Final Guidance from the FDA for Cybersecurity in Medical Devices

After receiving over 1,800 comments in response to the initial draft, the Food and Drug Administration (FDA) released final cybersecurity guidance for medical devices. The guidance applies to devices with cybersecurity considerations, particularly those with a device software function or those that contain software, including firmware or programmable logic.

The guidance is intended to help device developers comply with new cybersecurity requirements for premarket submissions. It also outlines how to use secure product development processes to manage cybersecurity risk and how the requirements apply.

Implementation Timeline

Per the FDA, as of October 1, 2023, filings that exclude cybersecurity information could be rejected. The FDA also stated that it expects sponsors to have sufficient time to prepare premarket submissions containing the required information. Specific preparation timelines have yet to be defined.

Security Guidance

The published guidance outlines the use of a secure product development framework (SPDF) to control cybersecurity risks. The SPDF should address the specific safety and security risks of each device and also consider the broader system in which the device will operate. It should be integrated into the device development lifecycle, include a security risk management process that addresses each device’s safety and security risks, define a security architecture, and address how cybersecurity control testing will be completed.

We’re Here to Help

If you have questions about your cybersecurity program or how to integrate this guidance into your device development program, please contact your Moss Adams professional.
