Ensuring cybersecurity of devices

21 U.S.C. § 360n–2

• Title: 21 — Food and Drugs
• Chapter: 9 — FEDERAL FOOD, DRUG, AND COSMETIC ACT
• Subchapter: V
• Part: A
• Current through: Pub. L. 119-99

Text

(a) In general
A person who submits an application or submission under section 360(k), 360c, 360e(c), 360e(f), or 360j(m) of this title for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).
(b) Cybersecurity requirements
The sponsor of an application or submission described in subsection (a) shall—
(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—
(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
(c) Definition
In this section, the term "cyber device" means a device that—
(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;
(2) has the ability to connect to the internet; and
(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
(d) Exemption
The Secretary may identify devices, or categories or types of devices, that are exempt from meeting the cybersecurity requirements established by this section and regulations promulgated pursuant to this section. The Secretary shall publish in the Federal Register, and update, as appropriate, a list of the devices, or categories or types of devices, so identified by the Secretary.

History

(June 25, 1938, ch. 675, §524B, as added Pub. L. 117–328, div. FF, title III, §3305(a), Dec. 29, 2022, 136 Stat. 5832.)

Editorial Notes

Statutory Notes and Related Subsidiaries

Effective Date
Section effective 90 days after Dec. 29, 2022, see section 3305(d) of Pub. L. 117–328, set out as an Effective Date of 2022 Amendment note under section 331 of this title.

Construction
Nothing in section 3305(a) of Pub. L. 117–328, which enacted this section, to be construed to affect the Secretary's of Health and Human Services authority related to ensuring that there is a reasonable assurance of the safety and effectiveness of devices, which may include ensuring that there is a reasonable assurance of the cybersecurity of certain cyber devices, including for devices approved or cleared prior to Dec. 29, 2022, see section 3305(c) of Pub. L. 117–328, set out as a Construction of 2022 Amendment note under section 331 of this title.

Guidance for Industry and FDA Staff on Device Cybersecurity
Pub. L. 117–328, div. FF, title III, §3305(e), Dec. 29, 2022, 136 Stat. 5833, provided that: "Not later than 2 years after the date of enactment of this Act [Dec. 29, 2022], and periodically thereafter as appropriate, the Secretary [of Health and Human Services], in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall review and, as appropriate and after soliciting and receiving feedback from device manufacturers, health care providers, third-party-device servicers, patient advocates, and other appropriate stakeholders, update the guidance entitled 'Content of Premarket Submissions for Management of Cybersecurity in Medical Devices' (or a successor document)."
[For definition of "device" as used in section 3305(e) of Pub. L. 117–328, set out above, see section 321(h) of this title, as made applicable by section 3305(h) of Pub. L. 117–328, which is set out below.]

Resources Regarding Cybersecurity of Devices
Pub. L. 117–328, div. FF, title III, §3305(f), Dec. 29, 2022, 136 Stat. 5834, provided that: "Not later than 180 days after the date of enactment of this Act [Dec. 29, 2022], and not less than annually thereafter, the Secretary [of Health and Human Services] shall update public information provided by the Food and Drug Administration, including on the website of the Food and Drug Administration, with information regarding improving cybersecurity of devices. Such information shall include information on identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers, and how such entities may access support through the Cybersecurity and Infrastructure Security Agency and other Federal entities, including the Department of Health and Human Services, to improve the cybersecurity of devices."
[For definition of "device" as used in section 3305(f) of Pub. L. 117–328, set out above, see section 321(h) of this title, as made applicable by section 3305(h) of Pub. L. 117–328, which is set out below.]

Definition
Pub. L. 117–328, div. FF, title III, §3305(h), Dec. 29, 2022, 136 Stat. 5834, provided that: "In this section [enacting this section, amending section 331 of this title, and enacting provisions set out as notes under this section and section 331 of this title], the term 'device' has the meaning given such term in section 201(h) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321(h))."