Postmarket risk

Controlled vs Uncontrolled Risk Classifier

Decide whether a fielded vulnerability is controlled or uncontrolled under the FDA postmarket cybersecurity framework. Six questions, FDA-aligned verdict, and the next actions.

Reviewed by

Christian Espinosa

Founder & CEO, Blue Goat Cyber

Last reviewed June 26, 2026

1. Is the vulnerable code reachable in the deployed device configuration?

Reachability = an attacker can actually invoke the affected code path given how the device ships and is used.

No - the vulnerable function is not called or the interface is disabled

Only after authentication / on a trusted network

Yes - reachable from a normal user-facing or network-facing path

2. If exploited, what is the worst credible patient-safety consequence (ISO 14971)?

No patient-safety impact (data confidentiality only, no PHI)

Inconvenience or temporary minor injury

Serious injury, delayed therapy, or PHI exposure

Permanent impairment, death, or wide-scale therapy disruption

3. What is the public exploit signal today?

Use CISA KEV, EPSS, public PoC, and active-exploitation reporting.

Theoretical - no PoC, low EPSS (<5%)

Public PoC exists, EPSS moderate (5-30%)

Listed in CISA KEV or actively exploited in the wild

4. What access does an attacker need?

Physical access + disassembly (e.g. JTAG)

Local network + valid credentials

Adjacent network (BLE, Wi-Fi range, same VLAN)

Remote / internet-reachable, no authentication

5. What compensating controls are in place right now?

Strong: signed firmware, secure boot, network segmentation, MFA - exploit path is blocked

Partial: some controls reduce likelihood but not all paths blocked

None or untested

6. Can you detect exploitation attempts in fielded devices?

Yes - device or cloud telemetry catches anomalous behavior

Partial - hospital can detect but manufacturer has no telemetry

No detection capability

What you'll see after you submit

Six questions - reachability, harm, exploit signal, access, mitigations, monitoring

Verdict: Controlled, Uncontrolled-monitor, or Uncontrolled-action required.
Hard rule: any CISA KEV vulnerability with serious patient-harm pathway is uncontrolled-action.
Per-verdict FDA timeline plus a next-actions checklist.
Printable record for the risk file and the postmarket CAPA log.

Common misconceptions

What teams usually get wrong

Myth: A high CVSS score means uncontrolled risk.

Reality: CVSS measures the vulnerability, not your residual risk. A 9.8 in unreachable code with secure boot can be controlled; a 6.5 in a network-reachable, KEV-listed library may not be.
Myth: If we patched it, it was never uncontrolled.

Reality: Classification is based on the state at discovery, not after remediation. Document the controlled/uncontrolled decision at the moment you learned about the vulnerability.
Myth: Uncontrolled risk always means a recall.

Reality: It triggers customer notification, mitigation, and 21 CFR 806 evaluation - which may or may not be a recall depending on the correction.