Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions; Guidance for Industry and Food and Drug Administration Staff; Availability, 66458-66460 [2023-20955]
[Federal Register Volume 88, Number 186 (Wednesday, September 27, 2023)]
[Notices]
[Pages 66458-66460]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-20955]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA-2021-D-1158]
Cybersecurity in Medical Devices: Quality System Considerations
and Content of Premarket Submissions; Guidance for Industry and Food
and Drug Administration Staff; Availability
AGENCY: Food and Drug Administration, HHS.
ACTION: Notice of availability.
-----------------------------------------------------------------------
SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing
the availability of a final guidance entitled ``Cybersecurity in
Medical Devices: Quality System Considerations and Content of Premarket
Submissions.'' As more medical devices are becoming interconnected,
cybersecurity threats have become more numerous, more frequent, more
severe, and more clinically impactful. As a result, ensuring medical
device safety and effectiveness includes adequate medical device
cybersecurity, as well as its security as part of the larger system.
This final guidance supersedes the final guidance ``Content of
Premarket Submissions for Management of Cybersecurity in Medical
Devices,'' issued October 2, 2014.
DATES: The announcement of the guidance is published in the Federal
Register on September 27, 2023.
ADDRESSES: You may submit either electronic or written comments on
Agency guidances at any time as follows:
Electronic Submissions
Submit electronic comments in the following way:
• Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. Comments submitted
electronically, including attachments, to https://www.regulations.gov
will be posted to the docket unchanged. Because your comment will be
made public, you are solely responsible for ensuring that your comment
does not include any confidential information that you or a third party
may not wish to be posted, such as medical information, your or anyone
else's Social Security number, or confidential business information,
such as a manufacturing process. Please note that if you include your
name, contact information, or other information that identifies you in
the body of your comments, that information will be posted on
https://www.regulations.gov.
• If you want to submit a comment with confidential
information that you do not wish to be made available to the public,
submit the comment as a written/paper submission and in the manner
detailed (see ``Written/Paper Submissions'' and ``Instructions'').
Written/Paper Submissions
Submit written/paper submissions as follows:
• Mail/Hand Delivery/Courier (for written/paper
submissions): Dockets Management Staff (HFA-305), Food and Drug
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
• For written/paper comments submitted to the Dockets
Management Staff, FDA will post your comment, as well as any
attachments, except for information submitted, marked and identified,
as confidential, if submitted as detailed in ``Instructions.''
Instructions: All submissions received must include the Docket No.
FDA-2021-D-1158 for ``Cybersecurity in Medical Devices: Quality System
Considerations and Content of Premarket Submissions.'' Received
comments will be placed in the docket and, except for those submitted
as ``Confidential Submissions,'' publicly viewable at https://www.regulations.gov or at the Dockets Management Staff between 9 a.m.
and 4 p.m., Monday through Friday, 240-402-7500.
• Confidential Submissions--To submit a comment with
confidential information that you do not wish to be made publicly
available, submit your comments only as a written/paper submission. You
should submit two copies total. One copy will include the information
you claim to be confidential with a heading or cover note that states
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will
review this copy, including the claimed confidential information, in
its consideration of comments. The second copy, which will have the
claimed confidential information redacted/blacked out, will be
available for public viewing and posted on https://www.regulations.gov.
Submit both copies to the Dockets Management Staff. If you do not wish
your name and contact information to be made publicly available, you
can provide this information on the cover sheet and not in the body of
your comments and you must identify this information as
``confidential.'' Any information marked as ``confidential'' will not
be disclosed except in accordance with 21 CFR 10.20 and other
applicable disclosure law. For more information about FDA's posting of
comments to public dockets, see 80 FR 56469, September 18, 2015, or
access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
Docket: For access to the docket to read background documents or
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in
the heading of this document, into the ``Search'' box and follow the
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane,
Rm. 1061, Rockville, MD 20852, 240-402-7500.
You may submit comments on any guidance at any time (see 21 CFR
10.115(g)(5)).
An electronic copy of the guidance document is available for
download from the internet. See the SUPPLEMENTARY INFORMATION section
for information on electronic access to the guidance. Submit written
requests for a single hard copy of the guidance document entitled
``Cybersecurity in Medical Devices: Quality System Considerations and
Content of Premarket Submissions'' to the Office of Policy, Center for
Devices and Radiological Health, Food and Drug Administration, 10903
New Hampshire Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 20993-0002.
Send one self-addressed adhesive label to assist that office in
processing your request.
FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices
and Radiological Health, Food and Drug Administration, 10903 New
Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002,
301-796-6937; or Anne Taylor, Center for Biologics Evaluation and Research,
Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm.
7301, Silver Spring, MD 20993, 240-402-7911.
