@@ -592,21 +592,21 @@ Recognizing that there may be vulnerabilities discovered between the time that a
#### 5.2.1.2 MI-KEVD: Documentation for secure update before or during first use
The product shall be accompanied by documentation describing how the product may be securely updated, including how to update the product prior to, or as part of, first use.
The product shall be accompanied by documentation describing how the product can be securely updated, including the instructions to update the product, for instance through the system bus interface, prior to or as part of its first use.
* Applicability: Product has firmware update capability
* Reference: ER-NKEV
* Objective: Prevent exploitation of known exploited vulnerabilities at first use
* Preparation:
1. Examine public or private vulnerability information sources and select a representative sample of recently fixed vulnerabilities for the product and for its dependencies
1. Examine manufacturer's product update information
2. Examine manufacturer's product update information
* Activities: On a new product, scan the product to see if a recently fixed vulnerabilities has been fixed on the product, and examine the documentation for the required info
* Verdict: The secure update completes successfully, the sample set of vulnerabilities is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerabilities, description of how to scan for the vulnerabilities, log of vulnerability scan results
#### 5.2.1.3 MI-KEVA: Automatic secure update before or during first use
The product shall implement automatic secure update by default before or during first use.
The product shall implement automatic secure update by default before or during first use if automation can be implemented with the product design.
* Applicability: Product has automatic firmware update capability
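Review bot: In 5.2.1.2 the Verdict requires that "The secure update completes successfully", but the Activities line only covers scanning the new product and examining the documentation, so nothing in the procedure actually exercises the update. Suggest adding an explicit activity to perform the documented update on a new product, prior to or as part of first use, and then re-scan for the sampled vulnerabilities. The reworded requirement also adds "for instance through the system bus interface", which reads as singling out one update path; consider stating that the documentation must cover every supported update path. In 5.2.1.3 the new qualifier "if automation can be implemented with the product design" is not testable as written and overlaps with the Applicability line, which already limits the requirement to products with automatic firmware update capability; either drop the qualifier or say what evidence justifies treating the requirement as not applicable. Minor: "a recently fixed vulnerabilities has been fixed" and "info" in the Activities line would benefit from a wording pass while this section is being edited.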