1 files changed, 21 insertions, 19 deletions

diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst
index fb318dd..522b195 100644
--- a/docs/Chapter4/Security.rst
+++ b/docs/Chapter4/Security.rst
@@ -106,11 +106,10 @@ the product’s lifecycle.
     :id: R-23882
     :target: VNF
     :keyword: SHOULD
+    :updated: casablanca
 
-    The VNF **SHOULD** be scanned using both network scanning
-    and application scanning security tools on all code, including underlying
-    OS and related configuration. Scan reports shall be provided. Remediation
-    roadmaps shall be made available for any findings.
+    The VNF **SHOULD** provide the capability for the Operator to run security
+    vulnerability scans of the operating system and all application layers.
 
 .. req::
     :id: R-46986
@@ -124,13 +123,14 @@ the product’s lifecycle.
     :id: R-99771
     :target: VNF
     :keyword: MUST
+    :updated: casablanca
 
-    The VNF **MUST** provide all code/configuration files in a
-    "Locked down" or hardened state or with documented recommendations for
-    such hardening. All unnecessary services will be disabled. VNF provider
-    default credentials, community strings and other such artifacts will be
-    removed or disclosed so that they can be modified or removed during
-    provisioning.
+    The VNF **MUST** have all code (e.g., QCOW2) and configuration files
+    (e.g., HEAT template, Ansible playbook, script) hardened, or with
+    documented recommended configurations for hardening and interfaces that
+    allow the Operator to harden the VNF. Actions taken to harden a system
+    include disabling all unnecessary services, and changing default values
+    such as default credentials and community strings.
 
 .. req::
     :id: R-19768
@@ -383,10 +383,11 @@ Identity and Access Management Requirements
     :id: R-71787
     :target: VNF
     :keyword: MUST
+    :updated: casablanca
 
-    The VNF **MUST** comply with Segregation of Duties (access to a
-    single layer and no developer may access production without special
-    oversight) when persons or non-person entities access VNFs.
+    Each layer of the VNF **MUST** support access restriction
+    independently of all other layers so that Segregation of Duties
+    can be implemented.
 
 .. req::
     :id: R-86261
@@ -591,11 +592,11 @@ Identity and Access Management Requirements
 .. req::
     :id: R-15671
     :target: VNF
-    :keyword: MUST NOT
+    :keyword: MUST
+    :updated: casablanca
 
-    The VNF **MUST NOT** provide public or unrestricted access
-    to any data without the permission of the data owner. All data
-    classification and access controls must be followed.
+    The VNF **MUST** provide access controls that allow the Operator
+    to restrict access to VNF functions and data to authorized entities.
 
 .. req::
     :id: R-89753
@@ -1321,9 +1322,10 @@ Data Protection Requirements
     :id: R-95864
     :target: VNF
     :keyword: MUST
+    :updated: casablanca
 
-    The VNF **MUST** use commercial tools that comply with X.509
-    standards and produce x.509 compliant keys for public/private key generation.
+    The VNF **MUST** support digital certificates that comply with X.509
+    standards.
 
 .. req::
     :id: R-12110