That all looks pretty good to me. I would add one thing, however, and that is a recommendation (not requirement) for the console to have some form of fall-back authentication that does not require functioning IP or depend on external servers. Something like this:
Requirement: The Non-IP console interface SHOULD support an authentication mechanism which does not require functional IP or depend on external services. This authentication mechanism MAY be disabled until a failure of other preferred mechanisms is detected. In the event of fallback AUTHENTICATION, the interface MUST either implement a locally defined AUTHORIZATION profile or consider all commands to be AUTHORIZED.
Justification: It does little good to have a non-IP dependent console interface on a device if you cannot get into the device with it when the network is not working.
Warnings: There are many ways to implement this which would provide reduced security for the device. This mechanism SHOULD be implemented as a fallback if the preferred authentication method is not "LOCAL".
Example: Some devices which use TACACS or RADIUS for authentication will fall back to a local account if the TACACS or RADIUS server does not reply to an authentication request.
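The fallback rule proposed in the message above, sketched as an added example (not code from the message or from any device vendor). The account name, passphrase, command set and the `Reply` outcomes are constructed; treating an explicit reject from the remote server as "preferred mechanism working", so that no fallback occurs, is an assumption of this sketch.

```python
import hashlib
import hmac
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"      # remote server (e.g. TACACS or RADIUS) accepted the login
    REJECT = "reject"      # server answered and refused: the mechanism itself works
    NO_REPLY = "no_reply"  # timeout or unreachable: preferred mechanism has failed

SALT = b"constructed-salt"  # constructed value for the example

def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed local fallback account and its locally defined authorization profile.
LOCAL_ACCOUNTS = {"rescue": _kdf("constructed-passphrase")}
LOCAL_PROFILE = {"rescue": {"show", "ping", "reload"}}

def console_login(user, password, remote_reply, fallback_enabled=True):
    """Return (authenticated, source) for one console login attempt."""
    if remote_reply is Reply.ACCEPT:
        return True, "remote"
    if remote_reply is Reply.REJECT:
        # The server replied, so local fallback stays disabled; otherwise a
        # rejected user could simply retry against the local account.
        return False, "remote"
    # NO_REPLY: failure of the preferred mechanism detected.
    if not fallback_enabled:
        return False, "none"
    stored = LOCAL_ACCOUNTS.get(user, b"")
    return hmac.compare_digest(stored, _kdf(password)), "local"

def authorized(user, command, source, local_profile=LOCAL_PROFILE):
    """After fallback authentication: apply the local profile, or, when no
    profile is defined (None), consider all commands authorized."""
    if source != "local":
        raise ValueError("remote authorization is outside this sketch")
    if local_profile is None:
        return True
    return command in local_profile.get(user, set())
```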