IEC 62443 Requirements

This is a list of all ISA/IEC 62443 requirements and their mapped CWEs from MITRE.

Part 2-4

| Req ID | BR/RE | Functional area | Topic | Subtopic | Mapped CWE(s) |
|---|---|---|---|---|---|
| SP.01.01 | BR | Solution staffing | Training | Security requirements - IEC 62443-2-4 | |
| SP.01.01 | RE(1) | Solution staffing | Training | Security requirements - IEC 62443-2-4 | |
| SP.01.02 | BR | Solution staffing | Training | Security requirements - asset owner | |
| SP.01.02 | RE(1) | Solution staffing | Training | Security requirements - asset owner | |
| SP.01.03 | BR | Solution staffing | Training | Sensitive data | |
| SP.01.03 | RE(1) | Solution staffing | Training | Sensitive data | |
| SP.01.04 | BR | Solution staffing | Background checks | Service provider | |
| SP.01.04 | RE(1) | Solution staffing | Background checks | Subcontractor | |
| SP.01.05 | BR | Solution staffing | Personnel assignments | Security contact | |
| SP.01.06 | BR | Solution staffing | Personnel assignments | Security lead | |
| SP.01.07 | BR | Solution staffing | Personnel assignments | Change | |
| SP.02.01 | BR | Assurance | Solution components | Verification | |
| SP.02.02 | BR | Assurance | Security tools and software | Technical description | |
| SP.02.02 | RE(1) | Assurance | Security tools and software | Approval | |
| SP.02.02 | RE(2) | Assurance | Security tools and software | Detection | |
| SP.02.02 | RE(3) | Assurance | Security tools and software | Robustness | |
| SP.02.03 | BR | Assurance | Hardening guidelines | Technical description | CWE-1059: Insufficient Technical Documentation |
| SP.02.03 | RE(1) | Assurance | Hardening guidelines | Verification | CWE-1059: Insufficient Technical Documentation |
| SP.03.01 | BR | Architecture | Risk assessment | Perform | |
| SP.03.01 | RE(1) | Architecture | Risk assessment | Reporting | |
| SP.03.01 | RE(2) | Architecture | Risk assessment | Verification | |
| SP.03.02 | BR | Architecture | Network design | Connectivity | |
| SP.03.02 | RE(1) | Architecture | Network design | Connectivity | CWE-1357: Reliance on Insufficiently Trustworthy Component |
| SP.03.02 | RE(2) | Architecture | Network design | Connectivity | CWE-1357: Reliance on Insufficiently Trustworthy Component |
| SP.03.03 | BR | Architecture | Solution components | Vulnerabilities | |
| SP.03.03 | RE(1) | Architecture | Network design | Vulnerabilities | CWE-1059: Insufficient Technical Documentation; CWE-353: Missing Support for Integrity Check |
| SP.03.04 | BR | Architecture | Network design | Network time | |
| SP.03.05 | BR | Architecture | Devices - All | Least functionality | CWE-250: Execution with Unnecessary Privileges |
| SP.03.05 | RE(1) | Architecture | Devices - All | Least functionality | |
| SP.03.06 | BR | Architecture | Devices - Workstations | Session lock | |
| SP.03.07 | BR | Architecture | Devices - Workstations | Access control | |
| SP.03.07 | RE(1) | Architecture | Devices - Workstations | Access control | |
| SP.03.08 | BR | Architecture | Devices - Network | Least functionality | CWE-250: Execution with Unnecessary Privileges; CWE-269: Improper Privilege Management |
| SP.03.08 | RE(1) | Architecture | Devices - Network | Access control | CWE-250: Execution with Unnecessary Privileges |
| SP.03.08 | RE(2) | Architecture | Devices - Network | Cryptography | |
| SP.03.08 | RE(3) | Architecture | Devices - Network | Access control | |
| SP.03.09 | BR | Architecture | Data protection | Communications | |
| SP.03.10 | BR | Architecture | Data protection | Sensitive data | |
| SP.03.10 | RE(1) | Architecture | Data protection | Sensitive data | CWE-321: Use of Hard-coded Cryptographic Key |
| SP.03.10 | RE(2) | Architecture | Data protection | Data/event retention | |
| SP.03.10 | RE(3) | Architecture | Data protection | Cryptography | CWE-321: Use of Hard-coded Cryptographic Key |
| SP.03.10 | RE(4) | Architecture | Data protection | Sanitizing | |
| SP.04.01 | BR | Wireless | Network design | Technical description | |
| SP.04.02 | BR | Wireless | Network design | Access control | |
| SP.04.02 | RE(1) | Wireless | Network design | Communications | CWE-353: Missing Support for Integrity Check |
| SP.04.03 | BR | Wireless | Network design | Communications | |
| SP.04.03 | RE(1) | Wireless | Network design | Wireless network identifiers | |
