As some of the others commented, it's typically not required for a submission. When we work on this with medical device manufacturers, we typically take the following approach:
- Security Requirement ID
- NIST Cybersecurity Framework Category (Identify, Protect, Detect, Respond, Recover)
- Security Requirement Domain, which is mapped to ISO 80001-2-2 security capabilities
- User Need/Design Input Statement
- Security Requirement at a system and software level (traced to UL2900)
- Is the control met and how - if it is not met, this gets added to the product security risk assessment
The mapping and traceability to an industry standard may not add a significant amount to the submission, but depending on who your customers are it may end up being very helpful for selling into a hospital. During the contract process, you may be asked questions related to not only the security design of the product, but also what frameworks you followed. Being able to provide this mapping/traceability may make that process a bit less painful!
One other note, security controls usually fall into three categories:
- Administrative - policies, processes, work instructions (e.g. patch management plan)
- Technical - technical controls built into the product (e.g. encryption)
- Physical - physical protections enabled (e.g. a physical lock on the device that prevents access to exposed ports)
Thanks,
Colin
------------------------------
Colin Morgan
Managing Director
Apraciti | Medical Device Cybersecurity
colinmorgan@apraciti.com
United States
------------------------------
Original Message:
Sent: 30-Jul-2020 20:20
From: Anonymous Member
Subject: NIST Cybersecurity framework mapping
This message was posted by a user wishing to remain anonymous
Dear RAPS members,
Has anyone submitted NIST mapping to FDA with their submission? I am attempting to create a NIST mapping, but I am a little confused about the ask for different categories, for example ID.RA-1: "Asset vulnerabilities are identified and documented." Should this be answered at the product level or at the organization level or both? Product vulnerabilities or the IT infrastructure related vulnerabilities?
Another example is ID.RA-4: "Potential business impacts and likelihood are identified." This looks more like an organization level instead of product level. I am also mapping these to procedures in place, but it is confusing if I should select a product level or organization level procedure.
I appreciate your response in this regard. Thanks in advance.