U.S. Department of Health and Human Services

Recognized Consensus Standards: Medical Devices

Part B: Supplementary Information Sheet (SIS)
FR Recognition List Number 064
Date of Entry 05/26/2025
FR Recognition Number 13-140
Standard
FIRST CVSS v4.0
Common Vulnerability Scoring System version 4.0
Scope/Abstract
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of four metric groups: Base, Threat, Environmental, and Supplemental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Threat group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. Base metric values are combined with default values that assume the highest severity for Threat and Environmental metrics to produce a score ranging from 0 to 10. To further refine a resulting severity score, Threat and Environmental metrics can then be amended based on applicable threat intelligence and environmental considerations.
Supplemental metrics do not modify the final score and are used as additional insight into the characteristics of a vulnerability. A CVSS vector string consists of a compressed textual representation of the values used to derive the score. This document provides the official specification for CVSS version 4.0. The most current CVSS resources can be found at https://www.first.org/cvss/.
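The metric groups and the vector string described in the abstract, as an added example that is not part of the FDA record or of FIRST's own tooling: it parses a CVSS v4.0 vector into its four groups, enforces that all Base metrics are present, defaults omitted Threat, Environmental and Supplemental metrics to X (Not Defined), and reports which groups a submitter actually populated. Metric names and allowed values follow the CVSS v4.0 specification; the sample vector is constructed.

```python
# Added example (not FDA or FIRST code): validate a CVSS v4.0 vector string and
# split it into the Base, Threat, Environmental and Supplemental metric groups.
BASE = {  # mandatory; every v4.0 vector must carry all eleven
    "AV": set("NALP"), "AC": set("LH"), "AT": set("NP"), "PR": set("NLH"), "UI": set("NPA"),
    "VC": set("HLN"), "VI": set("HLN"), "VA": set("HLN"),
    "SC": set("HLN"), "SI": set("HLN"), "SA": set("HLN"),
}
THREAT = {"E": set("XAPU")}  # Exploit Maturity; X is scored as Attacked (highest severity)
ENVIRONMENTAL = {
    "CR": set("XHML"), "IR": set("XHML"), "AR": set("XHML"),
    "MAV": set("XNALP"), "MAC": set("XLH"), "MAT": set("XNP"), "MPR": set("XNLH"),
    "MUI": set("XNPA"), "MVC": set("XHLN"), "MVI": set("XHLN"), "MVA": set("XHLN"),
    "MSC": set("XHLN"), "MSI": set("XSHLN"), "MSA": set("XSHLN"),
}
SUPPLEMENTAL = {  # informational only; never alter the numeric score
    "S": set("XNP"), "AU": set("XNY"), "R": set("XAUI"), "V": set("XDC"), "RE": set("XLMH"),
    "U": {"X", "Clear", "Green", "Amber", "Red"},
}
GROUPS = {"Base": BASE, "Threat": THREAT, "Environmental": ENVIRONMENTAL, "Supplemental": SUPPLEMENTAL}

# Constructed sample: network-reachable, no privileges, full impact, exploit proof-of-concept
# known (E:P), and a safety impact flagged (S:P). No Environmental metrics were set.
SAMPLE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/S:P"

def parse_vector(vector):
    """Return {group: {metric: value}}; raise ValueError on a malformed vector."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must begin with the CVSS:4.0 prefix")
    seen = {}
    for item in parts[1:]:
        name, sep, value = item.partition(":")
        if not sep or name in seen:
            raise ValueError(f"malformed or duplicate metric: {item!r}")
        seen[name] = value
    result = {group: {} for group in GROUPS}
    for group, metrics in GROUPS.items():
        for name, allowed in metrics.items():
            value = seen.pop(name, None)
            if value is None:
                if group == "Base":
                    raise ValueError(f"missing mandatory Base metric {name}")
                value = "X"  # Not Defined: optional metric left at its default
            if value not in allowed:
                raise ValueError(f"invalid value {value!r} for metric {name}")
            result[group][name] = value
    if seen:  # anything left over is not a CVSS v4.0 metric
        raise ValueError(f"unknown metrics: {sorted(seen)}")
    return result

def populated_groups(vector):
    """Groups the author actually set: Base always, others only if some value is not X."""
    parsed = parse_vector(vector)
    return [g for g, m in parsed.items() if g == "Base" or any(v != "X" for v in m.values())]

def is_valid(vector):
    """True when the vector parses under the rules above."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False
```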
Extent of Recognition
Complete standard
Rationale for Recognition
This standard is relevant to medical devices and is recognized on its scientific and technical merit and/or because it supports existing regulatory policies.
Transition Period
FDA recognition of FIRST CVSS v3.1 [Rec# 13-142] will be superseded by recognition of FIRST CVSS v4.0 [Rec# 13-140]. FDA will accept declarations of conformity, in support of premarket submissions, to [Rec# 13-142] until July 4, 2027. After this transition period, declarations of conformity to [Rec# 13-142] will not be accepted.
Relevant FDA Guidance and/or Supportive Publications*
1. Postmarket Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued December 2016.

2. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions - Guidance for Industry and Food and Drug Administration Staff, issued September 2023.

3. Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2018.
FDA Technical Contacts
 OPEQ Cybersecurity Team
  FDA/OC/CDRH/OPEQ/
  --
  OPEQ_Cybersecurity@fda.hhs.gov
 CDRH Division of Medical Device Cybersecurity
  FDA/OC/CDRH/OST/ORR/
  --
  CyberMed@fda.hhs.gov
Standards Development Organization
FIRST Forum of Incident Response and Security Teams http://www.first.org
FDA Specialty Task Group (STG)
Software/Informatics
*These are provided as examples and others may be applicable.