[Federal Register Volume 88, Number 61 (Thursday, March 30, 2023)]
[Notices]
[Pages 19148-19150]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-06646]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

[Docket No. FDA-2023-D-1030]


Cybersecurity in Medical Devices: Refuse To Accept Policy for 
Cyber Devices and Related Systems Under Section 524B of the FD&C Act; 
Guidance for Industry and Food and Drug Administration Staff; 
Availability

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA, Agency, or we) is 
announcing the availability of a final guidance entitled 
``Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber 
Devices and Related Systems Under section 524B of the FD&C Act of the 
FD&C Act.'' FDA generally intends not to issue ``refuse to accept'' 
(RTA) decisions for premarket submissions submitted for cyber devices 
based solely on information required by the new amendments to the FD&C 
Act for ensuring cybersecurity of devices before October 1, 2023, but 
instead, work collaboratively with sponsors of such premarket 
submissions as part of the interactive and/or deficiency review 
process.

DATES: The announcement of the guidance is published in the Federal 
Register on March 30, 2023.

ADDRESSES: You may submit either electronic or written comments on

[[Page 19149]]

Agency guidances at any time as follows:

Electronic Submissions

    Submit electronic comments in the following way:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Comments submitted 
electronically, including attachments, to https://www.regulations.gov 
will be posted to the docket unchanged. Because your comment will be 
made public, you are solely responsible for ensuring that your comment 
does not include any confidential information that you or a third party 
may not wish to be posted, such as medical information, your or anyone 
else's Social Security number, or confidential business information, 
such as a manufacturing process. Please note that if you include your 
name, contact information, or other information that identifies you in 
the body of your comments, that information will be posted on https://www.regulations.gov.
     If you want to submit a comment with confidential 
information that you do not wish to be made available to the public, 
submit the comment as a written/paper submission and in the manner 
detailed (see ``Written/Paper Submissions'' and ``Instructions'').

Written/Paper Submissions

    Submit written/paper submissions as follows:
     Mail/Hand Delivery/Courier (for written/paper 
submissions): Dockets Management Staff (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
     For written/paper comments submitted to the Dockets 
Management Staff, FDA will post your comment, as well as any 
attachments, except for information submitted, marked and identified, 
as confidential, if submitted as detailed in ``Instructions.''
    Instructions: All submissions received must include the Docket No. 
FDA-2023-D-1030 for ``Cybersecurity in Medical Devices: Refuse to 
Accept Policy for Cyber Devices and Related Systems Under Section 524B 
of the FD&C Act.'' Received comments will be placed in the docket and, 
except for those submitted as ``Confidential Submissions,'' publicly 
viewable at https://www.regulations.gov or at the Dockets Management 
Staff between 9 a.m. and 4 p.m., Monday through Friday, 240-402-7500.
     Confidential Submissions--To submit a comment with 
confidential information that you do not wish to be made publicly 
available, submit your comments only as a written/paper submission. You 
should submit two copies total. One copy will include the information 
you claim to be confidential with a heading or cover note that states 
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will 
review this copy, including the claimed confidential information, in 
its consideration of comments. The second copy, which will have the 
claimed confidential information redacted/blacked out, will be 
available for public viewing and posted on https://www.regulations.gov. 
Submit both copies to the Dockets Management Staff. If you do not wish 
your name and contact information to be made publicly available, you 
can provide this information on the cover sheet and not in the body of 
your comments and you must identify this information as 
``confidential.'' Any information marked as ``confidential'' will not 
be disclosed except in accordance with 21 CFR 10.20 and other 
applicable disclosure law. For more information about FDA's posting of 
comments to public dockets, see 80 FR 56469, September 18, 2015, or 
access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
    Docket: For access to the docket to read background documents or 
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in 
the heading of this document, into the ``Search'' box and follow the 
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, 
Rm. 1061, Rockville, MD 20852, 240-402-7500.
    You may submit comments on any guidance at any time (see 21 CFR 
10.115(g)(5)).
    An electronic copy of the guidance document is available for 
download from the internet. See the SUPPLEMENTARY INFORMATION section 
for information on electronic access to the guidance. Submit written 
requests for a single hard copy of the guidance document entitled 
``Cybersecurity in Medical Devices Refuse to Accept Policy for Cyber 
Devices and Related Systems Under Section 524B of the FD&C Act'' to the 
Office of Policy, Center for Devices and Radiological Health, Food and 
Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5431, 
Silver Spring, MD 20993-0002. Send one self-addressed adhesive label to 
assist that office in processing your request.

FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices 
and Radiological Health, Food and Drug Administration, 10903 New 
Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 301-
796-6937 or Diane Maloney, Center for Biologics Evaluation and 
Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 
71, Rm. 7301, Silver Spring, MD 20993, 240-402-8113.

SUPPLEMENTARY INFORMATION:

I. Background

    On December 29, 2022, the Consolidated Appropriations Act, 2023 
(``Omnibus'') was signed into law. Section 3305 of the Omnibus--
``Ensuring Cybersecurity of Medical Devices''--amended the Federal 
Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, 
Ensuring Cybersecurity of Devices. The Omnibus states that the 
amendments to the FD&C Act shall take effect 90 days after the 
enactment of the Consolidated Appropriations Act on March 29, 2023. As 
provided by the Omnibus, the cybersecurity requirements do not apply to 
an application or submission submitted to FDA before March 29, 2023.
    FDA generally intends not to issue RTA decisions for premarket 
submissions submitted for cyber devices based solely on information 
required by section 524B of the FD&C Act before October 1, 2023, but 
instead, work collaboratively with sponsors of such premarket 
submissions as part of the interactive and/or deficiency review 
process. Beginning October 1, 2023, FDA expects that such sponsors will 
have had sufficient time to prepare premarket submissions that contain 
information required by section 524B of the FD&C Act, and FDA may RTA 
premarket submissions that do not.
    We are implementing this guidance without prior public comment 
because the Agency has determined that prior public participation is 
not feasible or appropriate (see section 701(h)(1)(C) of the Federal 
Food, Drug, and Cosmetic Act (21 U.S.C. 371(h)(1)(C)) and Sec.  10.115 
(21 CFR 10.115(g)(2))). We made this determination because it is not 
feasible to obtain public comment prior to the 90-day statutory 
timeframe for the effective date of section 524B of the FD&C Act. This 
provision establishes new cybersecurity requirements for cyber devices, 
which includes information that a sponsor of a premarket submission for 
a cyber device must provide in its submission. This guidance 
communicates the Agency's policy regarding RTA decisions for premarket 
submissions submitted for such cyber devices, which is important to 
communicate before the effective date

[[Page 19150]]

of the statutory provision, which is March 29, 2023. Although this 
policy is being implemented immediately without prior comment, FDA will 
consider all comments received and revise the guidance document as 
appropriate.
    This guidance is being issued consistent with FDA's good guidance 
practices regulation (Sec.  10.115). The guidance represents the 
current thinking of FDA on ``Cybersecurity in Medical Devices: Refuse 
to Accept Policy for Cyber Devices and Related Systems Under Section 
524B of the FD&C Act.'' It does not establish any rights for any person 
and is not binding on FDA or the public. You can use an alternative 
approach if it satisfies the requirements of the applicable statutes 
and regulations.

II. Electronic Access

    Persons interested in obtaining a copy of the guidance may do so by 
downloading an electronic copy from the internet. A search capability 
for all Center for Devices and Radiological Health guidance documents 
is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This guidance document is also 
available at https://www.regulations.gov, https://www.fda.gov/regulatory-information/search-fda-guidance-documents, or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics. Persons unable to download an electronic copy of 
``Cybersecurity in Medical Devices: Premarket Submission Considerations 
for Cyber Devices and Related Systems Under Section 524B of the FD&C 
Act'' may send an email request to [email protected] to receive 
an electronic copy of the document. Please use the document number 
GUI00007021 and complete title to identify the guidance you are 
requesting.

III. Paperwork Reduction Act of 1995

    While this guidance contains no new collection of information, it 
does refer to previously approved FDA collections of information. 
Therefore, clearance by the Office of Management and Budget (OMB) under 
the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501-3521) is not 
required for this guidance. The previously approved collections of 
information are subject to review by OMB under the PRA. The collections 
of information in the following FDA regulations and guidance have been 
approved by OMB as listed in the following table:

------------------------------------------------------------------------
                                                            OMB control
    21 CFR part or guidance               Topic                 No.
------------------------------------------------------------------------
807, subpart E.................  Premarket notification.       0910-0120
814, subparts A through E......  Premarket approval.....       0910-0231
814, subpart H.................  Humanitarian Device           0910-0332
                                  Exemption.
860, subpart D.................  De Novo classification        0910-0844
                                  process.
``Requests for Feedback and      Q-submissions..........       0910-0756
 Meetings for Medical Device
 Submissions: The Q-Submission
 Program''.
------------------------------------------------------------------------


    Dated: March 27, 2023.
Lauren K. Roth,
Associate Commissioner for Policy.
[FR Doc. 2023-06646 Filed 3-29-23; 8:45 am]
BILLING CODE 4164-01-P