Cybersecurity in Medical Devices: Refuse To Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act; Guidance for Industry and Food and Drug Administration Staff; Availability, 19148-19150 [2023-06646]
Download as PDF
<![CDATA[
19148
Federal Register / Vol. 88, No. 61 / Thursday, March 30, 2023 / Notices
Comments on the collection(s) of
information must be received by the
OMB desk officer by May 1, 2023.
ADDRESSES: Written comments and
recommendations for the proposed
information collection should be sent
within 30 days of publication of this
notice to www.reginfo.gov/public/do/
PRAMain. Find this particular
information collection by selecting
‘‘Currently under 30-day Review—Open
for Public Comments’’ or by using the
search function.
To obtain copies of a supporting
statement and any related forms for the
proposed collection(s) summarized in
this notice, please access the CMS PRA
website by copying and pasting the
following web address into your web
browser: https://www.cms.gov/
Regulations-and-Guidance/Legislation/
PaperworkReductionActof1995/PRAListing.
FOR FURTHER INFORMATION CONTACT:
William Parham at (410) 786–4669.
SUPPLEMENTARY INFORMATION: Under the
Paperwork Reduction Act of 1995 (PRA)
(44 U.S.C. 3501–3520), federal agencies
must obtain approval from the Office of
Management and Budget (OMB) for each
collection of information they conduct
or sponsor. The term ‘‘collection of
information’’ is defined in 44 U.S.C.
3502(3) and 5 CFR 1320.3(c) and
includes agency requests or
requirements that members of the public
submit reports, keep records, or provide
information to a third party. Section
3506(c)(2)(A) of the PRA (44 U.S.C.
3506(c)(2)(A)) requires federal agencies
to publish a 30-day notice in the
Federal Register concerning each
proposed collection of information,
including each proposed extension or
reinstatement of an existing collection
of information, before submitting the
collection to OMB for approval. To
comply with this requirement, CMS is
publishing this notice that summarizes
the following proposed collection(s) of
information for public comment:
1. Type of Information Collection
Request: Extension of a currently
approved collection; Title of
Information Collection: The Home
Health Care CAHPS® Survey
(HHCAHPS); Use: The national
implementation of the Home Health
Care CAHPS Survey is designed to
collect ongoing data from samples of
home health care patients who receive
skilled services from Medicare-certified
home health agencies. The survey is
necessary because it fulfills the goal of
transparency with the public about
home health patient experiences.
The survey is used by Medicarecertified home health agencies to
lotter on DSK11XQN23PROD with NOTICES1
DATES:
VerDate Sep<11>2014
17:22 Mar 29, 2023
Jkt 259001
improve their internal quality assurance
in the care that they provide in home
health. The HHCAHPS survey is also
used in a Medicare payment program.
Medicare-certified home health agencies
(HHAs) must contract with CMSapproved survey vendors that conduct
the HHCAHPS on behalf of the HHAs to
meet their requirements in the Home
Health Quality Reporting Program Form
Number: CMS–10275 (OMB control
number: 0938–1066); Frequency:
Quarterly; Affected Public: Individuals
and Households; Number of
Respondents: 1,052,966; Total Annual
Responses: 1,149,975; Total Annual
Hours: 420,576. (For policy questions
regarding this collection contact Lori
Luria at 410–786–6684).
2. Type of Information Collection
Request: Revision of a currently
approved collection; Title of
Information Collection: Collection of
Diagnostic Data in the Abbreviated
RAPS Format from Medicare Advantage
Organizations for Risk Adjusted
Payments; Use: Under section 1894(d) of
the Act, CMS must make prospective
monthly capitated payments to PACE
organizations in the same manner and
from the same sources as payments to
organizations under section 1853.
Section 1894(e)(3)(A)(i) requires in part
that PACE organizations collect data
and make available to the Secretary
reports necessary to monitor the cost,
operation, and effectiveness of the PACE
program.
