@@ -1856,6 +1856,43 @@ The product shall protect the availability of essential and core network service
| LR, IoT-1 | none |
| all others | AVNT |
5.X.Y **TR-NKEV**:
The product shall be made available on the market with no known vulnerabilities.
5.X.Y.Z **MI-KEVD**:
The product shall be accompanied by documentation of how to report vulnerabilities, how to find out what vulnerabilities have been fixed, the timeline in which vulnerabilities will be remediated, and how the product may be securely updated before use.
* Reference: TR-NKEV
* Objective: Prevent exploitation of known vulnerabilities
* Preparation: Examine the documentation and select a recently fixed vulnerability (preferably the most recently fixed)
* Activities: On a new product, carry out a secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
* Verdict: If the secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results
5.X.Y.Z **MI-SCAN**:
If automated, freely usable vulnerability scanners are available for the product, the product shall either (1) not have any vulnerabilities discoverable by the top three most comprehensive scanners (or fewer, if there are fewer than three automated, freely usable scanners), or (2) have documentation explaining why the risk of any detected vulnerability has been mitigated.
* Reference: TR-NKEV
* Objective: Prevent exploitation of known vulnerabilities
* Preparation: Select up to three vulnerability scanners meeting the requirements
* Activities: On a new product, carry out a secure update, run the selected scanners on the product, and examine the documentation for any reported vulnerabilities
* Verdict: All reported vulnerabilities have documentation explaining how they have been mitigated, mitigations result in appropriate risk based on risk assessment => PASS, otherwise FAIL
* Evidence: List of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations
| Risk factors | Requires mitigations |
|---------------------|----------------------|
| FNET < 2 & RT-High | KEVD |
| FNET > 1 | KEVD, SCAN |
| RT-Medium or RT-Low | KEVD, SCAN |
| Security Profile | Requires mitigations |
|------------------|----------------------|
| LR, IoT-\*, IF-1 | KEVD |
| all others | KEVD, SCAN |
### 5.2.X **TR-SCUD**: Secure updates
### 5.2.X.x Requirement
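Review bot: The MI-KEVD preparation and verdict disagree on which vulnerability is tested. Preparation says "select a recently fixed vulnerability (preferably the most recently fixed)", but the verdict only passes when "the most recently fixed vulnerability is fixed", so a tester who follows the preparation text and picks an older fix has no way to reach PASS. Either make the preparation require the most recently fixed vulnerability or word the verdict as "the selected vulnerability is fixed". In MI-SCAN, "the top three most comprehensive scanners" gives the tester no criterion for ranking scanners and the verdict's "appropriate risk based on risk assessment" does not say which risk assessment is meant; the Evidence list should name the selection criterion and the assessment the mitigations are judged against. Also, the heading style is inconsistent with the rest of the hunk: `5.X.Y **TR-NKEV**:` has no `###` prefix while the next requirement is `### 5.2.X **TR-SCUD**: Secure updates`, and both MI-KEVD and MI-SCAN carry the same placeholder number `5.X.Y.Z`.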
@@ -2189,7 +2226,7 @@ Description: Firewall for enterprise network