The recently announced "Refuse to Accept Policy", signed into law under section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act), gives the FDA more leverage to encourage medical device manufacturers to use software bills of materials (SBOMs) as part of their supply chain security. The ISA/IEC 62443 series of standards defines a secure product lifecycle process that medical device manufacturers can adopt to identify and manage the security risks of every external component used in a product.
What is the Refuse to Accept Policy?
The Refuse to Accept Policy, signed into law under section 524B of the Federal Food, Drug, and Cosmetic Act, enhances the FDA's ability to encourage medical device manufacturers to use software bills of materials (SBOMs) for improved supply chain security. This policy applies to medical devices classified as cyber devices, with new submission processes starting after October 1, 2023.
How do SBOMs contribute to cybersecurity?
SBOMs serve as machine-readable inventories of software components, akin to an ingredients list, allowing manufacturers to track attributes like component source and version. This transparency aids in identifying vulnerabilities and managing them throughout the product lifecycle, thereby enhancing overall cybersecurity.
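As an added example (not code from the original article), the following Python script shows the inventory-to-vulnerability matching that an SBOM makes possible: it reads a constructed CycloneDX-style SBOM (the format is assumed here, since the article names none) and flags any component whose version falls inside the affected range of a constructed, placeholder advisory.

```python
"""Match an SBOM's component inventory against known advisories (constructed data).
The SBOM follows the CycloneDX JSON layout, assumed here; the page names no format."""
import json

# Constructed CycloneDX-style SBOM for a hypothetical device firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libtls", "version": "2.4.1", "supplier": {"name": "ExampleSoft"}},
    {"type": "library", "name": "jsonparse", "version": "1.0.9", "supplier": {"name": "ExampleSoft"}},
    {"type": "library", "name": "rtos-net", "version": "3.2.0", "supplier": {"name": "ExampleRTOS"}}
  ]
}"""

# Constructed advisories: (component, first affected, first fixed, placeholder id).
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    ("libtls", "2.0.0", "2.4.2", "ADV-PLACEHOLDER-001"),
    ("jsonparse", "1.1.0", "1.2.0", "ADV-PLACEHOLDER-002"),
]

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def load_components(sbom_json):
    """Return (name, version, supplier) triples from a CycloneDX-style SBOM."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"], c.get("supplier", {}).get("name", "unknown"))
            for c in bom.get("components", [])]

def find_affected(sbom_json, advisories):
    """List components whose version lies in an advisory's [introduced, fixed) range."""
    hits = []
    for name, version, supplier in load_components(sbom_json):
        v = parse_version(version)
        for adv_name, introduced, fixed, adv_id in advisories:
            if name == adv_name and parse_version(introduced) <= v < parse_version(fixed):
                hits.append((name, version, supplier, adv_id))
    return hits

if __name__ == "__main__":
    for name, version, supplier, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} (from {supplier}) is affected by {adv_id}")
```

Only libtls is reported: jsonparse 1.0.9 predates the advisory's affected range, and rtos-net has no advisory at all, which is exactly the triage an SBOM lets a manufacturer do without re-auditing every component.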
The ISA/IEC 62443 series of standards outlines best practices for designing and maintaining secure systems, initially aimed at industrial automation but now applicable to medical devices. These standards guide manufacturers in implementing secure product development processes and managing supply chain vulnerabilities, ultimately supporting compliance with FDA recommendations.