CMS makes advance monthly perenrollee payments to organizations, and
is required to risk-adjust the payments
based on predicted relative health care
costs for each enrollee, as determined by
enrollee-specific diagnoses and other
factors, such as age. CMS has collected
diagnosis data from organizations in two
formats: (1) comprehensive data
equivalent to Medicare fee-for-service
claims data (often referred to as
encounter data) and (2) data in an
abbreviated format known as RAPS
data, named for the Risk Adjustment
Processing System (RAPS). The subject
of this PRA package is collection of
RAPS data. Encounter data collection is
addressed in a separate PRA package
(OMB 0938–1152).
Risk adjustment allows CMS to pay
plans for the health risk of the
beneficiaries they enroll, instead of
paying an identical an average amount
for each enrollee Medicare beneficiaries.
By risk adjusting plan payments, CMS is
able to make appropriate and accurate
payments for enrollees with differences
in expected costs. Risk adjustment is
used to adjust bidding and payment
based on the health status and
demographic characteristics of an
PO 00000
Frm 00098
Fmt 4703
Sfmt 4703
enrollee. Risk scores measure individual
beneficiaries’ relative risk and the risk
scores are used to adjust payments for
each beneficiary’s expected
expenditures. By risk adjusting plan
bids, CMS is able to also use
standardized bids as base payments to
plans. Form Number: CMS–10062 (OMB
control number: 0938–0878); Frequency:
Quarterly; Affected Public: Private
Sector, Business or other for-profit and
Not-for-profit institutions; Number of
Respondents: 284; Total Annual
Responses: 80,235,720; Total Annual
Hours: 2,674,524. (For policy questions
regarding this collection contact
Amanda Johnson at 410–786–4161.
Dated: March 24, 2023.
William N. Parham, III,
Director, Paperwork Reduction Staff, Office
of Strategic Operations and Regulatory
Affairs.
[FR Doc. 2023–06564 Filed 3–29–23; 8:45 am]
BILLING CODE 4120–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA–2023–D–1030]
Cybersecurity in Medical Devices:
Refuse To Accept Policy for Cyber
Devices and Related Systems Under
Section 524B of the FD&C Act;
Guidance for Industry and Food and
Drug Administration Staff; Availability
AGENCY:
Food and Drug Administration,
HHS.
ACTION:
Notice of availability.
The Food and Drug
Administration (FDA, Agency, or we) is
announcing the availability of a final
guidance entitled ‘‘Cybersecurity in
Medical Devices: Refuse to Accept
Policy for Cyber Devices and Related
Systems Under section 524B of the
FD&C Act of the FD&C Act.’’ FDA
generally intends not to issue ‘‘refuse to
accept’’ (RTA) decisions for premarket
submissions submitted for cyber devices
based solely on information required by
the new amendments to the FD&C Act
for ensuring cybersecurity of devices
before October 1, 2023, but instead,
work collaboratively with sponsors of
such premarket submissions as part of
the interactive and/or deficiency review
process.
DATES: The announcement of the
guidance is published in the Federal
Register on March 30, 2023.
ADDRESSES: You may submit either
electronic or written comments on
SUMMARY:
E:\FR\FM\30MRN1.SGM
30MRN1
Federal Register / Vol. 88, No. 61 / Thursday, March 30, 2023 / Notices
Agency guidances at any time as
follows:
lotter on DSK11XQN23PROD with NOTICES1
Electronic Submissions
Submit electronic comments in the
following way:
• Federal eRulemaking Portal:
https://www.regulations.gov. Follow the
instructions for submitting comments.
Comments submitted electronically,
including attachments, to https://
www.regulations.gov will be posted to
the docket unchanged. Because your
comment will be made public, you are
solely responsible for ensuring that your
comment does not include any
confidential information that you or a
third party may not wish to be posted,
such as medical information, your or
anyone else’s Social Security number, or
confidential business information, such
as a manufacturing process. Please note
that if you include your name, contact
information, or other information that
identifies you in the body of your
comments, that information will be
posted on https://www.regulations.gov.
• If you want to submit a comment
with confidential information that you
do not wish to be made available to the
public, submit the comment as a
written/paper submission and in the
manner detailed (see ‘‘Written/Paper
Submissions’’ and ‘‘Instructions’’).
Written/Paper Submissions
Submit written/paper submissions as
follows:
• Mail/Hand Delivery/Courier (for
written/paper submissions): Dockets
Management Staff (HFA–305), Food and
Drug Administration, 5630 Fishers
Lane, Rm. 1061, Rockville, MD 20852.
