| Part B: Supplementary Information Sheet (SIS) |
|
FR Recognition List Number
|
055
|
Date of Entry 10/19/2020
|
|
FR Recognition Number
|
13-116
|
| Standard | |
FIRST CVSS v3.0
Common Vulnerability Scoring System version 3.0 |
|
Scope/Abstract| The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. |
|
| Extent of Recognition
|
Rationale for Recognition
| This standard, when used with the FDA qualified Medical Device Development Tool titled "The Mitre Rubric version 0.12.04 Sept-3, 2019," provides medical device manufacturers and others in the medical device supply chain a common reference framework for discussing the severity and impact of cyber vulnerabilities in already fielded devices. |
|
Relevant FDA Guidance and/or Supportive Publications*
1. Postmarket Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued December 2016.
2. FDA Qualified MDDT "The Mitre Rubric version 0.12.04 Sept-3, 2019."
Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2018. |
|
| FDA Technical Contacts
|
| Standards Development Organization
|
| FDA Specialty Task Group (STG)
|
| *These are provided as examples and others may be applicable. |
