MOA 225-24-015
Memorandum of Agreement
Between
The Department of Homeland Security
Cybersecurity and Infrastructure Security Agency
And
The Department of Health and Human Services
Food and Drug Administration,
Relating to Medical Device Cybersecurity Collaboration
I. Parties.
This Memorandum of Agreement (“Agreement” or “MOA”) is entered into between the United States Department of Health and Human Services (“HHS”), Food and Drug Administration (hereinafter referred to as “FDA”) and the United States Department of Homeland Security (“DHS”), Cybersecurity and Infrastructure Security Agency (“CISA”). FDA and CISA are each referred to herein individually as a “Party” and collectively as “the Parties.”
II. Purpose.
This Agreement is executed to formalize and enhance the working relationship of the Parties, including roles and responsibilities, when sharing information related to vulnerabilities and threats to the Healthcare and Public Health sector that involve the cybersecurity of a medical device(s). The goal is to share such information to enhance mutual awareness, heighten coordination, catalyze standards development, and enhance technical capabilities between the Parties. This Agreement provides a framework for coordination and the principles and procedures by which information sharing and related interactions between the Parties shall take place.
This Agreement also establishes a foundation by which CISA can support FDA as an independent third-party for technical analysis and testing.
III. Authority.
This Agreement is concluded pursuant to authorities applicable to the Parties, including:
- The Homeland Security Act of 2002, Pub. L. 107-296, 116 Stat. 2135 (2002), as amended. See esp. § 2209.
- The Federal Food, Drug, and Cosmetic Act (“FD&C Act”), 21 U.S.C. § 301 et seq. and its implementing regulations.
IV. Definitions.
A. Device: an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is—(1) recognized in the official National Formulary, or the United States Pharmacopeia, or any supplement to them; (2) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or (3) intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of humans or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. The term “device” does not include software functions excluded pursuant to section 360j(o) of title 21. (21 U.S.C. § 321(h)).
B. Confidential Commercial Information (“CCI”): valuable data or information which is used in a business and is of such type that it is customarily held in strict confidence or regarded as privileged and not disclosed to any member of the public by the entity to whom it belongs. Examples of CCI may include raw material supplier lists, finished product customer lists, and traceback information. (21 C.F.R. § 20.61).
C. Protected Critical Infrastructure Information (“PCII”): validated Critical Infrastructure Information as defined in Federal Regulation at 6 CFR 29.2(g).
D. Medical Device Manufacturer: any person who designs, manufactures, fabricates, assembles, or processes a finished device. Manufacturer includes but is not limited to those who perform the functions of contract sterilization, installation, relabeling, remanufacturing, repacking, or specification development, and initial distributors of foreign entities performing these functions. (21 C.F.R. § 820.3(o)).
E. Non-public Information: includes, but is not limited to, CCI, Trade Secret Information, and PCII.
F. Trade Secret Information: any commercially valuable plan, formula, process, or device that is used for making, preparing, compounding, or processing of trade commodities, that can be said to be the end product of either innovation or substantial efforts. In order for proprietary information to be considered a trade secret, there must be a direct relationship between the trade secret and the production process. (21 C.F.R. § 20.61).
V. Background.
The DHS’s missions include preventing terrorism and enhancing security, managing our borders, administering immigration laws, securing cyberspace, and ensuring disaster resilience. Information-sharing is a key part of the DHS mission to create shared situational awareness of malicious cyberactivity. Cyberspace has united once distinct information structures, including business and government operations, emergency preparedness communications, and critical digital and process control systems and infrastructures. Protection of these systems is essential to the resilience and reliability of the nation’s critical infrastructure and key resources; therefore, to economic and national security.
The CISA leads the national effort to protect and enhance the resilience of the nation's physical and cyber infrastructures. CISA works to prevent or minimize disruptions to critical information infrastructure in order to protect the public, the economy, and government services.
The FDA promotes and protects the public health by ensuring the safety, efficacy, and security of drugs, biological products, veterinary products, medical devices, and radiological products, and the safety and security of foods and cosmetics. The FDA administers the FD&C Act (see generally, 21 U.S.C. § 301 et seq.) and certain sections of the Public Health Service Act (see, e.g., 42 U.S.C. § 262), among other statutes. Among its duties, the FDA approves pre-market applications for medical products, conducts inspections of manufacturing facilities, and monitors post-marketing adverse events.
The FDA also initiates civil and criminal litigation to enforce applicable laws and regulations.
