Regulatory Open Forum

  • 1.  NIST Cybersecurity framework mapping

    This message was posted by a user wishing to remain anonymous
    Posted 31-Jul-2020 09:07

    Dear RAPS members,

    Has anyone submitted NIST mapping to FDA with their submission? I am attempting to create a NIST mapping, but I am a little confused about the ask for different categories, for example ID.RA-1, "Asset vulnerabilities are identified and documented." Should this be answered at the product level or at the organization level, or both? Product vulnerabilities, or IT-infrastructure-related vulnerabilities?

    Another example is ID.RA-4: "Potential business impacts and likelihood are identified." This looks more like an organization level than a product level. I am also mapping these to procedures in place, but it is confusing whether I should select a product-level or an organization-level procedure.

    I appreciate your response in this regard. Thanks in advance.


  • 2.  RE: NIST Cybersecurity framework mapping

    This message was posted by a user wishing to remain anonymous
    Posted 03-Aug-2020 09:57

    I have not. I just stuck to the questions in the 2014 Premarket Guidance and also included a threat analysis. I will add that my software was low risk.


  • 3.  RE: NIST Cybersecurity framework mapping

    Posted 03-Aug-2020 10:07

    Hello,

    I would suggest looking at FDA recognized standard UL 2900-1. It builds upon the NIST framework and should provide a bit of clarity on the device level. NIST SP 800-171 will help on the organization level. It breaks down security requirements into 14 families (hardware/software, technical and administrative policies, etc.).

    I didn't send in the entire NIST mapping with the 510(k) submission, but included Cybersecurity within the Risk documents.



    ------------------------------
    Gretchen Upton CQA, CCRP, RAC
    RA/QA
    Helotes TX
    United States
    ------------------------------



  • 4.  RE: NIST Cybersecurity framework mapping

    Posted 03-Aug-2020 12:08
    Edited by Colin Morgan 03-Aug-2020 12:09
    As some of the others commented, it's typically not required for a submission.  When we work on this with medical device manufacturers, we typically take the following approach:
    • Security Requirement ID
      • NIST Cybersecurity Framework Category (Identify, Protect, Detect, Respond, Recover)
        • Security Requirement Domain, which is mapped to ISO 80001-2-2 security capabilities
          • User Need/Design Input Statement
            • Security Requirement at a system and software level (traced to UL2900)
              • Is the control met and how - if it is not met, this gets added to the product security risk assessment

    The mapping and traceability to an industry standard may not add a significant amount to the submission, but depending on who your customers are it may end up being very helpful for selling into a hospital. During the contract process, you may be asked questions related to not only the security design of the product, but also what frameworks you followed. Being able to provide this mapping/traceability may make that process a bit less painful!

    One other note, security controls usually fall into three categories:
    • Administrative - policies, processes, work instructions (e.g. patch management plan)
    • Technical - technical controls built into the product (e.g. encryption)
    • Physical - physical protections enabled (e.g. physical lock on device preventing access to exposed ports)

    Thanks,
    Colin

    ------------------------------
    Colin Morgan
    Managing Director

    Apraciti | Medical Device Cybersecurity

    colinmorgan@apraciti.com
    United States
    ------------------------------
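The following is an added example, not code from the thread or from Apraciti: it models the traceability structure Colin Morgan describes (requirement ID, NIST CSF function, ISO 80001-2-2 domain, user need, system/software requirement traced to UL 2900, and whether the control is met), checks the matrix for internal consistency, and pulls out every unmet control as an input to the product security risk assessment. All requirement IDs, capability names and UL 2900-1 clause references are constructed placeholders.

```python
from dataclasses import dataclass

# The five NIST CSF functions named in the post.
NIST_CSF_FUNCTIONS = {"Identify", "Protect", "Detect", "Respond", "Recover"}
# The three control categories named in the post.
CONTROL_TYPES = {"Administrative", "Technical", "Physical"}


@dataclass(frozen=True)
class SecurityRequirement:
    req_id: str          # Security Requirement ID (constructed values below)
    csf_function: str    # NIST CSF function
    domain: str          # ISO 80001-2-2 security capability (name assumed)
    user_need: str       # User need / design input statement
    requirement: str     # System- or software-level security requirement
    ul2900_trace: str    # UL 2900-1 clause reference (placeholder string)
    control_type: str    # Administrative / Technical / Physical
    met: bool            # Is the control met in the current design?
    how: str = ""        # How it is met, if it is


def validate(reqs):
    """Return a list of human-readable problems; an empty list means every
    row is well-formed and traceable (unique ID, known CSF function and
    control type, a UL 2900 trace, and a 'how' for every control marked met)."""
    problems = []
    seen = set()
    for r in reqs:
        if r.req_id in seen:
            problems.append(f"{r.req_id}: duplicate requirement ID")
        seen.add(r.req_id)
        if r.csf_function not in NIST_CSF_FUNCTIONS:
            problems.append(f"{r.req_id}: unknown NIST CSF function {r.csf_function!r}")
        if r.control_type not in CONTROL_TYPES:
            problems.append(f"{r.req_id}: unknown control type {r.control_type!r}")
        if not r.ul2900_trace:
            problems.append(f"{r.req_id}: no trace to UL 2900")
        if r.met and not r.how:
            problems.append(f"{r.req_id}: marked met but does not say how")
    return problems


def risk_assessment_inputs(reqs):
    """IDs of controls that are not met. Per the post these are carried into
    the product security risk assessment rather than dropped from the matrix."""
    return [r.req_id for r in reqs if not r.met]


def coverage_by_function(reqs):
    """Count requirements per NIST CSF function; a zero reveals a function
    (e.g. Detect) that the requirement set does not address at all."""
    counts = {f: 0 for f in sorted(NIST_CSF_FUNCTIONS)}
    for r in reqs:
        counts[r.csf_function] = counts.get(r.csf_function, 0) + 1
    return counts


# Constructed sample matrix: three rows, one of which is not yet met.
SAMPLE = [
    SecurityRequirement("SR-001", "Protect", "Person authentication (assumed)",
                        "Only authorised clinicians can change therapy settings",
                        "The device shall authenticate users before settings are editable",
                        "UL 2900-1 clause PLACEHOLDER-A", "Technical", True,
                        "Role-based login on the device UI"),
    SecurityRequirement("SR-002", "Protect", "Data integrity (assumed)",
                        "Firmware on the device cannot be altered without detection",
                        "The device shall verify the signature of firmware before installing it",
                        "UL 2900-1 clause PLACEHOLDER-B", "Technical", True,
                        "Signed update images verified by the bootloader"),
    SecurityRequirement("SR-003", "Detect", "Audit controls (assumed)",
                        "Security-relevant events are available for review",
                        "The device shall log authentication failures with a timestamp",
                        "UL 2900-1 clause PLACEHOLDER-C", "Technical", False),
]

if __name__ == "__main__":
    print("problems:", validate(SAMPLE))
    print("to risk assessment:", risk_assessment_inputs(SAMPLE))
    print("coverage:", coverage_by_function(SAMPLE))
```

Running the script on the constructed sample reports no consistency problems, lists SR-003 as the one row that must appear in the risk assessment, and shows zero coverage under Identify, Respond and Recover, which is the kind of gap a reviewer or hospital procurement questionnaire would ask about.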