| SP.04.03 | RE(2) | Wireless | Network design | Connectivity | |
| SP.05.01 | BR | SIS | Risk assessment | Verification | |
| SP.05.02 | BR | SIS | Network design | Communications | |
| SP.05.03 | BR | SIS | Network design | Communications | |
| SP.05.04 | BR | SIS | Network design | Communications | |
| SP.05.05 | BR | SIS | Devices - Workstations | Communications | |
| SP.05.05 | RE(1) | SIS | Devices - Workstations | Communications | |
| SP.05.06 | BR | SIS | Devices - Workstations | Connectivity | |
| SP.05.07 | BR | SIS | Devices - Workstations | Least functionality | CWE-250: Execution with Unnecessary Privileges |
| SP.05.08 | BR | SIS | Devices - Wireless | Connectivity | |
| SP.05.09 | BR | SIS | User interface | Configuration mode | |
| SP.05.09 | RE(1) | SIS | User interface | Configuration mode | |
| SP.05.09 | RE(2) | SIS | User interface | Configuration mode | |
| SP.06.01 | BR | Configuration management | Network design | Connectivity | |
| SP.06.01 | RE(1) | Configuration management | Network design | Connectivity | |
| SP.06.02 | BR | Configuration management | Devices - All | Inventory register | |
| SP.06.03 | BR | Configuration management | Devices - Control and instrumentation | Verification | |
| SP.07.01 | BR | Remote access | Security tools and software | Connectivity | |
| SP.07.02 | BR | Remote access | Security tools and software | Technical description | |
| SP.07.03 | BR | Remote access | Security tools and software | Technical description | |
| SP.07.04 | BR | Remote access | Security tools and software | Approval | |
| SP.07.04 | RE(1) | Remote access | Data protection | Cryptography | |
| SP.08.01 | BR | Event management | Events - Security compromises | Responding | |
| SP.08.01 | RE(1) | Event management | Events - Security compromises | Reporting | |
| SP.08.02 | BR | Event management | Events - Security-related | Logging | |
| SP.08.02 | RE(1) | Event management | Events - Security-related | Reporting | |
| SP.08.02 | RE(2) | Event management | Events - Security-related | Logging | |
| SP.08.03 | BR | Event management | Events - Alarms & Events | Logging | |
| SP.08.03 | RE(1) | Event management | Events - Alarms & Events | Reporting | |
| SP.08.04 | BR | Event management | Events - Alarms & Events | Robustness | |
| SP.09.01 | BR | Account management | Accounts - User and service accounts | Administration | |
| SP.09.02 | BR | Account management | Accounts - User and service accounts | Administration | |
| SP.09.02 | RE(1) | Account management | Accounts - User and service accounts | Technical description | CWE-1391: Use of Weak Credentials |
| SP.09.02 | RE(2) | Account management | Accounts - User and service accounts | Administration | |
| SP.09.02 | RE(3) | Account management | Accounts - User and service accounts | Expiration | |
| SP.09.02 | RE(4) | Account management | Accounts - Administrator | Least functionality | CWE-250: Execution with Unnecessary Privileges |
| SP.09.03 | BR | Account management | Accounts - Default | Least functionality | CWE-250: Execution with Unnecessary Privileges |
| SP.09.04 | BR | Account management | Accounts - User | Least functionality | CWE-250: Execution with Unnecessary Privileges |
| SP.09.04 | RE(1) | Account management | Accounts - User | Logging | |
| SP.09.05 | BR | Account management | Passwords | Composition | |
| SP.09.06 | BR | Account management | Passwords | Expiration | |
| SP.09.06 | RE(1) | Account management | Passwords | Expiration | |
| SP.09.07 | BR | Account management | Passwords | Change | |
| SP.09.08 | BR | Account management | Passwords | Reuse | |
| SP.09.08 | RE(1) | Account management | Passwords | Change | |
| SP.09.09 | BR | Account management | Passwords | Shared | |
| SP.09.09 | RE(1) | Account management | Passwords | Shared | |
| SP.10.01 | BR | Malware protection | Manual process | Malware protection mechanism | |
| SP.10.02 | BR | Malware protection | Security tools and software | Installation | |
| SP.10.02 | RE(1) | Malware protection | Security tools and software | Installation | |
| SP.10.03 | BR | Malware protection | Security tools and software | Detection | |
| SP.10.04 | BR | Malware protection | Manual process | Malware definition files | |
| SP.10.05 | BR | Malware protection | Devices - All | Sanitizing | |
| SP.10.05 | RE(1) | Malware protection | Portable media | Usage | |