The FDA’s Center for Devices and Radiological Health (“CDRH”) is responsible for ensuring that patients and healthcare providers have access to safe and effective medical devices. To advance patient care, medical devices are becoming increasingly interconnected and interoperable. However, interconnected devices also increase cybersecurity risks which, if exploited, may affect device performance. CDRH is committed to enhancing patient safety by mitigating cybersecurity risk throughout the lifecycle of medical devices. This includes monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices once they are on the market. CDRH works collaboratively with industry, healthcare organizations, and government entities to address cybersecurity risks to medical devices.
VI. General Provisions.
This is a collaborative agreement between the Parties regarding sharing of information related to vulnerabilities and threats to the Healthcare and Public Health sector that involve the cybersecurity of a medical device(s).
The Parties jointly agree to cooperate and share information, to the extent possible, as follows:
A. CISA and FDA should collaborate to mutually enhance awareness of medical device cybersecurity vulnerabilities and threats to the Healthcare and Public Health sector, but not in a capacity that interferes with any other roles and responsibilities of the Parties.
B. CISA functions as a trusted collaborator among researchers, manufacturers, and other governmental entities consistent with CISA’s broad cybersecurity risk information receipt, analysis, and sharing authorities. Given this role, CISA will coordinate and enable information sharing between medical device manufacturers, researchers, and CDRH, particularly in the event of cybersecurity vulnerabilities in medical devices that are identified to CISA.
C. Should cooperation under this MOA identify opportunities for the Parties to better coordinate activities through joint action (e.g., coordinated assignment of Common Vulnerabilities and Exposures (“CVE”) identifiers for healthcare system vulnerabilities) the Parties should pursue and formalize such collaboration/coordination.
D. If the Parties agree that there is a need, CISA can support FDA as an independent third-party to aid in the evaluation and assessment of the impact of medical device vulnerabilities, subject to availability of DHS resources and funding or a separate Interagency Agreement document between the FDA and CISA.
VII. Responsibilities.
As part of this collaborative agreement, the Parties agree to the following responsibilities.
A. CISA Responsibilities
- Serve as central medical device vulnerability coordination center and interface with appropriate stakeholders in performance of such duties, consistent with current CISA policies and procedures.
- Participate in regular, ad hoc, and emergency coordination calls with FDA to enhance mutual awareness of medical device cybersecurity vulnerabilities and threats to the Healthcare and Public Health sector and device manufacturers operating within that sector.
- Confer with entities providing sensitive information regarding medical devices prior to sharing any CCI, trade secret, or PCII-protected vulnerability or product information with the FDA. Following approval to share information, CISA will notify the FDA of cybersecurity vulnerabilities in medical systems and related information that have been reported to CISA.
- Coordinate with FDA on the content of alerts and advisories related to medical device cybersecurity to be published by CISA.
- Maintain technical capabilities to support requests for independent third-party analysis to aid in the evaluation and assessment of the impact of medical device vulnerabilities, which can be used upon the agreement of both parties.
- Publish Healthcare and Public Health-related alerts and advisories, including those related to specific medical devices, to the Health Information Sharing and Analysis Center (“NH-ISAC”) to raise stakeholder awareness of vulnerabilities and mitigations. Such alerts and advisories will not be exclusively provided to NH-ISAC.
B. FDA Responsibilities
- Coordinate and participate in regular, ad hoc, and emergency coordination calls with CISA to enhance mutual awareness of medical device cybersecurity vulnerabilities and threats to the Healthcare and Public Health sector and to facilitate resolutions to vulnerability coordination issues.
- Provide CISA with draft public releases, when possible, for review to facilitate coordination of messaging among Federal entities.
- Comment in a timely manner on CISA draft advisories and alerts to facilitate consistent public messaging between the Parties.
- Make assessments regarding the risk to health and the risk of patient harm when the potential impact of a medical device cybersecurity vulnerability is disputed.
- Submit requests to CISA for independent third-party technical assistance to analyze and test medical systems, as appropriate.
- Share non-trade secret information with CISA, consistent with applicable laws (e.g., 21 U.S.C. § 360j(c)), that is necessary to resolve disputes of risk, impacts, and communication alignment.
VIII. Information Sharing.
A. The Parties recognize that exchanged information may contain any of the following types of information and as such must be protected from unauthorized use and disclosure:
- CCI and/or Trade Secret Information, such as the information that would be protected from public disclosure pursuant to Exemption 4 of the Freedom of Information Act (“FOIA”) (5 U.S.C. § 552);
- Personal privacy information, such as the information that would be protected from public disclosure pursuant to Exemption 6 or 7(C) of the FOIA; or
- Information that is otherwise protected from public disclosure by Federal laws and their implementing regulations (e.g., Trade Secrets Act (18 U.S.C. § 1905), the Privacy Act (5 U.S.C. § 552a), other FOIA exemptions not mentioned above (5 U.S.C. § 552(b)), the FD&C Act (21 U.S.C. § 301 et seq.), and the Health Insurance Portability and Accountability Act (“HIPAA”), (Pub. L. 104-191)).
