Commit a5fffa9f authored by Barry O'Donovan, committed by Santeri Toikka

Update EN-304-621.md

parent 4e528521
+10 −5
@@ -164,6 +164,8 @@ This standard applies to Network Management System products with digital element

This category includes but is not limited to end-to-end management systems and dedicatedconfiguration management systems, such as controllers for software-defined networking.

<mark>IP-connected may exclude other means of remote management. E.g., provisining via Bluetooth is common for consumer devices. “tracking them and” would seem to exclude devices that are not ‘tracked’ (which would need to be defined). NMS’ often control more than just network configuration - e.g., MDM systems.</mark>

## 1.3 Products not in scope

Products not in scope include:
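
Review bot: The `<mark>` paragraph placed after the scope sentence is an open review comment rather than scope wording, so merging it leaves the three concerns it raises unresolved in the text of 1.2. Either turn each into a concrete change to the scope definition (say which remote-management channels count besides IP, such as the Bluetooth provisioning it mentions; define 'tracked' or drop “tracking them and”; state whether systems that control more than network configuration, such as MDM, are in scope) or mark it explicitly as an editor's note tied to an issue. It also contains the typo 'provisining', and the unchanged sentence above it still reads 'dedicatedconfiguration'.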
@@ -227,7 +229,8 @@ For the purposes of the present document, the following terms apply:
1. **Service Requesting Users (<span name="_term_.SRU">SRU</span>)**: These users rely on the correct functioning of the NEs that are controlled and maintained from the NMS. SRUs do not care about the connected NEs and have no interface to login to the NMS. SRUs can be both, humans or devices and all are dependent to the connected NEs. The number of NE-connected SRUs can vary from a single person up to thousands per NE device, and is in principle not limited. For clarification of the risk factors, and as regulators define the criticality of a facility operation by the number of affected SRUs for the case a NE ceased its service, its relevant for the present document.
1. **User**: This is the person having the credentials to login to the NMS to operate administrative actions to control and maintain the NE.
1. **Machine User**: A virtual user used to access the system programming interfaces. Often attached with a role based access that is tailored for the need.
1. **Component**: software or hardware intended for integration into an electronic information system **Application Programming Interface (API):** A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.
1. **Component**: software or hardware intended for integration into an electronic information system 
1. **Application Programming Interface (API)**: A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.

## 3.2 Abbreviations

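Review bot: The standalone Component item ends with a trailing space and no full stop, unlike the User, Machine User and API items around it; add the period and strip the whitespace. With API now a term of its own, check that its definition, which is framed around libraries 'included with the platform', also covers the 'system programming interfaces' that the Machine User item refers to, or cross-reference the two entries.
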
@@ -300,11 +303,13 @@ More about assets in [Annex C.1 Assets](#c1-assets) and [Annex C.2 Data](#c11-da

This list of use cases is an informative resource for manufacturers to simplify the selection of a set of security requirements. Each use case is mapped to a security profile, which is a collection of risks and the security requirements necessary to mitigate them.

Manufacturers shall declare in the technical documentation security profile for which their products are intended to be evaluated.
Manufacturer shall declare in the technical documentation the security profile for which their products are intended to be evaluated.

Being in scope as written in the technical definition [1.2 Products in scope](#12-products-in-scope) assumes that the NMS controls the device configuration at least partially. The same definition outlines, that NMS is a system with connected elements like routers, hense NMS is an aggregate product. 

As the technical definition of an NMS describes the product as a system [Section 1.2](#12-products-in-scope) with connected elements, such as routers, an NMS is an aggregate product.
Aggregate product can have components, like an OS and networking interfaces, which are evaluated outside of the scope of this standard.
More boundaries are listed in the [C3 Assumptions](#c3-assumptions).

Aggregate product can have components, like OS and networking interfaces, which are evaluated outside of the scope of this standard. More boundaries are listed in the [C3 Assumptions](#c3-assumptions).
Manufacturers shall be responsible for implementing all security measures, regardless of the subcomponents in use.

### 4.4.1 Distributed deployment
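
Review bot: In the aggregate-product paragraph, the statement that components such as an OS and networking interfaces are 'evaluated outside of the scope of this standard' sits next to 'Manufacturers shall be responsible for implementing all security measures, regardless of the subcomponents in use' without saying how the two fit together; state which requirements stay with the NMS manufacturer when a component is evaluated elsewhere. On wording: the sentence beginning 'Being in scope as written' has 'hense' for 'hence', a stray comma after 'outlines' and a trailing space, and it overlaps with the sentence beginning 'As the technical definition of an NMS', so only one of the two should remain. The declaration sentence uses singular 'Manufacturer' with 'their products' while the closing sentence uses 'Manufacturers'; pick one form. 'Aggregate product can have components' needs an article.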