Cybersecurity Risk Management Programs Are Essential. The guidance states that it is “essential” for device manufacturers to implement cybersecurity risk management programs and documentation that address postmarket complaint handling, quality audit, corrective and preventative action, software validation and risk analysis, and servicing, consistent with the Quality System Regulation (21 CFR part 820). The guidance also identifies the following “critical components” of an effective cybersecurity risk management program:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing, and detecting presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining “essential clinical performance” so that a potential compromise of essential clinical performance can be identified, and mitigation strategies developed that protect against, respond to, and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigation strategies that address cybersecurity risk early and prior to exploitation.
Follow the NIST Cybersecurity Framework. The guidance further explains that a cybersecurity risk management program for a medical device should cover both its premarket and postmarket phases. To manage cybersecurity across a product’s lifecycle, the FDA strongly encourages manufacturers to develop their cybersecurity risk management programs using the Cybersecurity Framework developed by the National Institute of Standards and Technology (“NIST”). The NIST Cybersecurity Framework is a voluntary, risk-based tool that outlines five core functions (Identify, Protect, Detect, Respond, and Recover) related to cybersecurity risk.
The guidance includes an appendix that walks through the Framework’s core elements in the context of a medical device manufacturer’s cybersecurity risk management program. According to the guidance, medical device companies should use the Framework to develop programs that include methods for (1) identifying, characterizing, and assessing cybersecurity vulnerabilities; (2) analyzing, detecting, and assessing threat sources; and (3) adopting device-based features and compensatory controls to address unacceptable risk.