| SP.10.05 | RE(2) | Malware protection | Portable media | Sanitizing | |
| SP.11.01 | BR | Patch management | Manual process | Patch qualification | |
| SP.11.01 | RE(1) | Patch management | Manual process | Patch qualification | |
| SP.11.02 | BR | Patch management | Patch list | Patch qualification | |
| SP.11.02 | RE(1) | Patch management | Patch list | Patch qualification | |
| SP.11.02 | RE(2) | Patch management | Patch list | Approval | |
| SP.11.03 | BR | Patch management | Security patch | Delivery | |
| SP.11.04 | BR | Patch management | Security patch | Installation | |
| SP.11.05 | BR | Patch management | Security patch | Approval | |
| SP.11.06 | BR | Patch management | Security patch | Installation | |
| SP.11.06 | RE(1) | Patch management | Security patch | Installation | |
| SP.11.06 | RE(2) | Patch management | Security patch | Installation | CWE-353: Missing Support for Integrity Check |
| SP.11.06 | RE(3) | Patch management | Security patch | Installation | |
| SP.12.01 | BR | Backup/Restore | Manual process | Technical description | |
| SP.12.02 | BR | Backup/Restore | Restore | Technical description | |
| SP.12.03 | BR | Backup/Restore | Portable media | Technical description | |
| SP.12.04 | BR | Backup/Restore | Backup | Verification | |
| SP.12.05 | BR | Backup/Restore | Restore | Verification | |
| SP.12.06 | BR | Backup/Restore | Backup | Perform | |
| SP.12.07 | BR | Backup/Restore | Backup | Robustness | |
| SP.12.08 | BR | Backup/Restore | Manual process | Logging | |
| SP.12.09 | BR | Backup/Restore | Manual process | Disaster recovery | |

Part 3-3

| BR-RE | Requirement | SL1 | SL2 | SL3 | SL4 | Mapped CWE(s) |
|---|---|---|---|---|---|---|
| SR 1.1 | Human user identification and authentication | x | x | x | x | CWE-250: Execution with Unnecessary Privileges; CWE-287: Improper Authentication |
| SR 1.1 RE 1 | Unique identification and authentication | | x | x | x | |
| SR 1.1 RE 2 | Multifactor authentication for non trusted interfaces | | | x | x | |
| SR 1.1 RE 3 | Multifactor authentication for all interfaces | | | | x | |
| SR 1.2 | Software process and device identification and authentication | | x | x | x | CWE-250: Execution with Unnecessary Privileges; CWE-269: Improper Privilege Management; CWE-287: Improper Authentication |
| SR 1.2 RE 1 | Unique identification and authentication | | | x | x | |
| SR 1.3 | Account management | x | x | x | x | |
| SR 1.3 RE 1 | Uniform account management | | | x | x | |
| SR 1.4 | Identifier management | x | x | x | x | |
| SR 1.5 | Authenticator management | x | x | x | x | CWE-256: Plaintext Storage of a Password; CWE-321: Use of Hard-coded Cryptographic Key; CWE-798: Use of Hard-coded Credentials |
| SR 1.5 RE 1 | Hardware security for authenticators | | | x | x | |
| SR 1.6 | Wireless access management | x | x | x | x | |
| SR 1.6 RE 1 | Unique identification and authentication | | x | x | x | |
| SR 1.7 | Strength of password-based authentication | x | x | x | x | |
| SR 1.7 RE 1 | Password generation and lifetime restrictions for human users | | | x | x | |
| SR 1.7 RE 2 | Password lifetime restriction for all users (human, software process or device) | | | | x | |
| SR 1.8 | Public key infrastructure certificates | | x | x | x | |
| SR 1.9 | Strength of public key-based authentication | | x | x | x | CWE-347: Improper Verification of Cryptographic Signature |
| SR 1.9 RE 1 | Hardware security for public key authentication | | | x | x | |
| SR 1.10 | Authenticator feedback | x | x | x | x | |
| SR 1.11 | Unsuccessful login attempts | x | x | x | x | |
| SR 1.12 | System use notification | x | x | x | x | |
| SR 1.13 | Access via untrusted networks | x | x | x | x | CWE-1357: Reliance on Insufficiently Trustworthy Component |
| SR 1.13 RE 1 | Explicit access request approval | | | x | x | |
| SR 1.14 | Strength of symmetric key-based authentication | | x | x | x | |
| SR 1.14 RE 1 | Hardware security for symmetric key authentication | | | x | x | |
| SR 2.1 | Authorization enforcement | x | x | x | x | CWE-250: Execution with Unnecessary Privileges; CWE-269: Improper Privilege Management; CWE-862: Missing Authorization; CWE-863: Incorrect Authorization |
| SR 2.1 RE 1 | Authorization enforcement for all users (human, software process and all devices) | | x | x | x | CWE-250: Execution with Unnecessary Privileges |
