ARE YOU READY TO SECURE YOUR DEVICE EMPIRE??

How do you protect your products from security risks, stay ahead of the competition, and meet the new FDA, EU Cyber Resilience Act, and SBOM Compliance Requirements for your Medical devices and products?

Across the globe, new legislation has been signed into law by different governments, from the US National Cybersecurity Strategy to the EU Cyber Resilience Act (CRA), that mandate stronger security practices and put the liability of security breaches on device manufacturers.

New FDA “Refuse-to-Accept” Deadline for Medical Device Manufacturers Fast Approaching

Among many of these new regulations, the most time-sensitive one is the new FDA cybersecurity legislation for medical devices that was signed into law on March 29th, 2023. With this new law, the FDA signed into effect four new requirements for medical devices and a refuse-to-accept (RTA) policy. Beginning October 1st, 2023, the FDA will begin to reject or “refuse to accept” submissions that do not include information on the four new FDA cybersecurity requirements for medical devices. 

If you’re a medical device manufacturer, don’t delay. Act today. 

THE 4 NEW FDA CYBERSECURITY REQUIREMENTS FOR MEDICAL DEVICES
Include Postmarket Monitoring, Device Updates, Software Bill of Materials (SBOMs), and Regulatory Compliance Requirements
What is the new FDA SBOM requirement?

With this new legislation, the FDA is reinforcing the National Telecommunications and Information Administration (NTIA) minimum SBOM requirements. Manufacturers of cyber devices are now required to “provide a Software Bill of Materials (SBOM) for the commercial, open-source, and off-the-shelf software components” contained within their devices.

What does the FDA require for cybersecurity regulatory compliance?

To demonstrate reasonable assurance that the device and related systems are secure, the FDA clarified how manufacturers should ensure their devices comply with other pre-existing FDA requirements or regulations, such as the Quality System (QS) Regulation.

What does the FDA postmarket monitoring requirement involve?

Under Section 524B(b)(1) of the FD&C Act, the FDA recommends manufacturers manage “postmarket cybersecurity vulnerabilities for marketed and distributed medical devices.” This includes submitting a plan that involves monitoring, identifying, and addressing any cybersecurity vulnerabilities and exploits that occur after the product has been released, and a plan for coordinating, disclosing, and remediating vulnerabilities. The FDA specifies that cybersecurity should be monitored throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.

What does the FDA require for device updates?

In addition to the postmarket monitoring requirement, the FDA requires device manufacturers to submit a plan for keeping their devices patched and updated across the total product life cycle (TPLC). This includes designing, developing, and maintaining processes and procedures that “provide a reasonable assurance that the device and related systems are cybersecure,” with a justifiable regular cycle on which known unacceptable vulnerabilities and critical vulnerabilities are patched.
HOW TIMESYS AND VIGILES HELP YOU WITH THE FDA CYBERSECURITY REQUIREMENTS IN SECTION 524B OF THE “OMNIBUS”

Generate NTIA-Compliant Industry-Standard FDA Approved SBOMs with One Click

The Vigiles SBOM dashboard empowers you to generate, track, and monitor multiple SBOMs across industry-standard formats, such as CycloneDX and SPDX, and facilitates collaborative work with your entire team. Vigiles notifies you immediately whether your SBOMs meet the NTIA minimum-element conformance standard and adhere to the latest FDA cybersecurity guidelines. Vigiles will also proactively alert you if your device or product has a license violation.

Simplify and Automate Postmarket Monitoring with Vigiles

As a best-in-class Software Bill of Materials (SBOM) management and vulnerability monitoring and remediation tool, Vigiles offers a centralized dashboard for you to automate your postmarket cybersecurity monitoring process and share it with your whole team, streamlining and cutting down the number of hours your team needs to spend verifying which Common Vulnerabilities and Exposures (CVEs) actually matter and need to be addressed for your device.

Identify and Release Immediately Needed Device Updates with Timesys and Vigiles

Vigiles provides you with a continuous, accurate security feed against all of your SBOMs so you’re aware of which vulnerabilities and CVEs correspond to your product, where, when, how, and what remediation options are available. With Vigiles, you’ll know if there is a fix available, what the patch is, the minimum version, and the config option information needed to remediate the vulnerability. When a patch is not available, Vigiles will also recommend workarounds and include links for recreating the CVE exploit for testing and remediation.

Elevate Your Quality System and Streamline Your Reporting Process with Vigiles

Comprehensively validate your Software Bill of Materials for compliance, minimize time spent on false-positive risks, and minimize the risk of missing critical open source vulnerability issues with Vigiles. Vigiles centralizes the information of your devices in an easy-to-use SBOM dashboard, provides a curated CVE/CPE database, and pulls data from multiple feeds, resulting in 40% more accurate reporting of vulnerabilities in your SBOMs over the National Vulnerability Database (NVD). Make decisions confidently with the right information through triage reports and implement efficient and strategic quality improvements with Vigiles.
How does the European Cyber Resilience Act (CRA) Affect Cybersecurity Regulations for Hardware and Software Products?

The European Commission introduced the European Cyber Resilience Act (CRA) to address growing cybersecurity risks and ensure safer hardware and software. This act aims to verify that “products with digital elements placed on the EU market have fewer vulnerabilities and that manufacturers remain responsible for cybersecurity throughout a product’s life cycle.” 

Some of the essential requirements introduced by this act include:

  • Manufacturers are required to take cybersecurity into account in the planning, designing, development, production, delivery, and maintenance life cycles of their products.
  • All cybersecurity risks must be documented. 
  • Manufacturers are required to report actively exploited vulnerabilities and incidents with their products.
  • Security updates to the products must be made regularly available for at least five (5) years. 
  • Once sold, manufacturers are expected to ensure vulnerabilities are handled effectively for the lifetime of the product or a period of five years (whichever is shorter).

How can Timesys and Vigiles help in preparing for the EU Cyber Resilience Act?

Vigiles ensures medical device manufacturers are well-prepared to navigate the intricacies of the European Cyber Resilience Act (EU CRA). Vigiles simplifies compliance by efficiently managing Software Bill of Materials (SBOMs), proactively mitigating security risks, and ensuring readiness for emerging regulations like the EU CRA. Focus on compliance, minimize risks, and safeguard your devices against evolving threats with Vigiles.

How do you gain the upper hand in tracking, monitoring, and managing cybersecurity vulnerabilities throughout your product’s lifecycle with Vigiles?
  • Vigiles makes it easy to incorporate cybersecurity into your DevSecOps process and account for security in the planning, designing, development, production, delivery, and maintenance life cycles of your products
  • Identify and implement critical security updates and patches, all while maintaining comprehensive documentation of relevant cybersecurity risks with Vigiles
  • Produce SBOM reports at the click of a button summarizing and comparing the changes, updates, and vulnerabilities identified in your devices
  • Vigiles helps you handle vulnerabilities efficiently and seamlessly for the lifetime of your product with a comprehensive and unified SBOM dashboard of all your devices and products

Trust Vigiles to be your partner in achieving compliance and peace of mind in the ever-changing cybersecurity landscape.

What Does the White House Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity mean for you?

EO 14028 included many new requirements and provisions that affect healthcare, automotive, and industrial sectors, with the aim of enhancing the cybersecurity of federal government networks and improving cybersecurity practices across the United States. As part of EO 14028, federal agencies now request or require Software Bill of Materials (SBOMs) for software they procure or develop. 

In addition, the National Institute of Standards and Technology (NIST) developed and provided new guidelines, standardized formats, and best practices for creating and using SBOMs. 

With EO 14028, businesses that supply software to the government may need to provide SBOMs as part of their contracts.

Generate, Track, Monitor, and Maintain Multiple SBOMs Across Your Products and Devices with Vigiles SBOM Manager

Vigiles SBOM Manager is an ideal tool that helps you meet NIST and EO 14028 SBOM requirements by enabling you to intuitively import, export, track, and manage SBOMs across various products and releases. Vigiles supports all major Linux build system integrations including Yocto, Buildroot, PetaLinux, Wind River Linux, PTXdist, OpenWrt, and Timesys Factory, containers, RTOSes, and other operating systems and ecosystems such as Python for more accurate SBOM generation. Additionally, with Vigiles, you can convert non-industry-standard SBOMs (such as CSV) to industry-standard SBOM formats (such as CycloneDX, SPDX, and SPDX Lite), making it easier than ever to share SBOMs with agencies that require them.
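As an added example (not Timesys or Vigiles code), the following Python script shows the two mechanics the sections above describe: converting a non-industry-standard CSV component inventory into a CycloneDX-style JSON SBOM, and checking the result against the NTIA minimum elements (supplier name, component name, version, unique identifier, dependency relationship, SBOM author, and timestamp). The CSV column layout, the component rows, and the author name are constructed for this example; the `csv_to_cyclonedx` and `check_ntia_minimum_elements` functions are illustrative, not an API of any product named on the page.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample inventory, as a build export or spreadsheet might produce.
# The last row is deliberately incomplete so the conformance check has
# something to report.
SAMPLE_CSV = """\
supplier,name,version,purl,depends_on
Example Vendor,busybox,1.36.1,pkg:generic/busybox@1.36.1,
Example Vendor,openssl,3.0.12,pkg:generic/openssl@3.0.12,
Example Vendor,curl,8.4.0,pkg:generic/curl@8.4.0,openssl
Example Vendor,mylib,,,curl;openssl
"""


def csv_to_cyclonedx(csv_text: str, author: str) -> dict:
    """Convert a CSV component inventory into a CycloneDX 1.5 JSON document.

    Columns assumed (constructed for this example): supplier, name, version,
    purl, depends_on (semicolon-separated component names).
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # bom-ref ties a component to the dependency graph; use the purl when one
    # exists, otherwise fall back to the bare component name.
    refs = {r["name"]: (r["purl"] or r["name"]) for r in rows}

    components, dependencies = [], []
    for r in rows:
        comp = {"type": "library", "bom-ref": refs[r["name"]], "name": r["name"]}
        if r["supplier"]:
            comp["supplier"] = {"name": r["supplier"]}
        if r["version"]:
            comp["version"] = r["version"]
        if r["purl"]:
            comp["purl"] = r["purl"]
        components.append(comp)
        # Every component gets a dependency entry, even a leaf with an empty
        # dependsOn, so the relationship is stated rather than left to inference.
        deps = [d.strip() for d in r["depends_on"].split(";") if d.strip()]
        try:
            depends_on = [refs[d] for d in deps]
        except KeyError as missing:
            raise ValueError(f"{r['name']} depends on unknown component {missing}")
        dependencies.append({"ref": comp["bom-ref"], "dependsOn": depends_on})

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "authors": [{"name": author}],
        },
        "components": components,
        "dependencies": dependencies,
    }


def check_ntia_minimum_elements(sbom: dict) -> list:
    """Return a list of findings; an empty list means every NTIA minimum
    element is present: SBOM author and timestamp at document level, and
    supplier, name, version, unique identifier and a declared dependency
    relationship for each component."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("document: author of SBOM data missing")
    if not meta.get("timestamp"):
        findings.append("document: timestamp missing")

    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: component name missing")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: supplier name missing")
        if not comp.get("version"):
            findings.append(f"{label}: version missing")
        if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in declared:
            findings.append(f"{label}: dependency relationship not declared")
    return findings


if __name__ == "__main__":
    sbom = csv_to_cyclonedx(SAMPLE_CSV, "Example Vendor Security Team")
    print(json.dumps(sbom, indent=2))
    for finding in check_ntia_minimum_elements(sbom):
        print("NTIA:", finding)
```

Run as a script, it prints the generated SBOM and then two findings for the incomplete `mylib` row (missing version, no unique identifier); a CSV whose rows all carry a version and a purl produces no findings. The unique-identifier check accepts any of purl, CPE or SWID because the NTIA minimum elements name those as examples rather than mandating one of them.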