Name: Mapping To Fda Cybersecurity
Author: LeoDPraetorian

Mapping To Fda Cybersecurity | Skills Pool

FDA Severity	Exploitability	Patient Harm	Action Required
Critical	High	Severe/Death	Immediate patch
High	High	Moderate harm	30-day timeline
Medium	Low	Moderate harm	90-day timeline
Low	Low	Minimal/no harm	Standard patch cycle

Document	FDA Requirement	Purpose
Cybersecurity Plan	Mandatory	Risk management and threat model
SBOM	Mandatory	Software component inventory
Vulnerability Disclosure	Mandatory	Coordinated disclosure process
Security Testing Report	Recommended	Penetration testing results
Access Control Matrix	Recommended	Authentication/authorization
Data Protection Plan	Mandatory	Encryption and data integrity

Requirement	Timeline	Regulatory Reference
Vulnerability monitoring	Continuous	21 CFR 822
Security updates	Risk-based	FDA Postmarket Guidance
Incident reporting	30 days	MDR (Medical Device Reports)
Annual postmarket report	Yearly	21 CFR 822

Patient Harm Level	Description	Examples
Severe/Death	Could result in death or serious injury	Insulin pump dosage manipulation
Moderate	Could result in temporary injury	False alarm suppression on monitor
Minimal	No direct patient harm	Delayed diagnostic result display
None	No patient impact	Administrative interface cosmetic bug

Vulnerability Pattern	Patient Harm	FDA Severity	Premarket Requirement	Postmarket Action
Public S3 with PHI	Severe	Critical	Data protection plan	Immediate patching
Exposed API (device data)	Moderate	High	Access control matrix	30-day disclosure
Missing MFA (clinician UI)	Moderate	High	Authentication design	Security update
Weak encryption (at-rest)	Severe	Critical	Encryption standards	Immediate remediation
CloudTrail disabled	Minimal	Medium	Audit logging plan	90-day timeline

Vulnerability Pattern	Patient Harm	FDA Severity	Premarket Requirement	Postmarket Action
Unauthenticated device control	Severe	Critical	Access control matrix	Recall possible
Weak device pairing	Moderate	High	Authentication design	Coordinated patch
Cleartext communication	Severe	Critical	Encryption requirements	Immediate update
Command injection in firmware	Severe	Critical	Security testing report	Recall possible
Default credentials	High	Critical	Password policy	Mandatory update

Vulnerability Pattern	Patient Harm	FDA Severity	Premarket Requirement	Postmarket Action
Open ports on device	Moderate	Medium	Network architecture	Risk assessment
Missing network isolation	Moderate	High	Network segmentation	Configuration fix
Vulnerable TLS version	Moderate	High	Encryption standards	Security update
Exposed debug interface	High	Critical	Security design	Immediate patch

Vulnerability Pattern	Patient Harm	FDA Severity	Premarket Requirement	Postmarket Action
Vulnerable dependency (CVE)	Variable	Risk-based	SBOM documentation	Assess + patch if high
Outdated OS/framework	Moderate	Medium	SBOM + update plan	Planned update
Unsigned firmware	High	Critical	Code signing	Mandatory signing
Leaked credentials in code	Severe	Critical	Secret management	Immediate rotation

Is this a new device submission?
├─ Yes → Premarket (510(k))
│   ├─ Need cybersecurity plan?
│   │   └─ YES - Mandatory for all devices (2023 guidance)
│   ├─ Need SBOM?
│   │   └─ YES - Mandatory (SPDX 2.3+ or CycloneDX 1.4+)
│   ├─ Need threat model?
│   │   └─ YES - Risk-based approach
│   └─ Need security testing?
│       └─ RECOMMENDED - Penetration testing report
│
└─ No → Postmarket
    ├─ Is this a vulnerability?
    │   ├─ Critical (patient harm + high exploitability)?
    │   │   └─ Immediate disclosure + patch
    │   ├─ High severity?
    │   │   └─ 30-day coordinated disclosure
    │   └─ Medium/Low severity?
    │       └─ 90-day disclosure or standard cycle
    │
    └─ Need to report to FDA?
        ├─ Could cause death/serious injury?
        │   └─ YES - MDR report within 30 days
        └─ Requires device modification?
            └─ Postmarket surveillance report

