Rubric for Applying CVSS to Medical Devices

By Melissa Chase, Steven Christey Coley

MITRE, in support of FDA and in collaboration with a multi-disciplinary team of experts, has developed a rubric that addresses the challenges of using CVSS to score the severity of medical device vulnerabilities.


The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey vulnerability severity and help determine the urgency and priority of response. When vulnerabilities are discovered in medical devices, medical device manufacturers, typically working with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), use CVSS to communicate the severity of a vulnerability in a consistent, standardized way to all of the parties involved: the medical device manufacturer, hospitals, clinicians, patients, NCCIC, and vulnerability researchers.

However, there are challenges in using CVSS to assess the severity of vulnerabilities in medical devices. CVSS and its associated rubric and examples were developed for enterprise information technology systems: its impact metrics measure loss of confidentiality, integrity, and availability of the affected component, and they do not adequately reflect the clinical environment or the potential patient safety impacts of a compromised device.

To address these challenges, the MITRE Corporation, under contract to FDA, developed a rubric that provides guidance for how an analyst can utilize CVSS as part of a risk assessment for a medical device. This rubric was developed by MITRE in collaboration with a working group of subject matter experts across the medical device ecosystem, including FDA, medical device manufacturers, healthcare delivery organizations, security experts, and safety/risk assessment experts.

Members of the medical device cybersecurity ecosystem have developed calculators to help users apply the rubric in assessing medical device cybersecurity vulnerabilities. Some of these calculators are desktop tools, such as spreadsheet-based calculators, and others are online tools. These tools are available at MITRE’s GitHub CVSS Rubric Tools repository.

On October 20, 2020, FDA announced that the rubric was qualified as a Medical Device Development Tool (MDDT). An MDDT is a tool that FDA has evaluated "and concurs with available supporting evidence that the tool produces scientifically-plausible measurements and works as intended within the specified context of use." The Qualification Summary is available on the MDDT website.

Please send comments or suggestions about the Medical Device CVSS Rubric to