Towards cybersecure medical devices

FDA now requires a plan to address postmarket vulnerabilities and a process in place for handling critical vulnerabilities.
Interlynk
December 23, 2022

The Senate's passage of the omnibus appropriations bill funding the federal government is an unprecedented step toward empowering the FDA to oversee the cyber safety of connected medical devices.

The bill requires the FDA to ask device sponsors for a plan to address postmarket vulnerabilities and exploits on a reasonably justified regular cycle, and to have a process in place for addressing critical vulnerabilities out of cycle.

In a significant nod to Executive Order 14028 — Improving the Nation’s Cybersecurity — the bill also asks the FDA to collect a software bill of materials (SBOM) for such devices.

At Interlynk, we believe that an easy, obvious, and automated software disclosure is the foundational block of software security and welcome these requirements in the Senate bill.

Text from the bill:

SEC. 524B. ENSURING CYBERSECURITY OF DEVICES.
(a) IN GENERAL. — A person who submits an application or submission under section 510(k), 513, 515(c), 515(f), or 520(m) for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).
(b) CYBERSECURITY REQUIREMENTS. — The sponsor of an application or submission described in subsection (a) shall —
(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address — (A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and (B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.