The US Food and Drug Administration (FDA) has reissued its final guidance on medical device cybersecurity to reflect the agency’s transition from the Quality System Regulation (QSR) to the Quality System Management Regulation (QMSR). The updated FDA cybersecurity guidance was published on 4 February, just two days after the QMSR officially took effect. The revision updates regulatory references throughout the document and aligns cybersecurity expectations with the new quality system framework under 21 CFR Part 820, which now incorporates ISO 13485 by reference.
According to the agency, the FDA cybersecurity guidance revisions were made under Level 2 guidance procedures. “Revisions issued [were] under Level 2 guidance procedures (21 CFR 10.115(g)(4)), including revisions to align with the amendments to 21 CFR 820 (the Quality Management System Regulation (QMSR)),” the FDA stated. The agency added that the updated document supersedes the final guidance titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, which was published in June last year.
Throughout the revised FDA cybersecurity guidance, references to the former QSR have been replaced with references to the QMSR. The agency also updated the guidance to consistently reference ISO 13485, reflecting its central role in the new regulatory structure designed to harmonize US requirements with those of other global regulatory authorities.
QMSR Framework Reshapes FDA Cybersecurity Guidance and Quality System Expectations
The QMSR became effective on 2 February and amended the device’s current good manufacturing practice (CGMP) requirements under 21 CFR Part 820. These CGMP requirements were first authorized under section 520(f) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) and initially codified in 1978. Significant revisions followed in 1996, when the FDA added design controls and sought closer alignment with international standards, including ISO 9001 and the early versions of ISO 13485.
With the QMSR, the FDA formally incorporated by reference ISO 13485:2016, Medical devices – Quality management systems – Requirements for regulatory purposes, as well as Clause 3 of ISO 9000:2015, which covers quality management system fundamentals and vocabulary. The agency stated that this approach promotes consistency in quality system requirements across global markets while reducing regulatory burden on manufacturers.
The QMSR applies to finished device manufacturers intending to commercially distribute medical devices in the United States. A finished device, as defined in 21 CFR 820.3(a), includes any device or accessory suitable for use or capable of functioning, regardless of whether it is packaged, labeled, or sterilized. Certain components, such as blood tubing and diagnostic x-ray components, are considered finished devices when they function as accessories and are therefore subject to QMSR requirements.
Although some devices are exempt from CGMP requirements under classification regulations in 21 CFR Parts 862 through 892, those exemptions do not eliminate obligations related to complaint handling or recordkeeping. In addition, devices manufactured under an investigational device exemption are not exempt from design and development requirements under 21 CFR 820.10(c) of the QMSR or the corresponding ISO 13485 provisions.
FDA Cybersecurity Guidance Emphasizes QMSR-Based Design, Risk, and Inspection Changes
The revised FDA cybersecurity guidance reiterates that documentation outputs demonstrating adherence to the QMSR can be used to address cybersecurity risks and provide reasonable assurance of safety and effectiveness. The agency directs sponsors to specific ISO 13485 clauses to support this approach. For example, the FDA noted that “21 CFR 820.10(c) requires that for all classes of devices automated with software, a manufacturer must comply with the requirements in Design and Development, Clause 7.3 and its subclauses of ISO 13485.”
The guidance highlights ISO 13485 Subclause 7.3.7, which requires design and development validation to ensure that a product is capable of meeting requirements for its specified application or intended use. “Design and development validation includes validation of device software,” the agency stated. The FDA also pointed to Subclause 7.1 of ISO 13485, which specifies that organizations must document one or more processes for risk management in product realization, an expectation closely tied to cybersecurity risk controls.
As part of the update, the FDA removed a substantial section from the prior guidance that referenced former QSR design control provisions, including requirements under 21 CFR 820.30(c) and (d) related to design inputs and design outputs. Those provisions are no longer cited in the updated FDA cybersecurity guidance.
The transition to QMSR also introduced changes to FDA inspection practices. Beginning on 2 February, the agency stopped using the Quality System Inspection Technique (QSIT) and began conducting inspections under the updated Inspection of Medical Device Manufacturers Compliance Program: 7382.850. At the same time, the FDA discontinued use of Compliance Programs 7382.845 and 7383.001, which previously governed device manufacturer and PMA-related inspections.
