing Practice (CGMP); Quality System (QS) Regulation ..............
0910–0485
0910–0073
V. Other Issues for Consideration
• Type of information and level of
detail that should be included in a
CBOM
• Effective mechanisms for sharing
CBOM information
• Format the CBOM should take:
Æ Available formats that could be
leveraged
Æ Whether multiple formats would be
able to co-exist
• Appropriate frequency for updating
the CBOM
• Features of a CBOM that would
make it automatically consumable
Dated: October 12, 2018.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2018–22697 Filed 10–17–18; 8:45 am]
BILLING CODE 4164–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Food and Drug Administration
[Docket Nos. FDA–2017–E–6698 and FDA–
2017–E–6699]
Determination of Regulatory Review
Period for Purposes of Patent
Extension; OCREVUS
AGENCY:
ACTION:
Electronic Submissions
Food and Drug Administration,
HHS.
Notice.
VerDate Sep<11>2014
17:28 Oct 17, 2018
Jkt 247001
The Food and Drug
Administration (FDA or the Agency) has
determined the regulatory review period
for OCREVUS and is publishing this
notice of that determination as required
by law. FDA has made the
determination because of the
submission of applications to the
Director of the U.S. Patent and
Trademark Office (USPTO), Department
of Commerce, for the extension of a
patent which claims that human
biological product.
DATES: Anyone with knowledge that any
of the dates as published (see the
SUPPLEMENTARY INFORMATION section) are
incorrect may submit either electronic
or written comments and ask for a
redetermination by December 17, 2018.
Furthermore, any interested person may
petition FDA for a determination
regarding whether the applicant for
extension acted with due diligence
during the regulatory review period by
April 16, 2019. See ‘‘Petitions’’ in the
SUPPLEMENTARY INFORMATION section for
more information.
ADDRESSES: You may submit comments
as follows. Please note that late,
untimely filed comments will not be
considered. Electronic comments must
be submitted on or before December 17,
2018. The https://www.regulations.gov
electronic filing system will accept
comments until 11:59 p.m. Eastern Time
at the end of December 17, 2018.
Comments received by mail/hand
delivery/courier (for written/paper
submissions) will be considered timely
if they are postmarked or the delivery
service acceptance receipt is on or
before that date.
SUMMARY:
The Agency invites comments on the
‘‘Content of Premarket Submissions for
Management of Cybersecurity in
Medical Devices’’ draft guidance, in
general, and on the following topics, in
particular:
• Definition of CBOM:
Æ Whether a CBOM should include
both software and hardware
components
khammond on DSK30JT082PROD with NOTICES
information. These collections of
information are subject to review by the
Office of Management and Budget
(OMB) under the Paperwork Reduction
Act of 1995 (44 U.S.C. 3501–3520). The
52837
Submit electronic comments in the
following way:
• Federal eRulemaking Portal:
https://www.regulations.gov. Follow the
PO 00000
Frm 00038
Fmt 4703
Sfmt 4703
instructions for submitting comments.
Comments submitted electronically,
including attachments, to https://
www.regulations.gov will be posted to
the docket unchanged. Because your
comment will be made public, you are
solely responsible for ensuring that your
comment does not include any
confidential information that you or a
third party may not wish to be posted,
such as medical information, your or
anyone else’s Social Security number, or
confidential business information, such
as a manufacturing process. Please note
that if you include your name, contact
information, or other information that
identifies you in the body of your
comments, that information will be
posted on https://www.regulations.gov.
• If you want to submit a comment
with confidential information that you
do not wish to be made available to the
public, submit the comment as a
written/paper submission and in the
manner detailed (see ‘‘Written/Paper
Submissions’’ and ‘‘Instructions’’).
Written/Paper Submissions
Submit written/paper submissions as
follows:
• Mail/Hand delivery/Courier (for
written/paper submissions): Dockets
Management Staff (HFA–305), Food and
Drug Administration, 5630 Fishers
Lane, Rm. 1061, Rockville, MD 20852.
• For written/paper comments
submitted to the Dockets Management
Staff, FDA will post your comment, as
well as any attachments, except for
information submitted, marked and
identified, as confidential, if submitted
as detailed in ‘‘Instructions.’’
Instructions: All submissions received
must include the Docket Nos. FDA–
2017–E–6698 and FDA–2017–E–6699
for ’’Determination of Regulatory
Review Period for Purposes of Patent
Extension; OCREVUS.’’ Received
comments, those filed in a timely
E:\FR\FM\18OCN1.SGM
18OCN1
]]>Agencies
[Federal Register Volume 83, Number 202 (Thursday, October 18, 2018)]
[Notices]
[Pages 52835-52837]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-22697]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA-2018-D-3443]
Content of Premarket Submissions for Management of Cybersecurity
in Medical Devices; Draft Guidance for Industry and Food and Drug
Administration Staff; Availability
AGENCY: Food and Drug Administration, HHS.