Vulnerability detected:

Step 1: Assess Patient Harm
├─ Could cause death or serious injury?
│   └─ Patient Harm = SEVERE
├─ Could cause temporary/reversible injury?
│   └─ Patient Harm = MODERATE
├─ Could delay or degrade functionality?
│   └─ Patient Harm = MINIMAL
└─ No patient impact?
    └─ Patient Harm = NONE

Step 2: Assess Exploitability
├─ Remotely exploitable + no auth required?
│   └─ Exploitability = HIGH
├─ Local access or authentication required?
│   └─ Exploitability = MEDIUM
└─ Requires physical access or complex conditions?
    └─ Exploitability = LOW

Step 3: Determine FDA Severity
├─ SEVERE + HIGH → CRITICAL
├─ MODERATE/SEVERE + HIGH → HIGH
├─ MODERATE + LOW → MEDIUM
└─ MINIMAL/NONE + ANY → LOW

Found vulnerability in deployed medical device:

Is it exploitable remotely?
├─ Yes → Coordinated disclosure required
│   ├─ CRITICAL severity (patient harm possible)?
│   │   └─ 0-day disclosure + immediate patch
│   ├─ HIGH severity?
│   │   └─ 30-day coordinated timeline
│   └─ MEDIUM/LOW severity?
│       └─ 90-day coordinated timeline
│
└─ No (local/physical only)
    ├─ Could cause patient harm?
    │   └─ Report to manufacturer + standard patch cycle
    └─ No patient harm?
        └─ Standard vulnerability disclosure

Question	Answer	Requirement Type
"Is this a new device?"	→ Premarket (510(k))	Cybersecurity plan + SBOM
"Found vuln in deployed device?"	→ Postmarket	Coordinated disclosure
"Testing prototype?"	→ Premarket validation	Security testing report

{
  "component": "openssl",
  "version": "1.1.1k",
  "supplier": "OpenSSL Project",
  "cve": ["CVE-2021-3711"],
  "license": "Apache-2.0"
}

Device Class	Risk Level	Premarket Requirement	Example
Class III	High	Premarket Approval (PMA)	Pacemakers, ventilators
Class II	Moderate	510(k) clearance	Infusion pumps, monitors
Class I	Low	General controls	Bandages, stethoscopes

finding := &tabularium.Finding{
    Title:       "Unauthenticated Infusion Pump Command Interface",
    Description: "Insulin pump accepts commands without authentication, could allow remote dosage manipulation",
    CWE:         "CWE-306",   // Missing Authentication
    Severity:    "Critical",
    FDA: FDAClassification{
        PatientHarm:      "Severe",        // Could cause death
        Exploitability:   "High",          // Network accessible
        Severity:         "Critical",
        PremarketReq:     "Access control matrix, authentication design",
        PostmarketAction: "Immediate patch + MDR report",
        DeviceClass:      "III",
    },
}

capability := &Capability{
    Name: "detect-exposed-medical-device-apis",
    Findings: []Finding{
        {
            Title:       "Medical Device API Exposed Without Authentication",
            CWE:         "CWE-306",
            Severity:    "High",
            FDA: FDAClassification{
                PatientHarm:      "Moderate",  // Could alter readings
                Exploitability:   "High",      // Internet-facing
                Severity:         "High",
                PremarketReq:     "Authentication + encryption design",
                PostmarketAction: "30-day coordinated disclosure",
            },
        },
    },
}

Field	Requirement	Example
Component name	Mandatory	"openssl"
Component version	Mandatory	"1.1.1k"
Supplier	Mandatory	"OpenSSL Project"
Known CVEs	Mandatory	["CVE-2021-3711"]
License	Recommended	"Apache-2.0"
Dependency tree	Recommended	Direct vs transitive
Hash/checksum	Recommended	SHA-256