| SR 2.1 RE 2 | Permission mapping to roles | | x | x | x | |
| SR 2.1 RE 3 | Supervisor override | | | x | x | |
| SR 2.1 RE 4 | Dual approval | | | | x | |
| SR 2.2 | Wireless use control | x | x | x | x | CWE-863: Incorrect Authorization |
| SR 2.2 RE 1 | Identify and report unauthorized wireless devices | | | x | x | |
| SR 2.3 | Use control for portable and mobile devices | x | x | x | x | |
| SR 2.3 RE 1 | Enforcement of security status of portable and mobile devices | | | x | x | |
| SR 2.4 | Mobile code | x | x | x | x | |
| SR 2.4 RE 1 | Mobile code integrity check | | | x | x | |
| SR 2.5 | Session lock | x | x | x | x | |
| SR 2.6 | Remote session termination | | x | x | x | |
| SR 2.7 | Concurrent session control | | | x | x | CWE-770: Allocation of Resources Without Limits or Throttling |
| SR 2.8 | Auditable events | x | x | x | x | |
| SR 2.8 RE 1 | Centrally managed, system-wide audit trail | | | x | x | |
| SR 2.9 | Audit storage capacity | x | x | x | x | |
| SR 2.9 RE 1 | Warn when audit log recorded capacity threshold reached | | | x | x | |
| SR 2.10 | Rationale and supplemental guidance | x | x | x | x | |
| SR 2.11 | Timestamps | x | x | x | x | |
| SR 2.11 RE 1 | Time synchronization | | x | x | x | |
| SR 2.11 RE 2 | Protection of time source integrity | | | | x | |
| SR 2.12 | Non-repudiation | x | x | x | x | |
| SR 2.12 RE 1 | Non-repudiation for all users | | | | x | |
| SR 3.1 | Communication integrity | x | x | x | x | CWE-353: Missing Support for Integrity Check; CWE-354: Improper Validation of Integrity Check Value |
| SR 3.1 RE 1 | Communication authentication | | x | x | x | |
| SR 3.2 | Protection from malicious code | x | x | x | x | |
| SR 3.2 RE 1 | Malicious code protection on entry and exit points | | x | x | x | |
| SR 3.2 RE 2 | Central management and reporting for malicious code | | | x | x | |
| SR 3.3 | Security functionality verification | x | x | x | x | |
| SR 3.3 RE 1 | Automated mechanisms for security functionality verification | | | x | x | |
| SR 3.3 RE 2 | Security functionality verification during normal operation | | | | x | |
| SR 3.4 | Software and information integrity | x | x | x | x | |
| SR 3.4 RE 1 | Automated notification of integrity violations | | | x | x | |
| SR 3.5 | Input validation | x | x | x | x | CWE-122: Heap-based Buffer Overflow; CWE-190: Integer Overflow or Wraparound; CWE-787: Out-of-bounds Write; CWE-94: Improper Control of Generation of Code ('Code Injection') |
| SR 3.6 | Deterministic output | x | x | x | x | |
| SR 3.7 | Error handling | x | x | x | x | |
| SR 3.8 | Session integrity | | x | x | x | |
| SR 3.8 RE 1 | Invalidation of session IDs after session termination | | | x | x | |
| SR 3.8 RE 2 | Unique session ID generation | | | x | x | |
| SR 3.8 RE 3 | Randomness of session IDs | | | | x | |
| SR 3.9 | Protection of audit information | | x | x | x | |
| SR 3.9 RE 1 | Audit records on write once media | | | | x | |
| SR 4.1 | Information confidentiality | x | x | x | x | CWE-311: Missing Encryption of Sensitive Data; CWE-312: Cleartext Storage of Sensitive Information; CWE-319: Cleartext Transmission of Sensitive Information |
| SR 4.1 RE 1 | Protection of confidentiality at rest or in transit via untrusted networks | | x | x | x | |
| SR 4.1 RE 2 | Protection of confidentiality across zone boundaries | | | | x | |
| SR 4.2 | Information persistence | | x | x | x | |
| SR 4.2 RE 1 | Erase of shared memory resources | | | x | x | |
| SR 4.3 | Use of cryptography | x | x | x | x | CWE-311: Missing Encryption of Sensitive Data; CWE-321: Use of Hard-coded Cryptographic Key; CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| SR 5.1 | Network segmentation | x | x | x | x | |
| SR 5.1 RE 1 | Physical network segmentation | | x | x | x | |
| SR 5.1 RE 2 | Independence from non-control system networks | | | x | x | |
| SR 5.1 RE 3 | Logical and physical isolation of critical networks | | | | x | |
| SR 5.2 | Zone boundary protection | x | x | x | x | |
| SR 5.2 RE 1 | Deny by default, allow by exception | | x | x | x | |
| SR 5.2 RE 2 | Island mode | | | x | x | |
| SR 5.2 RE 3 | Fail close | | | x | x | |
| SR 5.3 | General purpose person-to-person communication restrictions | x | x | x | x | |
| SR 5.3 RE 1 | Prohibit all general purpose person-to-person communications | | | x | x | |
