Other Risk Factors have matching hardware/software pairs, but the
"threat actor" risk only had a hardware section.

Do we want to have explict tests for RF-NUSR and RF-CUSR? I imagine it
would look like this. This kind of feels redundant, but we don't seem
to call out these things yet in the MI section.

Collapse the control-flow protections together (implementions vary),
and collapse the memory tagging protection (implementations vary). They
protect the same basic things, just in very different ways, but the
testing for each are fundamentally the same. It doesn't seem worthwhile
getting hyper-specific here.

I worry specific language like "scan for" etc is getting too specific? I
think just an enumeration is needed. Added memory-mapped interface and
added the "privilege boundary" language.