The FDA recommends premarket submissions for Tier 1 devices with higher cybersecurity risk to include documentation demonstrating how the device design and risk assessment incorporate the cybersecurity design controls of identifying and protecting device assets and functionality and detecting, responding, and recovering design expectations. Tier 2 devices with standard cybersecurity risk should include documentation that either 1) demonstrates they have incorporated each of the specific design features and cybersecurity design controls aforementioned, or 2) provide a risk-based rationale for why specific cybersecurity design controls are not appropriate. Risk-based rationales should leverage an analysis of exploitability to describe likelihood instead of probability.
