SBOM, CBOM, OTS, COTS, SOUP - The complete guide Part 3

There are lots of names used in different regulations and standards to describe software components not developed according to your own IEC 62304 inspired processes.

This article explains what these terms mean, how the work you're doing is related to them & what you need to do to ensure efficiency.

The first article covered the most commonly used terms that occur in regulations about medical device related software, and some abbreviations that are very often used in this context. The goal is to help you understand what they mean, where they come from and what the differences and overlaps are.

This article mainly focuses on the terms that are specific to cybersecurity.

Most important terms for Cybersecurity

Note: Regulations on cybersecurity cover the design of devices and processes in the manufacturer's, the operator's and the user's environment. In this article, we refer to the cybersecurity regulations that apply to medical device manufacturers for the US and the EU market.

The goal of this article is not a comprehensive guide on cybersecurity, but rather an overview of certain terms and abbreviations that can be found in such guides.

The FDA and the EU Commission both demand that medical device manufacturers provide devices that mitigate risks to patients and users to the lowest possible level. This includes risks that may arise from data and from connections to other devices, which is especially the case for software-based devices and devices with connectivity to the internet or other computer networks.

Manufacturers have to analyse and manage the potential risks for the devices and the data processed, as well as the potential risks that these devices can pose to connected devices.

The most basic standard for medical device cybersecurity for the USA and the EU is ISO/IEC 27000:2018; most terms in this article will refer to this standard.

Security/Cybersecurity

State where information and systems are protected from unauthorized activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the risks related to violation of confidentiality, integrity, and availability are maintained at an acceptable level throughout the life cycle.

This article covers more cybersecurity risk management terms whereas part 1 explained the base terminology for cybersecurity.

Measures for communication of cybersecurity information

ASF

ASF in this context refers to an Application Security Framework. It provides operations and security teams of dedicated IT applications with a reliable, standardized, and systematic approach to mitigating cyber risk. Most frameworks provide a strategic plan for protecting data, infrastructure, and information systems, which can help IT and security organizations effectively manage cyber risk.

One example of an Application Security Framework is the NIST Cybersecurity Framework.

Using an ASF ensures compliance with underlying regulations such as GDPR or HIPAA.

CVSS

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.

The CVSS specifications are owned and managed by FIRST.Org, Inc. (FIRST). The official CVSS documentation can be found at https://www.first.org/cvss/.

NIST publishes CVSS scores for published vulnerabilities (CVEs) in the (US) National Vulnerability Database (NVD).

MDS2

The Manufacturer Disclosure Statement for Medical Device Security, generally abbreviated MDS2 (or MDS²), gives healthcare providers important cybersecurity information so they can evaluate the security capabilities of their devices or compare new devices when making product selections.

SDLC

The software development lifecycle (SDLC) is the cost-effective and time-efficient process that development teams use to design and build high-quality software. The goal of SDLC is to minimize project risks through forward planning so that software meets customer expectations during production and beyond.

During this process, the most effective means to ensure application safety can be implemented. Therefore, during this process, all potential cybersecurity risks must be thoroughly analysed and managed. This needs to be proven to gain compliance certifications according to the applicable base regulation for the application or product developed.

STRIDE

STRIDE is a model for identifying computer security threats developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for security threats in six categories.

It is used in conjunction with a model of the target system that can be constructed in parallel. This includes a full breakdown of processes, data stores, data flows, and trust boundaries.

Threat Model

Threat modeling is a structured process with these objectives: identify security requirements, pinpoint security threats and potential vulnerabilities, quantify threat and vulnerability criticality, and prioritize remediation methods.

Threat modeling is required to gain compliance with the requirements for medical device cybersecurity from the FDA and the MDR and other base regulations. The goal of threat modelling is to protect critical parts of an application or IT system from failure or data manipulation/exposure due to intentional or unintentional threats from connected computer systems or other interfaces, including human interfaces.

There are various methods for threat modelling. It is possible to use tools which contain information about existing weaknesses, vulnerabilities and threats as well as architecture information of common computing hardware and software products. However, it is also possible to use manual activities for threat modelling and mitigation, although this will only be feasible for applications with a very small layer stack or self-coded applications without use of other operating systems or 3rd party libraries.
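As an added example for both the STRIDE and the threat model sections above (not code from the original article), the following script applies STRIDE per element to a small data-flow model made of processes, data stores, external entities, data flows and trust boundaries. The applicability chart (which of the six categories apply to which element type) and the security property each category violates follow Microsoft's published STRIDE guidance; the device model itself is constructed and hypothetical.

```python
from dataclasses import dataclass

# Added example: STRIDE-per-element enumeration over a data-flow model.
# Category -> (name, security property it violates), per Microsoft STRIDE guidance.
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# STRIDE-per-element chart: which categories apply to which DFD element type.
APPLICABLE = {
    "external": "SR",      # external entity (user, other system)
    "process": "STRIDE",   # code that runs
    "datastore": "TRID",   # files, databases, logs
    "dataflow": "TID",     # data in transit between elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" | "process" | "datastore"
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        # A trust boundary is crossed when the two ends are in different zones.
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    violates: str
    across_boundary: bool


def enumerate_threats(elements, flows):
    """One candidate threat per (element, applicable STRIDE category).
    Flows crossing a trust boundary, and the elements at either end of such a
    flow, are flagged so they can be reviewed first."""
    touched = set()
    for f in flows:
        if f.crosses_boundary():
            touched.update({f.src.name, f.dst.name})
    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            cat, prop = STRIDE[code]
            threats.append(Threat(e.name, cat, prop, e.name in touched))
    for f in flows:
        for code in APPLICABLE["dataflow"]:
            cat, prop = STRIDE[code]
            threats.append(Threat(f.name, cat, prop, f.crosses_boundary()))
    return threats


def prioritised(threats):
    """Boundary-crossing threats first, then grouped by target, for the review agenda."""
    return sorted(threats, key=lambda t: (not t.across_boundary, t.target, t.category))


def build_sample_model():
    # Constructed model of a hypothetical connected device (not a real product).
    ws = Element("Clinician workstation", "external", "hospital-lan")
    api = Element("Device web service", "process", "device")
    db = Element("Patient data store", "datastore", "device")
    flows = [
        Flow("HTTPS request", ws, api),       # crosses hospital-lan -> device boundary
        Flow("Record read/write", api, db),   # stays inside the device zone
    ]
    return [ws, api, db], flows


if __name__ == "__main__":
    elements, flows = build_sample_model()
    for t in prioritised(enumerate_threats(elements, flows)):
        flag = "*" if t.across_boundary else " "
        print(f"{flag} {t.target:22} {t.category:24} violates {t.violates}")
```

Each generated row is only a candidate: the manual part of threat modelling is deciding, per row, whether an existing control already mitigates it, and recording that decision is what the FDA and MDR documentation expectations mentioned above are about.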

Vulnerability

A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system. After exploiting a vulnerability, an attacker can run malicious code, install malware, or steal or manipulate data. Any of these activities can affect humans, sensitive information, the computer system itself or other connected systems.

Vulnerabilities of software and hardware products and components are published by their vendors or other organisations and listed in the Common Vulnerabilities and Exposures (CVE) catalog maintained by the MITRE organisation.

Weakness

A weakness is a feature, effect or side-effect of a software or hardware component due to its architecture, its function or its implementation/construction.

Weaknesses can lead to exploitable vulnerabilities.

Weaknesses are researched by cybersecurity experts in order to avoid implementation of weaknesses when creating and developing software and hardware systems.

Weaknesses are listed by the MITRE organisation in the Common Weakness Enumeration (CWE) database.

A human being is still the weakest link in cyber security. Whether due to intended or unintended misuse or use errors, it's always the human element.

Organizations that define and publish guidances and standards for cybersecurity

ANSI

ANSI (American National Standards Institute) is the main organization supporting the development of technology standards in the United States. ANSI works with industry groups, and it is the U.S. member of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ANSI publishes US state-of-the-art guidances and standards; it is a counterpart, for instance, to DIN at the German national level.

ENISA

The European Union Agency for Cybersecurity (ENISA), a nonprofit organization, is the Union's agency dedicated to achieving a high common level of cybersecurity across Europe.

ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.

ENISA acts as the institution working EU-wide on the implementation of regulations such as the EU Cybersecurity Act, by providing advice and expertise and by acting as a Union centre of information and knowledge.

ENISA also provides best practices and guidance on available tools and on procedures for information system security in the EU. This includes the creation of languages and formats for the exchange of incident and vulnerability information.

ENISA supports the prevention, detection and resolution of incidents through a network of Computer Security Incident Response Teams (CSIRTs), the EU CSIRTs Network.

ENISA can be seen as a counterpart to NIST and FIRST.

FIRST

FIRST is a US-based non-profit organization whose mission is to help computer security incident response teams across the world.

FIRST defines common language, policy and governance, and provides platforms, means and tools to ensure a safe internet globally.

FIRST set up and manages the Common Vulnerability Scoring System (CVSS) for evaluating cybersecurity threats.

MITRE

The MITRE Corporation is a US not-for-profit organization that acts as a connector between the US government and industry. It manages federally funded research and development centers (FFRDCs) supporting various U.S. government agencies in the aviation, defense, healthcare, homeland security, and cybersecurity fields, among others.

Within its focus on cybersecurity, MITRE creates and publishes lists of vulnerabilities, weaknesses and mitigation measures for software and hardware products regarding cybersecurity:

  • CVE (the CVE® list of cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered, then assigned and published by organizations from around the world that have partnered with the CVE Program.),

  • CWE (CWE™ is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.), and

  • CAPEC (CAPEC™, Common Attack Pattern Enumeration and Classification - a community resource for identifying and understanding attacks).

NIST

The National Institute of Standards and Technology (NIST) in the USA does not create but promotes standards, and creates measurement solutions. The mission of NIST is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

With the Cybersecurity Framework NIST established a common language for information security activities and issues and their evaluation and classification.

NIST also publishes lists (catalogs) of measures and actions to take to ensure the highest possible protection and prevention levels for various technologies, and thus also for the safety of information systems.

OWASP

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation.

OWASP has worldwide local chapters. OWASP Local Chapters build community for application security professionals around the world.

Base regulations on cybersecurity

Base regulations on cybersecurity are, above all, aimed at the protection of personal data.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a US public law that governs the privacy and security of Protected Health Information (PHI) in the US.

It can be seen as a counterpart to the GDPR in the EU.

GDPR

GDPR stands for General Data Protection Regulation. It is a European Union (EU) law. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person).

RED

The Radio Equipment Directive (RED, EU directive 2014/53/EU) established a regulatory framework for placing radio equipment on the market in the EU. It contains an Article which strengthens personal data and privacy protection. For example, device manufacturers will have to implement measures to prevent unauthorized access to or transmission of consumers' personal data. This Article also aims at reducing the risk of fraud.

About the Author
Regina Preysing
Partnerships Manager