MOU 225-24-008
This memorandum replaces MOU 225-18-030.

Memorandum of Understanding
Between
CloudWave Critical Infrastructure ISAO (CloudWave-ISAO)
And
The U.S. Food and Drug Administration
Center For Devices and Radiological Health

I. Purpose

The United States Food and Drug Administration (“FDA”)’s Center for Devices and Radiological Health (“CDRH”) and CloudWave Critical Infrastructure ISAO (“CloudWave-ISAO”) have a shared interest in encouraging the identification, mitigation, and prevention of cybersecurity threats to medical devices. FDA and CloudWave-ISAO are each referred to herein individually as a “Party” and collectively as the “Parties.” This Memorandum of Understanding (“MOU”) establishes the terms for collaboration to promote this shared interest.

II. Background

1. FDA is authorized to enforce the Federal Food, Drug, and Cosmetic Act (“the Act”) as amended (21 U.S.C. 301, et seq.). In fulfilling its responsibilities under the Act, FDA, among other things, directs its activities toward promoting and protecting the public health by ensuring the safety, efficacy, and security of drugs, biological products, veterinary products, medical devices, and radiological products, as well as the safety and security of foods and cosmetics. CDRH is responsible for assuring that patients and providers have timely and continued access to safe, effective, and high-quality medical devices and safe radiation-emitting products. To accomplish its mission, FDA takes efforts to stay abreast of the latest technological advances and developments in research by communicating with stakeholders about complex scientific and public health issues.

2. CloudWave-ISAO, owned and operated by CloudWave Cybersecurity Solutions, is an Information Sharing and Analysis Organization that focuses on the sharing of cybersecurity threat intelligence, best practices, toolkits, and other assets across its member base and with vetted and interested parties and organizations across the United States.

The CloudWave-ISAO embraces a community model that relies on tactical principles and strategies in order to provide a rapid response capability to its members, partners, and other interested and vetted parties. The CloudWave-ISAO is designed to eventually provide cross-sector intelligence, practices, and assets among the sixteen critical infrastructure sectors as defined by the U.S. Department of Homeland Security. This includes the integration and fusion of intelligence and other information that directly impacts the healthcare sector and most specifically those threats which could impact patient safety.

3. Executive Order 13636 articulates that cyber threats continue to grow and are one of the most serious threats to national security. Furthermore, Presidential Policy Directive 21 tasks federal government entities with the responsibility to strengthen the security and resilience of critical infrastructure (e.g., the Healthcare and Public Health (“HPH”) sector) against physical and cyber threats such that these efforts reduce vulnerabilities, minimize consequences, and identify and disrupt threats. As part of sector-specific cybersecurity initiatives, CDRH seeks to create a collaborative information-sharing environment and decision framework that reduces risks to the public's health and allows rapid sharing of medical device vulnerabilities, threats, and mitigations within the hospital and healthcare ecosystem.

The CloudWave-ISAO operates the CloudWave Cybersecurity Tactical Operations Center (“CTOC”) as well as the Cybersecurity Tactical Training Center. The combination of these entities enables the CloudWave-ISAO to utilize its threat collection capabilities and work with healthcare organizations, medical device manufacturers, incident response programs, and other services to support Executive Order 13636 and the efforts, missions, and responsibilities of entities who are critical to the analysis, evaluation, dissemination, and response to cybersecurity intelligence and attacks against the HPH sector.

III. Goals of Collaboration

1. Create an environment that fosters stakeholder collaboration and communication and encourages the sharing of information about cybersecurity risks that may affect the safety, effectiveness, and security of the medical devices and their related systems, and/or the integrity and security of the surrounding healthcare information technology (“IT”) infrastructure. Ultimately, exploited vulnerabilities and other cyber risks may have downstream public health and patient safety consequences.

2. Create an environment that fosters stakeholder collaboration and communication, and encourages the sharing of certain medical device software supply chain information, which may include software bills of material (“SBOMs”), to enable the tracking, analysis, and response to potential cyber risks within such software supply chains that may affect the safety, effectiveness, and security of medical devices and their related systems, and/or the integrity and security of the surrounding healthcare IT infrastructure. Ultimately, cyber risks revealed by SBOMs and software supply chain information may have downstream public health and patient safety consequences.

3. Develop awareness of resources related to cyber risk management produced by the Health Sector Coordinating Council, the recognized critical infrastructure industry partner for the HPH sector, and enable HPH sector stakeholders to successfully adapt and operationalize these resources for their organizations and products.

4. Encourage stakeholders within the HPH sector to develop innovative strategies to assess and mitigate cybersecurity vulnerabilities and other cyber threats that affect their products.

5. Build a foundation of trust within the HPH community (including but not limited to medical device manufacturers, end user facilities, providers, and healthcare organizations) so that all healthcare technology and medical device stakeholders can directly benefit from the sharing of cybersecurity vulnerability and/or threat information identified within the HPH sector, as well as intelligence feeds from other Critical Infrastructure Sectors that may secondarily affect healthcare and the public health. Gaining timely situational awareness of cybersecurity vulnerabilities that can have negative consequences for patient safety provides stakeholders with an opportunity to share solutions in advance of potential harm and possibly prevent economic or 'brand' damage. It would further enable owners and operators of critical infrastructure to proactively take appropriate measures to strengthen cybersecurity within the HPH sector with accuracy and agility.