B. The Parties recognize and acknowledge that it is essential that any non-public information that is shared between the Parties, whether written or oral, cannot be further shared unless authorized by law. See e.g., 21 U.S.C. § 331(j), 21 U.S.C. § 360j(c), 18 U.S.C. § 1905, 21 CFR Parts 20 and 21. In some cases, such information also cannot be further shared unless specifically authorized by and with the consent of the original information provider. Any non-public information shared under this MOA will not be further disclosed without the written permission of the originating agency.
C. Pursuant to section 301(j) of the FD&C Act (21 U.S.C. § 331(j)), FDA will not disclose certain trade secret information to CISA. Pursuant to section 520(c) of the FD&C Act (21 U.S.C. § 360j(c)), certain CCI could be disclosed to “officers and employees concerned with carrying out [the FD&C Act] or when relevant in any proceeding under [the FD&C Act] (other than section 360c or 360d of [the FD&C Act]).” 21 U.S.C. § 360j(c).
D. Within 90 days of the execution of this Agreement, CISA and CDRH will review and if necessary, update a standard operating procedure for information sharing and exchange pursuant to this MOA.
E. The Parties will establish proper safeguards to ensure that non-public information shared under this MOA will be used and disclosed solely in accordance with applicable laws and regulations.
- Proper safeguards will include the adoption of policies and procedures to ensure that the information shared under this MOA will be shared and used consistent with the Trade Secrets Act (18 U.S.C. § 1905), the FD&C Act (21 U.S.C. § 301 et seq.), the Privacy Act of 1974 (5 U.S.C. § 552a), FOIA (5 U.S.C. § 552), the Critical Infrastructure Information Act, (6 U.S.C. § 671 et seq.), the confidentiality or non-disclosure provisions of any other agreement entered into by CISA or FDA, and other applicable Federal laws and their implementing regulations, specifically 21 C.F.R. 20.85.
- Proper safeguards will protect against unauthorized use and disclosure of the non-public information shared or exchanged pursuant to this MOA, and such safeguards are necessary for effective implementation of this MOA.
- Access to the information shared or exchanged under this MOA will be restricted to authorized Parties’ employees, agents, contractors, and officials who require access to perform their official duties in accordance with the uses of information as authorized by this MOA and the authorities of the Parties. Such personnel will be advised of: (1) the confidential nature of the information; (2) safeguards required to protect the information; and (3) the administrative, civil, and criminal penalties for noncompliance contained in applicable Federal laws. Contractors, their subcontractors, and agents requiring access to the non-public information shared or exchanged under this Agreement must be covered by an agreement that requires them to keep the information confidential.
When an Authorized Contact Person requests information, documents, or data, the request should be made in writing, which may include email, and contain all substantive requirements of 21 C.F.R. § 20.85 to include the following language:
Information is being requested pursuant to Memorandum of Agreement [MOA NUMBER]. We agree not to disclose any shared information in any manner without your written permission or, if such disclosure is required by law, without advance notice to the originating agency.
By including this statement, requestors do not have to use a particular format or include other pre-specified text. Additionally, information can be requested using the 20.85 Model Request Letter (Attachment A).
- The Parties agree to promptly notify each other of any actual or suspected unauthorized disclosure of any information shared pursuant to this MOA.
- The Agency who has received shared information (“requesting Agency”) will promptly notify the contact person or designee of the Agency who shared the information (“sharing Agency”) of any attempt by a third party to obtain shared non-public information by compulsory process, including, but not limited to, a FOIA request, subpoena, discovery request, or litigation complaint or motion.
- If an Agency that has received information under this MOA receives a FOIA request where there are responsive records which originated with the other Agency, this Agency will refer the FOIA request to the other Agency for it to respond directly to the FOIA requestor. In such cases, the Agency which received the FOIA request will notify the FOIA requestor that it has referred the FOIA request to another Agency and that a response will issue directly from that Agency.
- The requesting Agency will notify the sharing Agency before complying with any judicial order that compels the release of shared non-public information, so that the Parties may determine the appropriate measures to take, including, where appropriate, legal action.
IX. Points of Contact.
A. For CISA
Sandra Radesky
Associate Director, Vulnerability Management
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
202-710-3127
sandra.radesky@cisa.dhs.gov
B. For FDA
Nastassia Tamari, M.S.
