FDA 510K - Pre Submission Query

#1
Hello All,

Need advice on the below query.

In the Guidance for Industry and Food and Drug Administration Staff document, they have mentioned under the Cybersecurity Questions:
"Does the Agency agree with the attack vectors that have been identified for our product as described in Appendix R?"

- What does that mean?
- Any Reference to the Appendix R?

Thanks in Advance!

#510k #Pre-Submission #Presubmission
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
#2
I normally feel confident answering almost any question here on the forum; however, in the case of cybersecurity and the FDA, I would encourage using a consultant experienced with this subject matter.

From my understanding, an attack vector is a method to access the data or software of your device. USB, Ethernet, Wireless, Serial cable, and Bluetooth are things to think about.
 

yodon

Leader
Super Moderator
#5
Thanks @Eric Gasper for posting the link.

Hmm... this is curious. FDA has 3 guidance docs:
None of those have an Appendix R.

FDA adopted the Mitre Rubric as a Medical Device Development Tool (MDDT) and I would think that would be a good way to model the threats / identify all the attack vectors. You can see more about the Rubric and download the tool from the Mitre site.
 

akp060

Involved In Discussions
#6
Do not think that there is a specific reference to Appendix R anywhere, but only an example, as in virtual Appendix R of "a" Q-Sub; worst-case a typo in the guidance document. Regarding the question, you can google "Attack Vector" and I am sure you will identify the relevance to your product.
 

colinkmorgan

Managing Director
#7
It’s tough to know exactly what is being referred to without additional context, but “attack vector” is usually in reference to threats or risks.
  • Threats – FDA expects manufacturers to execute a threat model on their device, where they identify potential threats (including attack vector) and weaknesses to the product design, from an architectural and data flow perspective. The threat model then would feed security requirements, which identify how the threats are either eliminated or mitigated. Microsoft STRIDE is one approach to performing a threat model.

  • Residual Risk – attack vector is an attribute used in executing a cybersecurity risk assessment on residual risk in a product. For example, if there is a known vulnerability that can be exploited across the internet, that attack vector is “network”, whereas for a vulnerability that can only be exploited by manually manipulating the device at the device, that attack vector is “physical”. These are common terms used in evaluating risk with something like the Common Vulnerability Scoring System (CVSS) and the healthcare CVSS rubric (mentioned above as the MDDT).
Colin Morgan
Managing Director | Apraciti, Medical Device Cybersecurity
[email protected]
 