...
Table 2-2: Requirements for Vulnerability Remediation for Internal Applications
In respect of newly developed applications:
...
...
[1]
...
Teams MAY refine a CVSS Base Score by evaluating its CVSS Environmental Score and thereby taken aspects like its classification or accessibility into account.
...
When a score is refined the respected CVSS vector MUST be documented.
[1] day = calendar day[2] CVSS = Common Vulnerability Scoring System (CVSS) v3, https://www.first.org/cvss