Title 21, Food and Drugs (Release 119-73)

§360n–2 Ensuring cybersecurity of devices

Last updated Apr 6, 2026

Summary

Anyone who files an application or submission under section 360(k), 360c, 360e(c), 360e(f), or 360j(m) of this title for a device that meets this section’s definition of a cyber device must give the Secretary the information the Secretary requires to show the device meets the cybersecurity requirements. The sponsor must submit a plan to monitor, identify, and address postmarket vulnerabilities and exploits, including coordinated vulnerability disclosure; maintain processes that give reasonable assurance the device and related systems are cybersecure; make updates and patches available on a reasonably justified regular cycle for known unacceptable vulnerabilities and as soon as possible, out of cycle, for critical vulnerabilities that could cause uncontrolled risks; provide a software bill of materials listing commercial, open-source, and off-the-shelf software components; and comply with any other requirements the Secretary sets by regulation. A “cyber device” is one that includes software validated, installed, or authorized by the sponsor, can connect to the internet, and contains sponsor-validated, installed, or authorized technological characteristics that could be vulnerable to cybersecurity threats. The Secretary may exempt certain devices or categories or types of devices and must publish that list in the Federal Register and update it as appropriate.

Full Legal Text

Title 21, §360n–2

Food and Drugs — Source: USLM XML via OLRC

(a) A person who submits an application or submission under section 360(k), 360c, 360e(c), 360e(f), or 360j(m) of this title for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).
(b) The sponsor of an application or submission described in subsection (a) shall—
(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—
(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
(c) In this section, the term “cyber device” means a device that—
(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;
(2) has the ability to connect to the internet; and
(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
(d) The Secretary may identify devices, or categories or types of devices, that are exempt from meeting the cybersecurity requirements established by this section and regulations promulgated pursuant to this section. The Secretary shall publish in the Federal Register, and update, as appropriate, a list of the devices, or categories or types of devices, so identified by the Secretary.

Statutory Notes and Related Subsidiaries

Effective Date

Section effective 90 days after Dec. 29, 2022, see section 3305(d) of Pub. L. 117–328, set out as an Effective Date of 2022 Amendment note under section 331 of this title.

Construction

Nothing in section 3305(a) of Pub. L. 117–328, which enacted this section, to be construed to affect the Secretary of Health and Human Services’ authority related to ensuring that there is a reasonable assurance of the safety and effectiveness of devices, which may include ensuring that there is a reasonable assurance of the cybersecurity of certain cyber devices, including for devices approved or cleared prior to Dec. 29, 2022, see section 3305(c) of Pub. L. 117–328, set out as a Construction of 2022 Amendment note under section 331 of this title.

Guidance for Industry and FDA Staff on Device Cybersecurity

Pub. L. 117–328, div. FF, title III, § 3305(e), Dec. 29, 2022, 136 Stat. 5833, provided that: “Not later than 2 years after the date of enactment of this Act [Dec. 29, 2022], and periodically thereafter as appropriate, the Secretary [of Health and Human Services], in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall review and, as appropriate and after soliciting and receiving feedback from device manufacturers, health care providers, third-party-device servicers, patient advocates, and other appropriate stakeholders, update the guidance entitled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ (or a successor document).”

[For definition of “device” as used in section 3305(e) of Pub. L. 117–328, set out above, see section 321(h) of this title, as made applicable by section 3305(h) of Pub. L. 117–328, which is set out below.]

Resources Regarding Cybersecurity of Devices

Pub. L. 117–328, div. FF, title III, § 3305(f), Dec. 29, 2022, 136 Stat. 5834, provided that: “Not later than 180 days after the date of enactment of this Act [Dec. 29, 2022], and not less than annually thereafter, the Secretary [of Health and Human Services] shall update public information provided by the Food and Drug Administration, including on the website of the Food and Drug Administration, with information regarding improving cybersecurity of devices. Such information shall include information on identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers, and how such entities may access support through the Cybersecurity and Infrastructure Security Agency and other Federal entities, including the Department of Health and Human Services, to improve the cybersecurity of devices.”

[For definition of “device” as used in section 3305(f) of Pub. L. 117–328, set out above, see section 321(h) of this title, as made applicable by section 3305(h) of Pub. L. 117–328, which is set out below.]

Definition

Pub. L. 117–328, div. FF, title III, § 3305(h), Dec. 29, 2022, 136 Stat. 5834, provided that: “In this section [enacting this section, amending section 331 of this title, and enacting provisions set out as notes under this section and section 331 of this title], the term ‘device’ has the meaning given such term in section 201(h) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321(h)).”

Citation

21 U.S.C. § 360n–2