ACTION: Notice of availability.
-----------------------------------------------------------------------
SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing
the availability of the draft guidance entitled ``Content of Premarket
Submissions for Management of Cybersecurity in Medical Devices.'' As
more medical devices are becoming interconnected, cybersecurity threats
have become more numerous, more frequent, more severe, and more
clinically impactful. There is a need to provide manufacturers with
specific technical recommendations (e.g., appropriate threat modeling
and other premarket testing) to help ensure device cybersecurity. The
updates to the existing ``Content of Premarket Submissions for
Management of Cybersecurity in Medical Devices'' guidance is
anticipated to better protect against risks, such as ransomware
campaigns, that could disrupt clinical operations and delay patient
care and risks, such as exploiting a vulnerability that enables attacks
on multiple patients. This draft guidance is not final nor is it in
effect at this time.
DATES: Submit either electronic or written comments on the draft
guidance by March 18, 2019 to ensure that the Agency considers your
comment on this draft guidance before it begins work on the final
version of the guidance.
ADDRESSES: You may submit comments on any guidance at any time as
follows:
Electronic Submissions
Submit electronic comments in the following way:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. Comments submitted
electronically, including attachments, to https://www.regulations.gov
will be posted to the docket unchanged. Because your comment will be
made public, you are solely responsible for ensuring that your comment
does not include any confidential information that you or a third party
may not wish to be posted, such as medical information, your or anyone
else's Social Security number, or confidential business information,
such as a manufacturing process. Please note that if you include your
name, contact information, or other information that identifies you in
the body of your comments, that information will be posted on https://www.regulations.gov.
If you want to submit a comment with confidential
information that you do not wish to be made available to the public,
submit the comment as a written/paper submission and in the manner
detailed (see ``Written/Paper Submissions'' and ``Instructions'').
Written/Paper Submissions
Submit written/paper submissions as follows:
Mail/Hand delivery/Courier (for written/paper
submissions): Dockets Management Staff (HFA-305), Food and Drug
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
For written/paper comments submitted to the Dockets
Management Staff, FDA will post your comment, as
[[Page 52836]]
well as any attachments, except for information submitted, marked and
identified, as confidential, if submitted as detailed in
``Instructions.''
Instructions: All submissions received must include the Docket No.
FDA-2018-D-3443 for ``Content of Premarket Submissions for Management
of Cybersecurity in Medical Devices.'' Received comments will be placed
in the docket and, except for those submitted as ``Confidential
Submissions,'' publicly viewable at https://www.regulations.gov or at
the Dockets Management Staff between 9 a.m. and 4 p.m., Monday through
Friday.
Confidential Submissions--To submit a comment with
confidential information that you do not wish to be made publicly
available, submit your comments only as a written/paper submission. You
should submit two copies total. One copy will include the information
you claim to be confidential with a heading or cover note that states
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will
review this copy, including the claimed confidential information, in
its consideration of comments. The second copy, which will have the
claimed confidential information redacted/blacked out, will be
available for public viewing and posted on https://www.regulations.gov.
Submit both copies to the Dockets Management Staff. If you do not wish
your name and contact information to be made publicly available, you
can provide this information on the cover sheet and not in the body of
your comments and you must identify this information as
``confidential.'' Any information marked as ``confidential'' will not
be disclosed except in accordance with 21 CFR 10.20 and other
applicable disclosure law. For more information about FDA's posting of
comments to public dockets, see 80 FR 56469, September 18, 2015, or
access the information at: https://www.gpo.gov/fdsys/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
Docket: For access to the docket to read background documents or
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in
the heading of this document, into the ``Search'' box and follow the
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane,
Rm. 1061, Rockville, MD 20852.
You may submit comments on any guidance at any time (see 21 CFR
10.115(g)(5)).
An electronic copy of the guidance document is available for
download from the internet. See the SUPPLEMENTARY INFORMATION section
for information on electronic access to the guidance. Submit written
requests for a single hard copy of the draft guidance document entitled
``Content of Premarket Submissions for Management of Cybersecurity in
Medical Devices'' to the Office of the Center Director, Guidance and
Policy Development, Center for Devices and Radiological Health, Food
and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5431,
Silver Spring, MD 20993-0002 or the Office of Communication, Outreach,
and Development, Center for Biologics Evaluation and Research, Food and
Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 3128,
Silver Spring, MD 20993-0002. Send one self-addressed adhesive label to
assist that office in processing your request.
FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices
and Radiological Health, Food and Drug Administration, 10903 New
Hampshire Ave., Bldg. 66, Rm. 5434, Silver Spring, MD 20993-0002, 301-
796-6937, or Stephen Ripley, Center for Biologics Evaluation and
Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg.
