Skip to main content
Find a Lawyer

21 U.S.C. § 360n-2 - U.S. Code - Unannotated Title 21. Food and Drugs § 360n-2. Ensuring cybersecurity of devices

Current as of January 01, 2024 | Updated by Findlaw Staff

(a)In general

A person who submits an application or submission under section 360(k), section 360c, section 360e(c), section 360e(f), or section 360j(m) of this title for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).

(b)Cybersecurity requirements

The sponsor of an application or submission described in subsection (a) shall--

(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;

(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address--

(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;

(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and

(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

(c)Definition

In this section, the term “cyber device” means a device that--

(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;

(2) has the ability to connect to the internet; and

(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

(d)Exemption

The Secretary may identify devices, or categories or types of devices, that are exempt from meeting the cybersecurity requirements established by this section and regulations promulgated pursuant to this section. The Secretary shall publish in the Federal Register, and update, as appropriate, a list of the devices, or categories or types of devices, so identified by the Secretary.

Previous Part of Code Next Part of Code
Back to Chapter List

Cite this article: FindLaw.com - 21 U.S.C. § 360n-2 - U.S. Code - Unannotated Title 21. Food and Drugs § 360n-2. Ensuring cybersecurity of devices - last updated January 01, 2024 | https://codes.findlaw.com/us/title-21-food-and-drugs/21-usc-sect-360n-2/

FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature before relying on it for your legal needs.

Was this helpful?

Welcome to FindLaw's Cases & Codes

A free source of state and federal court opinions, state laws, and the United States Code. For more information about the legal concepts addressed by these cases and statutes, visit FindLaw’s Learn About the Law.

Go to Learn About the Law

Latest Blog Posts

For Legal Professionals

Learn About The Law

Get help with your legal needs

FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.

Go to Learn About the Law

Need to Find an Attorney?

Search our directory by legal issue

Enter information in one or both fields (Required)

Copied to clipboard