
Code · BILL · 117th Congress · H.R. 7667 (Reported in House) — To amend the Federal Food, Drug, and Cosmetic Act to revise and extend the user-fee programs for prescription drugs,... · Sec. 808

Sec. 808. Ensuring cybersecurity of medical devices


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subchapter A of chapter V of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351 et seq.), as amended by section 501, is further amended by adding at the end the following: For purposes of ensuring cybersecurity throughout the lifecycle of a cyber device, any person who submits a premarket submission for the cyber device shall include such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness, including at a minimum the cybersecurity requirements under subsection (b).
At a minimum, the manufacturer of a cyber device shall meet the following cybersecurity requirements: The manufacturer shall have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and procedures. The manufacturer shall design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure, and shall make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device to address— on a reasonably justified regular cycle, known unacceptable vulnerabilities; and as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.
The manufacturer shall provide in the labeling of the cyber device a software bill of materials, including commercial, open-source, and off-the-shelf software components. The manufacturer shall comply with such other requirements as the Secretary may require to demonstrate reasonable assurance of the safety and effectiveness of the device for purposes of cybersecurity, which the Secretary may require by an order published in the Federal Register. In making a determination of substantial equivalence under section 513(i) for a cyber device, the Secretary may— find that cybersecurity information for the cyber device described in the relevant premarket submission in the cyber device’s use environment is inadequate; and issue a nonsubstantial equivalence determination based on this finding.
In this section: The term cyber device means a device that— includes software, including software as or in a device; has the ability to connect to the internet; or contains any such technological characteristics that could be vulnerable to cybersecurity threats. The term lifecycle of the cyber device includes the postmarket lifecycle of the cyber device. The term premarket submission means any submission under section 510(k), 513, 515(c), 515(f), or 520(m). The Secretary may identify devices or types of devices that are exempt from meeting the cybersecurity requirements established by this section and regulations promulgated pursuant to this section.
The Secretary shall publish in the Federal Register, and update, as appropriate, a list of the devices and types of devices so identified by the Secretary.
Section 301(q) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 331(q)) is amended by adding at the end the following: The failure to comply with any requirement under section 524C (relating to ensuring device cybersecurity).
Section 501 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351) is amended by inserting after paragraph (j) the following: If it is a device subject to the requirements set forth in section 524C (relating to ensuring device cybersecurity) and fails to comply with any requirement under that section.
Section 502(t) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 352(t)) is amended— by striking or (3) and inserting (3); and by inserting before the period at the end the following: , or (4) to furnish a software bill of materials as required under section 524C (relating to ensuring device cybersecurity).