Rubric for Applying CVSS to Medical Devices
Abstract
The Common Vulnerability Scoring System (CVSS), currently maintained by the Forum of Incident Response and Security Teams (FIRST) CVSS Special Interest Group (SIG), is an open standard designed to convey vulnerability severity and help determine the urgency and priority of response. Per Food and Drug Administration (FDA) guidance, policy and regulation, medical device manufacturers need to assess the severity of vulnerabilities as part of their risk assessment process, both during product development and as part of post-market surveillance after the product has been cleared or approved; that guidance points to CVSS as an example tool for doing this. When vulnerabilities are discovered by third-party researchers, manufacturers, typically working with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), use CVSS to score the vulnerability as part of the vulnerability disclosure process. This highlights the value of CVSS in providing a consistent and standardized way to communicate the severity of a vulnerability between multiple parties, including the medical device manufacturer, hospitals, clinicians, patients, NCCIC, and vulnerability researchers.
Document Details
- Document Type: Technical Report
- Publication Date: Sep 03, 2019
- Accession Number: AD1108129
Entities
People
- Penny Chase
- Steve C. Coley
Organizations
- MITRE Corporation