71, Rm. 7301, Silver Spring, MD 20993, 240-402-7911.
SUPPLEMENTARY INFORMATION:
I. Background
The need for effective cybersecurity to assure medical device
functionality and safety has become more important with the increasing
use of wireless, internet- and network-connected devices, and the
frequent electronic exchange of medical device-related health
information. In addition, cybersecurity threats to the healthcare
sector have become more frequent, more severe, and more clinically
impactful. Cybersecurity incidents have rendered medical devices and
hospital networks inoperable, disrupting the delivery of patient care
across healthcare facilities in the United States and globally. Such
cyberattacks and exploits can delay diagnoses and/or treatment and may
lead to patient harm.
Although FDA issued guidance addressing recommendations for device
cybersecurity information in premarket submissions in 2014, \1\ the
rapidly evolving landscape, and the increased understanding of the
threats and their potential mitigations necessitates an updated
approach. This draft guidance is intended to provide recommendations to
industry regarding cybersecurity device design, labeling, and the
documentation that FDA recommends be included in premarket submissions
for devices with cybersecurity risk. These recommendations can
facilitate an efficient premarket review process and help ensure that
marketed medical devices are sufficiently resilient to cybersecurity
threats.
---------------------------------------------------------------------------
\1\ ``Content of Premarket Submissions for Management of
Cybersecurity in Medical Devices--Guidance for Industry and Food and
Drug Administration Staff'' at https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.
---------------------------------------------------------------------------
FDA plans to hold a public workshop on January 29th and January
30th, 2019.\2\ FDA seeks to bring together diverse stakeholders to
discuss, in-depth, the draft guidance, ``Content of Premarket
Submissions for Management of Cybersecurity in Medical Devices'' and
the subtopic of the draft guidance regarding a Cybersecurity Bill of
Materials (CBOM), which can be a critical element in identifying
assets, threats, and vulnerabilities.
---------------------------------------------------------------------------
\2\ https://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/default.htm.
---------------------------------------------------------------------------
II. Significance of Guidance
This draft guidance is being issued consistent with FDA's good
guidance practices regulation (21 CFR 10.115). The draft guidance, when
finalized, will represent the current thinking of FDA on Content of
Premarket Submissions for Management of Cybersecurity in Medical
Devices. It does not establish any rights for any person and is not
binding on FDA or the public. You can use an alternative approach if it
satisfies the requirements of the applicable statutes and regulations.
This guidance is not subject to Executive Order 12866.
III. Electronic Access
Persons interested in obtaining a copy of the draft guidance may do
so by downloading an electronic copy from the internet. A search
capability for all Center for Devices and Radiological Health guidance
documents is available at https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/default.htm. This
guidance document is also available at https://www.regulations.gov or
https://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformation/default.htm. Persons unable to
download an electronic copy of ``Content of Premarket Submissions for
Management of Cybersecurity in Medical Devices'' may send an email
request to [email protected] to receive an electronic copy of
the document. Please use the document
[[Page 52837]]
number 1825 to identify the guidance you are requesting.
IV. Paperwork Reduction Act of 1995
This draft guidance refers to previously approved collections of
information. These collections of information are subject to review by
the Office of Management and Budget (OMB) under the Paperwork Reduction
Act of 1995 (44 U.S.C. 3501-3520). The collections of information in
the following FDA regulations and guidance have been approved by OMB as
listed in the following table:
------------------------------------------------------------------------
OMB control
21 CFR part or guidance Topic No.
------------------------------------------------------------------------
807, subpart E............... Premarket notification... 0910-0120
814, subparts A through E.... Premarket approval....... 0910-0231
814, subpart H............... Humanitarian Device 0910-0332
Exemption.
812.......................... Investigational Device 0910-0078
Exemption.
``De Novo Classification De Novo classification 0910-0844
Process (Evaluation of process.
Automatic Class III
Designation)''.
801.......................... Medical Device Labeling 0910-0485
Regulations.
820.......................... Current Good 0910-0073
Manufacturing Practice
(CGMP); Quality System
(QS) Regulation.
------------------------------------------------------------------------
V. Other Issues for Consideration
The Agency invites comments on the ``Content of Premarket
Submissions for Management of Cybersecurity in Medical Devices'' draft
guidance, in general, and on the following topics, in particular:
Definition of CBOM:
[cir] Whether a CBOM should include both software and hardware
components
Type of information and level of detail that should be
included in a CBOM
Effective mechanisms for sharing CBOM information
Format the CBOM should take:
[cir] Available formats that could be leveraged
[cir] Whether multiple formats would be able to co-exist
Appropriate frequency for updating the CBOM
Features of a CBOM that would make it automatically
consumable
Dated: October 12, 2018.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2018-22697 Filed 10-17-18; 8:45 am]
BILLING CODE 4164-01-P
