CVSS Rubric for Medical Devices Calculators
The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey vulnerability severity and help determine the urgency and priority of response. CVSS and its associated rubric and examples were developed for enterprise information technology systems and do not adequately reflect the clinical environment and potential patient safety impacts. MITRE–in collaboration with a working group of subject matter experts across the medical device ecosystem, including FDA, medical device manufacturers, healthcare delivery organizations, security experts, and safety/risk assessment experts–developed a rubric to provide more specific guidance guidance for applying CVSS to medical devices. The rubric and additional information can be found on MITRE’s website.
Members of the medical device cybersecurity ecosystem have developed calculators to facilitate using the rubric. Some of the tools are desktop applications, such as spreadsheet based calculators, and others are web-based. The desktop calculators are available in the CVSS Rubric Tools GitHub repo and links to the web-based calculators are listed below.
FDA qualified the rubric as a Medical Device Development Tool (MDDT), which means FDA believes the rubric produces measures that can be used in “the evaluation and justification of patient-centric, situational impact and urgency characteristics in time-sensitive postmarket vulnerability disclosures of medical devices.” Note that the calculators on this web site are NOT MDDTs, but should be validated against the rubric before relying upon them.
Desktop Tools
- MedSec’s Excel spreadsheet calculator