117 S3983 IS: PATCH Act
U.S. Senate
2022-03-31
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.This Act may be cited as the PATCH Act
.2.Ensuring cybersecurity of medical devices(a)Subchapter A of chapter V of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351 et seq.) is amended by adding at the end the following:524B.Ensuring cybersecurity of devices(a)For purposes of ensuring cybersecurity throughout the lifecycle of a cyber device, any person who submits a premarket submission for the cyber device shall include such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness, including at a minimum the cybersecurity requirements under subsection (b). The Secretary may establish exemptions to the requirements under this subsection. (b)Cybersecurity requirementsAt a minimum, the manufacturer of a cyber device shall meet the following cybersecurity requirements:(1)The manufacturer shall have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits.(2)The manufacturer shall—(A)have a plan and procedures for a Coordinated Vulnerability Disclosure to be part of submissions to the Food and Drug Administration; and(B)collect and maintain such other information as the Secretary may (by order published in the Federal Register or by other process) require to demonstrate a reasonable assurance of the safety and effectiveness of the cyber device.(3)The manufacturer shall design, develop, and maintain processes and procedures to make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device to address—(A)on a reasonably justified regular cycle, known unacceptable vulnerabilities; and(B)as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.(4)The manufacturer shall furnish to the Secretary a software bill of materials, including commercial, open-sourced, and off-the-shelf software components that will be provided to users.(c)In making a determination of substantial equivalence under section 513(i) for a cyber device, the Secretary may—(1)find that cybersecurity information for the cyber device described in the relevant premarket submission in the cyber device’s use environment is inadequate; and(2)issue a nonsubstantial equivalence determination based on this finding.(d)In this section:(1)The term cyber device means a device that—(A)includes software; or(B)is intended to connect to the internet.(2)The term lifecycle of the cyber device includes the postmarket lifecycle of the cyber device.(3)The term premarket submission means any submission under section 510(k), 513, 515(c), 515(f), or 520(m)..(b)Section 301(q) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 331(q)) is amended by adding at the end the following:(3)The failure to comply with any requirement under section 524B (relating to ensuring the cybersecurity)..(c)Section 501 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351) is amended by adding at the end the following:(k)If it is a device with respect to which the sponsor is in violation of section 524B (relating to ensuring cybersecurity)..(d)Section 502(t) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 352(t)) is amended—(1)by striking or (3)
and inserting (3)
; and(2)by inserting before the period at the end the following: , or (4) to furnish a software bill of materials as required under section 524B (relating to ensuring the cybersecurity)
.