@@ -597,10 +597,10 @@ The product shall be accompanied by documentation describing how the product may
* Applicability: Product expected use is long enough to require updates
* Reference: ER-NKEV
* Objective: Prevent exploitation of known exploited vulnerabilities at first use
* Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
* Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
* Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results
* Preparation: Examine public or private vulnerability information sources and select a representative sample of recently fixed vulnerabilities for the product and for its dependencies
* Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerabilities has been fixed on the product, and examine the documentation for the required info
* Verdict: The secure update completes successfully, the sample set of vulnerabilities is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerabilities, description of how to scan for the vulnerabilities, log of vulnerability scan results
#### 5.2.1.3 MI-KEVA: Automatic secure update before or during first use
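Review bot: The new Preparation line asks for "a representative sample of recently fixed vulnerabilities for the product and for its dependencies" without saying what makes a sample representative, so two assessors can select different sets and reach different verdicts on the same product. Suggest stating a minimum sample size or selection criteria, and requiring that the sample include the most recently fixed vulnerability, which the old Verdict line checked explicitly and the new one no longer does. In the new Activities line, "scan the product to see if a recently fixed vulnerabilities has been fixed on the product" mixes singular and plural and does not mention dependencies; something like "scan the product to see whether each vulnerability in the sample has been fixed on the product and its dependencies" would match the new Preparation and Verdict wording.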
@@ -609,10 +609,10 @@ The product shall implement automatic secure update by default before or during
* Applicability: Product expected use is long enough to require updates
* Reference: ER-NKEV
* Objective: Prevent exploitation of known exploited vulnerabilities at first use
* Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
* Activities: Follow the instructions to install and use the product for the first time, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
* Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results
* Preparation: Examine public or private vulnerability information sources and select a representative sample of recently fixed vulnerabilities for the product and for its dependencies
* Activities: Follow the instructions to install and use the product for the first time, scan the product to see if a recently fixed vulnerabilities has been fixed on the product, and examine the documentation for the required info
* Verdict: The secure update completes successfully, the sample set of vulnerabilities is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerabilities, description of how to scan for the vulnerabilities, log of vulnerability scan results
#### 5.2.1.4 MI-KEVM: Documentation of mitigation of known exploitable vulnerabilities
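Review bot: The new Verdict line for MI-KEVA ("The secure update completes successfully, the sample set of vulnerabilities is fixed, ...") passes a product whose update had to be started by the user, although the requirement in the hunk header is automatic secure update by default before or during first use. Suggest adding to the Verdict that the update ran without a user-initiated step, and adding to Evidence a record of how the update was triggered. The new Activities line also carries the number mismatch "a recently fixed vulnerabilities has been fixed" and scans only "the product" while the new Preparation line samples dependencies too; rewording it to "whether each vulnerability in the sample has been fixed on the product and its dependencies" would align the three lines.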