Resolves HAS 45
Closes #282 diff --git clauses/5.Requirements.md clauses/5.Requirements.md index 9dabcc9..6e21e1a 100644 --- clauses/5.Requirements.md +++ clauses/5.Requirements.md @@ -36,7 +36,7 @@ This clause is a list of cybersecurity requirements necessary to satisfy essenti #### 5.2.2.1 Requirement -Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known vulnerabilities both when first made available and when first used by a consumer, the product shall be able to be updated at the time of first use to address all known exploited vulnerabilities which were discovered after the product's placement on the market and before first use. +Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by a consumer, the product shall be able to be updated at the time of first use to address all known exploited vulnerabilities which were discovered after the product's placement on the market and before first use. #### 5.2.2.2 MI-KEVD: Documentation for secure update before or during first use 
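Review bot: the premise and the obligation of 5.2.2.1 now use two different terms in one sentence: the changed line says the product should be free from "known exploitable vulnerabilities", while the unchanged tail of the same sentence still requires that the product be updatable "to address all known exploited vulnerabilities". Exploitable and exploited are not the same set (a vulnerability can be exploitable with no known exploitation), and the next heading, "5.2.2.2 MI-KEVD", together with the objective in the following hunk, is framed around known exploited vulnerabilities. Either keep "known exploited vulnerabilities" in the premise so the sentence is internally consistent, or, if widening the premise to "exploitable" is intended, widen the obligation as well and say why in the description, which currently only reads "Resolves HAS 45" / "Closes #282" with no rationale.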
@@ -44,7 +44,7 @@ The product shall be accompanied by documentation describing how the product can * Reference: TR-NKEV * Objective: Prevent exploitation of known exploited vulnerabilities at first use -* Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed) +* Preparation: Examine public or private vulnerability information sources and select a recently fixed exploitable vulnerability (preferably the most recently fixed) * Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info * Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL * Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results
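Review bot: the Preparation step now asks for "a recently fixed exploitable vulnerability", but the Objective directly above it is "Prevent exploitation of known exploited vulnerabilities", and the untouched Activities and Verdict lines still say "a recently fixed vulnerability" and "the most recently fixed vulnerability". Two problems follow: the term in Preparation should match the objective (exploited, not exploitable, unless the objective is also being changed), and the Verdict requires that "the most recently fixed vulnerability is fixed" while Preparation only says "preferably the most recently fixed", so an evaluator who legitimately selects a different vulnerability cannot reach PASS as written. Suggest tying Activities and Verdict to the vulnerability chosen in Preparation, e.g. "* Verdict: The secure update completes successfully, the selected vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL", which also matches the Evidence line's "the report for the selected vulnerability".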