Cybersecurity in FDA CDRH’s Proposed Guidance List for Fiscal Year 2025

Topics:
FDA readiness
Regulatory
Thought leadership
Axel Wirth

October 28, 2024

The FDA’s Center for Devices and Radiological Health (CDRH) recently shared its target list of guidance documents that the agency intends to publish or develop in fiscal year 2025. The list is organized by priority, with an A-list (highest-priority documents) and a B-list (documents the agency intends to publish as resources permit). CDRH also provides an “Under Construction” section (documents not on the A- or B-list that are intended to be developed as resources permit) and a “Retrospective” review list (previously issued final guidance documents to be reviewed to ensure they still represent current thinking).

From a cybersecurity perspective, several of the listed documents are noteworthy:

A-List: Final Guidances Expected

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Guidance for Industry and Food and Drug Administration Staff (final guidance, Sept. 2023).

This update is anticipated to integrate revisions based on earlier drafts, Select Updates for the Premarket Cybersecurity Guidance: Section 524B (released for public comment in Mar. 2024). Key areas of clarification include:

  • Defining which devices fall under section 524B of the FD&C Act, particularly the term ‘Cyber Device’.
  • Providing clearer documentation requirements, such as the Software Bill of Materials (SBOM), to demonstrate adequate cybersecurity measures.
  • Offering guidance on differentiating between software changes that impact cybersecurity and those that don’t, as well as on when a software update necessitates a cybersecurity management plan.

Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions.

  • As AI components are increasingly integrated into medical devices, this guidance will be pivotal for ensuring that AI is safely deployed, with a strong focus on change management to protect patient safety.

A-List: Proposed Draft Guidances

  • Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management Considerations and Pre-market Submission. This guidance, already slated for 2024, will provide much-needed insights into managing the lifecycle of AI-enabled software.

B-List: Final Guidances Expected

  • Computer Software Assurance for Production and Quality System Software. This guidance has been on the B-list previously, and the industry hopes for its release in 2025 to bring greater clarity to software assurance requirements in product environments.

B-List: Proposed Draft Guidances

  • Policy for Regulatory Status of Device Software Functions (revision of Policy for Device Software Functions and Mobile Medical Applications). This update will address the regulatory status of software functions, including mobile medical apps, and clarify the boundaries of regulatory oversight.

Missing: Updates to 2016 Cybersecurity Postmarket Guidance

In summary, 2025 could provide another interesting year for medical device software, including cybersecurity and AI. However, suspiciously absent is an update to the 2016 Final Guidance on Postmarket Management of Cybersecurity in Medical Devices. With the legal and regulatory changes introduced through the FD&C Act, an update of the 9-year-old postmarket guidance would seem timely. Further, the changes to the premarket guidance make updating the postmarket guidance advisable to ensure it reflects changes in premarket thinking, as well as section 524B of the Act. But maybe this is slated as a 2026 priority?

Navigating the FDA submission process doesn’t have to be a daunting task. With Medcrypt’s experienced team by your side, you can streamline your submission preparation, prioritize cybersecurity remediation, and achieve program maturity. Our unique approach, coupled with a deep understanding of FDA expectations, ensures your medical devices are compliant and secure in an ever-evolving threat landscape. Trust Medcrypt to be your partner in achieving FDA cybersecurity readiness and ensuring the safety of your innovations.

Don’t know where to start? Start by taking our complimentary FDA Cybersecurity Filing Readiness Survey.