| SR 5.4 | Application partitioning | x | x | x | x | |
| SR 6.1 | Audit log accessibility | x | x | x | x | |
| SR 6.1 RE 1 | Programmatic access to audit logs | | | x | x | |
| SR 6.2 | Continuous monitoring | | x | x | x | CWE-920: Improper Restriction of Power Consumption |
| SR 7.1 | Denial of service protection | x | x | x | x | CWE-400: Uncontrolled Resource Consumption |
| SR 7.1 RE 1 | Manage communication load from component | | x | x | x | |
| SR 7.1 RE 2 | Limit DoS effects to other systems or networks | | | | x | |
| SR 7.2 | Resource management | x | x | x | x | CWE-190: Integer Overflow or Wraparound; CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling; CWE-771: Missing Reference to Active Allocated Resource; CWE-779: Logging of Excessive Data |
| SR 7.3 | Control system backup | x | x | x | x | |
| SR 7.3 RE 1 | Backup integrity verification | | x | x | x | |
| SR 7.3 RE 2 | Backup automation | | | x | x | |
| SR 7.4 | Control system recovery and reconstitution | x | x | x | x | |
| SR 7.5 | Emergency power | x | x | x | x | |
| SR 7.6 | Network and security configuration settings | x | x | x | x | |
| SR 7.6 RE 1 | Machine-readable reporting of current security settings | | | x | x | |
| SR 7.7 | Least functionality | x | x | x | x | |
| SR 7.8 | Control system component inventory | | x | x | x | |

Part 4-1

| Req ID | Requirement | Mapped CWE(s) |
|---|---|---|
| SM-1 | Development Process | |
| SM-2 | Identification of responsibilities | |
| SM-3 | Identification of applicability | |
| SM-4 | Security expertise | |
| SM-5 | Process scoping | |
| SM-6 | File integrity | CWE-1357: Reliance on Insufficiently Trustworthy Component; CWE-347: Improper Verification of Cryptographic Signature |
| SM-7 | Development environment security | |
| SM-8 | Controls for private keys | |
| SM-9 | Security requirement for externally provided components | CWE-1357: Reliance on Insufficiently Trustworthy Component; CWE-1395: Dependency on Vulnerable Third-Party Component |
| SM-10 | Custom developed components from third-party suppliers | CWE-1357: Reliance on Insufficiently Trustworthy Component; CWE-1395: Dependency on Vulnerable Third-Party Component |
| SM-11 | Assessing and addressing of security-related issues | |
| SM-12 | Process verification | |
| SM-13 | Continuous improvement | |
| SR-1 | Product security context | |
| SR-2 | Threat model | CWE-1395: Dependency on Vulnerable Third-Party Component; CWE-190: Integer Overflow or Wraparound; CWE-306: Missing Authentication for Critical Function; CWE-346: Origin Validation Error |
| SR-3 | Product security requirements | |
| SR-4 | Product security requirements content | |
| SR-5 | Security requirements review | |
| SD-1 | Secure design principle | CWE-321: Use of Hard-coded Cryptographic Key; CWE-346: Origin Validation Error; CWE-353: Missing Support for Integrity Check; CWE-779: Logging of Excessive Data; CWE-863: Incorrect Authorization |
| SD-2 | Defense in depth design | |
| SD-3 | Security design review | CWE-269: Improper Privilege Management; CWE-654: Reliance on a Single Factor in a Security Decision; CWE-657: Violation of Secure Design Principles |
| SD-4 | Secure design best practices | CWE-1242: Inclusion of Undocumented Features or Chicken Bits; CWE-1246: Improper Write Handling in Limited-write Non-Volatile Memories; CWE-250: Execution with Unnecessary Privileges; CWE-269: Improper Privilege Management; CWE-654: Reliance on a Single Factor in a Security Decision; CWE-655: Insufficient Psychological Acceptability; CWE-657: Violation of Secure Design Principles; CWE-863: Incorrect Authorization; CWE-920: Improper Restriction of Power Consumption |
| SI-1 | Security implementation review | CWE-122: Heap-based Buffer Overflow; CWE-1246: Improper Write Handling in Limited-write Non-Volatile Memories; CWE-269: Improper Privilege Management; CWE-400: Uncontrolled Resource Consumption; CWE-416: Use After Free; CWE-654: Reliance on a Single Factor in a Security Decision; CWE-657: Violation of Secure Design Principles; CWE-770: Allocation of Resources Without Limits or Throttling; CWE-787: Out-of-bounds Write |
| SI-2 | Secure coding standards | CWE-122: Heap-based Buffer Overflow; CWE-1235: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations; CWE-190: Integer Overflow or Wraparound; CWE-770: Allocation of Resources Without Limits or Throttling; CWE-787: Out-of-bounds Write |
