Part B: Supplementary Information Sheet (SIS) |
FR Recognition List Number
|
055
|
Date of Entry 10/19/2020
|
FR Recognition Number
|
13-116
|
Standard | |
FIRST CVSS v3.0 Common Vulnerability Scoring System version 3.0 |
|
Scope/AbstractThe Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. |
|
Extent of Recognition
|
Rationale for Recognition
This standard, when used with the FDA qualified Medical Device Development Tool titled "The Mitre Rubric version 0.12.04 Sept-3, 2019," provides medical device manufacturers and others in the medical device supply chain a common reference framework for discussing the severity and impact of cyber vulnerabilities in already fielded devices. |
|
Relevant FDA Guidance and/or Supportive Publications*
1. Postmarket Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued December 2016.
2. FDA Qualified MDDT "The Mitre Rubric version 0.12.04 Sept-3, 2019."
Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2018. |
|
FDA Technical Contacts
|
Standards Development Organization
|
FDA Specialty Task Group (STG)
|
*These are provided as examples and others may be applicable. |