ISM-0300

Patches, updates or other vendor mitigations for vulnerabilities in high assurance IT equipment are applied only when approved by ASD, and in doing so, using methods and timeframes prescribed by ASD.

Topic
Mitigating known vulnerabilities
Applicable to
Secret, Top Secret

History

Priority
must not
Jun 2024
Patches, updates or other vendor mitigations for vulnerabilities in high assurance IT equipment are applied only when approved by ASD, and in doing so, using methods and timeframes prescribed by ASD.
References to high assurance ICT equipment were amended to high assurance IT equipment.
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in high assurance ICT equipment are applied only when approved by ASD, and in doing so, using methods and timeframes prescribed by ASD.
References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in high assurance ICT equipment are applied only when approved by ASD, and in doing so, using methods and timeframes prescribed by ASD.
References to ‘ACSC’ were replaced with ‘ASD’.
Mar 2022
Patches, updates or vendor mitigations for security vulnerabilities in high assurance ICT equipment are applied only when approved by the ACSC, and in doing so, using methods and timeframes prescribed by the ACSC.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
2015
High Assurance products must only be patched with ASD approved patches using methods and timeframes prescribed by ASD.
2010
Agencies must not patch high assurance products or HGCE without the patch being approved by DSD.