diff --git a/server_platform_requirements.adoc b/server_platform_requirements.adoc index 8f59cc7..00b43ce 100644 --- a/server_platform_requirements.adoc +++ b/server_platform_requirements.adoc @@ -161,6 +161,8 @@ TBD: it is expected the high-level root of trust / boot flow requirements will c |=== | ID# ^| Requirement | `SEC_010` | MUST implement UEFI Secure Boot and Driver Signing (cite:[UEFI] Section 32) +| `SEC_011` | It MUST be possible for a physically present user to disable Secure Boot enforcement, thus allowing unsigned code to be executed. +| `SEC_012` | It MUST be possible for a physically present user to fully manage the contents of all Secure Boot key stores (PK, KEK, db and dbx). This includes the ability to delete all factory-provided keys, enrolling their own custom keys, and resetting all key stores to their factory state. | `SEC_020` | MUST back the UEFI Authenticated Variables implementation with a mechanism that cannot be accessed or tampered by an unauthorized software or hardware agent.
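Review bot: SEC_011 and SEC_012 hinge on the term "physically present user" but neither the hunk nor the surrounding context defines how physical presence is established (firmware setup menu, a boot-time key press, a jumper or a TPM physical-presence interface), so an implementer cannot tell what satisfies the requirement; consider adding a definition or a cross-reference in the same table. SEC_012 also reads awkwardly: "the ability to delete all factory-provided keys, enrolling their own custom keys, and resetting all key stores" mixes verb forms, and should be "the ability to delete all factory-provided keys, enroll their own custom keys, and reset all key stores to their factory state". Finally, the relationship to SEC_020 should be made explicit: the physically present management path in SEC_011/SEC_012 must be the only way to bypass the authenticated-variable checks, otherwise a runtime agent could use the same path to disable enforcement or replace the key stores.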