Public Law 119-73 (01/23/2026)

21 U.S.C. § 360n–2

Ensuring cybersecurity of devices

(a) In general

A person who submits an application or submission under section 360(k), 360c, 360e(c), 360e(f), or 360j(m) of this title for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).

(b) Cybersecurity requirements

The sponsor of an application or submission described in subsection (a) shall—

(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;

(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—

(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;

(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and

(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
(c) Definition

In this section, the term “cyber device” means a device that—

(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;

(2) has the ability to connect to the internet; and

(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
(d) Exemption

The Secretary may identify devices, or categories or types of devices, that are exempt from meeting the cybersecurity requirements established by this section and regulations promulgated pursuant to this section. The Secretary shall publish in the Federal Register, and update, as appropriate, a list of the devices, or categories or types of devices, so identified by the Secretary.

(June 25, 1938, ch. 675, § 524B, as added Pub. L. 117–328, div. FF, title III, § 3305(a), 136 Stat. 5832.)

Statutory Notes and Related Subsidiaries

Effective Date

Section effective 90 days after [], see section 3305(d) of Pub. L. 117–328, set out as an Effective Date of 2022 Amendment note under section 331 of this title.

Construction

Nothing in section 3305(a) of Pub. L. 117–328, which enacted this section, is to be construed to affect the authority of the Secretary of Health and Human Services related to ensuring that there is a reasonable assurance of the safety and effectiveness of devices, which may include ensuring that there is a reasonable assurance of the cybersecurity of certain cyber devices, including for devices approved or cleared prior to [], see section 3305(c) of Pub. L. 117–328, set out as a Construction of 2022 Amendment note under section 331 of this title.

Guidance for Industry and FDA Staff on Device Cybersecurity

Pub. L. 117–328, div. FF, title III, § 3305(e), 136 Stat. 5833, provided that:

“Not later than 2 years after the date of enactment of this Act [], and periodically thereafter as appropriate, the Secretary [of Health and Human Services], in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall review and, as appropriate and after soliciting and receiving feedback from device manufacturers, health care providers, third-party-device servicers, patient advocates, and other appropriate stakeholders, update the guidance entitled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ (or a successor document).”

[For definition of “device” as used in section 3305(e) of Pub. L. 117–328, set out above, see section 321(h) of this title, as made applicable by section 3305(h) of Pub. L. 117–328, which is set out below.]

Resources Regarding Cybersecurity of Devices

Pub. L. 117–328, div. FF, title III, § 3305(f), 136 Stat. 5834, provided that:

“Not later than 180 days after the date of enactment of this Act [], and not less than annually thereafter, the Secretary [of Health and Human Services] shall update public information provided by the Food and Drug Administration, including on the website of the Food and Drug Administration, with information regarding improving cybersecurity of devices. Such information shall include information on identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers, and how such entities may access support through the Cybersecurity and Infrastructure Security Agency and other Federal entities, including the Department of Health and Human Services, to improve the cybersecurity of devices.”

[For definition of “device” as used in section 3305(f) of Pub. L. 117–328, set out above, see section 321(h) of this title, as made applicable by section 3305(h) of Pub. L. 117–328, which is set out below.]

Definition

Pub. L. 117–328, div. FF, title III, § 3305(h), 136 Stat. 5834, provided that:

“In this section [enacting this section, amending section 331 of this title, and enacting provisions set out as notes under this section and section 331 of this title], the term ‘device’ has the meaning given such term in section 201(h) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321(h)).”