Part B: Supplementary Information Sheet (SIS)

FR Recognition List Number: 055
Date of Entry: 10/19/2020
FR Recognition Number: 13-116

Standard: FIRST CVSS v3.0 Common Vulnerability Scoring System version 3.0

Scope/Abstract: The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score.

Extent of Recognition

Rationale for Recognition
This standard, when used with the FDA qualified Medical Device Development Tool titled "The Mitre Rubric version 0.12.04 Sept-3, 2019," provides medical device manufacturers and others in the medical device supply chain a common reference framework for discussing the severity and impact of cyber vulnerabilities in already fielded devices.
NOTE: Conformance to this standard may not satisfy all the cybersecurity requirements outlined in Section 524B of the FD&C Act or the recommendations in item (1) listed below (Relevant FDA Guidance). Manufacturers should consider the information contained within these resources in their assessment of cybersecurity for their device.

Transition Period
FDA recognition of FIRST CVSS v3.0 [Rec# 13-116] will be superseded by recognition of FIRST CVSS v3.1 [Rec# 13-142]. FDA will accept declarations of conformity, in support of premarket submissions, to [Rec# 13-116] until December 20, 2026. After this transition period, declarations of conformity to [Rec# 13-116] will not be accepted.

Relevant FDA Guidance and/or Supportive Publications*
1. Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions, Guidance for Industry and Food and Drug Administration Staff, issued February 2026.
2. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, issued December 2016.
3. FDA Qualified MDDT "The Mitre Rubric version 0.12.04 Sept-3, 2019."
Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2018.

FDA Technical Contact

Standards Development Organization

FDA Specialty Task Group (STG)

*These are provided as examples and others may be applicable.