• For written/paper comments
submitted to the Dockets Management
Staff, FDA will post your comment, as
well as any attachments, except for
information submitted, marked and
identified, as confidential, if submitted
as detailed in ‘‘Instructions.’’
Instructions: All submissions received
must include the Docket No. FDA–
2023–D–1030 for ‘‘Cybersecurity in
Medical Devices: Refuse to Accept
Policy for Cyber Devices and Related
Systems Under Section 524B of the
FD&C Act.’’ Received comments will be
placed in the docket and, except for
those submitted as ‘‘Confidential
Submissions,’’ publicly viewable at
https://www.regulations.gov or at the
Dockets Management Staff between 9
a.m. and 4 p.m., Monday through
Friday, 240–402–7500.
• Confidential Submissions—To
submit a comment with confidential
information that you do not wish to be
made publicly available, submit your
comments only as a written/paper
VerDate Sep<11>2014
17:22 Mar 29, 2023
Jkt 259001
submission. You should submit two
copies total. One copy will include the
information you claim to be confidential
with a heading or cover note that states
‘‘THIS DOCUMENT CONTAINS
CONFIDENTIAL INFORMATION.’’ The
Agency will review this copy, including
the claimed confidential information, in
its consideration of comments. The
second copy, which will have the
claimed confidential information
redacted/blacked out, will be available
for public viewing and posted on
https://www.regulations.gov. Submit
both copies to the Dockets Management
Staff. If you do not wish your name and
contact information to be made publicly
available, you can provide this
information on the cover sheet and not
in the body of your comments and you
must identify this information as
‘‘confidential.’’ Any information marked
as ‘‘confidential’’ will not be disclosed
except in accordance with 21 CFR 10.20
and other applicable disclosure law. For
more information about FDA’s posting
of comments to public dockets, see 80
FR 56469, September 18, 2015, or access
the information at: https://
www.govinfo.gov/content/pkg/FR-201509-18/pdf/2015-23389.pdf.
Docket: For access to the docket to
read background documents or the
electronic and written/paper comments
received, go to https://
www.regulations.gov and insert the
docket number, found in brackets in the
heading of this document, into the
‘‘Search’’ box and follow the prompts
and/or go to the Dockets Management
Staff, 5630 Fishers Lane, Rm. 1061,
Rockville, MD 20852, 240–402–7500.
You may submit comments on any
guidance at any time (see 21 CFR
10.115(g)(5)).
An electronic copy of the guidance
document is available for download
from the internet. See the
SUPPLEMENTARY INFORMATION section for
information on electronic access to the
guidance. Submit written requests for a
single hard copy of the guidance
document entitled ‘‘Cybersecurity in
Medical Devices Refuse to Accept
Policy for Cyber Devices and Related
Systems Under Section 524B of the
FD&C Act’’ to the Office of Policy,
Center for Devices and Radiological
Health, Food and Drug Administration,
10903 New Hampshire Ave., Bldg. 66,
Rm. 5431, Silver Spring, MD 20993–
0002. Send one self-addressed adhesive
label to assist that office in processing
your request.
FOR FURTHER INFORMATION CONTACT:
Suzanne Schwartz, Center for Devices
and Radiological Health, Food and Drug
Administration, 10903 New Hampshire
PO 00000
Frm 00099
Fmt 4703
Sfmt 4703
19149
Ave., Bldg. 66, Rm. 5410, Silver Spring,
MD 20993–0002, 301–796–6937 or
Diane Maloney, Center for Biologics
Evaluation and Research, Food and
Drug Administration, 10903 New
Hampshire Ave., Bldg. 71, Rm. 7301,
Silver Spring, MD 20993, 240–402–
8113.
SUPPLEMENTARY INFORMATION:
I. Background
On December 29, 2022, the
Consolidated Appropriations Act, 2023
(‘‘Omnibus’’) was signed into law.
Section 3305 of the Omnibus—
‘‘Ensuring Cybersecurity of Medical
Devices’’—amended the Federal Food,
Drug, and Cosmetic Act (FD&C Act) by
adding section 524B, Ensuring
Cybersecurity of Devices. The Omnibus
states that the amendments to the FD&C
Act shall take effect 90 days after the
enactment of the Consolidated
Appropriations Act on March 29, 2023.
