Example #19: Missing Adequate Information on the Availability Controls used to Protect the Device

By Robert Rajewski, President, CriTech Research, Inc.
Here’s this week’s example of an Additional Information Request (AI Request):

FDA Additional Information Request – Example #19: Missing Adequate Information on the Availability Controls used to Protect the Device

You provided documentation on the cybersecurity controls used to protect the device; however, you did not provide adequate information on the availability controls used to protect the device.

Inadequate availability controls can lead to impacts on device safety and effectiveness in emergent situations when a device is needed for treatment, monitoring, or diagnosis in a timely manner and generally when device unavailability and impact overall effectiveness. Adequate availability controls are important to comply with the requirements specified in section 524B(b)(2) of the Federal Food, Drug, and Cosmetic Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with recommendations in Section 5 of the FDA guidance document “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” that manufacturers address the following related to availability:

  • Implement device features that protect critical functionality, even when the device’s cybersecurity has been compromised
  • Provide methods for retention and recovery of device configuration by an authenticated privileged user.

Therefore, please provide a description of the availability controls implemented in the device design and a justification for how they provide sufficient security. The response should include an assessment of the availability impact on/from other parts of the system (i.e., availability of Cloud, network, web application, mobile application, etc. and the impact on these system elements if the end device is unavailable).

In this specific example, the manufacturer provided some documentation on cybersecurity controls, but did not provide adequate information on the availability controls used to protect the device.

The goal of availability is to ensure systems and data are accessible when needed by authorized users. The threats addressed include DoS/DDoS attacks, hardware failures, ransomware, and natural disasters.

Examples of Controls:

  • Redundancy & Fault Tolerance
    • Load balancing, failover clusters, redundant data storage
  • Disaster Recovery & Business Continuity
    • Disaster Recovery sites, recovery time objectives (RTO) and recovery point objectives (RPO)
    • Tested Disaster Recovery plans
  • System & Network Hardening
    • Patch management to prevent downtime from exploits
    • Configuration baselines to quickly restore services
  • DDoS Mitigation
    • Traffic scrubbing, rate limiting, Content Delivery Network (CDN) protection
  • Monitoring & Alerting
    • Availability monitoring
    • Automated failover triggers
  • Resource Capacity Planning
    • Scaling strategies for seasonal or sudden demand spikes

The FDA is specifically requesting two items be addressed:

  • Implement device features that protect critical functionality, even when the device’s cybersecurity has been compromised
  • Provide methods for retention and recovery of device configuration by an authenticated privileged user

The FDA is requiring the manufacturer to provide a description of the availability controls, as implemented by the device, with a justification for how they provide sufficient security, including an assessment of the availability impact on/from other parts of the system.
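As an illustration of the second item, the sketch below shows one way configuration retention and recovery could be gated on an authenticated privileged user while keeping the running configuration in place on any failure. It is an added example, not code from CriTech or the FDA; the role name, the HMAC-SHA256 integrity tag, the key handling, and the configuration fields are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumption: a single hypothetical privileged role; real devices define their own.
PRIVILEGED_ROLES = {"service_admin"}


def _tag(key: bytes, blob: bytes) -> bytes:
    # Integrity tag over the serialized configuration. The key is assumed to
    # live in device-protected storage and never leave the device.
    return hmac.new(key, blob, hashlib.sha256).hexdigest().encode()


def export_config(config: dict, key: bytes) -> dict:
    """Retention: serialize the configuration and bind an integrity tag to it."""
    blob = json.dumps(config, sort_keys=True)
    return {"blob": blob, "tag": _tag(key, blob.encode()).decode()}


def restore_config(backup: dict, key: bytes, session: dict, running: dict):
    """Recovery: return (active_config, outcome).

    On any failure the running configuration is returned unchanged, so a bad
    or hostile restore attempt cannot take the device out of service.
    """
    # Only an authenticated user holding a privileged role may restore.
    if not session.get("authenticated") or session.get("role") not in PRIVILEGED_ROLES:
        return running, "denied: privileged authentication required"

    blob = str(backup.get("blob", "")).encode()
    supplied = str(backup.get("tag", "")).encode()
    # Constant-time comparison; a modified or foreign backup is rejected.
    if not hmac.compare_digest(_tag(key, blob), supplied):
        return running, "rejected: integrity check failed"

    return json.loads(blob), "restored"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    running = {"alarm_volume": 3, "network_enabled": True}
    backup = export_config({"alarm_volume": 7, "network_enabled": True}, key)
    operator = {"authenticated": True, "role": "operator"}
    admin = {"authenticated": True, "role": "service_admin"}
    print(restore_config(backup, key, operator, running)[1])
    print(restore_config(backup, key, admin, running)[1])
```

In a submission, the description of such a control would also cover where the key is stored and how the privileged session is established, since the sketch treats both as given.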

Should you happen to receive an FDA AIR related to software as part of your submission, CriTech is here to help. Contact us any time.
