Cybersecurity Risk Assessor Skill
Purpose
The Cybersecurity Risk Assessor Skill evaluates cybersecurity risks for medical devices per FDA guidance and IEC 81001-5-1, supporting threat modeling, vulnerability assessment, and security control implementation.
Capabilities
- •Threat modeling (STRIDE methodology)
- •Vulnerability assessment
- •SBOM (Software Bill of Materials) generation
- •Security control identification
- •Penetration testing planning
- •Cybersecurity documentation for FDA submissions
- •Attack surface analysis
- •Security architecture review
- •Coordinated vulnerability disclosure planning
- •Postmarket cybersecurity management
- •Patch management planning
Usage Guidelines
When to Use
- •Assessing device cybersecurity risks
- •Planning penetration testing
- •Preparing FDA cybersecurity submissions
- •Managing software dependencies
Prerequisites
- •Software architecture documented
- •Network connectivity defined
- •Data flows identified
- •Third-party components cataloged
Best Practices
- •Integrate cybersecurity from design inception
- •Maintain current SBOM
- •Plan for security updates throughout lifecycle
- •Establish vulnerability disclosure process
Process Integration
This skill integrates with the following processes:
- •Software Development Lifecycle (IEC 62304)
- •Medical Device Risk Management (ISO 14971)
- •510(k) Premarket Submission Preparation
- •Post-Market Surveillance System Implementation
Dependencies
- •FDA Cybersecurity guidance
- •IEC 81001-5-1 standard
- •SBOM tools (CycloneDX, SPDX)
- •Vulnerability databases (NVD, CVE)
- •Threat modeling frameworks
Configuration
yaml
cybersecurity-risk-assessor:
threat-methodologies:
- STRIDE
- PASTA
- attack-trees
sbom-formats:
- CycloneDX
- SPDX
security-tiers:
- Tier-1-higher
- Tier-2-standard
control-frameworks:
- NIST-CSF
- IEC-62443
Output Artifacts
- •Threat models
- •Vulnerability assessments
- •SBOM documents
- •Security architecture documents
- •Penetration test plans
- •FDA cybersecurity submissions
- •Security control matrices
- •Patch management plans
Quality Criteria
- •All threat vectors identified
- •Vulnerabilities assessed with CVSS scores
- •SBOM is complete and current
- •Security controls address identified risks
- •Documentation meets FDA requirements
- •Postmarket security plan established