Add subject lines to requirements and mitigations missing them

The product shall record security-relevant internal events, including but not limited to changes to configuration and access or modification of data and functions. The product shall provide an opt-out mechanism.

#### 5.2.X.x **MI-LOGG**:

#### 5.2.X.x **MI-LOGG**: Logging

The product shall record log messages indicating security-relevant internal events in an internal or external log. The log messages shall not include any confidential information such as PII, secrets, or credentials, or any information which might reasonably be expected to include such items.

> FIXME: Update when risk factors are updated

### 5.X.Y **TR-MIMP**:

### 5.X.Y **TR-MIMP**: Impact minimization

The product shall minimise its negative impact on other products or services.

#### 5.2.X.x **MI-MNET**:

#### 5.2.X.x **MI-MNET**: Minimize negative impact of network transmission

The product shall minimise its negative impact on other products or services via the data it transmits on the network. Each source of network data shall be documented, along with the ways it can interfere with other products or services, and methods the product uses to minimise that interference.

  * Verdict: Every method of sending network data is documented with ways it can interface and methods used to minimise => PASS, otherwise FAIL

  * Evidence: All configuration files for network services, documentation of network services and their impact and methods to minimise it, internal lists of listening ports, results of an external port scan

#### 5.2.X.x **MI-MAMP**:

#### 5.2.X.x **MI-MAMP**: Minimize negative impact of network traffic amplification

The product shall mitigate abuse of network services that amplify network traffic in manner that can be used to attack other devices. Each network service and its associated mitigations shall be documented.

| IoT-2, IoT-3     | MNET                 |

| all others       | MNET, MAMP           |

### 5.X.Y **TR-AVAI**:

### 5.X.Y **TR-AVAI**: Availability

The product shall protect the availability of essential and core functions.

#### 5.2.X.x **MI-AVNT**:

#### 5.2.X.x **MI-AVNT**: Availabilty of network services

The product shall protect the availability of essential and core network services through mitigation of denial-of-service attacks.

| LR, IoT-1        | none                 |

| all others       | AVNT                 |

### 5.X.Y **TR-NKEV**:

### 5.X.Y **TR-NKEV**: No known exploitable vulnerabilities

The product shall be made available on the market with no known vulnerabilities.

#### 5.2.X.x **MI-KEVD**:

#### 5.2.X.x **MI-KEVD**: No known exploitable vulnerabilities after secure update

The product shall be accompanied by documentation of how to report vulnerabilities, how to find out what vulnerabilities have been fixed, the timeline in which vulnerabilities will be remediated, and how the product may be securely updated before use.

  * Verdict: If the secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL

  * Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results

#### 5.2.X.x **MI-SCAN**:

#### 5.2.X.x **MI-SCAN**: No easily scannable exploitable vulnerabilities

If automated, freely usable vulnerability scanners are available for the product, the product shall either (1) not have any vulnerabilities discoverable by the top three most comprehensive scanners (or fewer, if there are fewer than three automated, freely usable scanners), or (2) have documentation explaining why the risk of any detected vulnerability has been mitigated.