The Food & Drug Administration (FDA) has issued a response to NIST concerning the Executive Order (EO) on Improving the Cybersecurity of the Federal Government (EO 14028), dated 26 May 2021.
The document, Response to NIST Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security, summarizes “established FDA practices and efforts presently underway for OT cybersecurity in the greater medical device ecosystem,” with focus on the following NIST identified areas in question:
- Criteria for designating “critical software”
- Standards and guidelines for federal purchasing
- Guidelines outlining security measures that shall be applied to the federal government’s use of critical software
- Initial minimum requirements for testing software source code
- Guidelines for software integrity chains and provenance
Notably, the response includes a phased-in approach to implementing a Cybersecurity Bill of Materials (CBOM) for premarket submissions. For more information regarding CBOM, please visit the article published by SoftwareCPR last year.
There is also a particular emphasis on threat modeling and penetration testing, with statements about their high perceived value for security testing aimed at unknown vulnerabilities.
The document can be found on the FDA website or at the link below.