The new article further elaborates on the scope of documentation to be provided concerning cybersecurity devices intended to be marketed and used in the US.

FDA Guidance

The Food and Drug Administration (FDA or the Agency), the US regulating authority in healthcare products, has published a draft guidance document introducing selected updates for the premarket cybersecurity guidance with particular reference to Section 524B of the FD&C Act.

Once finalized, the guidance will provide additional clarifications regarding the applicable regulatory requirements and recommendations to be taken into consideration by medical device manufacturers and other parties involved to ensure compliance.

At the same time, it is essential to mention that provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations.

Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach is in line with the existing legal framework and has been agreed with the authority in advance.

Introduction to Documentation Requirements

Under the regulatory framework established by Section 524B of the FD&C Act, manufacturers submitting premarket applications for medical devices referred to as “cyber devices” are expected to provide comprehensive documentation pertaining to the product in question.

This documentation is vitally important for demonstrating compliance with the applicable cybersecurity requirements, emphasizing the importance of detailed planning and procedural documentation in mitigating cybersecurity risks.

FDA on assessing credibility of computational modelling2

Comprehensive Planning and Monitoring

First of all, the scope of the guidance covers the aspects related to planning, namely:

  • Strategic Cybersecurity Management
    Manufacturers must submit a detailed plan outlining their strategies for monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities. This plan should align with the guidelines provided in the Premarket Cybersecurity Guidance, emphasizing the necessity for coordinated vulnerability disclosure and the management of cybersecurity exploits.
  • Coordinated Vulnerability Disclosure
    A pivotal element of the cybersecurity management plan involves the establishment of coordinated disclosure practices for vulnerabilities identified by both external entities and the manufacturers themselves. This ensures a systematic approach to addressing and mitigating cybersecurity risks.
  • Timeline for Updates and Patches
    The plan must also detail a timeline for developing and releasing updates and patches, addressing known vulnerabilities regularly and responding swiftly to critical vulnerabilities that emerge outside of this cycle.

Adaptive Cybersecurity Framework

It is recommended that manufacturers maintain a flexible and adaptive approach to their cybersecurity plans, updating them in response to new information and evolving cybersecurity landscapes.

This includes maintaining thorough documentation throughout the product lifecycle, thereby enhancing the ability to swiftly address vulnerabilities as they are identified.

Design and Maintenance of Cybersecurity Systems

The document also pays special attention to the matters related to the design and maintenance of cybersecurity systems.

According to the guidance, manufacturers must design, develop, and maintain processes and procedures that guarantee the cybersecurity of the device and its related systems.

This includes the management of manufacturer-controlled elements and ensuring secure connections to healthcare facility networks, as outlined in the relevant FDA guidance.

Software Bill of Materials (SBOM)

Another important aspect addressed in the document is the Software Bill of Materials (SBOM). The document explains the said concept in detail and also provides additional clarifications with respect to the way it should be used.

According to the document, a crucial aspect of the documentation involves the provision of a Software Bill of Materials, which lists all commercial, open-source, and off-the-shelf software components of a cyber device.

This SBOM is vitally important for ensuring transparency and facilitating the management of software vulnerabilities.


In summary, the present draft guidance issued by the FDA is intended to provide a comprehensive overview of the regulatory requirements related to the documentation the parties responsible for cyber devices should provide to demonstrate that all relevant cybersecurity matters are addressed properly.

By the guidance, the authority also provides additional recommendations to be taken into consideration to ensure compliance with the said requirements, as well as the necessary level of protection against cybersecurity threats in general.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.