Unverified Commit c192ed27 authored by Aki Braun

Resolves HAS 50

Closes #287

diff --git clauses/5.Requirements.md clauses/5.Requirements.md
index 6e21e1a..7cf1039 100644
--- clauses/5.Requirements.md
+++ clauses/5.Requirements.md
@@ -36,14 +36,14 @@ This clause is a list of cybersecurity requirements necessary to satisfy essenti

 #### 5.2.2.1 Requirement

-Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by a consumer, the product shall be able to be updated at the time of first use to address all known exploited vulnerabilities which were discovered after the product's placement on the market and before first use.
+Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by a consumer, the product shall be able to be updated at the time of first use to address all known exploitable vulnerabilities which were discovered after the product's placement on the market and before first use.

 #### 5.2.2.2 MI-KEVD: Documentation for secure update before or during first use

 The product shall be accompanied by documentation describing how the product can be securely updated, including how to update the product prior to, or as part of, first use.

 * Reference: TR-NKEV
-* Objective: Prevent exploitation of known exploited vulnerabilities at first use
+* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
 * Preparation: Examine public or private vulnerability information sources and select a recently fixed exploitable vulnerability (preferably the most recently fixed)
 * Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
 * Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
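Review bot: the change from "known exploited" to "known exploitable" in the requirement sentence and in the Objective line widens the scope of 5.2.2.1 and 5.2.2.2: "exploitable" covers every vulnerability that can be exploited, while "exploited" is limited to those with known exploitation, so the product now has to be updatable at first use against a larger set. The commit message ("Resolves HAS 50") does not record why; a short note that this aligns the requirement with the existing phrase "free from known exploitable vulnerabilities" in the same sentence would help future readers. The identifiers MI-KEVD and TR-NKEV are left untouched; if either is expanded as "known exploited vulnerabilities" elsewhere in the document, that expansion needs the same update.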
@@ -54,7 +54,7 @@ The product shall be accompanied by documentation describing how the product can
 The product shall implement automatic secure update by default before or during first use.

 * Reference: TR-NKEV
-* Objective: Prevent exploitation of known exploited vulnerabilities at first use
+* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
 * Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
 * Activities: Follow the instructions to install and use the product for the first time, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
 * Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
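Review bot: the unchanged Preparation line in this hunk still reads "select a recently fixed vulnerability", whereas the corresponding line under 5.2.2.2 in the previous hunk reads "select a recently fixed exploitable vulnerability". With the Objective now standardised on "exploitable", the Preparation here should say the same, otherwise the tester may pick a vulnerability that is not exploitable and the test would not exercise the stated objective.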
@@ -69,7 +69,7 @@ The product's development and release process shall include a process to documen
 1. for each detected vulnerability, has documentation of how the risk has been mitigated

 * Reference: TR-NKEV
-* Objective: Prevent exploitation of known exploited vulnerabilities at first use
+* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
 * Preparation: Compile a list of known exploitable vulnerabilities in the product and its components
 * Activities: Compare the generated list of known exploitable vulnerabilities with the documentation of the known exploitable vulnerabilities that have been fixed or mitigated in the product
 * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
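Review bot: the Objective line edited here is the identical sentence this commit also edits under 5.2.2.2 and in the hunks at -54 and -84. A one-word change that needs four coordinated edits is a sign the objective belongs in one place, for example under the TR-NKEV reference that all four sections already share, with each section pointing to it, so that future wording changes cannot drift between sections.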
@@ -84,7 +84,7 @@ The product shall be tested for all known exploitable vulnerabilities to demonst
 1. for each tested vulnerability, the test result shows that the vulnerability has been mitigated

 * Reference: TR-NKEV
-* Objective: Prevent exploitation of known exploited vulnerabilities at first use
+* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
 * Preparation: Compile a list of known exploitable vulnerabilities in the product and its components, compile a list of known exploitable vulnerabilities that will be tested, collect tests for each one
 * Activities: On a new product, carry out a secure update, run the tests, and compare the results with the generated list of known exploitable vulnerabilities
 * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or mitigation requirement => PASS, otherwise FAIL
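Review bot: the hunk header context says the product "shall be tested for all known exploitable vulnerabilities", but the unchanged Preparation line lets the tester "compile a list of known exploitable vulnerabilities that will be tested", which permits a subset of the first list, and the Verdict then only checks that "all reported vulnerabilities" satisfy the age or mitigation requirement. If a subset is acceptable, state the selection criterion; if not, Preparation should require a test for every item on the first list. Not introduced by this change, but worth fixing while the section is open.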
parent 65859462
+5 −5