History

2008

Where a vendor patch for ICT security vulnerabilities introduces new functionality in addition to resolving vulnerabilities, agencies must treat the resulting configuration as an unevaluated configuration and comply with the requirements for unevaluated configurations.