Rubric for Applying CVSS to Medical Devices

The United States Food and Drug Administration (FDA), under its Medical Device Development Tool (MDDT) program, has recently (as of October 20, 2020) qualified a cybersecurity MDDT that includes a series of structured questions to be used along with the Common Vulnerability Scoring System (CVSS) v3.0 to reliably calculate the severity of security vulnerabilities in medical devices and to aid in vulnerability disclosure. See the following links for more details: Deep Armor's blog on the Rubric for CVSS, and the Official Guidance Document from MITRE.

Deep Armor has developed this online calculator for applying the rubric: it records the answers to the extended vector elements (the X-prefixed codes listed below) and presents the resulting CVSS score and vector.

Rubric questions, grouped by CVSS base metric (the code in parentheses is the extended vector element recorded for each answer):

Attack Vector (AV)
    Q1 (XAVN)
    Q2 (XAVT)
    Q3 (XAVW)
    Q4 (XAVR)
    Q5 (XAVP)
    Q5.1 (XAVPA)

Attack Complexity (AC)
    Q1 (XACL)

Privileges Required (PR)
    Q1 (XPRL)
    Q2 (XPRZ)
    Q3 (XPRS)

User Interaction (UI)
    Q1 (XUI)

Scope
    Q1 (XS)

Impact metrics (one question per category for Confidentiality, Integrity and Availability):

Data or functionality category                                          Confidentiality   Integrity     Availability
For any PHI/PII data                                                    Q1.C (XCP)        Q1.I (XIP)    Q1.A (XAP)
                                                                        Q1.1.C (XCPM)
For any data or functionality related to diagnosis or monitoring        Q2.C (XCD)        Q2.I (XID)    Q2.A (XAD)
For any data or functionality related to the delivery of therapy        Q3.C (XCT)        Q3.I (XIT)    Q3.A (XAT)
For any data or functionality related to clinical workflow              Q4.C (XCW)        Q4.I (XIW)    Q4.A (XAW)
For any data or functionality related to private system or
system-user data, e.g. passwords or private keys                        Q5.C (XCS)        Q5.I (XIS)    Q5.A (XAS)
For any other kind of critical, sensitive data or functionality         Q6.C (XCO)        Q6.I (XIO)    Q6.A (XAO)

Outputs:
    Rubric CVSS Score
    Rubric CVSS Vector

We would love to get your feedback, bug reports and comments. Reach out to us at cvss-rubric@deeparmor.com.

Disclaimer: This tool is in an experimental state. Deep Armor does not provide any assurance on the quality of this tool.

Acknowledgement

We use the CVSSjs calculator developed by Chandan BN: https://github.com/chandanbn/cvss.

Deep Armor 2020. All Rights Reserved.