[Federal Register Volume 87, Number 68 (Friday, April 8, 2022)]
[Notices]
[Pages 20873-20875]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-07614]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

[Docket No. FDA-2021-D-1158]


Cybersecurity in Medical Devices: Quality System Considerations 
and Content of Premarket Submissions; Draft Guidance for Industry and 
Food and Drug Administration Staff; Availability

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing 
the availability of the draft guidance entitled ``Cybersecurity in 
Medical Devices: Quality System Considerations and Content of Premarket 
Submissions.'' As more medical devices are becoming interconnected, 
cybersecurity threats have become more numerous, more frequent, more 
severe, and more clinically impactful. As a result, ensuring medical 
device safety and effectiveness includes adequate medical device 
cybersecurity, as well as its security as part of the larger system. In 
2018, FDA proposed updates to the final guidance, ``Content of 
Premarket Submissions for Management of Cybersecurity in Medical 
Devices,'' and issued a draft guidance of the same name. This draft 
guidance replaces the 2018 draft guidance. This draft guidance is 
intended to further emphasize the importance of ensuring that devices 
are designed securely, are designed to be capable of mitigating 
emerging cybersecurity risks throughout the Total Product Life Cycle, 
and to clearly outline FDA's recommendations for premarket submission 
content to address cybersecurity concerns. This draft guidance is not 
final nor is it for implementation at this time.

DATES: Submit either electronic or written comments on the draft 
guidance by July 7, 2022 to ensure that the Agency considers your 
comment on this draft guidance before it begins work on the final 
version of the guidance.

ADDRESSES: You may submit comments on any guidance at any time as 
follows:

Electronic Submissions

    Submit electronic comments in the following way:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Comments submitted 
electronically, including attachments, to https://www.regulations.gov 
will be posted to 
the docket unchanged. Because your comment will be made public, you are 
solely responsible for ensuring that your comment does not include any 
confidential information that you or a third party may not wish to be 
posted, such as medical information, your or anyone else's Social 
Security number, or confidential business information, such as a 
manufacturing process. Please note that if you include your name, 
contact information, or other information that identifies you in the 
body of your comments, that information will be posted on https://www.regulations.gov.
     If you want to submit a comment with confidential 
information that you do not wish to be made available to the public, 
submit the comment as a written/paper submission and in the manner 
detailed (see ``Written/Paper Submissions'' and ``Instructions'').

Written/Paper Submissions

    Submit written/paper submissions as follows:
     Mail/Hand Delivery/Courier (for written/paper 
submissions): Dockets Management Staff (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
     For written/paper comments submitted to the Dockets 
Management Staff, FDA will post your comment, as well as any 
attachments, except for information submitted, marked and identified, 
as confidential, if submitted as detailed in ``Instructions.''
    Instructions: All submissions received must include the Docket No. 
FDA-2021-D-1158 for ``Cybersecurity in Medical Devices: Quality System 
Considerations and Content of Premarket Submissions.'' Received 
comments will be placed in the docket and, except for those submitted 
as ``Confidential Submissions,'' publicly viewable at https://www.regulations.gov or at the Dockets Management Staff between 9 a.m. 
and 4 p.m., Monday through Friday, 240-402-7500.
     Confidential Submissions--To submit a comment with 
confidential information that you do not wish to be made publicly 
available, submit your comments only as a written/paper submission. You 
should submit two copies total. One copy will include the information 
you claim to be confidential with a heading or cover note that states 
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will 
review this copy, including the claimed confidential information, in 
its consideration of comments. The second copy, which will have the 
claimed confidential information redacted/blacked out, will be 
available for public viewing and posted on https://www.regulations.gov. 
Submit both copies to the Dockets Management Staff. If you do not wish 
your name and contact information to be made publicly available, you 
can provide this information on the cover sheet and not in the body of 
your comments and you must identify this information as 
``confidential.'' Any information marked as ``confidential'' will not 
be disclosed except in accordance with 21 CFR 10.20 and other 
applicable disclosure law. For more information about FDA's posting of 
comments to public dockets, see 80 FR 56469, September 18, 2015, or 
access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
    Docket: For access to the docket to read background documents or 
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in 
the heading of this document, into the ``Search'' box and follow the 
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, 
Rm. 1061, Rockville, MD 20852, 240-402-7500.
    You may submit comments on any guidance at any time (see 21 CFR 
10.115(g)(5)).
    An electronic copy of the guidance document is available for 
download from the internet. See the SUPPLEMENTARY INFORMATION section 
for information on electronic access to the guidance. Submit written 
requests for a single hard copy of the draft guidance document entitled 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions'' to the Office of Policy, Guidance 
and Policy Development, Center for Devices and Radiological Health, 
Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 
5431, Silver Spring, MD 20993-0002 or the Office of Communication, 
Outreach and Development, Center for Biologics Evaluation and Research 
(CBER), Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 
71, Rm. 3128, Silver Spring, MD 20993-0002. Send one self-addressed 
adhesive label to assist that office in processing your request.

FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices 
and Radiological Health, Food and Drug Administration, 10903 New 
Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 
301-796-6937; or Stephen Ripley, Center for Biologics Evaluation and 
Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 
71, Rm. 7301, Silver Spring, MD 20993, 240-402-7911.

