The FDA has reissued draft guidance for premarket cybersecurity considerations four years after the previous draft guidance, and eight years after the issuance of the most recent final guidance. While this draft guidance is not the final word on this policy, we would advise our clients that it represents a fundamental shift in the agency’s approach to cybersecurity, one that comes with a substantially more demanding set of requirements in the premarket phase of device development.
In October 2014, the FDA’s Center for Devices and Radiological Health (CDRH) released a final guidance regarding the contents of premarket submissions for device cybersecurity, a nine-page document that offered definitions for a number of terms. That guidance also featured cybersecurity-related requirements for implementation of critical features of the Quality System Regulation (QSR), such as design controls, along with a list of recognized standards that could be used to demonstrate compliance.
The 2014 guidance cited the then-current version of ISO 14971 only as a source of definitions. That version was replaced in 2019, and the new draft guidance appears to treat the 2019 edition as a helpful but non-exhaustive source of guideposts for risk management. The draft states that safety risk management under 14971 is distinct from security risk management because the scope of possible harms differs, and therefore the factors that feed a risk assessment differ as well.
Another point raised by the FDA is that while device safety problems can be estimated probabilistically from historical data or modeling, cybersecurity failures do not follow a probabilistic model, a difference the agency said the ISO standard does not account for. The draft also states that exploitability may be assessed differently in the premarket phase than in a post-market assessment of an identified vulnerability. The agency appears to be signaling its intent to maintain the premarket and post-market cybersecurity guidances as distinct policy documents, particularly given the draft’s reference to the post-market cybersecurity guidance. By contrast, the International Medical Device Regulators Forum (IMDRF) encodes all of its cybersecurity recommendations in a single guidance.
The 2018 draft guidance was never finalized, but it represented a significant rework of the 2014 final guidance, running 24 pages and introducing several critical differences. One of these was a two-tier risk classification scheme, criticized as a potential source of regulatory distraction because it would have overlaid a separate risk management tier on the device’s overall risk classification. That two-tier scheme is absent from the new draft guidance, which spans 49 pages.
Draft Offers Alternative to QSR
One of the more noteworthy changes proposed in the new draft guidance is the use of a secure product development framework (SPDF) to satisfy the requirements of the QSR. The SPDF approach does not appear in the FDA’s previous premarket cybersecurity policy documents, but applying it to total product life cycle (TPLC) cybersecurity management is consistent with the agency’s growing interest in TPLC considerations. One benefit of an SPDF approach, the guidance states, is that it may relieve the developer of the need to re-engineer the device when connectivity features are added in the post-market phase.
The SPDF section of the draft is divided into three parts: security risk management, security architecture, and cybersecurity testing. Cybersecurity testing, as documented in the product’s dossier, would fulfill two requirements under Part 820.30: design verification under Part 820.30(f) and design validation under Part 820.30(g). The related components, which should be documented in premarket submissions, include testing for:
- Security requirements;
- Threat mitigation;
- Vulnerability testing; and
- Penetration testing.
Among the provisions for security requirement testing is documentation of the boundary analysis and the rationale for the developer’s boundary assumptions. Vulnerability testing can be managed through compliance with section 9.4 of ANSI/ISA 62443-4-1, and the draft lists six testing modalities for controlling vulnerabilities, such as static and dynamic code analysis. Those modalities are meant to catch, among other things, credentials that are hard-coded, left at default values, or easily guessed and therefore easily compromised.
Another interesting feature of this draft is that it calls for the preservation and maintenance of the software infrastructure needed to evaluate patches, such as virtual machines and regression test suites, a recommendation not found in any previous draft or final guidance. The draft also recommends that developers plan for sustaining licenses for third-party software throughout the supported life span of the device, along with contingency plans for managing those third-party products should the vendor go out of business.
The draft is open for comment for 90 days, but the breadth of the document could prompt a request for an extension of the comment period, as this draft represents a sharp departure from existing policy. We advise our clients to keep in mind that the Biden administration placed a significant emphasis on cybersecurity in May 2021.
The related concerns have been amplified recently by cybersecurity threats thought to be emanating from Russia in tandem with its invasion of Ukraine. Legislation on cybersecurity requirements is also emerging from the U.S. Senate, all of which suggests that the FDA’s concerns regarding cybersecurity are already significantly elevated.
Companies that market products that would fall under this new draft guidance need not expect a final guidance to emerge in the current fiscal year, as it does not appear on the CDRH guidance agenda for FY 2022. We would also remind our readers that CDRH posted a number of draft guidances in calendar year 2021 that have yet to be converted into final guidance, indicative of a guidance backlog at CDRH. All of this suggests that a final premarket cybersecurity guidance may not arrive until sometime in the first half of 2023.