| SVV-1 | Security requirements testing | CWE-122: Heap-based Buffer Overflow; CWE-1395: Dependency on Vulnerable Third-Party Component; CWE-190: Integer Overflow or Wraparound; CWE-346: Origin Validation Error; CWE-771: Missing Reference to Active Allocated Resource; CWE-787: Out-of-bounds Write; CWE-863: Incorrect Authorization; CWE-94: Improper Control of Generation of Code ('Code Injection') |
| SVV-2 | Threat mitigation testing | |
| SVV-3 | Vulnerability testing | CWE-122: Heap-based Buffer Overflow; CWE-1242: Inclusion of Undocumented Features or Chicken Bits; CWE-1246: Improper Write Handling in Limited-write Non-Volatile Memories; CWE-1395: Dependency on Vulnerable Third-Party Component; CWE-190: Integer Overflow or Wraparound; CWE-306: Missing Authentication for Critical Function; CWE-400: Uncontrolled Resource Consumption; CWE-779: Logging of Excessive Data; CWE-787: Out-of-bounds Write; CWE-94: Improper Control of Generation of Code ('Code Injection') |
| SVV-4 | Penetration testing | CWE-863: Incorrect Authorization |
| SVV-5 | Independence of testers | |
| DM-1 | Receiving notifications of security-related issues | CWE-1395: Dependency on Vulnerable Third-Party Component |
| DM-2 | Reviewing security-related issues | |
| DM-3 | Assessing security-related issues | CWE-1395: Dependency on Vulnerable Third-Party Component |
| DM-4 | Addressing security-related issues | CWE-1395: Dependency on Vulnerable Third-Party Component |
| DM-5 | Disclosing security-related issues | |
| DM-6 | Periodic review of security defect management practice | |
| SG-1 | Product defense in depth | CWE-1059: Insufficient Technical Documentation |
| SG-2 | Defense in depth measures expected in the environment | CWE-1059: Insufficient Technical Documentation |
| SG-3 | Security hardening guidelines | CWE-1059: Insufficient Technical Documentation |
| SG-4 | Security disposal guidelines | CWE-1059: Insufficient Technical Documentation |
| SG-5 | Security operational guidelines | CWE-1059: Insufficient Technical Documentation |
| SG-6 | Account management guidelines | CWE-1059: Insufficient Technical Documentation |
| SG-7 | Documentation review | CWE-1059: Insufficient Technical Documentation |

Part 4-2

| BR-RE | Requirement | SL1 | SL2 | SL3 | SL4 | Mapped CWE(s) |
|---|---|---|---|---|---|---|
| CR 1.1 | Human user identification and authentication | x | x | x | x | CWE-1391: Use of Weak Credentials; CWE-250: Execution with Unnecessary Privileges; CWE-269: Improper Privilege Management; CWE-287: Improper Authentication; CWE-306: Missing Authentication for Critical Function |
| CR 1.1 RE 1 | Unique identification and authentication | | x | x | x | |
| CR 1.1 RE 2 | Multifactor authentication for all interfaces | | | x | x | |
| CR 1.2 | Software process and device identification and authentication | | x | x | x | CWE-1391: Use of Weak Credentials; CWE-287: Improper Authentication; CWE-306: Missing Authentication for Critical Function |
| CR 1.2 RE 1 | Unique identification and authentication | | | x | x | |
| CR 1.3 | Account management | x | x | x | x | |
| CR 1.4 | Identifier management | x | x | x | x | |
| CR 1.5 | Authenticator management | x | x | x | x | CWE-1391: Use of Weak Credentials; CWE-256: Plaintext Storage of a Password; CWE-311: Missing Encryption of Sensitive Data; CWE-798: Use of Hard-coded Credentials |
| CR 1.5 RE 1 | Hardware security for authenticators | | | x | x | |
| NDR 1.6 | Wireless access management | x | x | x | x | |
| NDR 1.6 RE 1 | Unique identification and authentication | | x | x | x | |
| CR 1.7 | Strength of password-based authentication | x | x | x | x | CWE-1391: Use of Weak Credentials |
| CR 1.7 RE 1 | Password generation and lifetime restrictions for human users | | | x | x | |
| CR 1.7 RE 2 | Password lifetime restriction for all users (human, software process or device) | | | | x | |
| CR 1.8 | Public key infrastructure certificates | | x | x | x | CWE-1391: Use of Weak Credentials |
| CR 1.9 | Strength of public key-based authentication | | x | x | x | CWE-1391: Use of Weak Credentials |
| CR 1.9 RE 1 | Hardware security for public key authentication | | | x | x | |
| CR 1.10 | Authenticator feedback | x | x | x | x | |
| CR 1.11 | Unsuccessful login attempts | x | x | x | x | |
