March 29, 2023
by Ferdous Al-Faruque

FDA final guidance explains its cybersecurity RTA policy for devices

Corrected 6 April to clarify aspects of the refuse to accept policy*
 
The US Food and Drug Administration (FDA) has issued a final guidance explaining its approach to exercising its new authority to require certain cybersecurity information in medical device submissions.
 
On 29 March, FDA published a much-anticipated cybersecurity final guidance that explains its policy to issue refuse to accept (RTA) decisions to medical device sponsors if the agency is concerned their product doesn’t meet its cybersecurity requirements. The agency said it does not intend to issue RTA decisions prior to 1 October 2023 solely based on missing cybersecurity information and “will work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.”
 
It also published an FAQ for sponsors to get more information on when the agency plans to issue RTAs. The guidance was mandated by the 2023 Consolidated Appropriations Act, also known as the Omnibus budget bill, passed by Congress last year.
 
The policy does not affect products already on the market unless a manufacturer is making a change to the device that necessitates a premarket review.
 
"The refuse to accept policy is a threshold decision-making policy for FDA," an agency official told Focus. "It is a way for the FDA to protect the time and efforts of the reviewers and the manufacturers... to ask, ‘Is this submission complete, does it contain everything it needs to contain?’ It doesn't actually look at the quality of the various pieces of the submission."
 
The guidance applies to products FDA defines as a cyber device, which could mean software that is validated, installed or authorized by the sponsor as a device or in a device. It also includes devices that have the ability to connect to the internet and have characteristics that could make them vulnerable to cybersecurity threats.
 
Sponsors of such devices should submit a plan to monitor, identify and address cybersecurity vulnerabilities and exploits, according to FDA. The agency said sponsors should “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems.”
 
Sponsors are also asked to submit a software bill of materials (SBOM) in their product application, which could include commercial, open-source, and off-the-shelf software components. FDA pointed to the 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)" for sponsors who want to understand what that entails.
 
“The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure,” the agency added.
 
For more general information about its RTA policy, FDA recommends sponsors read up on its guidances Refuse to Accept Policy for 510(k)s, Acceptance and Filing Reviews for Premarket Approval Applications (PMAs) and Acceptance Review for De Novo Classification Requests.
 
When submitting a premarket application for a cyber device, the agency also recommends sponsors read up on its 2014 guidance entitled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" and its 2016 guidance "Postmarket Management of Cybersecurity in Medical Devices."
 
A previous version of the story misstated that the policy enabled FDA to reject submissions based on cybersecurity information. Regulatory Focus regrets the error.
 