We have no technical corrections/comments but we do have a few minor updates: Typo on 2.2.3.7 – “The value Produ z ct Name of Branch Type indicates the name of the product.” Syntax: The plural of Product ID is “Product IDs”, not the possessive form “Product ID’s” (2.2.4.n) Syntax: Remove the “:” from the end of 2.2.5.4 Product Tree Model – Grouped: Semantics: The non-normative comment for [CSAF-2.215-1] should read: “The final two vulnerability involvement status states, ….” Reason: since presumably Completed and Disputed are also a final status state based on the statement that open or in-progress documents should eventually be issued as Disputed or Completed. Syntax: The plural forms of OID and MIB are “OIDs” and “MIBs” respectively, not the possessive form “OID’s” and “MIB’s” (4.4 Document Publisher). Formatting of indent for vuln:Notes on page 59 --------- Beth Pumo, MBA, CISA, CISM, CISSP, PCIP Principal – HIT Standards Technology Consultant Health IT Strategy and Policy (HITSP), Technology Risk Office (TRO) Kaiser Permanente Information Technology 6560 Greenwood Plaza Blvd Englewood, CO 80111 (303) 246-8258 (Mobile) --------- kp.org/thrive Out of Office July 24 th – July 28 th September 10 th – September 15 th October 23 rd – October 26 th PTO August 10 th – August 11 th August 31 st – September 1 st September 21 st – September 29 th NOTICE TO RECIPIENT: If you are not the intended recipient of this e-mail, you are prohibited from sharing, copying, or otherwise using or disclosing its contents. If you have received this e-mail in error, please notify the sender immediately by reply e-mail and permanently delete this e-mail and any attachments without reading, forwarding or saving them. Thank you.