On 8 April 2022, the FDA (Center for Devices and Radiological Health - CDRH in collaboration with the Center for Biologics Evaluation and Research - CBER) published a "Draft Guidance for Industry and Food and Drug Administration Staff - Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions". The draft is open for comment for 90 days at the "Dockets Management Staff, Food and Drug Administration".
Once finalised, the draft will replace the previous Guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" of 2 October 2014.
Structure of the Guidance
The very comprehensive document is divided into 6 chapters and 4 appendices:
Using SPDF to Manage Cybersecurity Risks (SPDF = Secure Product Development Framework)
Appendix 1: Security Control Categories and Associated Recommendations
Appendix 2: Submission Documentation for Security Architecture Flows
Appendix 3: Submission Documentation for Investigational Device Exemptions
Appendix 4: Terminology
To whom does this Guidance apply?
This guidance applies to devices containing software (including firmware) or programmable logic, and to software as a medical device. The guidance is not limited to devices that are networkable or contain other networked functions. See "Scope" for further explanation.
Why a new Guidance?
The Guidance published in 2014 was supplemented in 2016 by the Guidance "Postmarket Management of Cybersecurity in Medical Devices". From the FDA's point of view, the rapidly changing landscape with increased threat scenarios, but also the growing understanding of these threats and the recognition of the need for appropriate defence measures throughout the product life cycle, necessitated the revision of this guidance. Manufacturers should therefore consider cybersecurity risks sufficiently even before market launch and integrate security measures into development.