New Medical Device Development Tool (MDDT) Qualification for Cybersecurity

If your email program has trouble displaying this email, view as a webpage.

US Food and Drug Administration

The FDA Qualifies New Cybersecurity Medical Device Development Tool

The U.S. Food and Drug Administration (FDA) has qualified the The Mitre “Rubric For Applying the cybersecurity Common Vulnerability Scoring System (CVSS) To Medical Devices.” Additionally, the FDA recognized the cybersecurity standard CVSSv3.0.

Using the tool and CVSSv3.0 together allows a common framework for risk evaluation and communication between all parties involved in a security vulnerability disclosure, particularly when discussing its severity and urgency.

Using the tool in the same way, the security researcher, the manufacturer, the health care provider, the FDA, and the Department of Homeland Security can employ a consistent and coordinated approach to addressing cybersecurity vulnerabilities in medical devices, consistent with the recommendations in the FDA’s guidance for postmarket management of medical device cybersecurity.

Read the Summary

Benefits of Tool Qualification

The FDA’s qualification of a medical device development tool (MDDT) is different from the FDA marketing authorization (clearance or approval) of a medical device.  Qualified MDDTs are not intended for clinical diagnosis or treatment of a patient outside of medical device development studies.

Having a qualified tool means that product evaluation can be done more predictably and efficiently by providing innovators with the tools and techniques that the FDA has found to be acceptable for their purposes. This can eliminate much of the risk and uncertainty developers often experience in product development. The use of a qualified tool also allows FDA regulators to concentrate on the most important aspects of the process and ensure that the end products are developed in a safe and timely manner.


If you have questions about the MDDT Program, contact