Associate Director
Division of Medical Device Cybersecurity
Office of Readiness and Response
Office of Strategic Partnerships and Technology Innovation
Center for Devices and Radiological Health
Food and Drug Administration
10903 New Hampshire Avenue
Silver Spring, MD 20903
(240) 687-0904
nastassia.tamari@fda.hhs.gov
Jessica Wilkerson, J.D.
Senior Cyber Policy Advisor and Medical Device Cybersecurity Team Lead
Division of Medical Device Cybersecurity
Office of Readiness and Response
Office of Strategic Partnerships and Technology Innovation
Center for Devices and Radiological Health
Food and Drug Administration
10903 New Hampshire Avenue
Building 66, Room 4652
Silver Spring, MD 20903
(240) 401-8691
jessica.wilkerson@fda.hhs.gov
X. Other Provisions.
Nothing in this Agreement is intended to conflict with current law. If a term of this Agreement is inconsistent with any applicable law, then that term will be invalid, but the remaining terms and conditions of this Agreement will remain in full force and effect.
XI. Resource Obligations.
This Agreement represents the broad outline of the Parties’ intent to enter into collaborative efforts in areas of mutual interest to the Parties. All activities undertaken pursuant to this Agreement are subject to the availability of personnel, resources, and funds. This Agreement does not affect or supersede any existing or future agreements or arrangements between the Parties and does not serve to commit or obligate any funding or resources of the Parties. This Agreement does not create binding, enforceable obligations against the Parties. This Agreement and all associated agreements will be subject to the applicable policies, rules, regulations, and statutes under which the Parties operate.
XII. Effective Date.
This Agreement is effective on the date of the final signature.
XIII. Term, Termination, and Modification.
This MOA, when accepted by all participating Parties, will have an effective period of performance of five (5) years from the date of the latest signature and may be modified or terminated by mutual written consent by both Parties or may be terminated by either Party upon a thirty (30) day advance written notice to the other.
XIV. Costs.
This Agreement does not obligate any funds. Each party shall remain responsible for its own costs to perform its responsibilities under this Agreement. All responsibilities herein are subject to the continued availability of funds.
XV. Dispute Resolution.
The Parties will make their best efforts to amicably resolve disputes that may arise under this Agreement through discussions. If resolution cannot be reached, the Parties will solicit the views and mediation of the above referenced technical points of contact. If those views or mediation cannot be obtained, or fail to resolve the matter, the issue will be elevated through the respective signatories to this Agreement for resolution.
Authorized Signatures
Approved and Accepted For:
Food and Drug Administration
By: /s/
Michelle Tarver, M.D., Ph.D.
Acting Center Director
Center for Devices and Radiological Health
Date: 08/05/2024
Approved and Accepted For:
Cybersecurity and Infrastructure Security Agency
By: /s/
Jen Easterly
Director
Date: 07/29/2024
ATTACHMENT A
20.85 Model Request Letter
[Partner(s)] LETTERHEAD *Please copy and paste onto your agency’s letterhead
Attn: Information Sharing Specialist
Division of Information Disclosure Programs
Office of Partnerships
Office of Regulatory Affairs
Food and Drug Administration
ORAInfoShare@fda.hhs.gov
Dear Information Sharing Specialist,
The [Partner(s) and office] requests access to the following non-public information, pursuant to MOA [MOA number], [Request: list the type of records/information requested, including the firm and/or product name and the relevant timeframe] pursuant to 21 C.F.R. § 20.85/20.88.
*(Requests for all documents, or all communications relating to a product/firm, are usually overly broad and can result in processing delays).
The purpose for which the information is requested is to assist in the [state the nature of your interest]. The records will only be used for the following authorized activity: [state the activity].
*If the request for information is the result of an ongoing investigation give the details.
I certify that the ACTIVITY is authorized by law, that the records or information will be used only for the stated purpose and will not be disclosed outside [Partner(s) and office] without the prior written permission of the Food and Drug Administration. I also certify that disclosure within [Partner(s)] will be limited to the specific purpose stated above, and that I will provide a copy of this letter to any person(s) with whom I share the non-public information.
I understand that 21 U.S.C. § 331 of the Federal Food, Drug, and Cosmetic Act prohibits disclosure of trade secret information outside the Department of Health and Human Services. If you have any questions, please contact [Provide your name and email (additional contact information)].
Sincerely,
YOUR SIGNATURE LINE
cc: RECOMMEND INSERTING NAME OF YOUR FDA CONTACT, IF ANY.