Definitions
FBI
In the FBI CJIS Security Policy, where AA stands for advanced authentication, compensating controls are
"temporary control measures implemented in lieu of the required control measures when an agency cannot meet the AA requirement due to legitimate technical or business constraints. The compensating controls must:
Additionally, compensating controls may rely upon other, non-AA, existing requirements as compensating controls and/or be combined with new controls to create compensating controls."[1]
Medical device
A cybersecurity compensating control is
"a safeguard or countermeasure, external to the device, employed by a user in lieu of, or in the absence of sufficient controls that were designed in by a device manufacturer, and that provides supplementary or comparable cyber protection for a medical device."[2]
Overview (Medical device)
For example, a manufacturer's assessment of a cybersecurity vulnerability determines that unauthorized access to a networked medical device would most likely impact the device's essential clinical performance. However, the manufacturer determines that the device can safely and effectively operate without access to the host network, in this case the hospital network. The manufacturer therefore instructs users to configure the network so that the device cannot be reached from the hospital network by unauthorized or unintended parties. This type of countermeasure, applied outside the device to make up for a protection the device itself lacks, is an example of a compensating control.[3]
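The network-side control in the example above is usually implemented as a default-deny rule set on the firewall or switch in front of the device: nothing on the hospital network may initiate a connection to the device except the few hosts and ports the clinical workflow actually needs. The following is an added illustration, not code from the page or from any manufacturer or regulator. It models that policy, evaluates candidate flows against it, and renders the equivalent nftables rules. The addresses, the management station, and the allowed port are constructed assumptions.

```python
"""Model a default-deny isolation policy for a networked medical device.

Added example: the device address, the single permitted peer and the
permitted service port below are invented for illustration.
"""
from dataclasses import dataclass

# Constructed sample addressing (assumption, not from the page).
DEVICE = "10.20.30.40"            # the medical device being protected
# (peer address, TCP port) pairs that are allowed to initiate connections
# to the device. Everything else destined to the device is dropped.
ALLOWED_PEERS = {
    ("10.20.30.10", 443),         # assumed clinical workstation -> device UI
}


@dataclass(frozen=True)
class Flow:
    """A new connection attempt, as seen at the firewall."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_allowed(flow: Flow) -> bool:
    """Decide whether the firewall lets a new flow through.

    Traffic not aimed at the device is out of scope and passes; traffic
    aimed at the device passes only if the (source, port) pair is on the
    allow-list. This is the compensating control: the device itself
    cannot reject unauthorized peers, so the network does it instead.
    """
    if flow.dst != DEVICE:
        return True
    return flow.proto == "tcp" and (flow.src, flow.dport) in ALLOWED_PEERS


def nftables_ruleset() -> str:
    """Render the same policy as an nftables forward-chain fragment.

    Replies to allowed connections are accepted by conntrack state; every
    other packet destined to the device hits the final drop rule.
    """
    lines = [
        "table inet device_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for src, port in sorted(ALLOWED_PEERS):
        lines.append(
            f"    ip daddr {DEVICE} ip saddr {src} tcp dport {port} "
            "ct state new,established accept"
        )
    lines.append(f"    ip daddr {DEVICE} ct state established,related accept")
    lines.append(f"    ip daddr {DEVICE} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


def evaluate(flows: list[Flow]) -> dict[Flow, bool]:
    """Evaluate a batch of constructed flows; handy for a change review."""
    return {flow: is_allowed(flow) for flow in flows}


if __name__ == "__main__":
    sample = [
        Flow("10.20.30.10", DEVICE, 443),   # permitted workstation, permitted port
        Flow("10.20.30.10", DEVICE, 22),    # permitted host, unexpected service
        Flow("10.20.99.7", DEVICE, 443),    # arbitrary hospital host
        Flow("10.20.99.7", "10.20.30.10", 443),  # not aimed at the device
    ]
    for flow, verdict in evaluate(sample).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {'ALLOW' if verdict else 'DROP'}")
    print(nftables_ruleset())
```

Before relying on such a rule set as the compensating control, verify it from the hospital side of the firewall (a port scan from an ordinary ward subnet should see nothing), and record the verification: the control only compensates for the device's weakness while it is actually in force.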