As provided by the Omnibus, the
cybersecurity requirements do not apply
to an application or submission
submitted to FDA before March 29,
2023.
FDA generally intends not to issue
RTA decisions for premarket
submissions submitted for cyber devices
based solely on information required by
section 524B of the FD&C Act before
October 1, 2023, but instead, work
collaboratively with sponsors of such
premarket submissions as part of the
interactive and/or deficiency review
process. Beginning October 1, 2023,
FDA expects that such sponsors will
have had sufficient time to prepare
premarket submissions that contain
information required by section 524B of
the FD&C Act, and FDA may RTA
premarket submissions that do not.
We are implementing this guidance
without prior public comment because
the Agency has determined that prior
public participation is not feasible or
appropriate (see section 701(h)(1)(C) of
the Federal Food, Drug, and Cosmetic
Act (21 U.S.C. 371(h)(1)(C)) and § 10.115
(21 CFR 10.115(g)(2))). We made this
determination because it is not feasible
to obtain public comment prior to the
90-day statutory timeframe for the
effective date of section 524B of the
FD&C Act. This provision establishes
new cybersecurity requirements for
cyber devices, which includes
information that a sponsor of a
premarket submission for a cyber device
must provide in its submission. This
guidance communicates the Agency’s
policy regarding RTA decisions for
premarket submissions submitted for
such cyber devices, which is important
to communicate before the effective date
E:\FR\FM\30MRN1.SGM
30MRN1
19150
Federal Register / Vol. 88, No. 61 / Thursday, March 30, 2023 / Notices
of the statutory provision, which is
March 29, 2023. Although this policy is
being implemented immediately
without prior comment, FDA will
consider all comments received and
revise the guidance document as
appropriate.
This guidance is being issued
consistent with FDA’s good guidance
practices regulation (§ 10.115). The
guidance represents the current thinking
of FDA on ‘‘Cybersecurity in Medical
Devices: Refuse to Accept Policy for
Cyber Devices and Related Systems
Under Section 524B of the FD&C Act.’’
It does not establish any rights for any
person and is not binding on FDA or the
public. You can use an alternative
approach if it satisfies the requirements
of the applicable statutes and
regulations.
the FD&C Act’’ may send an email
request to CDRH-Guidance@fda.hhs.gov
to receive an electronic copy of the
document. Please use the document
number GUI00007021 and complete
title to identify the guidance you are
requesting.
III. Paperwork Reduction Act of 1995
While this guidance contains no new
collection of information, it does refer to
previously approved FDA collections of
information. Therefore, clearance by the
Office of Management and Budget
(OMB) under the Paperwork Reduction
Act of 1995 (PRA) (44 U.S.C. 3501–
3521) is not required for this guidance.
The previously approved collections of
information are subject to review by
OMB under the PRA. The collections of
information in the following FDA
regulations and guidance have been
approved by OMB as listed in the
following table:
OMB control
No.
21 CFR part or guidance
Topic
807, subpart E ............................................................................
814, subparts A through E ..........................................................
814, subpart H ............................................................................
860, subpart D ............................................................................
‘‘Requests for Feedback and Meetings for Medical Device
Submissions: The Q-Submission Program’’.
Premarket notification ................................................................
Premarket approval ....................................................................
Humanitarian Device Exemption ...............................................
De Novo classification process ..................................................
Q-submissions ...........................................................................
Dated: March 27, 2023.
Lauren K. Roth,
Associate Commissioner for Policy.
award of the priority review voucher.
FDA has determined that DAYBUE
(trofinetide), approved March 10, 2023,
and manufactured by Acadia
Pharmaceuticals, Inc., meets the criteria
for a priority review voucher.
[FR Doc. 2023–06646 Filed 3–29–23; 8:45 am]
BILLING CODE 4164–01–P
FOR FURTHER INFORMATION CONTACT:
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA–2020–N–0026]
Issuance of Priority Review Voucher;
Rare Pediatric Disease Product
AGENCY:
Food and Drug Administration,
HHS.
