Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)

This page provides answers to frequently asked questions (FAQs) related to cybersecurity in medical devices.

On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus—"Ensuring Cybersecurity of Medical Devices"—amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. The information provided on this page may be useful for sponsors in preparing their premarket submissions.

Q1: Who is required to comply with section 524B of the FD&C Act? What types of premarket submissions does this apply to?

A: Under section 524B(a) of the FD&C Act, a person who submits a premarket application or submission— including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE)— for a device that meets the definition of a cyber device, as defined under section 524B(c), is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b). This includes Special and Abbreviated 510(k) applications as well as PMA and HDE supplements.

Q2: What is a cyber device?

A: Section 524B(c) of the FD&C Act defines "cyber device" as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats. If manufacturers are unsure as to whether their device is a cyber device, they may contact the FDA.

Q3: Does this law only apply to future medical devices, rather than retroactively?

A: As provided by the Omnibus, the cybersecurity requirements do not apply to an application or submission submitted to the Food and Drug Administration (FDA) before March 29, 2023. If a cyber device was previously authorized, and the manufacturer is making a change to the device that requires premarket review by the agency, the law would apply for the new premarket submission.

Q4: What requirements apply to manufacturers of cyber devices under section 524B of the FD&C Act?

A: Section 524B(a) of the FD&C Act provides that the sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in section 524B(b) of the FD&C Act. The requirements in section 524B(b) of the FD&C Act are:

Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components

The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure. See FAQs 6 through 9 for additional details on ways manufacturers might demonstrate that their devices are cybersecure.

Q5: When do manufacturers of cyber devices have to submit the information described in section 524B?

A: Manufacturers of cyber devices are required to submit this information starting March 29, 2023, in premarket submissions including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE). This includes Abbreviated and Special 510(k) submissions and PMA/HDE supplements. Premarket submissions that were received prior to March 29, 2023, and are under review or currently on hold are not subject to these requirements.

The Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions final guidance does not supersede the previously issued guidance Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems, however, the policy in the latter guidance expired on October 1, 2023. Beginning October 1, 2023, the FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act.

Additionally, as part of the FDA’s efforts to modernize the 510(k) Program and implement MDUFA V, starting October 1, 2023, all 510(k) submissions, unless exempted, must be submitted as electronic submissions using eSTAR, as noted in the Electronic Submission Template for Medical Device 510(k) Submissions final guidance. For eSTAR submissions, an eSTAR will be put on a Technical Screening hold if it does not contain accurate responses and relevant attachments in the Cybersecurity section of eSTAR.

Q6: Section 524B(b)(1) of the FD&C Act requires manufacturers of cyber devices to submit plans to manage vulnerabilities and exploits as part of their premarket submissions. What resources are available to manufacturers?

A: : The 2023 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions and the 2016 guidance Postmarket Management of Cybersecurity in Medical Devices describe recommendations for managing cybersecurity after the device has been introduced into the market.

Q7: Section 524B(b)(2) of the FD&C Act requires, among other aspects, that manufacturers of cyber devices design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure. What resources are available to manufacturers?

A: The 2023 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions provides recommendations on cybersecurity considerations for devices and provides recommendations for documentation in device premarket submissions that may help manufacturers meet their obligations with the 524B(b)(2) requirements.

Q8: Section 524B(b)(2) of the FD&C Act also requires manufacturers of cyber devices to make available postmarket updates and patches to the device and related systems to address vulnerabilities. What resources are available to manufacturers?

A: The 2023 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions discusses throughout plans for patches and updates across the total product life cycle (TPLC). The 2016 guidance "Postmarket Management of Cybersecurity in Medical Devices" discusses cybersecurity routine updates and patches and describes patching in the context of remediating cybersecurity vulnerabilities.

Q9: Section 524B(b)(3) of the FD&C Act requires that manufacturers of cyber devices provide a software bill of materials (SBOM) for the commercial, open-source, and off-the-shelf software components contained within the device. What resources are available to manufacturers?

A: The 2023 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions discusses SBOMs in Section V.A.4(b). Additional information about SBOMs can be found in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM).