Example #20: Missing Labeling Needed for a Cyber Device

By Robert Rajewski, President, CriTech Research, Inc.
Here’s this week’s example of an Additional Information Request (AI Request, or AIR):

FDA Additional Information Request - Example #20: Missing Labeling Needed for a Cyber Device

Based on the information provided in your submission, your device meets the definition of a cyber device under Section 524B(c) of the Federal Food, Drug, and Cosmetic (FD&C) Act. However, you did not provide cybersecurity labeling.

Adequate cybersecurity labeling is important to comply with the requirement specified in section 524B(b)(2) of the FD&C Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with the recommendations in Section VI.A of the FDA guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” for manufacturers to consider all applicable labeling requirements to inform users how to manage cybersecurity risks and/or to ensure the safe and effective use of a device in its intended use environment.

Therefore, please provide cybersecurity labeling as recommended in Section VI.A of the FDA guidance document “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”.

In this example, the FDA’s Additional Information Request focuses on labeling needs for a cyber device. Manufacturers are required to consider all applicable labeling requirements to inform users how to manage cybersecurity risks and/or to ensure the safe and effective use of a device in its intended use environment.

Key FDA Expectations for Cybersecurity Labeling:

  • Labeling Must Support Safe and Effective Use

The FDA emphasizes that cybersecurity information should be included in device labeling to help users understand how to securely configure, use, and maintain the device throughout its lifecycle. This transparency is key to ensuring safety and effectiveness.

  • Preventing Misbranding Risks

If labeling lacks adequate cybersecurity information, it could make the device misbranded under the FD&C Act—specifically:

    • Section 502(f): missing “adequate directions for use”
    • Section 502(a)(1): containing false or misleading labeling

  • Specific Labeling Content Recommendations

FDA suggests including, as part of labeling:

    • The device’s intended use, operating environment, and reasonably foreseeable misuse scenarios
    • Electronic interfaces, configuration requirements, and how to apply or receive updates/patches
    • User responsibilities, such as password policies or how and when to update device software

  • Lifecycle and Security Management Support

Labeling should enable users to manage cybersecurity risks over the device’s entire Total Product Lifecycle (TPLC)—including guidance on firmware updates, patching, and secure configurations.

  • Additional Tools: SBOMs and VEX

    • Software Bill of Materials (SBOM): While an SBOM is primarily required in the submission itself, it complements labeling by giving transparency into software components and helping manage vulnerabilities
    • VEX (Vulnerability Exploitability eXchange) documents: Not strictly labeling, but they may be encouraged or implicitly supported as part of a broader cybersecurity information strategy, since they provide machine-readable insight into known vulnerabilities and their relevance to the device
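To make the SBOM/VEX point concrete, here is an added example (not from the page, from CriTech, or from FDA) that correlates a constructed, trimmed-down CycloneDX-style SBOM with constructed OpenVEX-style statements. The package URLs and CVE-style names are placeholders, not real components or vulnerabilities, and the document shapes are simplified to the fields the correlation reads. The script sorts each statement into what a labeling author would need: vulnerabilities that do affect shipped components (whose action statements feed the update/patch guidance in labeling), ones justified as not exploitable in this device, statements referencing products the SBOM never lists, and statements that are incomplete (OpenVEX expects a justification for a not_affected status).

```python
"""Correlate a constructed SBOM with constructed VEX statements.

Added example; not the page's, CriTech's, or FDA's code. All identifiers
are placeholders.
"""
import json
from typing import Dict, List, Set

# Constructed, simplified CycloneDX-style SBOM: only the fields read below.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "tls-lib-example", "version": "1.0.0",
         "purl": "pkg:generic/tls-lib-example@1.0.0"},
        {"name": "rtos-example", "version": "2.3.1",
         "purl": "pkg:generic/rtos-example@2.3.1"},
    ],
})

# Constructed OpenVEX-style statements (field names follow the OpenVEX shape,
# trimmed to what the correlation needs). CVE names are placeholders.
VEX_JSON = json.dumps({
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"},
         "products": [{"@id": "pkg:generic/tls-lib-example@1.0.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-00002"},
         "products": [{"@id": "pkg:generic/rtos-example@2.3.1"}],
         "status": "affected",
         "action_statement": "Install firmware 2.3.2 per the labeling's update instructions"},
        {"vulnerability": {"name": "CVE-0000-00003"},
         "products": [{"@id": "pkg:generic/not-shipped-example@9.9.9"}],
         "status": "affected"},
        {"vulnerability": {"name": "CVE-0000-00004"},
         "products": [{"@id": "pkg:generic/tls-lib-example@1.0.0"}],
         "status": "not_affected"},  # no justification: incomplete statement
    ],
})

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


def sbom_purls(sbom_json: str) -> Set[str]:
    """Collect the package URL of every component the SBOM lists."""
    bom = json.loads(sbom_json)
    return {c["purl"] for c in bom.get("components", []) if "purl" in c}


def correlate(sbom_json: str, vex_json: str) -> Dict[str, List[dict]]:
    """Bucket each (vulnerability, product) pair from the VEX:
    - 'affected':     shipped component, marked affected; the action statement
                      is what the labeling's update/patch guidance must carry
    - 'not_affected': shipped component, with a justification for why the
                      vulnerability is not exploitable in this device
    - 'other':        fixed / under_investigation statements
    - 'unmatched':    VEX names a product the SBOM does not list
    - 'incomplete':   unknown status, or not_affected with no justification
    """
    purls = sbom_purls(sbom_json)
    buckets: Dict[str, List[dict]] = {
        k: [] for k in ("affected", "not_affected", "other", "unmatched", "incomplete")
    }
    for stmt in json.loads(vex_json)["statements"]:
        vuln = stmt["vulnerability"]["name"]
        status = stmt.get("status")
        justified = bool(stmt.get("justification") or stmt.get("impact_statement"))
        for product in stmt.get("products", []):
            pid = product["@id"]
            record = {"vuln": vuln, "product": pid, "status": status,
                      "action": stmt.get("action_statement")}
            if status not in VALID_STATUSES:
                buckets["incomplete"].append(record)
            elif pid not in purls:
                buckets["unmatched"].append(record)
            elif status == "not_affected" and not justified:
                buckets["incomplete"].append(record)
            elif status in ("affected", "not_affected"):
                buckets[status].append(record)
            else:
                buckets["other"].append(record)
    return buckets


if __name__ == "__main__":
    for bucket, records in correlate(SBOM_JSON, VEX_JSON).items():
        for r in records:
            print(f"{bucket:12} {r['vuln']}  {r['product']}  {r['action'] or ''}")
```

Run as a script it prints one line per statement with its bucket; the "affected" lines are the ones whose action statements belong in the user-facing update guidance, and the "unmatched" and "incomplete" lines are the consistency gaps a reviewer would raise before the VEX is shared alongside the SBOM.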

FDA concludes by asking the manufacturer to provide cybersecurity labeling in conformance with the Premarket Submission Guidance.

Should you happen to receive an FDA AIR related to software as part of your submission, CriTech is here to help. Contact us any time.

Follow us on LinkedIn to find out when the next example of our FDA AIRs series is released.