The U.S. Food and Drug Administration recently became one of a number of federal agencies to adopt the National Institute of Standards and Technology’s (“NIST”) core cybersecurity framework. On October 2, 2014, FDA issued final guidance on the content of premarket submissions for the management of cybersecurity in medical devices. The final guidance sets forth recommendations for the design and development of medical devices, as well as the preparation of premarket submissions, that are intended to reduce the likelihood that medical devices will be compromised as a result of inadequate cybersecurity. Although the final guidance is not binding, it is broadly applicable—the recommendations apply to device manufacturers submitting premarket applications and notifications (including 510(k) notifications), as well as to manufacturers implementing the requirements under the Quality System Regulation. The guidance supplements other standards generally applicable to software included in medical devices, as well as specific standards addressing cybersecurity risks in medical devices containing off-the-shelf software.

In addition to adopting the NIST core cybersecurity framework, which FDA recently agreed to promote in a Memorandum of Understanding with the National Health Information Sharing and Analysis Center, the final guidance sets forth concrete recommendations specifically applicable to medical devices. The final guidance suggests, for example, that device manufacturers put systems in place to detect compromises and implement safeguards to preserve critical functionality and recover previous configurations. The final guidance also recommends that device manufacturers track all cybersecurity risks considered in the design of a device and justify in premarket submissions the safeguards put in place to address identified risks. Specifically, the final guidance recommends that manufacturers justify a decision to use a particular security function, such as the choice of one among many authentication processes or methods of securing the transfer of data.

The final guidance also suggests that device manufacturers implement plans to provide and validate software updates throughout the life of a medical device. FDA’s guidance on off-the-shelf software establishes FDA’s position that device manufacturers have an obligation under the Quality System Regulation to provide systematic software updates to respond to identified risks. However, the final guidance indicates that software updates will not typically need to be subject to FDA review when their sole purpose is to strengthen the cybersecurity of a medical device.

Recognizing unique features of medical devices that may need to be taken into account when assessing cybersecurity risks, the final guidance recommends that manufacturers balance the benefit of increased safeguards with the usability of a medical device. For example, the final guidance suggests that device manufacturers consider the need to access a device in emergency situations when establishing authentication procedures. A previous report by the U.S. Government Accountability Office on information security risks to medical devices also suggests that device manufacturers consider the risk that additional safeguards could lead to decreased battery life, which could result in a need for more frequent surgical procedures to replace batteries in implantable devices, as well as the risk of unforeseen consequences as a result of new software updates.

Although the final guidance only applies to device manufacturers, the NIST cybersecurity framework is becoming increasingly relevant to a number of industries. In particular, NIST is currently seeking input from a variety of industries about best practices for managing cyber risks in the supply chain, and the U.S. General Services Administration is seeking industry participation in new working groups exploring how to integrate cyber protections into the federal acquisition process.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain and cybersecurity requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949, and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Jennifer Plitsch

Jennifer Plitsch leads the firm’s Government Contracts Practice Group, where she works with clients on a broad range of issues arising from both defense and civilian contracts including contract proposal, performance, and compliance questions as well as litigation, transactional, and legislative issues.

She has particular expertise in advising clients on intellectual property and data rights issues under the Federal Acquisition Regulations (FAR) and obligations imposed by the Bayh-Dole Act, including march-in and substantial domestic manufacturing. Jen also has significant experience in negotiation and compliance under non-traditional government agreements including Other Transaction Authority agreements (OTAs), Cooperative Research and Development Agreements (CRADAs), Cooperative Agreements, Grants, and Small Business Innovation Research agreements.

For over 20 years, Jen’s practice has focused on advising clients in the pharmaceutical, biologics and medical device industry on all aspects of both commercial and non-commercial agreements with various government agencies including:

  • the Department of Veterans Affairs (VA);
  • the Department of Health and Human Services (HHS), including the Biomedical Advanced Research and Development Authority (BARDA), the National Institutes of Health (NIH), and the Centers for Disease Control (CDC);
  • the Department of Defense (DoD), including the Defense Threat Reduction Agency (DTRA), the Defense Advanced Research Projects Agency (DARPA), and the Joint Program Executive Office for Chemical Biological Defense (JPEO-CBRN); and
  • the U.S. Agency for International Development (USAID).

She regularly advises on the development, production, and supply to the government of vaccines and other medical countermeasures addressing threats such as COVID-19, Ebola, Zika, MERS-CoV, Smallpox, seasonal and pandemic influenza, tropical diseases, botulinum toxin, nerve agents, and radiation events. In addition, for commercial drugs, biologics, and medical devices, Jen advises on Federal Supply Schedule contracts, including the complex pricing requirements imposed on products under the Veterans Health Care Act, as well as on the obligations imposed by participation in the 340B Drug Pricing program.

Jen also has significant experience in domestic sourcing compliance under the Buy American Act (BAA) and the Trade Agreements Act (TAA), including regulatory analysis and comments, certifications, investigations, and disclosures (including under the Acetris decision and Biden Administration Executive Orders). She also advises on prevailing wage requirements, including those imposed through the Davis-Bacon Act and the Service Contract Labor Standards.