The phrase that seemed to be on everybody’s lips when the FDA finally received authority to regulate cybersecurity in medical devices, which was granted in the Omnibus spending bill at the end of 2022 but had been specified in an earlier targeted bill called the PATCH Act, was “game changer”. This was because one of the likely consequences of the FDA’s new authority (it wasn’t directly mandated by the bill itself) is that they will require medical device makers (MDMs, in industry parlance) to provide a software bill of materials (SBOM) with their “pre-market submissions”.
The latter refers to a package of documentation that – if the MDM has done their homework correctly – will assure the FDA that the device the MDM seeks permission to market to hospitals or other end users is both safe (which has always been a criterion for approval) and cybersecure (which is a new criterion, due to passage of the Omnibus Bill). This provision (for a cybersecurity review, not just an SBOM) came into effect at the end of March (I believe), but the FDA said they won’t enforce it until October 1 – although they’re requiring submission of an SBOM now, and they’ll have a discussion with the MDM about any shortcomings they find.
What will actually be required come October 1? The MDM will be required to submit a single SBOM for their device. It will be scrutinized as part of the review of the entire submission, although no criteria have yet been stated for what will be considered an acceptable SBOM. Most importantly, the SBOM will never be shown to any person or organization outside of the FDA, including any customers or potential customers of the device.
Folks, this is the big “first SBOM regulation” that everybody is so excited about! Of course, it’s hard to see how anybody would get excited about just that. The reason people even use the phrase “game changer” is because the FDA hasn’t released any guidelines for what should be in an SBOM, how often it should be released, who should receive it, etc. A lot of people, most of whom have an economic stake in MDMs being forced to utilize (insert name of startup services vendor or startup cybersecurity tool vendor here) to help them produce and distribute SBOMs, have worked mightily at convincing themselves that this one small step will inevitably lead within months (or at least before their seed funding runs out) to industries of all stripes facing onerous regulations that will cause them to start banging on their door, open checkbooks in hand, begging to be allowed to buy their product or services. A true “game changer”.
I don’t deny that these people have achieved a lot of success – in convincing themselves of this quite dubious proposition. However, I have no idea what game they’re talking about changing, unless it’s TiddlyWinks. I’ve been working in the cyber regulation field – specifically in NERC CIP, which is no game at all – for a long time, and I’ve noticed one funny thing about regulation: The organizations that are being regulated and face onerous fines for violations don’t take kindly to being told to comply with a list of “requirements” that are poorly worded, based on ambiguous terms, make assumptions that appear to be taken from The Chronicles of Narnia, etc.[i] They tend to push back and demand clarification or wholesale rewriting of any requirement that’s ambiguous or misconceived. And if the agency that imposed the requirements pushes forward and implements the objectionable regulations, any penalties they levy are likely to be immediately reversed by highly skeptical judges, who will issue strongly worded opinions suggesting that perhaps whoever drafted those regulations should consider a career change to shoe sales.
In other words, if any game at all is going to be changed on October 1, whatever additional “requirements” are imposed by the FDA’s guidelines to be issued in September will need to be clear, practical and based on an understanding of what is in fact possible as of October 1, 2023. And they cannot be based on what some person wishes were in place, without being very concerned with whether that’s actually the case.
Moreover, the fact that the September guidelines won’t be requirements raises the question of whether they will have any impact at all. However, I don’t deny that an agency with as much power over MDMs as the FDA has will probably meet with a remarkable “compliance” rate with these “guidelines”. After all, the executives of MDMs are (presumably) well paid to develop a keen understanding of which side their bread is buttered on.
What about other industries? Will they immediately start to require SBOMs from their suppliers? Perhaps. As long as there’s a federal agency that has the authority today to impose mandatory cybersecurity (not just safety) requirements on vendors to the industry. And how many industries are blessed (?) with such an agency today? As I discussed in this blog post, the only industries that I know of in which a federal agency very likely has that power now are nuclear power and the military. For any other industry, “changing the game” will first require putting in place an agency that will be staffed by experts (both in cybersecurity in general and in the specific circumstances of the industry in question), that will be granted all the authority required to enforce whatever regulations they determine to be necessary, and will act without any hint of partisan game-playing, as well as…hello, did somebody just cut the connection?
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] Note that I’m not implying here that the NERC CIP requirements are overly ambiguous, unrealistic, or anything like that. The fact that the CIP standards, like all NERC reliability standards, are drafted over a period of literally years by teams composed of subject matter experts from the utilities and other entities being regulated, that they’re submitted to a series of votes – almost always at least four – by all NERC members (which can include the general public and other non-participants in the industry), and that they’re reviewed scrupulously by the Federal Energy Regulatory Commission (FERC) before they’re approved and implemented, means they will never be poorly thought out, whatever other problems they may have.