Example #16: Missing Cybersecurity Risk Assessment Documentation

By Robert Rajewski, President, CriTech Research, Inc.
Here’s this week’s example of an Additional Information Request (AI Request):

FDA Additional Information Request – Example #16: Missing Cybersecurity Risk Assessment Documentation

Based on the information provided in your submission, your device meets the definition of a cyber device under Section 524B(c) of the Federal Food, Drug, and Cosmetic Act. However, you did not provide cybersecurity risk assessment documentation.

Cybersecurity risk assessment documentation is important to comply with the requirement specified in section 524B(b)(2) of the FD&C Act to provide a reasonable assurance that the device and related systems are cybersecure. Therefore, please provide cybersecurity risk assessment documentation that includes an assessment of your assets, threats, vulnerabilities, and controls, referring to Section 6 of the FDA guidance document “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” for more detail. Specifically, the guidance recommends manufacturers provide their hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including: a specific list of all cybersecurity risks that were considered in the design of your device, and a specific list and justification for all cybersecurity controls that were established for your device. The guidance also recommends manufacturers provide a traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered.

When submitting, please also provide documentation for your cybersecurity risk analysis that includes the following:

  • A description and rationale for the cybersecurity risk analysis methodology. Multiple methodologies exist including Common Vulnerability Scoring System (CVSS), IEEE 11073-40101-2020, NIST SP 800-30, custom approaches, among others.
    • The selected approach should avoid the use of probabilities in assessing the likelihood of occurrence for the risks. The approach should include an assessment of the exploitability of the risk as outlined in the guidance document “Postmarket Management of Cybersecurity in Medical Devices”.
  • The cybersecurity risk analysis should include an assessment of any known cybersecurity vulnerabilities/risks for the device/device type. This assessment includes risks from third-party software incorporated in the device/system architecture.
  • The cybersecurity risk analysis should include traceability to link the cybersecurity controls to the identified cybersecurity risks.

When your device meets the definition of a Cyber Device, you must provide complete cybersecurity risk assessment documentation as part of the submission.

The cybersecurity risk assessment should focus on exploitability, not probabilistic likelihood. Key points:

  • Perform assessments across all software components, including third-party and proprietary software
  • Evaluate vulnerabilities through an exploitability lens, referencing threats such as those in CISA’s Known Exploited Vulnerabilities Catalog
  • Document residual risks and justify why they are acceptable or why they require further mitigation

As it wasn’t included in the original submission, the FDA is asking the manufacturer to provide cybersecurity risk assessment documentation that includes an assessment of the assets, threats, vulnerabilities, and controls.

FDA specifically requested the manufacturer provide in their response:

  • Description and rationale for the cybersecurity risk analysis methodology
    • Avoiding the use of probabilities in assessing the likelihood of occurrence for the risks
    • FDA prefers the use of exploitability over likelihood of occurrence
  • Assessment of any known cybersecurity vulnerabilities/risks for the device/device type
  • Traceability to link the cybersecurity controls to the identified cybersecurity risks
    • Then traceability of the cybersecurity controls to the testing that verifies their implementation
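
As an added illustration (not code from this article or from CriTech), the following Python sketches the three things the request above asks for: a risk entry that records asset, threat and vulnerability; an exploitability rating built from ordinal factors instead of probabilities; and a traceability check that follows each risk to its controls and each control to a verifying test, reporting any break in the chain. The device data, the R-/C-/T- identifiers and the simplified CVSS-style rubric are constructed assumptions for this example, not FDA or CVSS definitions.

```python
# Added example: exploitability-based risk register with risk -> control -> test
# traceability checks. All identifiers, device data and the scoring rubric are
# constructed for illustration; the rubric is CVSS-like but is not the CVSS formula.
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal exploitability factors (higher = easier to exploit), no probabilities.
ATTACK_VECTOR = {"network": 3, "adjacent": 2, "local": 1, "physical": 0}
PRIVILEGES = {"none": 2, "low": 1, "high": 0}


@dataclass
class Risk:
    id: str
    asset: str
    threat: str
    vulnerability: str
    attack_vector: str           # key of ATTACK_VECTOR
    privileges_required: str     # key of PRIVILEGES
    user_interaction: bool       # True if a user must act for exploitation to succeed
    known_exploited: bool = False  # e.g. listed in a public exploited-vulnerability catalog


@dataclass
class Control:
    id: str
    description: str
    mitigates: List[str] = field(default_factory=list)    # risk ids this control addresses
    verified_by: List[str] = field(default_factory=list)  # test ids that verify the control


def exploitability(risk: Risk) -> str:
    """Rate a risk High/Medium/Low from ordinal factors; a known-exploited vuln is always High."""
    if risk.known_exploited:
        return "High"
    score = ATTACK_VECTOR[risk.attack_vector] + PRIVILEGES[risk.privileges_required]
    if not risk.user_interaction:
        score += 1
    if score >= 5:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def traceability_matrix(risks, controls, tests) -> Dict[str, Dict[str, List[str]]]:
    """Map each risk id to the controls mitigating it and the known tests verifying those controls."""
    matrix = {r.id: {"controls": [], "tests": []} for r in risks}
    for c in controls:
        for rid in c.mitigates:
            if rid in matrix:
                matrix[rid]["controls"].append(c.id)
                matrix[rid]["tests"].extend(t for t in c.verified_by if t in tests)
    return matrix


def traceability_gaps(risks, controls, tests) -> List[str]:
    """List breaks in the risk -> control -> test chain that a reviewer would flag."""
    gaps = []
    known_risks = {r.id for r in risks}
    matrix = traceability_matrix(risks, controls, tests)
    for r in risks:
        if not matrix[r.id]["controls"]:
            gaps.append(f"{r.id}: no control traces to this risk")
        elif not matrix[r.id]["tests"]:
            gaps.append(f"{r.id}: controls exist but none is verified by a test")
    for c in controls:
        for rid in c.mitigates:
            if rid not in known_risks:
                gaps.append(f"{c.id}: references unknown risk {rid}")
        for tid in c.verified_by:
            if tid not in tests:
                gaps.append(f"{c.id}: references unknown test {tid}")
    return gaps


# Constructed sample register for a hypothetical network-connected device.
RISKS = [
    Risk("R-01", "firmware update service", "malicious update image",
         "update image installed without signature verification", "network", "none", False),
    Risk("R-02", "patient data store", "data theft from seized unit",
         "data stored unencrypted at rest", "physical", "high", False),
    Risk("R-03", "third-party TLS library", "remote code execution",
         "library pinned to a version with a public, exploited flaw", "network", "none", False,
         known_exploited=True),
]
CONTROLS = [
    Control("C-01", "verify update signature before install", ["R-01"], ["T-01"]),
    Control("C-02", "encrypt data store with a device-bound key", ["R-02"], []),
    Control("C-03", "pin library to patched version recorded in SBOM", ["R-03", "R-99"], ["T-03"]),
]
TESTS = {"T-01": "tampered update image is rejected",
         "T-03": "SBOM scan confirms patched library version"}

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.id} [{exploitability(r)}] {r.asset}: {r.threat}")
    for gap in traceability_gaps(RISKS, CONTROLS, TESTS):
        print("GAP:", gap)
```

Run stand-alone, the script rates R-01 and R-03 High and R-02 Low, and reports two gaps: C-02 has no verifying test, and C-03 points at a risk id that is not in the register. Those two gap types are exactly the items a reviewer would look for when checking the traceability matrix called for in the request.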

Should you happen to receive an FDA AIR related to software as part of your submission, CriTech is here to help. Contact us any time.

Follow us on LinkedIn to find out when the next example of our FDA AIRs series is released.