Discovery → Vendor notification → FDA notification → Joint assessment
→ Patch development → Coordinated release → Public disclosure

Reference	Content
premarket-requirements.md	Complete 510(k) cybersecurity checklist
postmarket-requirements.md	Vulnerability management and disclosure
sbom-templates.md	SPDX and CycloneDX SBOM examples
severity-classification.md	Patient harm + exploitability decision trees, Tier 1/2 classification

Skill	Purpose
`mapping-to-cwe`	Map findings to CWE identifiers
`mapping-to-mitre-attack`	Map to adversary tactics/techniques
`calculating-cvss-vectors`	Determine CVSS scores for findings
`mapping-to-sans-top-25`	Cross-reference with SANS Top 25

Phase	Requirements	Documentation
Premarket	Cybersecurity plan, threat model, SBOM	510(k) submission package
Postmarket	Vulnerability monitoring, patch lifecycle	Annual postmarket reports

❌ Wrong	✅ Correct
CVSS 9.0 = Critical	CVSS 9.0 + Patient Harm Assessment
Network exposure	Network + authentication + patient impact
SQL injection	SQL injection + data type + harm level

Requirement	Trigger	Timeline	Recipient
MDR	Device malfunction/death/injury	30 days	FDA
CVD	Security vulnerability discovered	30-90 days	Manufacturer + FDA

Format	Version	FDA Accepted	Notes
SPDX	2.3+	✅ Yes	ISO/IEC 5962:2021 standard
CycloneDX	1.4+	✅ Yes	OWASP project
SWID	ISO/IEC 19770-2	✅ Yes	Legacy format

Severity	Disclosure Window	Patch Deadline	FDA Notification
Critical	0-7 days	Immediate	Same day
High	30 days	30 days	Within 5 days
Medium	90 days	90 days	Within 30 days
Low	Standard cycle	Next release	Annual report

Skill	When	Purpose
`mapping-to-cwe`	Classifying vulnerability	CWE mapping for FDA documentation
`calculating-cvss-vectors`	Technical severity	CVSS supplement to patient harm

Skill	Trigger	Purpose
`mapping-to-mitre-attack`	Threat intelligence context	ATT&CK mapping for threat model
`mapping-to-sans-top-25`	Risk prioritization	Cross-reference with SANS

Mapping To Fda Cybersecurity

Mapping Findings to FDA Cybersecurity Guidance

When to Use

Mapping To Fda Cybersecurity

Mapping Findings to FDA Cybersecurity Guidance

When to Use

Critical Rules

1. Use FDA Severity Classification (Dual-Axis)

2. Premarket vs Postmarket Requirements

3. SBOM (Software Bill of Materials) Requirements

Quick Reference

Premarket Requirements (510(k) Submission)

Postmarket Requirements

Vulnerability Severity (Patient Harm)

Mapping Security Findings to FDA Requirements

Cloud Security (Medical Device Backend)

Medical Device Interface Security

Network & Infrastructure

Software Supply Chain

Decision Trees

"Which FDA Requirement Applies?"

"What is the FDA Severity?"

"Do I Need Coordinated Disclosure?"

Common Mistakes

1. Using Only CVSS Scores

2. Ignoring Premarket vs Postmarket Context

3. Missing SBOM Documentation

4. Confusing MDR (Medical Device Reporting) with CVD (Coordinated Vulnerability Disclosure)

5. Not Considering Device Classification

Integration with Capability Development

Nebula/Diocletian Pattern (Medical Device Scanning)

Janus Capability Pattern (Medical Device Backend)

Validation Checklist

SBOM Requirements

Required SBOM Fields (FDA 2023 Guidance)

SBOM Format Standards

Coordinated Vulnerability Disclosure (CVD)

Timeline Requirements

CVD Stakeholders

CVD Process

References

External Sources

Integration

Called By

Requires (invoke before starting)

Calls (during execution)

Pairs With (conditional)

Related Skills

Taskflow Inbox Triage

Accessibility

Open a Pull Request

Investor Materials

Continuous Agent Loop

Configure Ecc