FREQUENTLY Asked Questions

What documentation should be included for Tier 1 and Tier 2 devices?

View All FAQs
About the Author
Proxima CRO Team
Isabella Schmitt, RAC
Director of Regulatory Affairs
Ms. Schmitt has also served in additional regulatory affairs and clinical research roles in which she contributed to multiple regulatory submissions and clinical affairs projects across a wide range of indications.

The FDA recommends premarket submissions for Tier 1 devices with higher cybersecurity risk to include documentation demonstrating how the device design and risk assessment incorporate the cybersecurity design controls of identifying and protecting device assets and functionality and detecting, responding, and recovering design expectations. Tier 2 devices with standard cybersecurity risk should include documentation that either 1) demonstrates they have incorporated each of the specific design features and cybersecurity design controls aforementioned, or 2) provide a risk-based rationale for why specific cybersecurity design controls are not appropriate. Risk-based rationales should leverage an analysis of exploitability to describe likelihood instead of probability.

Related Terms:
No items found.
Related FAQs:
More Questions? We're here to help!
SPEAK WITH A SPECIALIST