ACTION:
Notice.
The Food and Drug
Administration (FDA) is announcing the
issuance of a priority review voucher to
the sponsor of a rare pediatric disease
product application. The Federal Food,
Drug, and Cosmetic Act (FD&C Act), as
amended by the Food and Drug
Administration Safety and Innovation
Act (FDASIA), authorizes FDA to award
priority review vouchers to sponsors of
approved rare pediatric disease product
applications that meet certain criteria.
FDA is required to publish notice of the
SUMMARY:
lotter on DSK11XQN23PROD with NOTICES1
II. Electronic Access
Persons interested in obtaining a copy
of the guidance may do so by
downloading an electronic copy from
the internet. A search capability for all
Center for Devices and Radiological
Health guidance documents is available
at https://www.fda.gov/medical-devices/
device-advice-comprehensiveregulatory-assistance/guidancedocuments-medical-devices-andradiation-emitting-products. This
guidance document is also available at
https://www.regulations.gov, https://
www.fda.gov/regulatory-information/
search-fda-guidance-documents, or
https://www.fda.gov/vaccines-bloodbiologics/guidance-complianceregulatory-information-biologics.
Persons unable to download an
electronic copy of ‘‘Cybersecurity in
Medical Devices: Premarket Submission
Considerations for Cyber Devices and
Related Systems Under Section 524B of
VerDate Sep<11>2014
17:22 Mar 29, 2023
Jkt 259001
Cathryn Lee, Center for Drug Evaluation
and Research, Food and Drug
Administration, 10903 New Hampshire
Ave., Silver Spring, MD 20993–0002,
301–796–1394, email: Cathryn.Lee@
fda.hhs.gov.
FDA is
announcing the issuance of a priority
review voucher to the sponsor of an
approved rare pediatric disease product
application. Under section 529 of the
FD&C Act (21 U.S.C. 360ff), which was
added by FDASIA, FDA will award
priority review vouchers to sponsors of
approved rare pediatric disease product
applications that meet certain criteria.
FDA has determined that DAYBUE
(trofinetide), manufactured by Acadia
Pharmaceuticals, Inc., meets the criteria
for a priority review voucher. DAYBUE
(trofinetide) solution is for the treatment
of Rett Syndrome in adults and
pediatric patients 2 years of age and
older.
SUPPLEMENTARY INFORMATION:
PO 00000
Frm 00100
Fmt 4703
Sfmt 4703
0910–0120
0910–0231
0910–0332
0910–0844
0910–0756
For further information about the Rare
Pediatric Disease Priority Review
Voucher Program and for a link to the
full text of section 529 of the FD&C Act,
go to https://www.fda.gov/ForIndustry/
DevelopingProductsforRareDiseases
Conditions/RarePediatricDiseasePriority
VoucherProgram/default.htm. For
further information about DAYBUE
(trofinetide), go to the ‘‘Drugs@FDA’’
website at https://www.accessdata.
fda.gov/scripts/cder/daf/.
Dated: March 27, 2023.
Lauren K. Roth,
Associate Commissioner for Policy.
[FR Doc. 2023–06593 Filed 3–29–23; 8:45 am]
BILLING CODE 4164–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA–2023–D–0266]
Identification of Medicinal Products—
Implementation and Use; Guidance for
Industry; Availability
AGENCY:
Food and Drug Administration,
HHS.
ACTION:
E:\FR\FM\30MRN1.SGM
Notice of availability.
30MRN1
]]>Agencies
[Federal Register Volume 88, Number 61 (Thursday, March 30, 2023)]
[Notices]
[Pages 19148-19150]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-06646]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA-2023-D-1030]
Cybersecurity in Medical Devices: Refuse To Accept Policy for
Cyber Devices and Related Systems Under Section 524B of the FD&C Act;
Guidance for Industry and Food and Drug Administration Staff;
Availability
AGENCY: Food and Drug Administration, HHS.
ACTION: Notice of availability.
