Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the Federal Food, Drug, and Cosmetic Act; Draft Guidance for Industry and Food and Drug Administration Staff; Availability

<NOTICE> DEPARTMENT OF HEALTH AND HUMAN SERVICES <SUBAGY>Food and Drug Administration</SUBAGY> <DEPDOC>[Docket No. FDA-2021-D-1158]</DEPDOC> <SUBJECT>Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the Federal Food, Drug, and Cosmetic Act; Draft Guidance for Industry and Food and Drug Administration Staff; Availability</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Food and Drug Administration, HHS. <HD SOURCE="HED">ACTION:</HD> Notice of availability. <SUM> <HD SOURCE="HED">SUMMARY:</HD> The Food and Drug Administration (FDA or Agency) is announcing the availability of the draft guidance entitled “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act.” This draft guidance proposes select updates to the final guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This draft guidance, when finalized, will identify the information FDA generally considers to be necessary for cyber devices to support obligations under the new amendments to the Federal Food, Drug, and Cosmetic Act (FD&C Act) for ensuring cybersecurity of devices. This draft guidance is not final nor is it for implementation at this time. </SUM> <DATES> <HD SOURCE="HED">DATES:</HD> Submit either electronic or written comments on the draft guidance by May 13, 2024 to ensure that the Agency considers your comment on this draft guidance before it begins work on the final version of the guidance. </DATES> <HD SOURCE="HED">ADDRESSES:</HD> You may submit comments on any guidance at any time as follows: <HD SOURCE="HD2">Electronic Submissions</HD> Submit electronic comments in the following way: • <E T="03">Federal eRulemaking Portal: https://www.regulations.gov.</E> Follow the instructions for submitting comments. Comments submitted electronically, including attachments, to <E T="03">https://www.regulations.gov</E> will be posted to the docket unchanged. Because your comment will be made public, you are solely responsible for ensuring that your comment does not include any confidential information that you or a third party may not wish to be posted, such as medical information, your or anyone else's Social Security number, or confidential business information, such as a manufacturing process. Please note that if you include your name, contact information, or other information that identifies you in the body of your comments, that information will be posted on <E T="03">https://www.regulations.gov.</E> • If you want to submit a comment with confidential information that you do not wish to be made available to the public, submit the comment as a written/paper submission and in the manner detailed (see “Written/Paper Submissions” and “Instructions”). <HD SOURCE="HD2">Written/Paper Submissions</HD> Submit written/paper submissions as follows: • <E T="03">Mail/Hand Delivery/Courier (for written/paper submissions):</E> Dockets Management Staff (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852. • For written/paper comments submitted to the Dockets Management Staff, FDA will post your comment, as well as any attachments, except for information submitted, marked and identified, as confidential, if submitted as detailed in “Instructions.” <E T="03">Instructions:</E> All submissions received must include the Docket No. FDA-2021-D-1158 for “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act.” Received comments will be placed in the docket and, except for those submitted as “Confidential Submissions,” publicly viewable at <E T="03">https://www.regulations.gov</E> or at the Dockets Management Staff between 9 a.m. and 4 p.m., Monday through Friday, 240-402-7500. • Confidential Submissions—To submit a comment with confidential information that you do not wish to be made publicly available, submit your comments only as a written/paper submission. You should submit two copies total. One copy will include the information you claim to be confidential with a heading or cover note that states “THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.” The Agency will review this copy, including the claimed confidential information, in its consideration of comments. The second copy, which will have the claimed confidential information redacted/blacked out, will be available for public viewing and posted on <E T="03">https://www.regulations.gov.</E> Submit both copies to the Dockets Management Staff. If you do not wish your name and contact information to be made publicly available, you can provide this information on the cover sheet and not in the body of your comments and you must identify this information as “confidential.” Any information marked as “confidential” will not be disclosed except in accordance with 21 CFR 10.20 and other applicable disclosure law. For more information about FDA's posting of comments to public dockets, see 80 FR 56469, September 18, 2015, or access the information at: <E T="03">https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.</E> <E T="03">Docket:</E> For access to the docket to read background documents or the electronic and written/paper comments received, go to <E T="03">https://www.regulations.gov</E> and insert the docket number, found in brackets in the heading of this document, into the “Search” box and follow the prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852, 240-402-7500. You may submit comments on any guidance at any time (see 21 CFR 10.115(g)(5)). An electronic copy of the guidance document is available for download from the internet. See the <E T="02">SUPPLEMENTARY INFORMATION</E> section for information on electronic access to the guidance. Submit written requests for a single hard copy of the draft guidance document entitled “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act” to the Office of Policy, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 20993-0002. Send one self-addressed adhesive label to assist that office in processing your request. <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> Suzanne Schwartz, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 301-796-6937; or James Myers, Center for Biologics Evaluation and Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 7301, Silver Spring, MD 20993, 240-402-7911. </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">I. Background</HD> Section 3305 of the Food and Drug Omnibus Reform Act of 2022 (FDORA), enacted on December 29, 2022, added section 524B “Ensuring Cybersecurity of Medical Devices” to the FD&C Act. Under section 524B(a) of the FD&C Act (21 U.S.C. 360n-2(a)), a person who submits a 510(k), premarket approval application (PMA), product development protocol (PDP), De Novo, or humanitarian device exemption (HDE) for a device that meets the definition of a cyber device, as defined under section 524B(c) of the FD&C Act, is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b) of the FD&C Act. FDA is proposing to selectively update the final guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This draft guidance, when finalized, will identify the information FDA generally considers to be necessary to support obligations under section 524B of the FD&C Act. Specifically, this draft guidance discusses who is required to comply with section 524B, the devices subject to section 524B, and the documentation recommendations for applicable premarket submissions. Additionally, FDA provides recommendations regarding premarket submissions for changes to cyber devices that had been previously authorized by FDA through 510(k), De Novo, HDE, PDP, and PMA submission pathways, and that require premarket submission. This draft guidance also discusses FDA's review of whether there is a reasonable assurance that the device and related systems are cybersecure for marketing authorizations submitted for cyber devices. This draft guidance is being issued consistent with FDA's good guidance practices regulation (21 CFR 10.115). The draft guidance, when finalized, will represent the current thinking of FDA on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” It does not establish any rights for any person and is not binding on FDA or the public. You can use an alternative approach if it satisfies the requirements of the applicable statutes and regulations. <HD SOURCE="HD1">II. Electronic Access</HD> Persons interested in obtaining a copy of the draft guidance may do so by downloading an electronic copy from the internet. A search capability for all Center for Devices and Radiological Health guidance documents is available at <E T="03">https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products.</E> This guidance document is also available at <E T="03">https://www.regulations.gov, https://www.fda.gov/regulatory-information/search-fda-guidance-documents</E> , or <E T="03">https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics.</E> Persons unable to download an electronic copy of “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act” may send an email request to <E T="03">CDRH-Guidance@fda.hhs.gov</E> to receive an electronic copy of the document. Please use the document numbe ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 12k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━