Oct 19, 2018


  • US FDA updates cybersecurity guidance first issued in 2014 for medical device premarket submissions.
  • The new guidance introduces a two-tier cybersecurity risk categorization system for devices.
  • The guidance also introduces the concept of a Cybersecurity Bill of Materials (CBOM) in lieu of a Software Bill of Materials (SBOM).

The US Food and Drug Administration has issued guidance updating its 2014 requirements for medical device cybersecurity management in premarket submissions.

The latest draft guidance covers risk management, design, and labeling requirements and recommendations for inclusion in 510(k), Premarket Approval (PMA) and other premarket submissions for devices posing cybersecurity risks.

Since FDA’s 2014 final guidance on cybersecurity management considerations in medical device premarket submissions, proliferation of wireless and network-connected devices and systems as well as increased frequency of cybersecurity threats to healthcare environments have prompted revisions to FDA’s cybersecurity approach, according to the agency.

Tiered approach to assessing cybersecurity risk

A key element of FDA’s new draft guidance is the introduction of a two-tier security risk categorization system for devices; devices would fall under Tier 1 (Higher Cybersecurity Risk) or Tier 2 (Standard Cybersecurity Risk) categories depending on the level of cybersecurity risk they pose. This approach addresses challenges stakeholders have faced attempting to reconcile differences between FDA medical device safety risk classifications and security risk.

  • Tier 1 would include devices capable of connecting to other medical or non-medical products, a larger network or the Internet. A cybersecurity issue involving a Tier 1 device could potentially result in harm to multiple patients. Examples of Tier 1 devices would include pacemakers, implantable cardioverter defibrillators (ICD), dialysis devices, and infusion and insulin pumps.
  • Tier 2 would cover any device that does not meet criteria for inclusion in Tier 1.

The guidance emphasizes that this tiered cybersecurity risk approach would not always align neatly with FDA’s risk-based device classification policies: “For example, based on the manufacturer’s assessment and device design, a class II device such as an infusion pump may meet the criteria for Tier 1 higher cybersecurity risk while a class III device, such as a coronary atherectomy device with no connectivity may meet the criteria for Tier 2 standard cybersecurity risk,” states the guidance.

Cybersecurity Bill of Materials

Under the guidance’s General Principles & Risk Assessment section, FDA refers to a Cybersecurity Bill of Materials (CBOM), which narrows down the “Software Bill of Materials” concept that has been growing in industry acceptance over the past few years. FDA defines CBOMs as lists of commercial, open-source and off-the-shelf software and hardware that may be vulnerable to cybersecurity risks.

Utilizing CBOMs has the potential to help manufacturers and healthcare providers implement cybersecurity risk management processes using more precisely defined criteria for identifying which components of their devices, software and systems are more vulnerable to cyber incidents or attacks.

Manufacturers should utilize CBOMs to identify assets, threats and liabilities, according to the guidance, as well as to set cybersecurity requirements for purchased products and demonstrate compliance to purchasing control regulations. FDA recommends that manufacturers include CBOMs in their premarket application design, labeling and risk management documentation.

Stronger alignment with NIST Cybersecurity Framework

FDA ties its cybersecurity requirements more closely to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, a globally recognized framework that provides manufacturers with commonly recognized risk and impact assessment tools to determine cybersecurity risks and vulnerabilities. Aligning the new guidance with the NIST Cybersecurity Framework should also foster wider adoption of FDA Recognized Consensus Standards including UL 2900 for medical device cybersecurity.

Cybersecurity documentation requirements

FDA lists cybersecurity documentation requirements in the new guidance. Documentation requirements are specific to Tier 1 and Tier 2 devices.

Manufacturers of Tier 1 higher cybersecurity risk devices should submit design documentation showing that their products meet the following criteria:

  • Design supports timely detection of cybersecurity incidents
  • Design enables device to respond to and contain the impact of a cybersecurity incident
  • Design supports recovery of capabilities and/or services impaired by the cybersecurity incident

Tier 2 device manufacturers must either submit design documentation supporting the same requirements listed above, or provide a risk-based rationale explaining why cybersecurity design controls are not necessary for their submissions.

Both Tier 1 and Tier 2 device premarket submissions should also include system diagrams explaining how these design elements function on a system-wide level.

Finally, manufacturers should include in their premarket submissions summaries of design features to accommodate software patches and updates throughout their devices’ lifecycles.

Anura Fernando is Chief Innovation Architect, Medical Systems Interoperability & Security at UL.




  • Anura Fernando and Stewart Eisenhart