US FDA introduces cyber-security considerations for Tier 1 & 2 Devices and clarifies CBOM import

For this cybersecurity guidance only, FDA introduces two tiers, higher and standard cybersecurity risk, to aid medical device manufacturers in designing secure devices and in preparing the supporting documentation submitted to FDA. These updated recommendations are intended to make the premarket review process more efficient and to help ensure that medical devices are designed to sufficiently address cybersecurity threats before they reach the market.

Tier 1 “Higher Cybersecurity Risk”

A device is a Tier 1 device if both of the following criteria are met:

1) The device is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet; AND

2) A cybersecurity incident affecting the device could directly result in patient harm to multiple patients. Examples of Tier 1 devices include, but are not limited to, implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices, such as home monitors and devices with command and control functionality such as programmers.

Tier 2 “Standard Cybersecurity Risk”

A medical device for which the criteria for a Tier 1 device are not met is a Tier 2 device.

US FDA has also clarified the role of the Cybersecurity Bill of Materials (CBOM). A CBOM can be a critical element in identifying assets, threats, and liabilities. Leveraging a CBOM may also support compliance with purchasing controls (21 CFR 820.50) by facilitating the establishment of cybersecurity requirements for all purchased or otherwise received products.

For more information on the draft guidance, see the following document:

- Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.
