Cybersecurity Risk Assessor

• Assessing device cybersecurity risks
• Planning penetration testing
• Preparing FDA cybersecurity submissions
• Managing software dependencies

Prerequisites

• Software architecture documented
• Network connectivity defined
• Data flows identified
• Third-party components cataloged

Best Practices

• Integrate cybersecurity from design inception
• Maintain current SBOM
• Plan for security updates throughout lifecycle
• Establish vulnerability disclosure process

Process Integration

This skill integrates with the following processes:

• Software Development Lifecycle (IEC 62304)
• Medical Device Risk Management (ISO 14971)
• 510(k) Premarket Submission Preparation
• Post-Market Surveillance System Implementation

Dependencies

• FDA Cybersecurity guidance
• IEC 81001-5-1 standard
• SBOM tools (CycloneDX, SPDX)
• Vulnerability databases (NVD, CVE)
• Threat modeling frameworks

Configuration

cybersecurity-risk-assessor:
  threat-methodologies:
    - STRIDE
    - PASTA
    - attack-trees
  sbom-formats:
    - CycloneDX
    - SPDX
  security-tiers:
    - Tier-1-higher
    - Tier-2-standard
  control-frameworks:
    - NIST-CSF
    - IEC-62443

Output Artifacts

• Threat models
• Vulnerability assessments
• SBOM documents
• Security architecture documents
• Penetration test plans
• FDA cybersecurity submissions
• Security control matrices
• Patch management plans

Quality Criteria

• All threat vectors identified
• Vulnerabilities assessed with CVSS scores
• SBOM is complete and current
• Security controls address identified risks
• Documentation meets FDA requirements
• Postmarket security plan established