[Federal Register Volume 90, Number 122 (Friday, June 27, 2025)]
[Notices]
[Pages 27634-27635]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2025-11669]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

[Docket No. FDA-2021-D-1158]


Cybersecurity in Medical Devices: Quality System Considerations 
and Content of Premarket Submissions; Guidance for Industry and Food 
and Drug Administration Staff; Availability

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing 
the availability of a final guidance entitled ``Cybersecurity in 
Medical Devices: Quality System Considerations and Content of Premarket 
Submissions.'' This guidance updates the previous version of the 
guidance, of the same title, issued on September 27, 2023, and 
finalizes the draft guidance entitled ``Select Updates for the 
Premarket Cybersecurity Guidance: Section 524B of the FD&C Act'' issued 
on March 13, 2024. This guidance provides FDA's recommendations to 
industry regarding cybersecurity device design, labeling, and the 
documentation that FDA recommends be included in premarket submissions 
for devices with cybersecurity risk. Additionally, this guidance has 
been updated to identify the information FDA generally considers to be 
necessary for cyber devices to support obligations under the new 
amendments to the Federal Food, Drug, and Cosmetic Act (FD&C Act) for 
ensuring cybersecurity of devices.

DATES: The announcement of the guidance is published in the Federal 
Register on June 27, 2025.

ADDRESSES: You may submit either electronic or written comments on 
Agency guidances at any time as follows:

Electronic Submissions

    Submit electronic comments in the following way:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Comments submitted 
electronically, including attachments, to https://www.regulations.gov 
will be posted to the docket unchanged. Because your comment will be 
made public, you are solely responsible for ensuring that your comment 
does not include any confidential information that you or a third party 
may not wish to be posted, such as medical information, your or anyone 
else's Social Security number, or confidential business information, 
such as a manufacturing process. Please note that if you include your 
name, contact information, or other information that identifies you in 
the body of your comments, that information will be posted on https://www.regulations.gov.
     If you want to submit a comment with confidential 
information that you do not wish to be made available to the public, 
submit the comment as a written/paper submission and in the manner 
detailed (see ``Written/Paper Submissions'' and ``Instructions'').

Written/Paper Submissions

    Submit written/paper submissions as follows:
     Mail/Hand Delivery/Courier (for written/paper 
submissions): Dockets Management Staff (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
     For written/paper comments submitted to the Dockets 
Management Staff, FDA will post your comment, as well as any 
attachments, except for information submitted, marked and identified, 
as confidential, if submitted as detailed in ``Instructions.''
    Instructions: All submissions received must include the Docket No. 
FDA-2021-D-1158 for ``Cybersecurity in Medical Devices: Quality System 
Considerations and Content of Premarket Submissions.'' Received 
comments will be placed in the docket and, except for those submitted 
as ``Confidential Submissions,'' publicly viewable at https://www.regulations.gov or at the Dockets Management Staff between 9 a.m. 
and 4 p.m., Monday through Friday, 240-402-7500.
     Confidential Submissions--To submit a comment with 
confidential information that you do not wish to be made publicly 
available, submit your comments only as a written/paper submission. You 
should submit two copies total. One copy will include the information 
you claim to be confidential with a heading or cover note that states 
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will 
review this copy, including the claimed confidential information, in 
its consideration of comments. The second copy, which will have the 
claimed confidential information redacted/blacked out, will be 
available for public viewing and posted on https://www.regulations.gov. 
Submit both copies to the Dockets Management Staff. If you do not wish 
your name and contact information to be made publicly available, you 
can provide this information on the cover sheet and not in the body of 
your comments and you must identify this information as 
``confidential.'' Any information marked as ``confidential'' will not 
be disclosed except in accordance with 21 CFR 10.20 and other 
applicable disclosure law. For more information about FDA's posting of 
comments to public dockets, see 80 FR 56469, September 18, 2015, or 
access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
    Docket: For access to the docket to read background documents or 
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in 
the heading of this document, into the ``Search'' box and follow the 
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, 
Rm. 1061, Rockville, MD 20852, 240-402-7500.
    You may submit comments on any guidance at any time (see 21 CFR 
10.115(g)(5)).
    An electronic copy of the guidance document is available for 
download from the internet. See the SUPPLEMENTARY INFORMATION section 
for information on electronic access to the guidance. Submit written 
requests for a single hard copy of the guidance document entitled 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions'' to the Office of Policy, Center for 
Devices and Radiological Health, Food and Drug Administration, 10903 
New Hampshire Ave., Bldg. 66, Rm. 5441, Silver Spring, MD 20993-0002. 
Send one self-addressed adhesive label to assist that office in 
processing your request.

FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices 
and Radiological Health, Food and Drug Administration, 10903 New 
Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 
301-796-6937; or Phillip Kurs, Center for Biologics Evaluation and 
Research, Food and Drug Administration, 240-402-7911.

