FDA 510K - Pre Submission Query
Hello All,

Need some advice on the query below.

In the Guidance for Industry and Food and Drug Administration Staff document, they mention the following under the Cybersecurity Questions:
"Does the Agency agree with the attack vectors that have been identified for our product as described in Appendix R?"

- What does that mean?
- Any Reference to the Appendix R?

Thanks in Advance!

#510k #Pre-Submission #Presubmission

Ed Panek

QA RA Small Med Dev Company
Super Moderator
I normally feel confident answering almost any question here on the forum; however, in the case of cybersecurity and the FDA, I would encourage using a consultant experienced with this subject matter.

From my understanding, an attack vector is a method to access the data or software of your device. USB, Ethernet, Wireless, Serial cable, and Bluetooth are things to think about.


Super Moderator
Thanks @Eric Gasper for posting the link.

Hmm... this is curious. FDA has 3 guidance docs:
None of those have an Appendix R.

FDA adopted the Mitre Rubric as a Medical Device Development Tool (MDDT) and I would think that would be a good way to model the threats / identify all the attack vectors. You can see more about the Rubric and download the tool from the Mitre site.


Involved In Discussions
I do not think that there is a specific reference to Appendix R anywhere; it is only an example, as in a virtual Appendix R of "a" Q-Sub, or worst case a typo in the guidance document. Regarding the question, you can google "Attack Vector" and I am sure you will identify the relevance to your product.


Managing Director
It’s tough to know exactly what is being referred to without additional context, but “attack vector” is usually in reference to threats or risks.
  • Threats – FDA expects manufacturers to execute a threat model on their device, where they identify potential threats (including attack vectors) and weaknesses in the product design, from an architectural and data flow perspective. The threat model then feeds security requirements, which identify how the threats are either eliminated or mitigated. Microsoft STRIDE is one approach to performing a threat model.

  • Residual Risk – attack vector is an attribute used in executing a cybersecurity risk assessment on residual risk in a product. For example, if there is a known vulnerability that can be exploited across the internet, that attack vector is “network”, whereas for a vulnerability that can only be exploited by manually manipulating the device at the device, that attack vector is “physical”. These are common terms used in evaluating risk with something like the Common Vulnerability Scoring System (CVSS) and the Healthcare CVSS rubric (mentioned above as the MDDT).
Colin Morgan
Managing Director | Apraciti, Medical Device Cybersecurity
[email protected]