AgentSkillsCN

cybersecurity-risk-assessor

根据美国食品药品监督管理局(FDA)的上市前与上市后指南,掌握医疗器械网络安全风险评估技能

SKILL.md
--- frontmatter
name: cybersecurity-risk-assessor
description: Medical device cybersecurity risk assessment skill per FDA premarket and postmarket guidance
allowed-tools:
  - Read
  - Write
  - Glob
  - Grep
  - Edit
  - Bash
metadata:
  specialization: biomedical-engineering
  domain: science
  category: Risk Management
  skill-id: BME-SK-010

Cybersecurity Risk Assessor Skill

Purpose

The Cybersecurity Risk Assessor Skill evaluates cybersecurity risks for medical devices per FDA guidance and IEC 81001-5-1, supporting threat modeling, vulnerability assessment, and security control implementation.

Capabilities

  • Threat modeling (STRIDE methodology)
  • Vulnerability assessment
  • SBOM (Software Bill of Materials) generation
  • Security control identification
  • Penetration testing planning
  • Cybersecurity documentation for FDA submissions
  • Attack surface analysis
  • Security architecture review
  • Coordinated vulnerability disclosure planning
  • Postmarket cybersecurity management
  • Patch management planning

Usage Guidelines

When to Use

  • Assessing device cybersecurity risks
  • Planning penetration testing
  • Preparing FDA cybersecurity submissions
  • Managing software dependencies

Prerequisites

  • Software architecture documented
  • Network connectivity defined
  • Data flows identified
  • Third-party components cataloged

Best Practices

  • Integrate cybersecurity from design inception
  • Maintain current SBOM
  • Plan for security updates throughout lifecycle
  • Establish vulnerability disclosure process

Process Integration

This skill integrates with the following processes:

  • Software Development Lifecycle (IEC 62304)
  • Medical Device Risk Management (ISO 14971)
  • 510(k) Premarket Submission Preparation
  • Post-Market Surveillance System Implementation

Dependencies

  • FDA Cybersecurity guidance
  • IEC 81001-5-1 standard
  • SBOM tools (CycloneDX, SPDX)
  • Vulnerability databases (NVD, CVE)
  • Threat modeling frameworks

Configuration

yaml
cybersecurity-risk-assessor:
  threat-methodologies:
    - STRIDE
    - PASTA
    - attack-trees
  sbom-formats:
    - CycloneDX
    - SPDX
  security-tiers:
    - Tier-1-higher
    - Tier-2-standard
  control-frameworks:
    - NIST-CSF
    - IEC-62443

Output Artifacts

  • Threat models
  • Vulnerability assessments
  • SBOM documents
  • Security architecture documents
  • Penetration test plans
  • FDA cybersecurity submissions
  • Security control matrices
  • Patch management plans

Quality Criteria

  • All threat vectors identified
  • Vulnerabilities assessed with CVSS scores
  • SBOM is complete and current
  • Security controls address identified risks
  • Documentation meets FDA requirements
  • Postmarket security plan established