Frequently Asked Questions

What information should be included in the risk management documentation in regards to cybersecurity risks?

About the Author
Proxima CRO Team
Isabella Schmitt, RAC
Director of Regulatory Affairs
Ms. Schmitt has also served in additional regulatory affairs and clinical research roles in which she contributed to multiple regulatory submissions and clinical affairs projects across a wide range of indications.

The following information should be included:

  • A system-level threat model that considers system-level risks, including but not limited to risks arising from the supply chain (e.g., ensuring the device remains free of malware), design, production, and deployment (i.e., into a connected/networked environment).
  • A specific list of all cybersecurity risks that were considered in the design of your device. It is recommended to describe each risk using an analysis of exploitability to characterize likelihood, rather than a probability. If numerical probabilities are provided, include additional information explaining how each probability was calculated.
  • A specific list of, and justification for, all cybersecurity controls established for your device. This should include all risk mitigations and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
    - A list of verifiable function/subsystem requirements related to access control, encryption/decryption, firewalls, intrusion detection/prevention, antivirus packages, etc.
    - A list of verifiable security requirements impacting other functionality, data, and interface requirements
  • A description of the testing performed to ensure the adequacy of the cybersecurity risk controls (e.g., security effectiveness in enforcing the specified security policy, performance under the required traffic conditions, and stability and reliability as appropriate). Test reports should include:
    - Testing of device performance
    - Evidence of the security effectiveness of third-party off-the-shelf (OTS) software in the system
    - Static and dynamic code analysis, including testing for credentials that are hardcoded, default, easily guessed, or easily compromised
    - Vulnerability scanning
    - Robustness testing
    - Boundary analysis
    - Penetration testing
    - Third-party test reports
  • A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks considered in your security risk and hazard analysis.
  • A cybersecurity bill of materials (CBOM) cross-referenced with the National Vulnerability Database (NVD) or a similar known-vulnerability database. Provide the criteria used to decide which known vulnerabilities are addressed, and a rationale for not addressing the remaining known vulnerabilities, consistent with the FDA's final guidance, Postmarket Management of Cybersecurity in Medical Devices.
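The last item, cross-referencing the CBOM against a known-vulnerability database and recording criteria plus rationales, is mechanical enough to automate. The script below is an added example written for this FAQ; it is not code from Proxima CRO or from the FDA guidance. The component list, the vulnerability records and their identifiers (EXAMPLE-YYYY-NNNN) are constructed placeholders, and exact-version matching is a deliberate simplification: a real workflow would load NVD data and match on CPE names and version ranges. The triage threshold (CVSS 7.0 or a public exploit) is likewise an assumed criterion that a manufacturer would replace with its own documented policy.

```python
"""Cross-reference a cybersecurity bill of materials (CBOM) against a
known-vulnerability feed and apply documented triage criteria.

Added example for this FAQ; not code from Proxima CRO or the FDA guidance.
The component list, the vulnerability records and their identifiers
(EXAMPLE-YYYY-NNNN) are constructed for illustration; a real workflow would
load NVD data and match on CPE names and version ranges instead.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One CBOM line item: software/firmware component and exact version."""
    name: str
    version: str
    supplier: str


@dataclass(frozen=True)
class KnownVuln:
    """One known-vulnerability record (constructed stand-in for an NVD entry)."""
    vuln_id: str
    component: str
    affected_versions: frozenset
    cvss: float
    exploit_public: bool  # exploitability evidence, used instead of a bare probability


# Constructed CBOM for a hypothetical connected device
CBOM = [
    Component("embedded-tls", "1.2.0", "Example Vendor"),
    Component("rtos-kernel", "4.1", "Example RTOS Inc"),
    Component("json-parser", "0.9.3", "Community"),
]

# Constructed vulnerability feed; IDs are placeholders, not real CVEs
VULN_FEED = [
    KnownVuln("EXAMPLE-2020-0001", "embedded-tls", frozenset({"1.1.0", "1.2.0"}), 9.8, True),
    KnownVuln("EXAMPLE-2021-0002", "json-parser", frozenset({"0.9.3"}), 4.3, False),
    KnownVuln("EXAMPLE-2019-0003", "rtos-kernel", frozenset({"3.9"}), 7.5, True),
]

# Documented criteria (assumed for the example): a finding must be addressed
# when its CVSS base score reaches the threshold or a public exploit exists.
ADDRESS_CVSS_THRESHOLD = 7.0


def match_cbom(cbom, feed):
    """Return (component, vuln) pairs where the shipped version is listed as affected."""
    return [
        (comp, vuln)
        for comp in cbom
        for vuln in feed
        if vuln.component == comp.name and comp.version in vuln.affected_versions
    ]


def triage(findings, threshold=ADDRESS_CVSS_THRESHOLD):
    """Split findings into IDs that must be addressed and IDs that need a documented rationale."""
    must_address, needs_rationale = [], []
    for _comp, vuln in findings:
        if vuln.cvss >= threshold or vuln.exploit_public:
            must_address.append(vuln.vuln_id)
        else:
            needs_rationale.append(vuln.vuln_id)
    return must_address, needs_rationale


def build_report(cbom, feed, rationales, threshold=ADDRESS_CVSS_THRESHOLD):
    """Produce the submission rows; every unaddressed finding must carry a rationale."""
    findings = match_cbom(cbom, feed)
    must_address, needs_rationale = triage(findings, threshold)
    missing = [vid for vid in needs_rationale if vid not in rationales]
    if missing:
        # Refuse to emit a report with an undocumented accepted vulnerability
        raise ValueError(f"no documented rationale for: {missing}")
    rows = []
    for comp, vuln in findings:
        addressed = vuln.vuln_id in must_address
        rows.append({
            "component": f"{comp.name} {comp.version}",
            "vulnerability": vuln.vuln_id,
            "cvss": vuln.cvss,
            "disposition": "address" if addressed else "accept",
            "rationale": "" if addressed else rationales[vuln.vuln_id],
        })
    return rows


if __name__ == "__main__":
    # Constructed rationale for the one finding below the threshold
    rationales = {
        "EXAMPLE-2021-0002": "Parser only receives configuration signed by the manufacturer; "
                             "the affected code path is not reachable from any network interface.",
    }
    for row in build_report(CBOM, VULN_FEED, rationales):
        print(row)
```

The report refuses to run if a finding that falls below the documented criteria has no written rationale, which mirrors the expectation above that every unaddressed known vulnerability is justified rather than silently omitted. Note that the rtos-kernel record is not reported because the shipped version is outside the affected set; with real NVD data that decision rests on CPE version-range matching, which this example does not implement.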
