Sternum Products Support Compliance

With the FDA Premarket Cybersecurity Guidance, as well as NIST Baseline for IoT Cybersecurity

In late 2018, the FDA released new guidance entitled Content of Premarket Submission for Management of Cybersecurity in Medical Devices.

Satisfying the requirements outlined in the FDA premarket cybersecurity guidance not only helps ensure the development of safe and secure medical devices, but also increases the likelihood of your device obtaining FDA clearance. Sternum’s top priority is ensuring the security of embedded devices. We are proud to share some of the ways in which our technology meets the key requirements outlined in the new FDA guidance.

FDA Cybersecurity Guidance - key requirements

Line 320

Documentation demonstrating trustworthiness

"documentation related to design controls, and specifically design validation, software validation and risk analysis…"

Sternum provides documentation that outlines possible threats and how Sternum’s technology mitigates them. This analysis and documentation help manufacturers demonstrate the trustworthiness of their devices and make it easier to assess a device’s safety with respect to cybersecurity.

Line 455

Verify the integrity of all incoming data

"ensuring it is not modified in transit or at rest, and it is well-formed/compliant with the expected protocol/specification."

Sternum EIV ensures the integrity of the device’s behavior at all times during real-time execution. This means that modified, malformed or malicious incoming data will be detected, and any attack attempt that relies on malformed incoming data will be mitigated and prevented.
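The requirement quoted above has two halves: the data must not have been modified in transit or at rest, and it must be well-formed under the expected protocol. The following is an added illustration, not Sternum's code and not taken from the FDA guidance, of how a device-side receiver can enforce both before acting on a message. The frame layout, the record types and the device key are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed example key provisioned on the device (assumption of this example, not a real key).
DEVICE_KEY = b"example-device-key-do-not-use-in-production"

# Constructed wire format: magic (2) | protocol version (1) | payload length (2, big-endian)
# followed by the payload and a 32-byte HMAC-SHA256 tag over header + payload.
MAGIC = b"\xA5\x5A"
PROTOCOL_VERSION = 1
HEADER = struct.Struct(">2sBH")
TAG_LEN = hashlib.sha256().digest_size
# Constructed payload protocol: one record = kind (1 byte) + signed 32-bit value.
RECORD = struct.Struct(">Bi")
ALLOWED_KINDS = {1: "heart_rate", 2: "spo2"}


class FrameError(ValueError):
    """Raised when a frame fails an integrity or well-formedness check."""


def build_frame(kind: int, value: int, key: bytes = DEVICE_KEY) -> bytes:
    """Sender side: pack a record and authenticate header + payload."""
    payload = RECORD.pack(kind, value)
    header = HEADER.pack(MAGIC, PROTOCOL_VERSION, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def parse_frame(frame: bytes, key: bytes = DEVICE_KEY) -> dict:
    """Receiver side: reject anything that is not intact and well-formed."""
    # 1. Structural checks that need no trust in the content.
    if len(frame) < HEADER.size + TAG_LEN:
        raise FrameError("frame too short")
    magic, version, length = HEADER.unpack_from(frame, 0)
    if magic != MAGIC:
        raise FrameError("bad magic")
    if version != PROTOCOL_VERSION:
        raise FrameError(f"unsupported protocol version {version}")
    if len(frame) != HEADER.size + length + TAG_LEN:
        raise FrameError("length field does not match frame size")
    body = frame[:HEADER.size + length]
    tag = frame[HEADER.size + length:]
    # 2. Integrity check (constant-time compare) before the payload is interpreted at all.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise FrameError("integrity check failed")
    # 3. Well-formedness against the expected protocol/specification.
    payload = body[HEADER.size:]
    if len(payload) != RECORD.size:
        raise FrameError("payload has unexpected size")
    kind, value = RECORD.unpack(payload)
    if kind not in ALLOWED_KINDS:
        raise FrameError(f"unknown record kind {kind}")
    return {"kind": ALLOWED_KINDS[kind], "value": value}


def check(frame: bytes, key: bytes = DEVICE_KEY):
    """Return the parsed record, or a string naming why the frame was rejected."""
    try:
        return parse_frame(frame, key)
    except FrameError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = build_frame(1, 72)
    print(check(good))                      # parsed record
    damaged = bytearray(good)
    damaged[6] ^= 0x01                      # flip one payload bit
    print(check(bytes(damaged)))            # rejected: integrity check failed
    print(check(good[:-1]))                 # rejected: length field does not match frame size
    print(check(build_frame(9, 1)))         # rejected: unknown record kind 9
```

The order of the checks is the point: size and header fields are validated first, the tag is verified over the exact bytes that were received, and only then is the payload decoded against the protocol's record definition. A single flipped bit, a truncated frame, a wrong key, or a record kind outside the specification are all rejected before any value reaches the application.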

Line 470

Execution Integrity

"Where feasible, use industry-accepted best practices to maintain/verify integrity of code while it is being executed on the device."

Sternum EIV ensures the integrity of the execution flow and is applied to the device automatically, allowing you to maintain the execution integrity on both pre-market as well as post-market devices.

Line 492

Detect, Respond, Recover: Design Expectations

"Appropriate design should anticipate the need to detect and respond to dynamic cyber security risks, including the need for deployment of cyber security routine updates and patches as well as emergency workarounds."

With Sternum's ADS, all devices are registered and can be uniquely identified, including devices that are not connected to a managed network.

Line 540

Design the Device to Recover Capabilities

“Implement device features that protect critical functionality and data, even when the device’s cyber security has been compromised.”

Sternum's multi-layer endpoint protection makes it possible to protect the critical components of the device even when other components have been exploited. For more information about this capability, please contact us.

In mid-2019, the NIST Cybersecurity for IoT Program released the draft of its Core Cybersecurity Feature Baseline for Securable IoT Devices (Draft NISTIR 8259). This baseline complements another NIST publication: Considerations for Managing Internet of Things Cybersecurity and Privacy Risks (NISTIR 8228).


While both guidance documents are currently voluntary, satisfying the requirements outlined in them not only helps ensure the development of safe and secure IoT devices, but also increases the likelihood of your device meeting the upcoming IoT Cybersecurity Act.

We are proud to share some of the ways in which our technology meets the key requirements outlined in the NIST IoT security guidance.

NIST IoT Cybersecurity Guidance - key requirements

Page 10

Device Identification

"The IoT device can be uniquely identified logically and physically."  

With Sternum's ADS, all devices are registered and can be uniquely identified, including devices that are not connected to a managed network.

Page 11

Data Protection

"The IoT device can protect the data it stores and transmits from unauthorized access and modification."

Sternum's EIV protects against unauthorized access to and modification of data stored on the device. By maintaining the integrity of the device at all times, EIV identifies and prevents intrusions and attack attempts on the device, and thereby helps keep the data stored on the device secure.

Page 11

Logical Access to Interfaces

"The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only."

With EIV for Linux-based IoT devices, network interfaces and operations can be restricted and configured. To limit logical access, contact us for consulting and services.

Page 12

Software and Firmware Update

"The IoT device’s software and firmware can be updated by authorized entities only using a secure and configurable mechanism."

Sternum’s secure over-the-air mechanism offers a scalable and configurable update mechanism suited to the needs of IoT devices. Additionally, EIV automatically protects existing over-the-air update mechanisms to preserve the integrity of the update process at all times.
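The quoted NIST requirement is that updates come only from authorized entities through a secure mechanism. As an added illustration (not Sternum's update mechanism and not code from NISTIR 8259), the device-side logic below accepts a firmware image only if its manifest was issued by the update authority, the image matches the hash in that manifest, and the version moves forward so an old, authentic image cannot be replayed. The manifest format and the authority key are assumptions of this example; a shared HMAC key is used so the example runs with the standard library alone, whereas a deployed design would put an asymmetric signature on the manifest so the device holds only a public key.

```python
import hashlib
import hmac
import json

# Constructed example key shared by the update authority and the device (assumption of this example).
UPDATE_AUTHORITY_KEY = b"example-update-authority-key-do-not-use"


class UpdateRejected(Exception):
    """Raised when an offered update fails authentication, integrity or rollback checks."""


def make_manifest(version: int, image: bytes) -> dict:
    """Authority side: describe an image by version, size and SHA-256 digest."""
    return {"version": version, "size": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def sign_manifest(manifest: dict, key: bytes = UPDATE_AUTHORITY_KEY) -> bytes:
    """Authority side: canonical JSON body followed by a newline and an HMAC-SHA256 tag (hex)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


class Updater:
    """Device side: verify before apply; never trust a manifest field before its tag is checked."""

    def __init__(self, installed_version: int, key: bytes = UPDATE_AUTHORITY_KEY):
        self.installed_version = installed_version
        self.key = key

    def verify(self, signed_manifest: bytes, image: bytes) -> dict:
        body, _, tag = signed_manifest.rpartition(b"\n")
        if not body:
            raise UpdateRejected("malformed manifest")
        # 1. Authorization: only the update authority can produce a valid tag.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            raise UpdateRejected("manifest not issued by the update authority")
        manifest = json.loads(body)
        # 2. Rollback protection: an authentic but older image is still refused.
        if manifest["version"] <= self.installed_version:
            raise UpdateRejected(
                f"version {manifest['version']} is not newer than installed {self.installed_version}"
            )
        # 3. Image integrity: the bytes on hand must be exactly what the manifest describes.
        if manifest["size"] != len(image):
            raise UpdateRejected("image size mismatch")
        digest = hashlib.sha256(image).hexdigest()
        if not hmac.compare_digest(digest, manifest["sha256"]):
            raise UpdateRejected("image hash mismatch")
        return manifest

    def apply(self, signed_manifest: bytes, image: bytes) -> int:
        manifest = self.verify(signed_manifest, image)
        # A real device would now write the image to its inactive slot and switch on next boot.
        self.installed_version = manifest["version"]
        return self.installed_version


if __name__ == "__main__":
    image = b"constructed-firmware-image-v2"          # constructed sample image
    offer = sign_manifest(make_manifest(2, image))
    device = Updater(installed_version=1)
    print("installed version:", device.apply(offer, image))   # 2
    for label, manifest, img in [
        ("replay of v2", offer, image),
        ("altered image", offer, image + b"x"),
        ("forged manifest", sign_manifest(make_manifest(3, image), key=b"not-the-authority"), image),
    ]:
        try:
            device.verify(manifest, img)
        except UpdateRejected as exc:
            print(f"{label}: rejected ({exc})")
```

Keeping `verify` separate from `apply` mirrors the "secure and configurable mechanism" wording: the policy checks (who signed it, is it newer, does the image match) are a unit that can be run and logged on its own, and the device state changes only after every check passes.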

Page 12

Cybersecurity State Awareness

“The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only.”

ADS provides real-time and constant logging of different cybersecurity events from within the device. Moreover, ADS logging also includes events occurring in third-party components such as operating systems and communication libraries. All of the data and logs are accessible via a secured platform.

Let’s talk.

To further explore how Sternum can protect your devices from cybersecurity threats while satisfying FDA regulations, please contact us.