| CR 1.12 | System use notification | x | x | x | x | |
| NDR 1.13 | Access via untrusted networks | x | x | x | x | |
| NDR 1.13 RE 1 | Explicit access request approval | | | x | x | |
| CR 1.14 | Strength of symmetric key-based authentication | | x | x | x | CWE-1391: Use of Weak Credentials |
| CR 1.14 RE 1 | Hardware security for symmetric key authentication | | | x | x | |
| CR 2.1 | Authorization enforcement | x | x | x | x | CWE-1391: Use of Weak Credentials; CWE-269: Improper Privilege Management; CWE-276: Incorrect Default Permissions; CWE-306: Missing Authentication for Critical Function; CWE-862: Missing Authorization; CWE-863: Incorrect Authorization |
| CR 2.1 RE 1 | Authorization enforcement for all users (human, software process and all devices) | | x | x | x | |
| CR 2.1 RE 2 | Permission mapping to roles | | x | x | x | |
| CR 2.1 RE 3 | Supervisor override | | | x | x | |
| CR 2.1 RE 4 | Dual approval | | | | x | |
| CR 2.2 | Wireless use control | x | x | x | x | CWE-863: Incorrect Authorization |
| CR 2.3 | Use control for portable and mobile devices | x | x | x | x | |
| SAR 2.4 | Mobile code | x | x | x | x | |
| HDR 2.4 | Mobile code | x | x | x | x | |
| NDR 2.4 | Mobile code | x | x | x | x | |
| EDR 2.4 | Mobile code | x | x | x | x | |
| SAR 2.4 RE 1 | Mobile code integrity check | | x | x | x | |
| HDR 2.4 RE 1 | Mobile code | | x | x | x | |
| NDR 2.4 RE 1 | Mobile code | | x | x | x | |
| EDR 2.4 RE 1 | Mobile code | | x | x | x | |
| CR 2.5 | Session lock | x | x | x | x | |
| CR 2.6 | Remote session termination | | x | x | x | |
| CR 2.7 | Concurrent session control | | | x | x | CWE-770: Allocation of Resources Without Limits or Throttling |
| CR 2.8 | Auditable events | x | x | x | x | |
| CR 2.9 | Audit storage capacity | x | x | x | x | |
| CR 2.9 RE 1 | Warn when audit log recorded capacity threshold reached | | | x | x | |
| CR 2.10 | Rationale and supplemental guidance | x | x | x | x | |
| CR 2.11 | Timestamps | x | x | x | x | |
| CR 2.11 RE 1 | Time synchronization | | x | x | x | |
| CR 2.11 RE 2 | Protection of time source integrity | | | | x | |
| CR 2.12 | Non-repudiation | x | x | x | x | CWE-1242: Inclusion of Undocumented Features or Chicken Bits |
| CR 2.12 RE 1 | Non-repudiation for all users | | | | x | |
| HDR 2.13 | Use of physical diagnostic and test interfaces | x | x | x | x | |
| NDR 2.13 | Use of physical diagnostic and test interfaces | x | x | x | x | |
| EDR 2.13 | Use of physical diagnostic and test interfaces | x | x | x | x | |
| HDR 2.13 RE 1 | Active monitoring | | | x | x | |
| NDR 2.13 RE 1 | Active monitoring | | | x | x | |
| EDR 2.13 RE 1 | Active monitoring | | | x | x | |
| CR 3.1 | Communication integrity | x | x | x | x | CWE-353: Missing Support for Integrity Check |
| CR 3.1 RE 1 | Communication authentication | | x | x | x | |
| SAR 3.2 | Protection from malicious code | x | x | x | x | |
| EDR 3.2 | Protection from malicious code | x | x | x | x | |
| HDR 3.2 | Protection from malicious code | x | x | x | x | |
| HDR 3.2 RE 1 | Report version of code protection | | x | x | x | |
| NDR 3.2 | Protection from malicious code | x | x | x | x | |
| CR 3.3 | Security functionality verification | x | x | x | x | |
| CR 3.3 RE 1 | Security functionality verification during normal operation | | | | x | |
| CR 3.4 | Software and information integrity | x | x | x | x | |
| CR 3.4 RE 1 | Authenticity of software and information | | x | x | x | |
| CR 3.4 RE 2 | Automated notification of integrity violations | | | x | x | |
| CR 3.5 | Input validation | x | x | x | x | CWE-122: Heap-based Buffer Overflow; CWE-190: Integer Overflow or Wraparound; CWE-754: Improper Check for Unusual or Exceptional Conditions; CWE-787: Out-of-bounds Write; CWE-94: Improper Control of Generation of Code ('Code Injection') |
| CR 3.6 | Deterministic output | x | x | x | x | |
| CR 3.7 | Error handling | x | x | x | x | CWE-754: Improper Check for Unusual or Exceptional Conditions |
| CR 3.8 | Session integrity | | x | x | x | |
| CR 3.9 | Protection of audit information | | x | x | x | |
| CR 3.9 RE 1 | Audit records on write once media | | | | x | |
| HDR 3.10 | Support for update | x | x | x | x | |
| NDR 3.10 | Support for update | x | x | x | x | |
| EDR 3.10 | Support for update | x | x | x | x | |
| HDR 3.10 RE 1 | Update authenticity and integrity | | x | x | x | |
