This security evaluation standard applies to the evaluation of industrial control systems components. It applies to, but is not limited to, the following products:

a) Programmable Logic Controllers (PLC);
b) Distributed Control Systems (DCS);
c) Process control systems;
d) Data acquisition systems;
e) Historians, data loggers and data storage systems;
f) Control servers;
g) SCADA (Supervisory Control and Data Acquisition) servers;
h) Remote Terminal Units (RTU);
i) Intelligent Electronic Devices (IED);
j) Human-Machine Interfaces (HMI);
k) Input/Output (IO) servers;
l) Fieldbuses;
m) Networking equipment for ICS systems;
n) Data radios;
o) Smart sensors;
p) Controllers; and
q) Embedded system/controllers.

This standard does not contain general requirements that are intended to address functional testing of the product, except where expressly specified.

This standard also describes requirements for the product risk management process carried out by the vendor of the product, including a list of security controls that the product (or the vendor, as applicable) shall comply with unless a risk assessment done by the vendor shows that the risk of not implementing one of these security controls is acceptable.