SUPPLEMENTARY INFORMATION:

I. Background

    Section 3305 of the Food and Drug Omnibus Reform Act of 2022, 
enacted on December 29, 2022, added section 524B ``Ensuring 
Cybersecurity of Medical Devices'' to the FD&C Act. Under section 
524B(a) of the FD&C Act (21 U.S.C. 360n-2(a)), a person who submits a 
510(k), premarket 
approval application (PMA), product development protocol (PDP), De 
Novo, or humanitarian device exemption (HDE) for a device that meets 
the definition of a cyber device, as defined under section 524B(c) of 
the FD&C Act, is required to submit information to ensure that cyber 
devices meet the cybersecurity requirements under section 524B(b) of 
the FD&C Act.
    FDA has updated the final guidance ``Cybersecurity in Medical 
Devices: Quality System Considerations and Content of Premarket 
Submissions'' to identify the cybersecurity information FDA considers 
to generally be necessary to support obligations under section 524B of 
the FD&C Act for cyber devices. Specifically, the new section in this 
guidance discusses who is required to comply with section 524B, the 
devices subject to section 524B, and the documentation recommendations 
for applicable premarket submissions. Additionally, FDA provides 
recommendations regarding premarket submissions for changes to cyber 
devices that had been previously authorized by FDA through 510(k), PMA, 
PDP, De Novo, and HDE submission pathways, and that require premarket 
submission. The new section also discusses FDA's review of whether 
there is a reasonable assurance that the device and related systems are 
cybersecure for marketing authorizations submitted for cyber devices. 
The new section of the guidance provides recommendations specifically 
for cyber devices; however, the recommendations throughout the guidance 
may help manufacturers of cyber devices meet their obligations under 
section 524B of the FD&C Act.
    This guidance updates the final guidance ``Cybersecurity in Medical 
Devices: Quality System Considerations and Content of Premarket 
Submissions.'' This guidance also finalizes the draft guidance entitled 
``Select Updates for the Premarket Cybersecurity Guidance: Section 524B 
of the FD&C Act.'' FDA considered the applicability of Executive Order 
14192, per OMB guidance in M-25-20, and finds this action to be 
deregulatory in nature.
    A notice of availability of the draft guidance appeared in the 
Federal Register of March 13, 2024 (89 FR 18421). FDA considered 
comments received and revised the draft guidance as appropriate in 
response to the comments, including providing additional examples to 
help clarify new terminology used as a result of the requirements in 
section 524B of the FD&C Act. Additionally, FDA has provided additional 
clarity regarding the recommended documentation manufacturers should 
submit when submitting a premarket submission for a device modification 
that is unlikely to impact the cybersecurity of the device.
    This guidance is being issued consistent with FDA's good guidance 
practices regulation (21 CFR 10.115). The guidance represents the 
current thinking of FDA on Cybersecurity in Medical Devices: Quality 
System Considerations and Content of Premarket Submissions. It does not 
establish any rights for any person and is not binding on FDA or the 
public. You can use an alternative approach if it satisfies the 
requirements of the applicable statutes and regulations.

II. Electronic Access

    Persons interested in obtaining a copy of the guidance may do so by 
downloading an electronic copy from the internet. A search capability 
for all Center for Devices and Radiological Health guidance documents 
is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This guidance document is also 
available at https://www.regulations.gov, https://www.fda.gov/regulatory-information/search-fda-guidance-documents or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics. Persons unable to download an electronic copy of 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions'' may send an email request to [email protected] to receive an electronic copy of the document. 
Please use the document number GUI00001825 and complete title to 
identify the guidance you are requesting.

III. Paperwork Reduction Act of 1995

    While this guidance contains no new collection of information, it 
does refer to previously approved FDA collections of information. The 
previously approved collections of information are subject to review by 
the Office of Management and Budget (OMB) under the Paperwork Reduction 
Act of 1995 (PRA) (44 U.S.C. 3501-3521). The collections of information 
in the following table have been approved by OMB:

------------------------------------------------------------------------
    21 CFR part or guidance             Topic           OMB Control No.
------------------------------------------------------------------------
807, subpart E................  Premarket                      0910-0120
                                 notification.
814, subparts A through E.....  Premarket approval...          0910-0231
814, subpart H................  Humanitarian Use               0910-0332
                                 Devices;
                                 Humanitarian Device
                                 Exemption.
812...........................  Investigational                0910-0078
                                 Device Exemption.
860, subpart D................  De Novo                        0910-0844
                                 classification
                                 process.
``Requests for Feedback and     Q-submissions and              0910-0756
 Meetings for Medical Device     Early Payor Feedback
 Submissions: The Q-Submission   Request Programs for
 Program''.                      Medical Devices.
800, 801, 809, and 830........  Medical Device                 0910-0485
                                 Labeling
                                 Regulations; Unique
                                 Device
                                 Identification.
820...........................  Current Good                   0910-0073
                                 Manufacturing
                                 Practice (CGMP);
                                 Quality System (QS)
                                 Regulation.
------------------------------------------------------------------------


    Dated: June 20, 2025.
Grace R. Graham,
Deputy Commissioner for Policy, Legislation, and International Affairs.
[FR Doc. 2025-11669 Filed 6-26-25; 8:45 am]