| NDR 3.10 RE 1 | Update authenticity and integrity | | x | x | x | |
| EDR 3.10 RE 1 | Update authenticity and integrity | | x | x | x | |
| HDR 3.11 | Physical tamper resistance and detection | | x | x | x | |
| NDR 3.11 | Physical tamper resistance and detection | | x | x | x | |
| EDR 3.11 | Physical tamper resistance and detection | | x | x | x | |
| HDR 3.11 RE 1 | Notification of tampering attempt | | | x | x | |
| NDR 3.11 RE 1 | Notification of tampering attempt | | | x | x | |
| EDR 3.11 RE 1 | Notification of tampering attempt | | | x | x | |
| HDR 3.12 | Provisioning product supplier roots of trust | | x | x | x | CWE-1357: Reliance on Insufficiently Trustworthy Component; CWE-347: Improper Verification of Cryptographic Signature |
| NDR 3.12 | Provisioning product supplier roots of trust | | x | x | x | CWE-1357: Reliance on Insufficiently Trustworthy Component; CWE-347: Improper Verification of Cryptographic Signature |
| EDR 3.12 | Provisioning product supplier roots of trust | | x | x | x | CWE-1357: Reliance on Insufficiently Trustworthy Component; CWE-347: Improper Verification of Cryptographic Signature |
| HDR 3.13 | Provisioning asset owner roots of trust | | x | x | x | CWE-1357: Reliance on Insufficiently Trustworthy Component |
| NDR 3.13 | Provisioning asset owner roots of trust | | x | x | x | CWE-1357: Reliance on Insufficiently Trustworthy Component |
| EDR 3.13 | Provisioning asset owner roots of trust | | x | x | x | CWE-1357: Reliance on Insufficiently Trustworthy Component |
| HDR 3.14 | Integrity of the boot process | x | x | x | x | |
| NDR 3.14 | Integrity of the boot process | x | x | x | x | |
| EDR 3.14 | Integrity of the boot process | x | x | x | x | |
| HDR 3.14 RE 1 | Integrity of the boot chain | | x | x | x | |
| NDR 3.14 RE 1 | Integrity of the boot chain | | x | x | x | |
| EDR 3.14 RE 1 | Integrity of the boot chain | | x | x | x | |
| HDR 3.14 RE 2 | Authenticity of the boot process | | x | x | x | |
| NDR 3.14 RE 2 | Authenticity of the boot process | | x | x | x | |
| EDR 3.14 RE 2 | Authenticity of the boot process | | x | x | x | |
| CR 4.1 | Information confidentiality | x | x | x | x | CWE-311: Missing Encryption of Sensitive Data |
| CR 4.2 | Information persistence | | x | x | x | |
| CR 4.2 RE 1 | Erase of shared memory resources | | | x | x | |
| CR 4.2 RE 2 | Erase verification | | | x | x | |
| CR 4.3 | Use of cryptography | x | x | x | x | CWE-1391: Use of Weak Credentials; CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| CR 5.1 | Network segmentation | x | x | x | x | |
| NDR 5.2 | Zone boundary protection | x | x | x | x | |
| NDR 5.2 RE 1 | Deny all, permit by exception | | x | x | x | |
| NDR 5.2 RE 2 | Island mode | | | x | x | |
| NDR 5.2 RE 3 | Fail close | | | x | x | |
| NDR 5.3 | General-purpose person-to-person communication restrictions | x | x | x | x | |
| CR 5.4 | Application partitioning | x | x | x | x | |
| CR 6.1 | Audit log accessibility | x | x | x | x | |
| CR 6.1 RE 1 | Programmatic access to audit logs | | | x | x | |
| CR 6.2 | Continuous monitoring | | x | x | x | CWE-1395: Dependency on Vulnerable Third-Party Component; CWE-920: Improper Restriction of Power Consumption |
| CR 7.1 | Denial of service protection | x | x | x | x | CWE-400: Uncontrolled Resource Consumption |
| CR 7.1 RE 1 | Manage communication load from component | | x | x | x | |
| CR 7.2 | Resource management | x | x | x | x | CWE-1395: Dependency on Vulnerable Third-Party Component; CWE-190: Integer Overflow or Wraparound; CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling; CWE-771: Missing Reference to Active Allocated Resource; CWE-779: Logging of Excessive Data |
| CR 7.3 | Control system backup | x | x | x | x | CWE-311: Missing Encryption of Sensitive Data; CWE-321: Use of Hard-coded Cryptographic Key |
| CR 7.3 RE 1 | Backup integrity verification | | x | x | x | |
| CR 7.4 | Control system recovery and reconstitution | x | x | x | x | |
| CR 7.5 | Emergency power | x | x | x | x | CWE-1391: Use of Weak Credentials |
| CR 7.6 | Network and security configuration settings | x | x | x | x | |
| CR 7.6 RE 1 | Machine-readable reporting of current security settings | | | x | x | |
| CR 7.7 | Least functionality | x | x | x | x | |
| CR 7.8 | Control system component inventory | | x | x | x | |