SUPPLEMENTARY INFORMATION:
I. Background
With the increasing integration of wireless, internet- and
network-connected capabilities, portable media (e.g., USB or CD), and the
frequent electronic exchange of medical device-related health
information and other information, the need for robust cybersecurity
controls to ensure medical device safety and effectiveness has become
more important. In addition, cybersecurity threats to the healthcare
sector have become more frequent and more severe, carrying increased
potential for clinical impact. Cybersecurity incidents have rendered
medical devices and hospital networks inoperable, disrupting the
delivery of patient care across healthcare facilities in the United
States and globally. Such cyberattacks and exploits may lead to patient
harm as a result of clinical hazards, such as delay in diagnoses and/or
treatment. As a result, ensuring device safety and effectiveness
includes adequate device cybersecurity, as well as its security as part
of the larger system.
Additionally, section 3305 of the Consolidated Appropriations Act,
2023, enacted on December 29, 2022, added section 524B ``Ensuring
Cybersecurity of Medical Devices'' to the Federal Food, Drug, and
Cosmetic Act (FD&C Act). Under section 524B(a) of the FD&C Act, a
person who submits a 510(k), premarket approval application (PMA),
product development protocol, De Novo, or Humanitarian Device Exemption
for a device that meets the definition of a cyber device, as defined
under section 524B(c) of the FD&C Act, is required to submit
information to ensure that cyber devices meet the cybersecurity
requirements under section 524B(b) of the FD&C Act. Section 524B(c) of
the FD&C Act defines ``cyber device'' as a device that includes
software validated, installed, or authorized by the sponsor as a device
or in a device; has the ability to connect to the internet; and
contains any such technological characteristics validated, installed,
or authorized by the sponsor that could be vulnerable to cybersecurity
threats. The recommendations in this guidance are intended to help
manufacturers meet their obligations under section 524B of the FD&C
Act.
This final guidance supersedes the final guidance ``Content of
Premarket Submissions for Management of Cybersecurity in Medical Devices,''
issued October 2, 2014. The changes since the 2014 guidance are
intended to further emphasize the importance of ensuring that devices
are designed securely and are designed to be capable of mitigating
emerging cybersecurity risks throughout the total product lifecycle
(TPLC), and to clearly outline FDA's recommendations for premarket
submission information to address cybersecurity concerns. As discussed
in the guidance, one way these TPLC considerations for devices can be
achieved is through the implementation and adoption of the Secure
Product Development Framework. The recommendations in this guidance are
intended to promote consistency, facilitate efficient premarket review,
and help ensure that marketed medical devices are sufficiently
resilient to cybersecurity threats.
A notice of availability of the draft guidance appeared in the
Federal Register of April 8, 2022 (87 FR 20873). FDA considered
comments received and revised the guidance as appropriate in response
to the comments, including aligning with industry best practices, as
well as further clarifying the level of documentation recommended.
Additionally, we have clarified interoperability considerations and
that cybersecurity controls should not be intended to prohibit a user
from accessing their device data.
This guidance is being issued consistent with FDA's good guidance
practices regulation (21 CFR 10.115). The guidance represents the
current thinking of FDA on ``Cybersecurity in Medical Devices: Quality
System Considerations and Content of Premarket Submissions.'' It does
not establish any rights for any person and is not binding on FDA or
the public. You can use an alternative approach if it satisfies the
requirements of the applicable statutes and regulations.
II. Electronic Access
Persons interested in obtaining a copy of the guidance may do so by
downloading an electronic copy from the internet. A search capability
for all Center for Devices and Radiological Health guidance documents
is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This guidance document is also
available at https://www.regulations.gov, https://www.fda.gov/regulatory-information/search-fda-guidance-documents or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics. Persons unable to download an electronic copy of
``Cybersecurity in Medical Devices: Quality System Considerations and
Content of Premarket Submissions'' may send an email request to CDRH-Guidance@fda.hhs.gov to receive an electronic copy of the document.
Please use the document number GUI00001825 and complete title to
identify the guidance you are requesting.
III. Paperwork Reduction Act of 1995
While this guidance contains no new collection of information, it
does refer to previously approved FDA collections of information. The
previously approved collections of information are subject to review by
the Office of Management and Budget under the Paperwork Reduction Act
of 1995. The collections of information in the following FDA
regulations, guidance, and forms have been approved by OMB as listed in
the following table:
------------------------------------------------------------------------
21 CFR part or guidance | Topic | OMB Control No.
------------------------------------------------------------------------
807, subpart E | Premarket notification | 0910-0120
814, subparts A through E | Premarket approval | 0910-0231
814, subpart H | Humanitarian Use Devices; Humanitarian Device Exemption | 0910-0332
812 | Investigational Device Exemption | 0910-0078
860, subpart D | De Novo classification process | 0910-0844
``Requests for Feedback and Meetings for Medical Device Submissions: The Q-Submission Program'' | Q-Submissions and early payor feedback request programs for medical devices | 0910-0756
800, 801, 809, and 830 | Medical device labeling regulations; Unique device identification | 0910-0485
820 | Current good manufacturing practice (CGMP); Quality system (QS) regulation | 0910-0073
------------------------------------------------------------------------
Dated: September 21, 2023.
Lauren K. Roth,
Associate Commissioner for Policy.
[FR Doc. 2023-20955 Filed 9-26-23; 8:45 am]
BILLING CODE 4164-01-P