-----------------------------------------------------------------------
SUMMARY: The Food and Drug Administration (FDA, Agency, or we) is
announcing the availability of a final guidance entitled
``Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber
Devices and Related Systems Under section 524B of the FD&C Act of the
FD&C Act.'' FDA generally intends not to issue ``refuse to accept''
(RTA) decisions for premarket submissions submitted for cyber devices
based solely on information required by the new amendments to the FD&C
Act for ensuring cybersecurity of devices before October 1, 2023, but
instead, work collaboratively with sponsors of such premarket
submissions as part of the interactive and/or deficiency review
process.
DATES: The announcement of the guidance is published in the Federal
Register on March 30, 2023.
ADDRESSES: You may submit either electronic or written comments on
[[Page 19149]]
Agency guidances at any time as follows:
Electronic Submissions
Submit electronic comments in the following way:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. Comments submitted
electronically, including attachments, to https://www.regulations.gov
will be posted to the docket unchanged. Because your comment will be
made public, you are solely responsible for ensuring that your comment
does not include any confidential information that you or a third party
may not wish to be posted, such as medical information, your or anyone
else's Social Security number, or confidential business information,
such as a manufacturing process. Please note that if you include your
name, contact information, or other information that identifies you in
the body of your comments, that information will be posted on https://www.regulations.gov.
If you want to submit a comment with confidential
information that you do not wish to be made available to the public,
submit the comment as a written/paper submission and in the manner
detailed (see ``Written/Paper Submissions'' and ``Instructions'').
Written/Paper Submissions
Submit written/paper submissions as follows:
Mail/Hand Delivery/Courier (for written/paper
submissions): Dockets Management Staff (HFA-305), Food and Drug
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
For written/paper comments submitted to the Dockets
Management Staff, FDA will post your comment, as well as any
attachments, except for information submitted, marked and identified,
as confidential, if submitted as detailed in ``Instructions.''
Instructions: All submissions received must include the Docket No.
FDA-2023-D-1030 for ``Cybersecurity in Medical Devices: Refuse to
Accept Policy for Cyber Devices and Related Systems Under Section 524B
of the FD&C Act.'' Received comments will be placed in the docket and,
except for those submitted as ``Confidential Submissions,'' publicly
viewable at https://www.regulations.gov or at the Dockets Management
Staff between 9 a.m. and 4 p.m., Monday through Friday, 240-402-7500.
Confidential Submissions--To submit a comment with
confidential information that you do not wish to be made publicly
available, submit your comments only as a written/paper submission. You
should submit two copies total. One copy will include the information
you claim to be confidential with a heading or cover note that states
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will
review this copy, including the claimed confidential information, in
its consideration of comments. The second copy, which will have the
claimed confidential information redacted/blacked out, will be
available for public viewing and posted on https://www.regulations.gov.
Submit both copies to the Dockets Management Staff. If you do not wish
your name and contact information to be made publicly available, you
can provide this information on the cover sheet and not in the body of
your comments and you must identify this information as
``confidential.'' Any information marked as ``confidential'' will not
be disclosed except in accordance with 21 CFR 10.20 and other
applicable disclosure law. For more information about FDA's posting of
comments to public dockets, see 80 FR 56469, September 18, 2015, or
access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
Docket: For access to the docket to read background documents or
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in
the heading of this document, into the ``Search'' box and follow the
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane,
Rm. 1061, Rockville, MD 20852, 240-402-7500.
You may submit comments on any guidance at any time (see 21 CFR
10.115(g)(5)).
An electronic copy of the guidance document is available for
download from the internet. See the SUPPLEMENTARY INFORMATION section
for information on electronic access to the guidance. Submit written
requests for a single hard copy of the guidance document entitled
``Cybersecurity in Medical Devices Refuse to Accept Policy for Cyber
Devices and Related Systems Under Section 524B of the FD&C Act'' to the
Office of Policy, Center for Devices and Radiological Health, Food and
Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5431,
Silver Spring, MD 20993-0002. Send one self-addressed adhesive label to
assist that office in processing your request.
FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices
and Radiological Health, Food and Drug Administration, 10903 New
Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 301-
796-6937 or Diane Maloney, Center for Biologics Evaluation and
Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg.
71, Rm. 7301, Silver Spring, MD 20993, 240-402-8113.
