Premarket medical device submissions that meet the definition of a “cyber device” will now be required to include a software bill of materials and a cybersecurity plan, thanks to new legislation.


On December 29, 2022, President Biden signed the Consolidated Appropriations Act, 2023 (H.R. 2617), an omnibus appropriations bill for fiscal year 2023. Within this more than 4,000-page bill are several reforms that will directly affect medical device manufacturers. Aside from reforms that affect clinical trial diversity, reforms to the FDA’s accelerated approval processes, a modernization of the FDA regulatory regime for cosmetics, and enhanced FDA oversight of infant formula, one piece of legislation in particular will be highlighted in this article: the Food and Drug Omnibus Reform Act of 2022 (FDORA).

Some of the key reforms include:

  • Device Facility Inspections
  • Device Bans for Specific Intended Uses
  • Counterfeit Medical Devices
  • Voluntary Notifications for Device Shortages
  • Miscellaneous Device Reforms
  • Cybersecurity Reforms

While many of these reforms will directly affect medical device manufacturers, this article focuses on the cybersecurity updates. If you’d like to review some of the broader subjects included in FDORA, check out this Ropes and Gray newsroom alert.


Premarket submissions to the FDA for devices that meet the definition of a “cyber device” must now include cybersecurity information, including a software bill of materials and a cybersecurity plan to address device vulnerabilities.

According to this new legislation, a “cyber device” is defined as a device that:

  • Includes software validated, installed, or authorized by the sponsor as a device or in a device
  • Has the ability to connect to the internet
  • Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats

FDORA also amends the list of prohibited acts in the Food, Drug, and Cosmetic Act (FDCA): under 21 USC 331, it is now a prohibited act to fail to comply with any requirement relating to ensuring device cybersecurity. As for the plan to address cyber vulnerabilities, medical device manufacturers will have to outline how they will monitor, identify, and address post-market cybersecurity vulnerabilities, including thorough disclosure of those vulnerabilities, and they will have to maintain processes and procedures that provide “reasonable assurance” that the device and related systems are cybersecure. They will also be required to make post-market updates and patches available if, or when, vulnerabilities are identified. FDORA also provides that the FDA may identify devices, or categories of devices, that are exempt from these new requirements.


This new legislation comes on the heels of the Department of Defense’s announcement of CMMC 2.0, an update to its comprehensive framework for protecting the defense industrial base’s (DIB) controlled unclassified information from frequent and increasingly complex cyberattacks. The federal government’s renewed focus on cybersecurity legislation comes as cyberattacks in the medical, defense, and general manufacturing sectors have continued to increase, both in number and in severity.


While this new legislation may present some added hurdles and new red tape that manufacturers will need to cut through to bring their products to market, there are resources at your disposal. There are entities in the state of New Jersey that can help businesses overcome these challenges. NJMEP’s cybersecurity team stays apprised of the latest legislative changes and can help New Jersey manufacturers navigate complex regulatory environments. There is no need to wade into these legislative waters blindly and on your own. Connect with these resources to take a deep look at your operation and save time and money on the journey to becoming compliant with these new FDA requirements.
