Frequently Asked Questions
What information should be included in the risk management documentation in regards to cybersecurity risks?
The following information should be included:
- A system level threat model that includes a consideration of system level risks, including but not limited to risks related to the supply chain (e.g., to ensure the device remains free of malware), design, production, and deployment (i.e., into a connected/networked environment).
- A specific list of all cybersecurity risks that were considered in the design of your device. It is recommended to provide descriptions of risk that leverage an analysis of exploitability to describe likelihood instead of probability. If numerical probabilities are provided, it is recommended to provide additional information that explains how the probability was calculated.
- A specific list of, and justification for, all cybersecurity controls established for your device. This should include all risk mitigations and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
  - A list of verifiable function/subsystem requirements related to access control, encryption/decryption, firewalls, intrusion detection/prevention, antivirus packages, etc.
  - A list of verifiable security requirements impacting other functionality, data, and interface requirements.
- A description of the testing that was done to ensure the adequacy of cybersecurity risk controls (e.g., security effectiveness in enforcing the specified security policy, performance under required traffic conditions, stability and reliability as appropriate). Test reports should include:
  - Testing of device performance
  - Evidence of security effectiveness of third-party off-the-shelf (OTS) software in the system
  - Static and dynamic code analysis, including testing for credentials that are hardcoded, default, easily guessed, or easily compromised
  - Vulnerability scanning
  - Robustness testing
  - Boundary analysis
  - Penetration testing
  - Third-party test reports
- A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered in your security risk and hazard analysis.
- A Cybersecurity Bill of Materials (CBOM) cross-referenced with the National Vulnerability Database (NVD) or a similar known-vulnerability database. Provide criteria for addressing known vulnerabilities and a rationale for not addressing the remaining known vulnerabilities, consistent with the FDA's final guidance, Postmarket Management of Cybersecurity in Medical Devices.
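The last item asks for a CBOM cross-referenced against a known-vulnerability database together with criteria for which findings get addressed. The script below is an added illustration of that cross-reference and is not part of the FDA page or any manufacturer's process. It assumes a CycloneDX-like CBOM with an extra manufacturer-added `exposure` field (which device interface a component sits behind), a list of vulnerability records in a simplified shape (the `SAMPLE-*` identifiers and component names are constructed for the example and are not real NVD entries), and an assumed disposition rule: remediate when a network-reachable weakness scores at or above a CVSS threshold, otherwise record a rationale for leaving it unaddressed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownVuln:
    vuln_id: str      # constructed identifier for the example, not a real CVE
    component: str
    affected: str     # version constraint, e.g. "<2.4.0" or ">=3.0,<3.0.5"
    cvss: float
    vector: str       # "network" or "local": how the weakness is reached


# Constructed CBOM in a CycloneDX-like shape. "exposure" is an assumed
# manufacturer-added field naming the device interface the component sits behind.
SAMPLE_CBOM = {
    "components": [
        {"name": "libmedtls", "version": "2.3.1", "exposure": "network"},
        {"name": "rtos-netstack", "version": "4.0.2", "exposure": "network"},
        {"name": "pump-ui", "version": "1.8.0", "exposure": "local"},
    ]
}

# Constructed known-vulnerability records standing in for NVD lookups.
SAMPLE_VULNS = [
    KnownVuln("SAMPLE-0001", "libmedtls", "<2.4.0", 9.1, "network"),
    KnownVuln("SAMPLE-0002", "libmedtls", ">=3.0,<3.0.5", 7.2, "network"),
    KnownVuln("SAMPLE-0003", "pump-ui", "<=1.8.0", 6.5, "local"),
    KnownVuln("SAMPLE-0004", "rtos-netstack", "<4.0.2", 8.0, "network"),
]

REMEDIATE_CVSS = 7.0  # assumed threshold for the "must address" criterion


def version_key(version: str) -> tuple:
    """Numeric components only, so '1.1.1k' compares as (1, 1, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare(a: tuple, b: tuple) -> int:
    """Three-way compare after right-padding the shorter tuple with zeros."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
}


def version_affected(version: str, spec: str) -> bool:
    """True when every comma-separated clause of spec holds for version."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.\-]+)\s*", clause)
        if not m:
            raise ValueError(f"unparseable version clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(version_key(version), version_key(bound))):
            return False
    return True


def cross_reference(cbom: dict, vulns: list) -> list:
    """Pair each CBOM component with every record whose range covers its version."""
    hits = []
    for comp in cbom["components"]:
        for v in vulns:
            if v.component == comp["name"] and version_affected(comp["version"], v.affected):
                hits.append((comp, v))
    return hits


def disposition(comp: dict, vuln: KnownVuln) -> dict:
    """Assumed criteria: remediate when the weakness is reachable over the device's
    network interface and scores at/above the threshold; otherwise document why
    it is left unaddressed."""
    reachable = vuln.vector == "network" and comp.get("exposure") == "network"
    if reachable and vuln.cvss >= REMEDIATE_CVSS:
        return {"action": "remediate",
                "rationale": "reachable over the network interface and at/above CVSS threshold"}
    if not reachable:
        return {"action": "accept",
                "rationale": f"{vuln.vector}-only weakness; component exposure is {comp.get('exposure')}"}
    return {"action": "accept",
            "rationale": f"CVSS {vuln.cvss} below assumed threshold {REMEDIATE_CVSS}; monitor"}


def build_report(cbom: dict, vulns: list) -> list:
    """One row per (component, known vulnerability) match with its disposition."""
    return [
        {"component": f"{comp['name']}@{comp['version']}",
         "vuln_id": vuln.vuln_id, "cvss": vuln.cvss, **disposition(comp, vuln)}
        for comp, vuln in cross_reference(cbom, vulns)
    ]


if __name__ == "__main__":
    for row in build_report(SAMPLE_CBOM, SAMPLE_VULNS):
        print(row)
```

Two details matter in practice: the version match must be exact at range boundaries (a component at 4.0.2 is not affected by a record covering "<4.0.2"), and every "accept" row carries its rationale in the same report as the "remediate" rows, which is the form the traceability matrix and the postmarket guidance expect. Against a real CBOM you would replace the constructed records with NVD data keyed by CPE or package URL and keep the same disposition step.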