(a) In generalA person who submits an application or submission under section 360(k), 360c, 360e(c), 360e(f), or 360j(m) of this title for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).
(b) Cybersecurity requirementsThe sponsor of an application or submission described in subsection (a) shall—(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
(c) DefinitionIn this section, the term “cyber device” means a device that—(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;
(2) has the ability to connect to the internet; and
(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
(d) ExemptionThe Secretary may identify devices, or categories or types of devices, that are exempt from meeting the cybersecurity requirements established by this section and regulations promulgated pursuant to this section. The Secretary shall publish in the Federal Register, and update, as appropriate, a list of the devices, or categories or types of devices, so identified by the Secretary.
Structure US Code
CHAPTER 9— FEDERAL FOOD, DRUG, AND COSMETIC ACT
SUBCHAPTER V— DRUGS AND DEVICES
§ 351. Adulterated drugs and devices
§ 352. Misbranded drugs and devices
§ 353. Exemptions and consideration for certain drugs, devices, and biological products
§ 353a–1. Enhanced communication
§ 353b. Outsourcing facilities
§ 353c. Prereview of television advertisements
§ 353d. Process to update labeling for certain generic drugs
§ 354. Veterinary feed directive drugs
§ 355–1. Risk evaluation and mitigation strategies
§ 355–2. Actions for delays of generic drugs and biosimilar biological products
§ 355a. Pediatric studies of drugs
§ 355b. Adverse-event reporting
§ 355c. Research into pediatric uses for drugs and biological products
§ 355e. Pharmaceutical security
§ 355f. Extension of exclusivity period for new qualified infectious disease products
§ 355g. Utilizing real world evidence
§ 356. Expedited approval of drugs for serious or life-threatening diseases or conditions
§ 356–1. Accelerated approval of priority countermeasures
§ 356–2. Accelerated approval Council
§ 356b. Reports of postmarketing studies
§ 356c. Discontinuance or interruption in the production of life-saving drugs
§ 356c–1. Annual reporting on drug shortages
§ 356d. Coordination; task force and strategic plan
§ 356f. Hospital repackaging of drugs in shortage
§ 356g. Standards for regenerative medicine and regenerative advanced therapies
§ 356h. Competitive generic therapies
§ 356i. Prompt reports of marketing status
§ 356j. Discontinuance or interruption in the production of medical devices
§ 356l. Advanced manufacturing technologies designation program
§ 357. Qualification of drug development tools
§ 358. Authority to designate official names
§ 359. Nonapplicability of subchapter to cosmetics
§ 360. Registration of producers of drugs or devices
§ 360a. Clinical trial guidance for antibiotic drugs
§ 360a–2. Susceptibility test interpretive criteria for microorganisms
§ 360b–1. Priority zoonotic animal drugs
§ 360c. Classification of devices intended for human use
§ 360e–1. Pediatric uses of devices
§ 360e–3. Breakthrough devices
§ 360e–4. Predetermined change control plans for devices
§ 360g–1. Agency documentation and review of significant decisions regarding devices
§ 360g–2. Third party data transparency
§ 360h. Notification and other remedies
§ 360h–1. Program to improve the device recall system
§ 360i. Records and reports on devices
§ 360j. General provisions respecting control of devices intended for human use
§ 360k. State and local requirements respecting devices
§ 360l. Postmarket surveillance
§ 360n. Priority review to encourage treatments for tropical diseases
§ 360n–1. Priority review for qualified infectious disease products