@@ -36,13 +36,14 @@ This clause is a list of cybersecurity requirements necessary to satisfy essenti
#### 5.2.2.1 Requirement
Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by a consumer, the product shall be able to be updated at the time of first use to address all known exploitable vulnerabilities which were discovered after the product's placement on the market and before first use.
Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by a consumer, the product shall be able to be updated at the time of first use to address known exploitable vulnerabilities which were discovered after the product's placement on the market and before first use.
#### 5.2.2.2 MI-KEVD: Documentation for secure update before or during first use
The product shall be accompanied by documentation describing how the product can be securely updated, including how to update the product prior to, or as part of, first use.
* Reference: TR-NKEV
* Applicability: The product has software or firmware update capability
* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
* Preparation: Examine public or private vulnerability information sources and select a recently fixed exploitable vulnerability (preferably the most recently fixed)
* Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
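Review bot: In 5.2.2.1, the second copy of the requirement paragraph drops "all" from "address all known exploitable vulnerabilities", which leaves the scope of the obligation open. An assessor can no longer tell whether every vulnerability discovered between placement on the market and first use must be addressable by the update, or only some of them. If the absolute was removed on purpose, state the intended scope in the sentence itself rather than leaving it implied. In 5.2.2.2, the Activities line ends with "examine the documentation for the required info" without saying what that is; name it using the requirement's own wording (how the product can be securely updated, including prior to, or as part of, first use). The same line also says "a recently fixed vulnerability" where Preparation says "recently fixed exploitable vulnerability"; use one term in both.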
@@ -54,6 +55,7 @@ The product shall be accompanied by documentation describing how the product can
The product shall implement automatic secure update by default before or during first use.
* Reference: TR-NKEV
* Applicability: The product has software or firmware update capability
* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
* Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
* Activities: Follow the instructions to install and use the product for the first time, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
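Review bot: The Activities line does not test what the requirement states. The requirement is "automatic secure update by default before or during first use", but the steps only follow the instructions and then scan for the fix, so a product that updates only after manual user action would pass the same way. Add a step confirming that the update ran without the tester enabling or triggering it. The closing "examine the documentation for the required info" appears carried over from 5.2.2.2, since this requirement names no documentation content; either drop it or say what must be documented. Preparation here says "recently fixed vulnerability" while the Objective and the 5.2.2.2 Preparation line speak of exploitable vulnerabilities; align the wording.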