SUPPLEMENTARY INFORMATION:

I. Background

    The need for effective cybersecurity to reasonably ensure medical 
device safety and effectiveness has become more important with the 
increasing use of wireless, internet- and network-connected devices, 
portable media (e.g., USB or CD), and the frequent electronic exchange 
of medical device-related health information. In addition, 
cybersecurity threats to the healthcare sector have become more 
frequent, more severe, and carry increased potential for clinical 
impact. Cybersecurity incidents have rendered medical devices and 
hospital networks inoperable, disrupting the delivery of patient care 
across healthcare facilities in the United States and globally. Such 
cyber attacks and exploits can delay diagnoses and/or treatment and may 
lead to patient harm.
    Although FDA issued guidance providing recommendations for device 
cybersecurity information in premarket submissions in 2014,\1\ the 
rapidly evolving landscape, and the increased understanding of the 
threats and their potential mitigations, necessitate an updated 
approach. As such, FDA issued a draft guidance in 2018 entitled 
``Content of Premarket Submissions for Management of Cybersecurity in 
Medical Devices.''
---------------------------------------------------------------------------

    \1\ Content of Premarket Submissions for Management of 
Cybersecurity in Medical Devices--Guidance for Industry and Food and 
Drug Administration Staff at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/content-premarket-submissions-management-cybersecurity-medical-devices-0.
---------------------------------------------------------------------------

    Given the rapidly evolving device cybersecurity landscape, FDA is 
issuing this draft guidance, which replaces the 2018 draft guidance, to 
further emphasize the importance of ensuring that devices are designed 
securely, are designed to be capable of mitigating emerging 
cybersecurity risks throughout the Total Product Life Cycle, and to 
clearly outline FDA's recommendations for premarket submission content 
to address cybersecurity concerns, including device labeling. These 
recommendations can facilitate an efficient premarket review process 
and help ensure that marketed medical devices are sufficiently 
resilient to cybersecurity threats.
    This draft guidance supplants the draft guidance entitled, 
``Content of Premarket Submissions for Management of Cybersecurity in 
Medical Devices'' issued October 18, 2018, and takes into consideration 
comments received on the 2018 draft guidance (83 FR 52835; 
https://www.govinfo.gov/content/pkg/FR-2018-10-18/pdf/2018-22697.pdf) 
and input gained from the public workshop entitled, ``Content of 
Premarket Submissions for Management of Cybersecurity in Medical 
Devices'' held on January 29-30, 2019.\2\ Several changes were made in 
this draft guidance, including a change in title to better capture the 
scope of the current draft guidance, document structure change to align 
with use of a Secure Product Framework, removal of risk tiers, 
replacement of the Cybersecurity Bill of Materials with Software Bill 
of Materials, additional clarification regarding premarket submission 
document requests throughout the draft guidance, and addition of 
Investigational Device Exemptions to the scope.
---------------------------------------------------------------------------

    \2\ https://wayback.archive-it.org/7993/20201222110245/https://www.fda.gov/medical-devices/workshops-conferences-medical-devices/public-workshop-content-premarket-submissions-management-cybersecurity-medical-devices-january-29-30.
---------------------------------------------------------------------------

    This draft guidance is being issued consistent with FDA's good 
guidance practices regulation (21 CFR 10.115). The draft guidance, when 
finalized, will represent the current thinking of FDA on 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions.'' It does not establish any rights 
for any person and is not binding on FDA or the public. You can use an 
alternative approach if it satisfies the requirements of the applicable 
statutes and regulations.

II. Electronic Access

    Persons interested in obtaining a copy of the draft guidance may do 
so by downloading an electronic copy from the internet. A search 
capability for all Center for Devices and Radiological Health guidance 
documents is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This draft guidance is also 
available at https://www.regulations.gov and at https://www.fda.gov/regulatory-information/search-fda-guidance-documents or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics/biologics-guidances. Persons unable to download 
an electronic copy of ``Cybersecurity in Medical Devices: Quality 
System Considerations and Content of Premarket Submissions'' may send 
an email request to [email protected] to receive an electronic 
copy of the document. Please use the document number 1825-R1 and 
complete title to identify the guidance you are requesting.

III. Paperwork Reduction Act of 1995

    While this guidance contains no collection of information, it does 
refer to previously approved FDA collections of information. Therefore, 
clearance by the Office of Management and Budget (OMB) under the 
Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501-3521) is not 
required for this guidance. The previously approved collections of 
information are subject to review by OMB under the PRA. The collections 
of information in the following FDA regulations, guidance, and forms 
have been approved by OMB as listed in the following table:

------------------------------------------------------------------------
                                                            OMB control
    21 CFR part or guidance               Topic                 No.
------------------------------------------------------------------------
807, subpart E.................  Premarket notification.       0910-0120
814, subparts A through E......  Premarket approval.....       0910-0231
814, subpart H.................  Humanitarian Device           0910-0332
                                  Exemption.
812............................  Investigational Device        0910-0078
                                  Exemption.
860, subpart D.................  De Novo classification        0910-0844
                                  process.
``Requests for Feedback on       Q-submissions..........       0910-0756
 Medical Device Submissions:
 The Pre-Submission Program and
 Meetings with Food and Drug
 Administration Staff''.
800, 801, and 809..............  Medical Device Labeling       0910-0485
                                  Regulations.
820............................  Current Good                  0910-0073
                                  Manufacturing Practice
                                  (CGMP); Quality System
                                  (QS) Regulation.
------------------------------------------------------------------------


    Dated: April 5, 2022.
Lauren K. Roth,
Associate Commissioner for Policy.
[FR Doc. 2022-07614 Filed 4-7-22; 8:45 am]
BILLING CODE 4164-01-P