@@ -1493,6 +1493,8 @@ When the product is intended for integration into subsequent products in a suppl
## 5.3 Risk Mitigation Sets
Each risk mitigation is only necessary for the security profiles (see clause C.6.2) that require it to treat a risk. This clause lists all mitigations that are necessary for each security profile.
> TODO-HAS: For each security profile, list all the mitigations required by the threat assessments in C.4.
SP-LR
@@ -1795,12 +1797,6 @@ For each threat, a formula based on the risk factor levels is used to calculate
For each threat, both likelihood and impact must be Low before the risk is considered sufficiently mitigated. If the calculated levels are not already Low, then mitigations must be applied until they are both Low. The mitigation sets that will accomplish this are listed in each threat description.
The risk factors by type are:
* Likelihood: NUSR CUSR DATA PHYS UEIN LOSS HWMD SWMD DVCS TNET FNET CONF ADMN SUPP