IV. Substance of the Agreement

1. FDA intends to establish a mechanism by which information regarding cyber risks and certain software supply chain information can be shared with CloudWave-ISAO. The FDA will not, as a part of the activities covered by this MOU, share any non-public information, including confidential commercial or financial information (21 C.F.R. 20.61) or trade secret information (21 U.S.C. 360j(c)) obtained by or provided directly to FDA from a third party.

2. CloudWave-ISAO intends to work with its members to establish a mechanism by which cyber risks and appropriate software supply chain information relevant to medical devices are shared broadly throughout the HPH sector and with FDA, such that the existing agreements among CloudWave-ISAO members will not be infringed upon.

3. The Parties intend to work together to establish mechanisms to ensure that essential medical device or healthcare cyber risk and software supply chain information can be shared with all stakeholders within the HPH sector, including those who are not members of CloudWave-ISAO, to the extent consistent with applicable law. This collaboration will help inform a common understanding of that risk threshold upon which exploit of a vulnerability, threat, or software supply chain information might impact patient safety and/or public health.

4. The Parties intend to collaborate to foster the development of cyber risk and software supply chain analytics that will enable stakeholders to preemptively detect and address cybersecurity risks before they impact the safety, effectiveness, or security of medical devices, or the integrity of the healthcare IT infrastructure.

5. The base cybersecurity medical device policy and vendor assessment framework developed by the CloudWave-ISAO's members will be freely available under open-source license to the HPH sector. Any and all contributions developed by the CloudWave-ISAO membership will also be contributed to the common good and made available under an open-source license.

6. Each Party will establish a principal point of contact to facilitate the actions carried out under this MOU.

V. General Provisions

1. This MOU represents the broad outline of the Parties’ intention to collaborate in areas of mutual interest. All activities that may be undertaken by this MOU are subject to the availability of personnel, resources, and funds. This MOU does not affect or supersede any existing or future understandings or arrangements between the Parties and does not affect the ability of the Parties to enter into other understandings or arrangements related to this MOU. This MOU does not create binding, enforceable obligations against any Party. This MOU and all associated agreements will be subject to the applicable policies, rules, regulations, and statutes under which FDA and CloudWave-ISAO operate.

2. Data Sharing Guidelines: The Parties may enter into separate Confidential Disclosure Agreements (“CDAs”) pertaining to certain data and information shared in accordance with this MOU. In accordance with applicable laws and regulations, including, but not limited to, 21 U.S.C. 331(j), 21 U.S.C. 360j(c), 18 U.S.C. 1905, 21 CFR 20.61 and 20.63, FDA will not share any confidential commercial information, trade secrets, or personal privacy information with CloudWave-ISAO pursuant to this MOU.

VI. Liaison Officers:

A. For the CloudWave-ISAO

Kate Macaleer
SVP of Operations, CloudWave
68 White Street, Suite 7-180
Red Bank, NJ 07701
844-736-7286 x 100
kate.macaleer@sensato.com

B. For the Food and Drug Administration

Nastassia Tamari, M.S.
Associate Director
Division of Medical Device Cybersecurity
Office of Readiness and Response
Office of Strategic Partnerships and Technology Innovation
Center for Devices and Radiological Health
Food and Drug Administration
10903 New Hampshire Avenue
Silver Spring, MD 20903
240-687-0904
nastassia.tamari@fda.hhs.gov

or

Jessica Wilkerson, J.D.
Senior Cyber Policy Advisor and Medical Device Cybersecurity Team Lead
All-Hazards, Readiness, Response, and Cybersecurity Team
Division of All Hazards Response, Science and Strategic Partnerships
Office of Strategic Partnerships and Technology Innovation
Center for Devices and Radiological Health
Food and Drug Administration
10903 New Hampshire Avenue
Silver Spring, MD 20903
240-401-8691
jessica.wilkerson@fda.hhs.gov

Each Party may designate new liaisons at any time by notifying the other Party’s administrative liaison in writing. If, at any time, an individual designated as a liaison under this MOU becomes unavailable to fulfill those functions, the Parties will name a new liaison within two (2) weeks and notify the other Party through the designated administrative liaison.

VII. Term, Termination, and Modification:

This MOU, when accepted by all participating Parties, will have an effective period of performance of five (5) years from the date of the latest signature and may be modified or terminated by mutual written consent by both Parties or may be terminated by either Party upon a thirty (30) day advance written notice to the other.

Authorized Signatures

Approved and Accepted For
CloudWave-ISAO

/s/
Erik LittleJohn
Chief Executive Officer
CloudWave
Date: 3/22/2024

Approved and Accepted For
Food and Drug Administration
Center for Devices and Radiological Health

/s/
Jeffrey Shuren, M.D., J.D.
Director
Center for Devices and Radiological Health
Date: 3/25/2024
