Whitepaper

Joint Security Plan (JSP) Quick Reference Guide: Who Does What, When, and Why

Medical Device Cybersecurity

Reading time: 10 minutes

October 3, 2025

The JSP Quick Reference Guide helps medical device teams understand their role in building and maintaining a secure product. Using the cybersecurity house analogy, it simplifies complex regulatory requirements into four phases — Concept, Design & Development, Verification & Validation, and Maintenance — so everyone, from product managers to executives, can see where they fit and what’s expected of them.

Executive summary

The Joint Security Plan (JSP) is the medical technology industry’s framework for embedding cybersecurity across the total product lifecycle. Medcrypt’s JSP Quick Reference Guide distills this comprehensive plan into a practical, shareable resource that helps teams understand who does what, when, and why in building secure medical devices. Using a simple “house” analogy — Foundation (Concept), Framing (Design & Development), Inspection (Verification & Validation), and Maintenance (Postmarket) — this guide makes it easy for product teams, executives, and service functions to align on their cybersecurity responsibilities and regulatory expectations.

Why it matters

The JSP is the backbone of medical device cybersecurity — but many teams struggle to operationalize it. This guide bridges that gap, translating complex regulatory requirements into clear, actionable steps. As the FDA, HSCC, and AAMI continue to emphasize secure-by-design development and lifecycle traceability, understanding the JSP isn’t optional; it’s essential to achieving compliance, building resilient products, and fostering trust with hospitals and regulators.

Who should read

  • Product Managers, Engineers, and QA/RA professionals responsible for lifecycle documentation
  • Executives and cybersecurity program leaders ensuring organizational readiness
  • Clinical and usability teams validating safety and workflow compatibility
  • Sales, marketing, and service teams who communicate security value to customers

Key insights

  • The JSP maps cybersecurity activities across all phases of product development.
  • Every function — from engineers to executives — plays a role in securing the product.
  • Clear documentation and evidence are essential for FDA and regulatory alignment.
  • Lifecycle management (SBOMs, patching, surveillance) is an ongoing responsibility.
  • The JSP complements standards like IEC 81001-5-1, offering a “what and why” overview alongside “how and when” resources.

Table of contents

  1. Introduction and Objective
    1. Why Medcrypt created the JSP Quick Reference Guide
    2. How it simplifies regulatory alignment and team coordination
  2. What Is the Joint Security Plan (JSP)?
    1. JSP as the medical technology industry’s Secure Product Development Framework (SPDF)
    2. Overview of the HSCC JSP v2 and its purpose
  3. The JSP as Your Cybersecurity House
    1. The “house” analogy: Foundation, Framing, Inspection, and Maintenance
    2. Role definitions: Builders, Explainers, and Owners
  4. Phase 1: Concept — Ask Early, Decide Early
    1. Key activities and roles (PM, Engineering, Execs, Clinicians)
    2. Foundational documentation and FDA 524B alignment
  5. Phase 2: Design & Development — Bake It In
    1. Threat modeling, secure coding, crypto design, SBOM integration
    2. Evidence generation for traceability and compliance
  6. Phase 3: Verification & Validation — Prove It Works
    1. Testing methodologies (fuzzing, pen testing, residual risk evaluation)
    2. Documentation of evidence and regulatory context
  7. Phase 4: Postmarket (Maintenance) — Launch Isn’t the Finish Line
    1. Ongoing monitoring, patch management, SBOM updates
    2. Roles and communication between field teams and RA/QA
  8. Conclusion: Why JSP Is More Than a Checklist
    1. Turning JSP principles into lifecycle traceability
    2. Building confidence with regulators and customers