SUPPLEMENTARY INFORMATION:
I. Background
On December 29, 2022, the Consolidated Appropriations Act, 2023
(``Omnibus'') was signed into law. Section 3305 of the Omnibus--
``Ensuring Cybersecurity of Medical Devices''--amended the Federal
Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B,
Ensuring Cybersecurity of Devices. The Omnibus states that the
amendments to the FD&C Act shall take effect 90 days after the
enactment of the Consolidated Appropriations Act on March 29, 2023. As
provided by the Omnibus, the cybersecurity requirements do not apply to
an application or submission submitted to FDA before March 29, 2023.
FDA generally intends not to issue RTA decisions for premarket
submissions submitted for cyber devices based solely on information
required by section 524B of the FD&C Act before October 1, 2023, but
instead, work collaboratively with sponsors of such premarket
submissions as part of the interactive and/or deficiency review
process. Beginning October 1, 2023, FDA expects that such sponsors will
have had sufficient time to prepare premarket submissions that contain
information required by section 524B of the FD&C Act, and FDA may RTA
premarket submissions that do not.
We are implementing this guidance without prior public comment
because the Agency has determined that prior public participation is
not feasible or appropriate (see section 701(h)(1)(C) of the Federal
Food, Drug, and Cosmetic Act (21 U.S.C. 371(h)(1)(C)) and Sec. 10.115
(21 CFR 10.115(g)(2))). We made this determination because it is not
feasible to obtain public comment prior to the 90-day statutory
timeframe for the effective date of section 524B of the FD&C Act. This
provision establishes new cybersecurity requirements for cyber devices,
which includes information that a sponsor of a premarket submission for
a cyber device must provide in its submission. This guidance
communicates the Agency's policy regarding RTA decisions for premarket
submissions submitted for such cyber devices, which is important to
communicate before the effective date
[[Page 19150]]
of the statutory provision, which is March 29, 2023. Although this
policy is being implemented immediately without prior comment, FDA will
consider all comments received and revise the guidance document as
appropriate.
This guidance is being issued consistent with FDA's good guidance
practices regulation (Sec. 10.115). The guidance represents the
current thinking of FDA on ``Cybersecurity in Medical Devices: Refuse
to Accept Policy for Cyber Devices and Related Systems Under Section
524B of the FD&C Act.'' It does not establish any rights for any person
and is not binding on FDA or the public. You can use an alternative
approach if it satisfies the requirements of the applicable statutes
and regulations.
II. Electronic Access
Persons interested in obtaining a copy of the guidance may do so by
downloading an electronic copy from the internet. A search capability
for all Center for Devices and Radiological Health guidance documents
is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This guidance document is also
available at https://www.regulations.gov, https://www.fda.gov/regulatory-information/search-fda-guidance-documents, or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics. Persons unable to download an electronic copy of
``Cybersecurity in Medical Devices: Premarket Submission Considerations
for Cyber Devices and Related Systems Under Section 524B of the FD&C
Act'' may send an email request to [email protected] to receive
an electronic copy of the document. Please use the document number
GUI00007021 and complete title to identify the guidance you are
requesting.
III. Paperwork Reduction Act of 1995
While this guidance contains no new collection of information, it
does refer to previously approved FDA collections of information.
Therefore, clearance by the Office of Management and Budget (OMB) under
the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501-3521) is not
required for this guidance. The previously approved collections of
information are subject to review by OMB under the PRA. The collections
of information in the following FDA regulations and guidance have been
approved by OMB as listed in the following table:
------------------------------------------------------------------------
OMB control
21 CFR part or guidance Topic No.
------------------------------------------------------------------------
807, subpart E................. Premarket notification. 0910-0120
814, subparts A through E...... Premarket approval..... 0910-0231
814, subpart H................. Humanitarian Device 0910-0332
Exemption.
860, subpart D................. De Novo classification 0910-0844
process.
``Requests for Feedback and Q-submissions.......... 0910-0756
Meetings for Medical Device
Submissions: The Q-Submission
Program''.
------------------------------------------------------------------------
Dated: March 27, 2023.
Lauren K. Roth,
Associate Commissioner for Policy.
[FR Doc. 2023-06646 Filed 3-29-23; 8:45 am]
BILLING CODE 4164-01-P
