The U.S. Army Medical Materiel Agency (USAMMA) earlier this year has entered into a Cooperative Research and Development Agreement (CRADA) with DeltaStrac LLC to start a new Cybersecurity Pre-Assessment Process for medical device vendors seeking to do business with the Army.
Many modern medical devices connect to the hospital networks and in an effort to ensure medical devices purchased by the Government do not introduce security vulnerabilities, each device must pass a robust cybersecurity certification process.
Participation in a cybersecurity pre-assessment (CAP) does not guarantee that the Army will purchase a device; however, the new agreement allows DeltaStrac to work directly with industry partners to help them understand cybersecurity requirements, so they can engineer medical devices to meet the cybersecurity standards.
The CAP CRADA will benefit industry by providing a cybersecurity sponsorship mechanism outside the procurement process offering authoritative Army cybersecurity assessment guidelines and standards.
Specific potential benefits include reducing engineering costs associated with early security integration in the system development life-cycle and improved marketability of the product.
The pre-assessment is designed to save time initiating system specific cybersecurity testing prior to contract award, in the design and engineering of the software systems, rather than after contract award, where significant re-engineering may need to occur before the equipment can be put into operation.
USAMMA believes working with industry partners early to achieve cybersecurity requirements will significantly shorten the time from acquisition to actual use.
Under the CRADA arrangement, USAMMA not provide funding DeltaStrac. Individual companies participating will pay for the services.
The CAP CRADA will pursue two routes for medical device/equipment enrollment into the study. First, are the market outreach efforts by DeltaStrac to vendors producing equipment with the capabilities aligned with USAMMA’s requirements and acquisition objectives. Second is vendor initiated nomination of equipment.
Both routes will require an enrollment phase to qualify the product as a viable candidate for the CRADA and mutual development and acceptance of the project plan. During the CRADA initial operating capability (IOC) phase, equipment enrollment will be limited to validate the initial process, procedures, and assess demand for resource planning.
Vendors who are interested in finding out more about the cybersecurity pre-assessment process should submit their queries to the USAMRMC New Products and Ideas (NPI) web portal.