New Requirements 2023: Cybersecurity for Medical Devices, Your Questions Answered 


At the end of 2022, the Consolidated Appropriations Act, 2023 (“Omnibus”) was signed into law and with it, a significant change to how premarket submissions are prepared for medical devices. 

The Consolidated Appropriations Act, 2023 is a $1.7 trillion omnibus spending bill which funds the U.S. federal government for the 2023 fiscal year. The Omnibus spending bill details how much funding is being allocated to different federal agencies (for example the FDA received a total of $3.5 billion in discretionary funding). It also includes measures that are being introduced to tackle pressing issues such as climate change, and other regulatory changes. One such regulatory change is detailed below. 

Section 3305 of the Omnibus, titled ‘Ensuring Cybersecurity of Medical Devices’ amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding a new section titled ‘Ensuring Cybersecurity of Devices’ (524B).

Changes to the FD&C Act are of particular interest to medical device manufacturers, as all medical devices marketed in the U.S. are subject to this act. What is even more significant is that the new section sets out four minimum cybersecurity requirements that not only affect premarket submissions but also shape how cybersecurity is built into the entire lifecycle of a medical device.

In this blog post we will explain what the change means and answer all the top questions that medical device manufacturers might have. We will also look at how the FDA’s new Refuse-to-Accept policy is connected to this. We hope this provides you with a full understanding of the new security requirements and what you need to do to maintain compliance. 

What Does the New Law Say?

The new section added to the FD&C Act (Section 524B, Ensuring Cybersecurity of Devices) requires that premarket submissions for cyber devices (defined below) include information addressing four cybersecurity requirements.

If you are a company building a medical “cyber device”, you are now required to take the following actions when preparing premarket submissions: 

1. Submit a plan to monitor, identify, and address, as appropriate and in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address:
   (i) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
   (ii) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
3. Provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components; and
4. Comply with such other requirements as the FDA may impose through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

The exact wording can be found in this guidance document.

Who does the New Law Apply to? 

According to section 524B of the FD&C Act — ‘Ensuring Cybersecurity of Devices’, the new law applies to the following:

“IN GENERAL.—A person who submits an application or submission under section 510(k), 513, 515(c), 515(f), or 520(m) for a device that meets the definition of a cyber device…”


What Exactly are Cyber Devices?

This new set of security requirements affects ‘cyber devices’, and there has been some confusion as to what exactly a ‘cyber device’ is. Broadly, cyber devices are medical devices that contain software and can connect to the internet, but the statutory definition has three prongs, all of which must be met. The FDA’s guidance restates the definition from the FD&C Act as follows:

“Section 524B(c) of the FD&C Act defines “cyber device” as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats. If manufacturers are unsure as to whether their device is a cyber device, they may contact the FDA.” 

When Does the Law Come into Effect?

The Omnibus was signed into law on the 29th of December 2022, and section 524B took effect 90 days later, on the 29th of March 2023. From that date, premarket submissions for cyber devices must address these four cybersecurity requirements.

That said, there is a six-month grace period during which the FDA works collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process, rather than refusing them outright.

However, once the grace period ends on October 1, 2023, the refuse-to-accept (RTA) policy applies, and the FDA may refuse to accept premarket submissions that do not contain the information required by section 524B.

“Beginning October 1, 2023, FDA expects that sponsors of such cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not.” (Source)

What is FDA’s Refuse-to-Accept Policy for Cyber Devices?

On the 29th of March 2023, the FDA issued its final guidance explaining its policy to refuse to accept (RTA) premarket submissions from medical device sponsors that do not contain the cybersecurity information required by section 524B.

The 6-page final guidance document titled ‘Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act’ details the changes that are being made to the FD&C Act and the 4 new cybersecurity requirements. It also defines what a cyber device is and who the new law applies to. 

It finishes by saying the following about its RTA policy:

“For premarket submissions submitted for cyber devices before October 1, 2023, FDA generally intends not to issue “refuse to accept” (RTA) decisions based solely on information required by section 524B of the FD&C Act. Instead, FDA intends to work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process. 

Beginning October 1, 2023, FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not.”

One of the New Requirements is That Medical Device Manufacturers Provide an SBOM With All Premarket Submissions. What Exactly is an SBOM?

An SBOM, or software bill of materials, is a machine-readable inventory of every software component within a given device, including commercial, open-source, and off-the-shelf components. Items listed within an SBOM include libraries, drivers, firmware, and operating systems, each with metadata such as component name, version, supplier, and license. Given the obvious similarities, an SBOM is often depicted as a nutrition label or ‘ingredients list’ for software.
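To make the SBOM and the postmarket requirements above concrete, here is an added example (not code from the original post, and not Nova Leah’s product). It builds a minimal CycloneDX-style SBOM for a fictional device firmware (the device name, components, versions and advisory identifiers are all constructed for illustration and are not real CVEs), checks each component for the minimum metadata a reviewer expects, and then sorts a list of advisories into the two patch buckets section 524B names: out of cycle for critical vulnerabilities with uncontrolled risk, and on the regular cycle for other known unacceptable vulnerabilities. The CycloneDX field names are real; the version comparison is a simplified stand-in for proper version-range matching.

```python
"""Added example: SBOM completeness check and 524B-style advisory triage.

Device, components, versions and advisories below are constructed for
illustration only. Field names follow the CycloneDX JSON schema.
"""
import json

# Constructed SBOM for a fictional "InfusionPump-X" firmware image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "firmware",
                               "name": "InfusionPump-X", "version": "3.2.0"}},
    "components": [
        {"type": "operating-system", "name": "linux-kernel", "version": "5.10.120",
         "supplier": {"name": "kernel.org"}},
        {"type": "library", "name": "openssl", "version": "1.1.1q",
         "purl": "pkg:generic/openssl@1.1.1q", "supplier": {"name": "OpenSSL Project"}},
        # The next two entries deliberately omit "supplier" to show the gap check.
        {"type": "library", "name": "libcurl", "version": "7.79.1",
         "purl": "pkg:generic/libcurl@7.79.1"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
    ],
})

# Constructed advisories (hypothetical ids, NOT real CVEs): affected component,
# first fixed version, and whether the manufacturer's risk assessment judged
# the residual risk uncontrolled (the 524B "out of cycle" trigger).
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "fixed_in": "1.1.1t", "uncontrolled_risk": True},
    {"id": "ADV-0002", "component": "libcurl", "fixed_in": "7.80.0", "uncontrolled_risk": False},
    {"id": "ADV-0003", "component": "zlib", "fixed_in": "1.2.12", "uncontrolled_risk": True},
    {"id": "ADV-0004", "component": "busybox", "fixed_in": "1.36.0", "uncontrolled_risk": True},
]

# Minimum per-component fields this example insists on (an assumption, chosen
# to reflect the "supplier, name, version" baseline reviewers look for).
REQUIRED_FIELDS = ("name", "version", "supplier")


def version_key(v):
    """Sort key for dotted versions with an optional trailing letter, e.g. 1.1.1q.

    Each piece becomes (numeric part, suffix) so 1.1.1q < 1.1.1t and 7.79.1 < 7.80.0.
    Simplified: real advisories carry version ranges, not a single fixed version.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits or 0), piece[len(digits):]))
    return tuple(parts)


def missing_fields(sbom):
    """Return {component name: [missing fields]} for incomplete SBOM entries."""
    gaps = {}
    for c in json.loads(sbom)["components"]:
        missing = [f for f in REQUIRED_FIELDS if f not in c]
        if missing:
            gaps[c["name"]] = missing
    return gaps


def triage(sbom, advisories):
    """Sort advisories into 524B patch buckets using the SBOM as the inventory.

    'out_of_cycle': component affected and risk uncontrolled -> patch ASAP.
    'regular_cycle': component affected, risk controlled -> next justified cycle.
    'not_affected': component absent from the SBOM, or already at/after the fix.
    """
    installed = {c["name"]: c["version"] for c in json.loads(sbom)["components"]}
    buckets = {"out_of_cycle": [], "regular_cycle": [], "not_affected": []}
    for adv in advisories:
        ver = installed.get(adv["component"])
        if ver is None or version_key(ver) >= version_key(adv["fixed_in"]):
            buckets["not_affected"].append(adv["id"])
        elif adv["uncontrolled_risk"]:
            buckets["out_of_cycle"].append(adv["id"])
        else:
            buckets["regular_cycle"].append(adv["id"])
    return buckets


if __name__ == "__main__":
    print("SBOM gaps:", missing_fields(SBOM_JSON))
    print("Triage:", triage(SBOM_JSON, ADVISORIES))
```

Two things worth noticing when you run it: the SBOM is what lets the advisory for busybox be dismissed at all (the component is simply not in the device), and zlib drops out because the installed version already carries the fix. Everything else reduces to the risk judgement recorded in `uncontrolled_risk`, which is the manufacturer’s own assessment and the part no tool can automate away.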

At Nova Leah, we have put together our ‘Ultimate Guide to SBOMs’. This guide includes answers to the following questions:

• What is an SBOM?
• What’s included in a Software Bill of Materials?
• Who uses SBOMs?
• What are the security benefits of a Software Bill of Materials?
• What is the role of SBOMs in medical device risk management?
• Why is it important to share your SBOM?

With Less Than 5 Months Until the Refuse-to-Accept Policy Comes into Place, What Do I Need to Do to Prepare?

Earlier, we mentioned that the new section added to the FD&C Act requires that premarket submissions for cyber devices include information addressing four cybersecurity requirements.

All of these requirements can be met by using SelectEvidence from Nova Leah. SelectEvidence™ is a cybersecurity risk management solution for connected medical devices that automates the continuous monitoring of vulnerabilities and the identification of related mitigations, while generating live regulatory reports.  

The law that came into effect on March 29th 2023 is a big change for all medical device manufacturers, and it’s understandable that it might be causing some concern. However, our team of experts at Nova Leah can guide you through the entire process. 

Our team can walk you through what needs to be done to comply. We can then help you design and establish a workflow that is specific to your needs, and take care of the entire onboarding process.

If you’d like to set up a demo, you can do so here