Commit 752ebcd7 authored by Valerie Aurora's avatar Valerie Aurora

Add no known exploitable vulnerabilities from OS

parent 5605b151
+41 −1
@@ -661,6 +661,46 @@ _Description of mitigation implementing the requirement in "shall" format._

This section is a list of technical requirements necessary to satisfy the CRA essential requirements. Each technical requirement can be satisfied by one or more potential mitigations. Each mitigation may or may not be appropriate for an individual use case. The following section will define which mitigations will be required, depending on risk factors and/or a use case. See Annex C for more information.

### 5.X.Y **TR-NKEV**: No known exploited vulnerabilities at first use

Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known vulnerabilities both when first made available and when first used by a consumer, the manufacturer shall ensure that the product can be updated at the time of first use to address all known exploited vulnerabilities which were discovered after the product's placement on the market and before that first use.

#### 5.2.X.x **MI-KEVD**: No known exploited vulnerabilities after secure update

The product shall be accompanied by documentation describing how the product may be securely updated, including how to update the product prior to, or as part of, first use.

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
  * Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
  * Verdict: If the secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
  * Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results

#### 5.2.X.x **MI-SCAN**: No easily scannable exploitable vulnerabilities

If automatable and freely-usable vulnerability scanners are available for the product, then the product shall satisfy the following with respect to the three (or fewer, if fewer than three are avilable) most comprehensive of such scanners.

1. have no vulnerabilities discovered by scans
1. have discoverable vulnerabilities whose age is consistent with the manufacturer's documentation of how long vulnerabilities may go unfixed after public disclosure
1. for each detected vulnerability, have publicly available documentation explaining how the risk has been mitigated

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known vulnerabilities
  * Preparation: Select up to three vulnerability scanners meeting the requirements
  * Activities: On a new product, carry out a secure update, run the selected scanners on the product, and examine the documentation for any reported vulnerabilities
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
  * Evidence: Documented vulnerability handling policy, list of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations

| Risk factors      | Requires mitigations |
|-------------------|----------------------|
| LOC < 1 & NET < 1 | KEVD                 |
| all others        | KEVD, SCAN           |

| Security Profile | Requires mitigations |
|------------------|----------------------|
| WD-1             | KEVD                 |
| all others       | KEVD, SCAN           |

### 5.2.X TR-SSDD Secure design and development

#### 5.2.X.x Requirement
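Review bot: In MI-SCAN the lead sentence says the product "shall satisfy the following" and then lists three items, but the three are alternatives, not a conjunction: a product cannot both "have no vulnerabilities discovered by scans" and "for each detected vulnerability, have publicly available documentation", and the Verdict line ("No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement") confirms they are meant as alternatives. Suggest rewording the lead-in to "then, for each vulnerability reported by the three (or fewer, if fewer than three are available) most comprehensive such scanners, the product shall satisfy at least one of the following", which also fixes the "avilable" typo. Two smaller points in the same hunk: the TR-NKEV heading and the new rows in the cross-reference table say "known exploitable vulnerabilities" while the requirement text and MI-KEVD title say "known exploited vulnerabilities", which are different populations (a KEV catalogue is a subset of exploitable ones), so one term should be chosen and used throughout; and the MI-KEVD "shall" statement only requires documentation of how to update, yet its Verdict fails the product if "the most recently fixed vulnerability" is not fixed after the update, so either the shall-statement should also require that the first-use update actually delivers fixes for known exploited vulnerabilities, or the Verdict should be limited to what the mitigation states. The heading numbers are also mixed ("### 5.X.Y" for the TR, "#### 5.2.X.x" for the MIs, "### 5.2.X" for the neighbouring TR-SSDD); use one placeholder scheme until real numbers are assigned.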
@@ -1353,7 +1393,7 @@ Suggested type of tests include, but are not limited to:

| CRA requirement                                 | Technical security requirements(s) |
|-------------------------------------------------|------------------------------------|
| No known exploitable vulnerabilities            | _waiting on cross-vertical_        |
| No known exploitable vulnerabilities            | KEVD                               |
| Secure design, development, production          | SSDD, MSAF                         |
| Secure by default configuration                 | SDEF                               |
| Secure updates                                  | SCUD                               |
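Review bot: The replaced row maps "No known exploitable vulnerabilities" to "KEVD", but the column is "Technical security requirement(s)" and every other row lists TR identifiers (SSDD, MSAF, SDEF, SCUD); KEVD is a mitigation identifier (MI-KEVD), and the technical requirement defined in the hunk above is TR-NKEV. Suggest "NKEV" here, with the KEVD/SCAN selection left to the risk-factor and security-profile tables that already do that mapping in the 5.X.Y section. If the intent really is to list mitigations in this column, SCAN is missing, since it is required for all risk factors other than "LOC < 1 & NET < 1" and all profiles other than WD-1. Also note the column header typo "requirements(s)" in the unchanged context line, which should read "requirement(s)".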