Guidance issued by the agency on March 30 explains that the new requirements are part of the Consolidated Appropriations Act signed into law in late 2022, specifically a section titled “Ensuring Cybersecurity of Medical Devices”, which amended the Federal Food, Drug, and Cosmetic Act (FD&C Act).
According to the FDA, submissions for new medical devices will need to include specific cybersecurity-related information, such as a description of the plan for identifying and addressing vulnerabilities and exploits in a reasonable time.
Companies must also provide details on the processes and procedures for releasing postmarket updates and patches that address security issues, including through regular updates and out-of-band patches in the case of critical vulnerabilities.