Statutory Notes and Related Subsidiaries
Effective Date

Section effective 90 days after Dec. 29, 2022, see section 3305(d) of Pub. L. 117–328, set out as an Effective Date of 2022 Amendment note under section 331 of this title.

Construction

Nothing in section 3305(a) of Pub. L. 117–328, which enacted this section, to be construed to affect the authority of the Secretary of Health and Human Services related to ensuring that there is a reasonable assurance of the safety and effectiveness of devices, which may include ensuring that there is a reasonable assurance of the cybersecurity of certain cyber devices, including for devices approved or cleared prior to Dec. 29, 2022, see section 3305(c) of Pub. L. 117–328, set out as a Construction of 2022 Amendment note under section 331 of this title.

Guidance for Industry and FDA Staff on Device Cybersecurity

Pub. L. 117–328, div. FF, title III, § 3305(e), Dec. 29, 2022, 136 Stat. 5833, provided that: “Not later than 2 years after the date of enactment of this Act [Dec. 29, 2022], and periodically thereafter as appropriate, the Secretary [of Health and Human Services], in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall review and, as appropriate and after soliciting and receiving feedback from device manufacturers, health care providers, third-party-device servicers, patient advocates, and other appropriate stakeholders, update the guidance entitled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ (or a successor document).”

[For definition of “device” as used in section 3305(e) of Pub. L. 117–328, set out above, see section 321(h) of this title, as made applicable by section 3305(h) of Pub. L. 117–328, which is set out below.]

Resources Regarding Cybersecurity of Devices

Pub. L. 117–328, div. FF, title III, § 3305(f), Dec. 29, 2022, 136 Stat. 5834, provided that: “Not later than 180 days after the date of enactment of this Act [Dec. 29, 2022], and not less than annually thereafter, the Secretary [of Health and Human Services] shall update public information provided by the Food and Drug Administration, including on the website of the Food and Drug Administration, with information regarding improving cybersecurity of devices. Such information shall include information on identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers, and how such entities may access support through the Cybersecurity and Infrastructure Security Agency and other Federal entities, including the Department of Health and Human Services, to improve the cybersecurity of devices.”

[For definition of “device” as used in section 3305(f) of Pub. L. 117–328, set out above, see section 321(h) of this title, as made applicable by section 3305(h) of Pub. L. 117–328, which is set out below.]

Definition

Pub. L. 117–328, div. FF, title III, § 3305(h), Dec. 29, 2022, 136 Stat. 5834, provided that: “In this section [enacting this section, amending section 331 of this title, and enacting provisions set out as notes under this section and section 331 of this title], the term ‘device’ has the meaning given such term in section 201(h) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321(h)).”