
Navigating FDA Cyber Rules for Medical Devices

Amendment 524B of the FD&C Act sets new U.S. FDA cybersecurity rules for medical devices. UL Solutions provides expert support to help manufacturers meet these requirements.


At the end of 2022, the U.S. Congress passed the Consolidated Appropriations Act (Omnibus Bill), which set statutory obligations for the U.S. Food and Drug Administration (FDA) and the broader industry for addressing medical device cybersecurity. The legislation was enacted as section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act. The FDA has published FAQs highlighting key questions posed to the agency regarding this legislation. Below, each FDA answer is followed by information on how UL Solutions can support manufacturers seeking to demonstrate compliance with these relatively new U.S. requirements within their FDA regulatory submissions.


Frequently asked questions

Q: Who is required to comply with Amendment 524B of the Food Drug & Cosmetic (FD&C) Act? What types of premarket submissions does this apply to?

A: FDA: Under section 524B(a) of the FD&C Act, a person who submits a premarket application or submission — including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) — for a device that meets the definition of a cyber device, as defined under section 524B(c), is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b). This includes Special and Abbreviated 510(k) applications as well as PMA and HDE supplements.

UL Solutions: UL Solutions can help you develop the submission information that is required by the FDA if the FD&C Act’s Amendment 524B is applicable to you.


Q: What is a cyber device?

A: FDA: Section 524B(c) of the FD&C Act defines "cyber device" as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. Further, the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions includes Section VII "Cyber Devices" to address section 524B of the FD&C Act for cyber devices. If manufacturers are unsure whether their device is a cyber device, they may contact the FDA.

UL Solutions: UL Solutions can train your staff on how to determine if your products are “cyber devices” following the FDA cybersecurity requirements. If they are determined to be “cyber devices,” we can help your organization navigate the implementation of the principles embodied in the FDA Final Guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”


Q: Does this law apply to future medical devices, rather than retroactively?

A: FDA: As provided by the Omnibus, the cybersecurity requirements do not apply to an application or submission submitted to the FDA before March 29, 2023. If a cyber device was previously authorized, and the manufacturer is making a change to the device that requires premarket review by the agency, the law applies to the new premarket submission.

UL Solutions: If your organization is struggling to bring a legacy medical device into compliance with these newer FDA requirements, we can collaborate with your engineering, security and compliance teams to help develop project plans and processes.


Q: What requirements apply to manufacturers of cyber devices under section 524B of the FD&C Act?

A: FDA: Section 524B(a) of the FD&C Act provides that the sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in section 524B(b) of the FD&C Act. The requirements in section 524B(b) of the FD&C Act are:

  • Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  • Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
  • Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.

The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure. See the four questions below on sections 524B(b)(1) through 524B(b)(3) for additional details on ways manufacturers might demonstrate that their devices are cybersecure.

UL Solutions: We can help you develop the necessary plans, processes and procedures for section 524B compliance in your FDA submission. If you can provide us with your software binary images, we can also generate a software bill of materials (SBOM) for you in a variety of FDA-sanctioned formats.


Q: When do manufacturers of cyber devices have to submit the information described in section 524B?

A: FDA: Manufacturers of cyber devices are required to submit this information starting March 29, 2023, in premarket submissions including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE). This includes Abbreviated and Special 510(k) submissions and PMA/HDE supplements.

The Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions final guidance does not supersede the previously issued guidance Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems; however, the policy in the latter guidance expired on October 1, 2023. Beginning October 1, 2023, the FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain the information required by section 524B of the FD&C Act.

Additionally, as part of the FDA's efforts to modernize the 510(k) Program and implement MDUFA V, starting October 1, 2023, all 510(k) submissions, unless exempted, must be submitted electronically using eSTAR, as noted in the Electronic Submission Template for Medical Device 510(k) Submissions final guidance. An eSTAR submission will be placed on a Technical Screening hold if it does not contain accurate responses and relevant attachments in the Cybersecurity section of eSTAR.

UL Solutions: If your organization is concerned that missing information in eSTAR could delay your product's launch, we can help with preparations and provide a second set of experienced eyes to minimize that risk.


Q: Section 524B (b) (1) of the FD&C Act requires manufacturers of cyber devices to submit plans to manage vulnerabilities and exploits as part of their premarket submissions. What resources are available to manufacturers?

A: FDA: The guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions and the guidance Postmarket Management of Cybersecurity in Medical Devices describe recommendations for managing cybersecurity after the device has been introduced into the market.

UL Solutions: Vulnerability management can be a challenging multistakeholder process with many shared responsibilities between you (the medical device manufacturer, or MDM), your customer (the Healthcare Delivery Organization, or HDO) and others who may be involved in the technology stack of your medical device or system. As a third party, we can help reconcile the specific vulnerability information needs of the different stakeholders who share cybersecurity vulnerability information in your part of the healthcare value chain.


Q: Section 524B (b) (2) of the FD&C Act requires, among other aspects, that manufacturers of cyber devices design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure. What resources are available to manufacturers?

A: FDA: The guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions provides recommendations on cybersecurity considerations for devices and provides recommendations for documentation in device premarket submissions that may help manufacturers meet their obligations with the 524B(b)(2) requirements.

UL Solutions: Although this FDA guidance can seem intimidating, our staff can help simplify what is needed and help you communicate it in a form that is readily consumable in different parts of your organization, from your C-suite executives to your front-line engineering and sales teams.


Q: Section 524B (b) (2) of the FD&C Act also requires manufacturers of cyber devices to make available postmarket updates and patches to the device and related systems to address vulnerabilities. What resources are available to manufacturers?

A: FDA: The guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions discusses throughout plans for patches and updates across the total product life cycle (TPLC). The guidance "Postmarket Management of Cybersecurity in Medical Devices" discusses cybersecurity routine updates and patches and describes patching in the context of remediating cybersecurity vulnerabilities.

UL Solutions: With the constant change that software requires, now amplified by the pervasiveness of dynamic cloud technologies and AI in its various forms, software change management has become far more difficult. For security in particular, some of these newer technologies, such as agentic AI, can introduce entirely new classes of vulnerability inside established trust boundaries, much like insider attacks, and addressing them may require significant software changes to implement product-level security controls. Vulnerability identification, patch validation and deployment at scale are therefore even more challenging in this context. UL Solutions staff can help you identify new approaches and tools, such as using the FDA's Predetermined Change Control Plan guidance to build a technology-driven regulatory strategy for vulnerability management.


Q: Section 524B (b) (3) of the FD&C Act requires that manufacturers of cyber devices provide a software bill of materials (SBOM) for the commercial, open-source, and off-the-shelf software components contained within the device. What resources are available to manufacturers?

A: FDA: The guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions discusses SBOMs in Section V.A.4(b). Additional information about SBOMs can be found in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM).

UL Solutions: As mentioned above, if you can provide UL Solutions with your software binary images, we can generate your SBOM for you in a variety of FDA-sanctioned formats. However, it is important to recognize that an SBOM only covers potential security problems that reach your product or system from the lower tiers of the supply chain (your suppliers and their suppliers in turn). It does not address your own in-house developed software and how it might introduce new vulnerabilities into your customers' environments, yet that is often where most of the interaction between you and your customers occurs once vulnerability management is needed. Our expert staff can help you manage not only the known vulnerabilities that arrive through the supply chain, but also how to be a better partner to your customers if any of your residual software weaknesses are exploited and become vulnerabilities.
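Whatever format an SBOM is delivered in, the FDA guidance and the NTIA documents it cites expect each component to carry a baseline set of attributes (SBOM author, timestamp, supplier name, component name, version, a unique identifier, and the dependency relationship). The following is an added example, not code from this page, from UL Solutions or from the FDA: a small Python checker that reads an SBOM in CycloneDX JSON layout and reports which of those baseline attributes are missing. The embedded SBOM is constructed for illustration (the component names, versions, purls and hash are placeholders, and the `rtos` entry is deliberately incomplete), and the field mapping to CycloneDX (`metadata.timestamp`, `metadata.authors`, `supplier.name`, `purl`/`cpe`, `dependencies[].ref`) is this example's own assumption about how the attributes are represented.

```python
"""Check a CycloneDX JSON SBOM for the NTIA baseline component attributes."""
import json
from datetime import datetime

# Constructed sample SBOM in CycloneDX JSON layout. Names, versions, purls and
# the hash value are illustrative placeholders, not a real device's inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",                 # SBOM timestamp
        "authors": [{"name": "Example MDM Product Security"}],  # SBOM author
        "component": {"bom-ref": "device-fw", "type": "firmware",
                      "name": "infusion-pump-fw", "version": "3.2.0",
                      "supplier": {"name": "Example MDM"}},
    },
    "components": [
        {"bom-ref": "pkg:generic/libfoo@1.4.2", "type": "library",
         "name": "libfoo", "version": "1.4.2",
         "supplier": {"name": "Foo Project"},
         "purl": "pkg:generic/libfoo@1.4.2",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        # Deliberately incomplete vendor blob: no version, supplier or purl.
        {"bom-ref": "rtos-vendor-blob", "type": "library", "name": "rtos"},
    ],
    "dependencies": [
        {"ref": "device-fw", "dependsOn": ["pkg:generic/libfoo@1.4.2"]},
        {"ref": "pkg:generic/libfoo@1.4.2", "dependsOn": []},
        # "rtos-vendor-blob" has no entry here, so its relationship is unknown.
    ],
})


def check_component(comp):
    """Return the baseline attributes missing from one component dict."""
    missing = []
    for field in ("name", "version"):
        if not comp.get(field):
            missing.append(field)
    if not (comp.get("supplier") or {}).get("name"):
        missing.append("supplier.name")
    # A unique identifier: purl or cpe (either is accepted here).
    if not (comp.get("purl") or comp.get("cpe")):
        missing.append("unique identifier (purl/cpe)")
    return missing


def check_sbom(sbom_json):
    """Return a list of human-readable findings; an empty list means complete."""
    sbom = json.loads(sbom_json)
    findings = []

    meta = sbom.get("metadata", {})
    ts = meta.get("timestamp")
    if not ts:
        findings.append("metadata.timestamp missing")
    else:
        try:
            # fromisoformat() before Python 3.11 rejects a trailing "Z".
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"metadata.timestamp not ISO 8601: {ts}")
    if not meta.get("authors"):
        findings.append("metadata.authors missing")

    # Every component should appear as a "ref" in the dependency graph so the
    # relationship attribute is recorded, even if it depends on nothing.
    dep_refs = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        for attr in check_component(comp):
            findings.append(f"component {ref}: missing {attr}")
        if ref not in dep_refs:
            findings.append(f"component {ref}: no dependency relationship recorded")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the constructed sample, the checker reports four findings, all for the `rtos-vendor-blob` component (missing version, supplier name and unique identifier, and no dependency entry), while `libfoo` passes; a component hash is a further baseline attribute in the NTIA framing document and would be a natural addition to `check_component`.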


Q: Do I need to submit information to demonstrate that I comply with the requirements in section 524B for all device modifications?

A: FDA: In keeping with least burdensome principles, the information we recommend that manufacturers of cyber devices provide will generally differ based on the type of change and whether such change impacts the cybersecurity of the device. The guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions discusses the different changes that are likely or unlikely to impact cybersecurity and what documentation is required and recommended in Section VII.D, “Modifications.”

UL Solutions: If you are uncertain about whether your software changes affect the cybersecurity posture of your cyber device, we can help you build a security assurance case to support your regulatory strategy and tactical approach.

UL Solutions offers comprehensive support to medical device manufacturers navigating compliance with section 524B of the FD&C Act, which sets out the cybersecurity requirements for FDA submissions involving cyber devices. We can assist with identifying whether a product qualifies as a cyber device, developing required documentation such as vulnerability management plans and software bills of materials (SBOMs), and preparing submissions using the FDA's eSTAR format. Our experts also provide training, strategic guidance and technical services to help organizations meet both premarket and postmarket cybersecurity obligations. Contact us today for help.
