Federal Register, Volume 89 Issue 50 (Wednesday, March 13, 2024)

[Federal Register Volume 89, Number 50 (Wednesday, March 13, 2024)]
[Notices]
[Pages 18421-18423]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-05295]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

[Docket No. FDA-2021-D-1158]


Select Updates for the Premarket Cybersecurity Guidance: Section 
524B of the Federal Food, Drug, and Cosmetic Act; Draft Guidance for 
Industry and Food and Drug Administration Staff; Availability

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing 
the availability of the draft guidance entitled ``Select Updates for 
the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act.'' 
This draft guidance proposes select updates to the final guidance 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions.'' This draft guidance, when 
finalized, will identify the information FDA generally considers to be 
necessary for cyber devices to support obligations under the new 
amendments to the Federal Food, Drug, and Cosmetic Act (FD&C Act) for 
ensuring cybersecurity of devices. This draft guidance is not final nor 
is it for implementation at this time.

DATES: Submit either electronic or written comments on the draft 
guidance by May 13, 2024 to ensure that the Agency considers your 
comment on this draft guidance before it begins work on the final 
version of the guidance.

ADDRESSES: You may submit comments on any guidance at any time as 
follows:

Electronic Submissions

    Submit electronic comments in the following way:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Comments submitted 
electronically, including attachments, to https://www.regulations.gov 
will be posted to the docket unchanged. Because your comment will be 
made public, you are solely responsible for ensuring that your comment 
does not include any confidential information that you or a third party 
may not wish to be posted, such as medical information, your or anyone 
else's Social Security number, or confidential business information, 
such as a manufacturing process. Please note that if you include your 
name, contact information, or other information that identifies you in 
the body of your comments, that information will be posted on https://www.regulations.gov.
     If you want to submit a comment with confidential 
information that you do not wish to be made available to the public, 
submit the comment as a written/paper submission and in the manner 
detailed (see ``Written/Paper Submissions'' and ``Instructions'').

Written/Paper Submissions

    Submit written/paper submissions as follows:
     Mail/Hand Delivery/Courier (for written/paper 
submissions): Dockets Management Staff (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
     For written/paper comments submitted to the Dockets 
Management Staff, FDA will post your comment, as well as any 
attachments, except for information submitted, marked and identified, 
as confidential, if submitted as detailed in ``Instructions.''
    Instructions: All submissions received must include the Docket No. 
FDA-2021-D-1158 for ``Select Updates for the Premarket Cybersecurity 
Guidance: Section 524B of the FD&C Act.'' Received comments will be 
placed in the docket and, except for those submitted as ``Confidential 
Submissions,'' publicly viewable at https://www.regulations.gov or at 
the Dockets Management Staff between 9 a.m. and 4 p.m., Monday through 
Friday, 240-402-7500.
     Confidential Submissions--To submit a comment with 
confidential information that you do not wish to be made publicly 
available, submit your comments only as a written/paper submission. You 
should submit two copies total. One copy will include the information 
you claim to be confidential with a heading or cover note that states 
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will 
review this copy, including the claimed confidential information, in 
its consideration of comments. The second copy, which will have the 
claimed confidential information redacted/blacked out, will be 
available for public viewing and posted on https://www.regulations.gov. 
Submit both copies to the Dockets Management Staff. If you do not wish 
your name and contact information to be made publicly available, you 
can provide this information on the cover sheet and not in the body of 
your comments and you

[[Page 18422]]

must identify this information as ``confidential.'' Any information 
marked as ``confidential'' will not be disclosed except in accordance 
with 21 CFR 10.20 and other applicable disclosure law. For more 
information about FDA's posting of comments to public dockets, see 80 
FR 56469, September 18, 2015, or access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
    Docket: For access to the docket to read background documents or 
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in 
the heading of this document, into the ``Search'' box and follow the 
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, 
Rm. 1061, Rockville, MD 20852, 240-402-7500.
    You may submit comments on any guidance at any time (see 21 CFR 
10.115(g)(5)).
    An electronic copy of the guidance document is available for 
download from the internet. See the SUPPLEMENTARY INFORMATION section 
for information on electronic access to the guidance. Submit written 
requests for a single hard copy of the draft guidance document entitled 
``Select Updates for the Premarket Cybersecurity Guidance: Section 524B 
of the FD&C Act'' to the Office of Policy, Center for Devices and 
Radiological Health, Food and Drug Administration, 10903 New Hampshire 
Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 20993-0002. Send one self-
addressed adhesive label to assist that office in processing your 
request.

FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices 
and Radiological Health, Food and Drug Administration, 10903 New 
Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 301-
796-6937; or James Myers, Center for Biologics Evaluation and Research, 
Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 
7301, Silver Spring, MD 20993, 240-402-7911.

SUPPLEMENTARY INFORMATION:

I. Background

    Section 3305 of the Food and Drug Omnibus Reform Act of 2022 
(FDORA), enacted on December 29, 2022, added section 524B ``Ensuring 
Cybersecurity of Medical Devices'' to the FD&C Act. Under section 
524B(a) of the FD&C Act (21 U.S.C. 360n-2(a)), a person who submits a 
510(k), premarket approval application (PMA), product development 
protocol (PDP), De Novo, or humanitarian device exemption (HDE) for a 
device that meets the definition of a cyber device, as defined under 
section 524B(c) of the FD&C Act, is required to submit information to 
ensure that cyber devices meet the cybersecurity requirements under 
section 524B(b) of the FD&C Act.
    FDA is proposing to selectively update the final guidance 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions.'' This draft guidance, when 
finalized, will identify the information FDA generally considers to be 
necessary to support obligations under section 524B of the FD&C Act. 
Specifically, this draft guidance discusses who is required to comply 
with section 524B, the devices subject to section 524B, and the 
documentation recommendations for applicable premarket submissions. 
Additionally, FDA provides recommendations regarding premarket 
submissions for changes to cyber devices that had been previously 
authorized by FDA through 510(k), De Novo, HDE, PDP, and PMA submission 
pathways, and that require premarket submission. This draft guidance 
also discusses FDA's review of whether there is a reasonable assurance 
that the device and related systems are cybersecure for marketing 
authorizations submitted for cyber devices.
    This draft guidance is being issued consistent with FDA's good 
guidance practices regulation (21 CFR 10.115). The draft guidance, when 
finalized, will represent the current thinking of FDA on 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions.'' It does not establish any rights 
for any person and is not binding on FDA or the public. You can use an 
alternative approach if it satisfies the requirements of the applicable 
statutes and regulations.

II. Electronic Access

    Persons interested in obtaining a copy of the draft guidance may do 
so by downloading an electronic copy from the internet. A search 
capability for all Center for Devices and Radiological Health guidance 
documents is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This guidance document is also 
available at https://www.regulations.gov, https://www.fda.gov/regulatory-information/search-fda-guidance-documents, or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics. Persons unable to download an electronic copy of 
``Select Updates for the Premarket Cybersecurity Guidance: Section 524B 
of the FD&C Act'' may send an email request to [email protected] to receive an electronic copy of the document. 
Please use the document number GUI00001825 and complete title to 
identify the guidance you are requesting.

III. Paperwork Reduction Act of 1995

    While this guidance contains no new collection of information, it 
does refer to previously approved FDA collections of information. The 
previously approved collections of information are subject to review by 
the Office of Management and Budget (OMB) under the Paperwork Reduction 
Act of 1995 (PRA) (44 U.S.C. 3501-3521). The collections of information 
in the following table have been approved by OMB:

------------------------------------------------------------------------
 21 CFR part; guidance; or FDA                              OMB control
              form                        Topic                 No.
------------------------------------------------------------------------
807, subpart E.................  Premarket notification.       0910-0120
814, subparts A through E......  Premarket approval.....       0910-0231
814, subpart H.................  Humanitarian Use              0910-0332
                                  Devices; Humanitarian
                                  Device Exemption.
812............................  Investigational Device        0910-0078
                                  Exemption.
860, subpart D.................  De Novo classification        0910-0844
                                  process.
820............................  Current Good                  0910-0073
                                  Manufacturing Practice
                                  (CGMP); Quality System
                                  (QS) Regulation.
------------------------------------------------------------------------



[[Page 18423]]

    Dated: March 8, 2024.
Lauren K. Roth,
Associate Commissioner for Policy.
[FR Doc. 2024-05295 Filed 3-12-24; 8:45 am]
BILLING CODE 4164-01-P