Frequently Asked Questions
What information should be included in the risk management documentation in regards to cybersecurity risks?
About the Author
Proxima CRO Team
Isabella Schmitt, RAC
Director of Regulatory Affairs

Prior to joining Proxima, Isabella served as the Senior Regulatory & Quality Manager at a medical device company, where she outlined the regulatory strategy & put together design controls & design history documentation. She was the Dir. of CMC & Quality at a biopharmaceutical company, where she oversaw all manufacturing and analytical processes and timelines and ensured CMC regulatory strategy was sufficient for filings in Europe and the US.

The following information should be included:

  • A system-level threat model that includes a consideration of system-level risks, including but not limited to risks related to the supply chain (e.g., to ensure the device remains free of malware), design, production, and deployment (i.e., into a connected/networked environment).
  • A specific list of all cybersecurity risks that were considered in the design of your device. It is recommended to provide descriptions of risk that leverage an analysis of exploitability to describe likelihood instead of probability. If numerical probabilities are provided, it is recommended to provide additional information that explains how the probability was calculated.
  • A specific list and justification for all cybersecurity controls that were established for your device. This should include all risk mitigations and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
    - A list of verifiable function/subsystem requirements related to access control, encryption/decryption, firewalls, intrusion detection/prevention, antivirus packages, etc.
    - A list of verifiable security requirements impacting other functionality, data, and interface requirements
  • A description of the testing that was done to ensure the adequacy of cybersecurity risk controls (e.g., security effectiveness in enforcing the specified security policy, performance for required traffic conditions, stability and reliability as appropriate). Test reports should include:
    - Testing of device performance
    - Evidence of security effectiveness of third-party OTS (off-the-shelf) software in the system
    - Static and dynamic code analysis, including testing for credentials that are "hardcoded", default, easily guessed, and easily compromised
    - Vulnerability scanning
    - Robustness testing
    - Boundary analysis
    - Penetration testing
    - Third-party test reports
  • A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered in your security risk and hazard analysis.
  • A CBOM (cybersecurity bill of materials) cross-referenced with the National Vulnerability Database (NVD) or a similar known-vulnerability database. Provide criteria for addressing known vulnerabilities and a rationale for not addressing the remaining known vulnerabilities, consistent with the FDA's final guidance, Postmarket Management of Cybersecurity in Medical Devices.
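As an added example (not from this FAQ or from Proxima), the last two items above worked on constructed data in Python: a traceability check that every considered risk is linked to at least one control, and a CBOM cross-reference against a constructed stand-in for an NVD snapshot that applies an assumed "address if remotely exploitable or CVSS >= 7.0" criterion and flags accepted vulnerabilities that lack a documented rationale. Component names, risk and control labels, and vulnerability ids are all constructed placeholders.

```python
from dataclasses import dataclass
# Constructed sample data; vulnerability ids are placeholders, not real CVE numbers.
@dataclass(frozen=True)
class Component:            # one CBOM line item
    name: str
    version: str

@dataclass(frozen=True)
class Vuln:                 # minimal stand-in for an NVD record
    vuln_id: str
    product: str
    affected: frozenset     # affected component versions
    cvss: float
    remote: bool            # exploitable over the network without credentials

RISKS = {"R1 unauthenticated telemetry write", "R2 firmware tampering",
         "R3 hardcoded service password"}
# Traceability matrix: risk -> mitigating controls (R3 deliberately left unlinked).
TRACEABILITY = {"R1 unauthenticated telemetry write": ["C1 mutual TLS"],
                "R2 firmware tampering": ["C2 signed firmware", "C3 secure boot"],
                "R3 hardcoded service password": []}
CBOM = [Component("tls-lib", "1.0.2"), Component("rtos-kernel", "5.1"),
        Component("embedded-db", "3.2")]
NVD_SNAPSHOT = [
    Vuln("EXAMPLE-VULN-1", "tls-lib", frozenset({"1.0.1", "1.0.2"}), 9.8, True),
    Vuln("EXAMPLE-VULN-2", "rtos-kernel", frozenset({"5.1"}), 4.3, False),
    Vuln("EXAMPLE-VULN-3", "embedded-db", frozenset({"3.0"}), 7.5, True),  # version not shipped
]
RATIONALES = {}   # vuln_id -> documented reason for not addressing it (none yet)

def unlinked_risks(risks=RISKS, matrix=TRACEABILITY):
    """Risks from the hazard analysis with no control in the traceability matrix."""
    return sorted(r for r in risks if not matrix.get(r))

def must_address(v):
    """Assumed acceptance criterion: fix if remotely exploitable or CVSS >= 7.0."""
    return v.remote or v.cvss >= 7.0

def cross_reference(cbom=CBOM, db=NVD_SNAPSHOT, rationales=RATIONALES):
    """Return (ids that must be fixed, ids left open without a documented rationale)."""
    to_fix, no_rationale = [], []
    for comp in cbom:
        for v in db:
            if v.product != comp.name or comp.version not in v.affected:
                continue        # record is for another product or an unshipped version
            if must_address(v):
                to_fix.append(v.vuln_id)
            elif v.vuln_id not in rationales:
                no_rationale.append(v.vuln_id)
    return to_fix, no_rationale
```

Running `unlinked_risks()` reports R3, and `cross_reference()` reports EXAMPLE-VULN-1 as must-fix and EXAMPLE-VULN-2 as accepted without a rationale; the third record does not match the shipped version and is correctly ignored.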
