Note: This draft is OBSOLETE and is included only for historical reference. Look for the final draft elsewhere on this site.
To view the guidance, click this link: 2016-01-FDA Post market Cybersecurity draft guidance
This guidance references a number of Presidential Executive Orders related to critical infrastructure and cybersecurity as a driving force for FDA’s increased oversight in this area. FDA also specifically recommends that manufacturers exercise “good cyber hygiene” and encourages use of the NIST document “Framework for Improving Critical Infrastructure Cybersecurity”. That framework is organized around five core functions: “identify, protect, detect, respond, recover”. Since it is referenced in this guidance, and the Appendix of this guidance uses its concepts, it may become important for manufacturers to be able to articulate their cybersecurity approach in these terms to FDA investigators or premarket reviewers, or at least to map their own terminology to these five functions.
The document also states that “Irrespective of the originating source, a clear, consistent and reproducible process for intake and handling of vulnerability information should be established and implemented by the manufacturer. FDA has recognized ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes” and that manufacturers “should also adopt a coordinated vulnerability disclosure policy. FDA has recognized ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure”.
There are many terms and concepts in this guidance of interest including:
- the term “compensating control”, which essentially means manual controls
- exercising good cyber hygiene to lower risk even beyond the acceptable risk limit
- making a binary decision whether the risk after controls is acceptable or unacceptable
- focusing cybersecurity risk evaluation on “essential clinical performance“
- use of a common vulnerability scoring system for probability as part of an exploitability analysis
- reinforcement of the premarket guidance in that product changes made to strengthen cybersecurity are considered enhancements that would not normally require new premarket submissions and, for PMA products, would only need inclusion in the annual reports
Lines 581-590 indicate that vulnerabilities that meet all of the following conditions would not require reporting under the Corrections and Removals or Medical Device Reporting rules:
- There are no known serious adverse events or deaths associated with the vulnerability
- Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users
- The manufacturer is a participating member of an ISAO, such as NH-ISAC
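The items above describe two decisions a manufacturer has to make and document: whether the residual risk to essential clinical performance is acceptable or unacceptable (using a CVSS-style exploitability score as the probability input, with or without compensating controls), and whether a given vulnerability falls inside the three-condition reporting exemption. The following is an added worked example, written for this summary and not code from FDA or from the guidance. The CVSS v3.1 exploitability weights are the published ones; the impact scale, the risk thresholds, the effect assigned to a compensating control and the sample vectors are all constructed assumptions for illustration.

```python
"""Added example: CVSS v3.1 exploitability sub-score feeding an
acceptable/unacceptable residual-risk decision, then the draft guidance's
three-part reporting exemption. Thresholds and the impact scale are
illustrative assumptions, not values from the guidance."""
from dataclasses import dataclass

# CVSS v3.1 exploitability metric weights (from the CVSS v3.1 specification).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}   # Attack Vector
AC = {"L": 0.77, "H": 0.44}                          # Attack Complexity
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}     # Privileges Required, scope U
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}       # Privileges Required, scope C
UI = {"N": 0.85, "R": 0.62}                          # User Interaction


def exploitability(vector: str) -> float:
    """Exploitability sub-score (8.22 * AV * AC * PR * UI) parsed from a
    CVSS v3.1 vector string such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/...'.
    Rounded to one decimal the way calculators display sub-scores."""
    metrics = dict(part.split(":") for part in vector.split("/")[1:])
    pr_table = PR_CHANGED if metrics["S"] == "C" else PR_UNCHANGED
    score = 8.22 * AV[metrics["AV"]] * AC[metrics["AC"]] \
        * pr_table[metrics["PR"]] * UI[metrics["UI"]]
    return round(score, 1)


@dataclass
class Assessment:
    vector: str
    # Constructed three-level scale for effect on essential clinical
    # performance: "none", "degraded" or "loss".
    impact: str
    # Constructed assumption: a compensating (manual) control is in place.
    compensating_control: bool = False


def residual_risk(a: Assessment) -> str:
    """Binary decision: 'acceptable' or 'unacceptable'.
    Constructed matrix: exploitability stands in for probability; a
    compensating control is assumed to halve the effective exploitability."""
    e = exploitability(a.vector)
    if a.compensating_control:
        e /= 2.0
    if a.impact == "none":
        return "acceptable"
    if a.impact == "degraded":
        return "acceptable" if e < 2.0 else "unacceptable"
    # "loss" of essential clinical performance: tightest threshold.
    return "acceptable" if e < 1.0 else "unacceptable"


@dataclass
class Handling:
    serious_adverse_events: int   # known serious adverse events or deaths
    days_to_remediate: int        # days from learning of the issue to controls in place
    users_notified: bool
    isao_member: bool             # participating member of an ISAO such as NH-ISAC


def reporting_required(a: Assessment, h: Handling) -> bool:
    """True unless all three exemption conditions from the draft guidance hold:
    no serious adverse events, residual risk brought to acceptable and users
    notified within 30 days, and ISAO membership."""
    exempt = (
        h.serious_adverse_events == 0
        and h.days_to_remediate <= 30
        and h.users_notified
        and residual_risk(a) == "acceptable"
        and h.isao_member
    )
    return not exempt


if __name__ == "__main__":
    # Constructed sample: network-reachable, no privileges, degraded performance.
    v = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    before = Assessment(v, "degraded")
    after = Assessment(v, "degraded", compensating_control=True)
    print("exploitability:", exploitability(v))
    print("residual risk before/after control:", residual_risk(before), residual_risk(after))
    print("report required:", reporting_required(after, Handling(0, 20, True, True)))
```

The point the code makes visible is that the exemption is conjunctive: the same vulnerability moves from "report required" to "exempt" only when the compensating control brings residual risk to acceptable within the window and the manufacturer is an ISAO participant; dropping any one condition (for example, ISAO membership) reinstates the reporting obligation.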
Executive Order 13691 (Feb. 13, 2015) encouraged the development of Information Sharing and Analysis Organizations (ISAOs), and FDA is exempting manufacturers from certain reporting obligations if they participate in an ISAO. An ISAO is essentially an organization for sharing cybersecurity information, with specific liability protections under the law. FDA has entered into a memorandum of understanding (MOU) with one ISAO, as indicated on line 121.
SoftwareCPR® can assist you in preparing the cybersecurity information for your premarket submissions and help you perform and document the associated risk analyses and testing. We can also help you establish your post market cybersecurity processes and analyze and deal with specific issues. SoftwareCPR® has extensive experience with premarket and postmarket compliance with FDA cybersecurity requirements and expectations and can provide consulting support and training upon request. If you have specific questions or would like to discuss further, complete the form below to send us a message.
Consider becoming a Premium Subscriber to receive all of our bulletins, newsletters, and access to all of our education materials on our website including some Q&A with our experts. More info on subscriptions.