LIVE — Last crawled: 2026-05-07 17:57 JST
Vol.1 — May 8, 2026
MSC Portal Regulatory Watch All Entries (29)
Standards, Guidance & Notices
Showing 21–29 of 29
IEC
IEC 81001-5-1:2021
Health software and health IT systems safety, effectiveness and security — Part 5-1: Security activities in the product life cycle
PUBLISHED NEW Cybersecurity
Establishes a common framework for secure health software life cycle processes. Defines security activities and tasks to increase cybersecurity of health software.
Published: 2021-12-01
NIST
IR
IR 8259B
IoT Non-Technical Supporting Capability Core Baseline
PUBLISHED NEW Cybersecurity
Non-technical supporting capabilities are actions a manufacturer or third-party organization performs in support of the cybersecurity of an IoT device. This publication defines an Internet of Things (IoT) device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This publication is intended to be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline.
Published: 2021-08-25
NIST
IR
IR 8259C
Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline
DRAFT NEW Cybersecurity
The core baseline in NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline and the non-technical baseline in NISTIR 8259B, IoT Manufacturer Non-Technical Supporting Capability Core Baseline can be expanded upon based on more specific contextual information. Using source material with information pertinent to IoT device customers’ needs and goals, the central concepts of the NISTIR 8259 series can be used to guide the development of new elaboration on device cybersecurity capabilities an IoT device may need and the non-technical supporting capabilities that may be needed in relation to the IoT device. This process of expanding on the core baseline and non-technical baseline using additional contextual information is called profiling. A process by which readers of the NISTIR 8259 series can profile source documents is described in this publication.
Published: 2020-12-15
EU
MDCG
MDCG 2019-16 rev.1
Guidance on cybersecurity for medical devices
PUBLISHED NEW Cybersecurity
MDCG 2019-16 rev.1 — Guidance on cybersecurity for medical devices — (July 2020)
Published: 2020-07-01
NIST
IR
IR 8259A
IoT Device Cybersecurity Capability Core Baseline
PUBLISHED NEW Cybersecurity
Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. This publication can be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers.
Published: 2020-05-29
NIST
IR
IR 8259
Foundational Cybersecurity Activities for IoT Device Manufacturers
PUBLISHED NEW Cybersecurity
Internet of Things (IoT) devices often lack device cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving how securable the IoT devices they make are by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices.
Published: 2020-05-29
IMDRF
IMDRF/CYBER WG/N60FINAL:2020
Principles and Practices for Medical Device Cybersecurity (FINAL 2020)
PUBLISHED NEW Cybersecurity
This core document establishes international principles and practices for medical device cybersecurity, covering the complete device lifecycle. It specifies requirements for security by design, vulnerability management, and incident response frameworks. Manufacturers should integrate cybersecurity considerations throughout product development, maintenance, and end-of-life phases. The document serves as the common foundation referenced in Japan's Basic Principles for Conformity Assessment of Medical Devices (Article 12, Paragraph 3), FDA 2023 final cybersecurity guidance, and EU MDCG cybersecurity guidance. Japanese regulatory authorities directly reference this document in official notifications, making it essential for regulatory compliance in multiple jurisdictions.
Published: 2020-03-01
NIST
FIPS
FIPS 140-3
Security Requirements for Cryptographic Modules
PUBLISHED NEW Cybersecurity
The selective application of technological and related procedural safeguards is an important responsibility of every federal organization in providing adequate security in its computer and telecommunication systems.   This standard is applicable to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106 and the Federal Information Security Management Act of 2002, Public Law 107-347.  This standard shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or are operated for them under contract.  The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments.  The security requirements cover areas related to the s
Published: 2019-03-22
FDA
CDRH
FDA-Cybersecurity-OTS-2005
Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
PUBLISHED NEW Cybersecurity
This FDA guidance document (2005) addresses cybersecurity management for network-connected medical devices incorporating off-the-shelf (OTS) software components. The guidance delineates responsibility allocation between manufacturers and healthcare facility information technology personnel, acknowledging shared accountability for device cybersecurity posture. Key technical topics include operating system patch management, antivirus software deployment, network access controls, and authentication mechanisms. The document establishes that manufacturers bear primary responsibility for device design incorporating security controls, while healthcare facilities assume responsibility for network infrastructure, patch management, and periodic security assessments appropriate to their operational environments. While superseded by more contemporary 2023 guidance addressing current cybersecurity threats and FDA regulatory expectations, this 2005 document provides valuable historical context for understanding the evolution of FDA cybersecurity requirements. Manufacturers and healthcare organizations benefit from understanding these foundational cybersecurity management principles, which remain relevant despite advances in the threat landscape and technology. The document emphasizes that cybersecurity is a shared responsibility requiring collaboration between device manufacturers and end-users.
Published: 2005-01-14