From e6ff9014e5b351684a261327ec4fa56e5521573c Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Sun, 14 Apr 2024 10:03:50 +0200 Subject: [PATCH 1/2] Add NIST Privacy Framework --- README.md | 13 +- .../library/libraries/nist-privacy-1.0.yaml | 922 ++++++++++++++++++ tools/nist/privacy/nist-privacy-1.0.xlsx | Bin 0 -> 19242 bytes tools/nist/privacy/nist-privacy-1.0.yaml | 922 ++++++++++++++++++ 4 files changed, 1851 insertions(+), 6 deletions(-) create mode 100644 backend/library/libraries/nist-privacy-1.0.yaml create mode 100644 tools/nist/privacy/nist-privacy-1.0.xlsx create mode 100644 tools/nist/privacy/nist-privacy-1.0.yaml diff --git a/README.md b/README.md index 3fd80f339..19210c479 100644 --- a/README.md +++ b/README.md @@ -71,12 +71,12 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant ## Supported frameworks πŸ™ -1. ISO 27001:2022 +1. ISO 27001:2022 🌐 2. NIST Cyber Security Framework (CSF) v1.1 πŸ‡ΊπŸ‡Έ 3. NIST Cyber Security Framework (CSF) v2.0 πŸ‡ΊπŸ‡Έ 4. NIS2 πŸ‡ͺπŸ‡Ί -5. SOC2 -6. PCI DSS 4.0 +5. SOC2 πŸ‡ΊπŸ‡Έ +6. PCI DSS 4.0 πŸ’³ 7. CMMC v2 πŸ‡ΊπŸ‡Έ 8. PSPF πŸ‡¦πŸ‡Ί 9. GDPR checklist from GDPR.EU πŸ‡ͺπŸ‡Ί @@ -87,13 +87,14 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant 14. NIST SP 800-53 rev5 πŸ‡ΊπŸ‡Έ 15. France LPM/OIV rules πŸ‡«πŸ‡· 16. CCB CyberFundamentals Framework πŸ‡§πŸ‡ͺ -17. NIST SP-800-66 (HIPAA) πŸ‡ΊπŸ‡Έ +17. NIST SP-800-66 (HIPAA) πŸ₯ 18. HDS/HDH πŸ‡«πŸ‡· -19. OWASP Application Security Verification Standard (ASVS) +19. OWASP Application Security Verification Standard (ASVS) 🐝 20. RGS v2.0 πŸ‡«πŸ‡· -21. AirCyber +21. AirCyber ✈️ 22. Cyber Resilience Act (CRA) πŸ‡ͺπŸ‡Ί 23. TIBER-EU πŸ‡ͺπŸ‡Ί +24. NIST Privacy Framework πŸ‡ΊπŸ‡Έ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the Domain Specific Language used and how you can define your own. 
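Review bot: the two README hunks bundle unrelated cosmetic edits (new emoji markers on the ISO 27001:2022, SOC2, PCI DSS 4.0, NIST SP-800-66 (HIPAA), OWASP ASVS and AirCyber entries) with the one line the commit subject actually describes, `+24. NIST Privacy Framework`; consider moving the marker changes to their own commit so the framework addition stays a small, reviewable diff. The diffstat also shows the same 922-line YAML committed twice (`backend/library/libraries/nist-privacy-1.0.yaml` and `tools/nist/privacy/nist-privacy-1.0.yaml`) together with a binary `nist-privacy-1.0.xlsx`; the commit message should say which copy is the source of truth and whether one is generated from the other, otherwise the two files will drift over time.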
diff --git a/backend/library/libraries/nist-privacy-1.0.yaml b/backend/library/libraries/nist-privacy-1.0.yaml new file mode 100644 index 000000000..8d79e24b9 --- /dev/null +++ b/backend/library/libraries/nist-privacy-1.0.yaml 
@@ -0,0 +1,922 @@ +urn: urn:intuitem:risk:library:nist-privacy-1.0 +locale: en +ref_id: NIST-PRIVACY-1.0 +name: NIST PRIVACY FRAMEWORK 1.0 +description: 'NIST Privacy Framework: A Tool for Improving Privacy through Enterprise + Risk Management. Details and credits on https://www.nist.gov/privacy-framework' +copyright: With the exception of material marked as copyrighted, information presented + on NIST sites are considered public information and may be distributed or copied. +version: 1 +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-privacy-1.0 + ref_id: NIST-PRIVACY-1.0 + name: NIST PRIVACY FRAMEWORK 1.0 + description: NIST Privacy Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + assessable: false + depth: 1 + ref_id: ID-P + name: IDENTIFY-P + description: Develop the organizational understanding to manage privacy risk + for individuals arising from data processing. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + ref_id: ID.IM-P + name: Inventory and Mapping + description: Data processing by systems, products, or services is understood + and informs the management of privacy risk. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P1 + description: Systems/products/services that process data are inventoried. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P2 + description: Owners or operators (e.g., the organization or third parties such + as service providers, partners, customers, and developers) and their roles + with respect to the systems/products/services and components (e.g., internal + or external) that process data are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P3 + description: Categories of individuals (e.g., customers, employees or prospective + employees, consumers) whose data are being processed are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P4 + description: Data actions of the systems/products/services are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P5 + description: The purposes for the data actions are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P6 + description: Data elements within the data actions are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P7 + description: The data processing environment is identified (e.g., geographic + location, internal, cloud, third parties). 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P8 + description: Data processing is mapped, illustrating the data actions and associated + data elements for systems/products/services, including components; roles of + the component owners/operators; and interactions of individuals or third parties + with the systems/products/services. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + ref_id: ID.BE-P + name: Business Environment + description: "The organization\u2019s mission, objectives, stakeholders, and\ + \ activities are understood and prioritized; this information is used to inform\ + \ privacy roles, responsibilities, and risk management decisions." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p + ref_id: ID.BE-P1 + description: "The organization\u2019s role(s) in the data processing ecosystem\ + \ are identified and communicated." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p + ref_id: ID.BE-P2 + description: Priorities for organizational mission, objectives, and activities + are established and communicated. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p + ref_id: ID.BE-P3 + description: Systems/products/services that support organizational priorities + are identified and key requirements communicated. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + ref_id: ID.RA-P + name: Risk Assessment + description: The organization understands the privacy risks to individuals and + how such privacy risks may create follow-on impacts on organizational operations, + including mission, functions, other risk management priorities (e.g., compliance, + financial), reputation, workforce, and culture. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P1 + description: "Contextual factors related to the systems/products/services and\ + \ the data actions are identified (e.g., individuals\u2019 demographics and\ + \ privacy interests or perceptions, data sensitivity and/or types, visibility\ + \ of data processing to individuals and third parties). " + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P2 + description: Data analytic inputs and outputs are identified and evaluated for + bias. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P3 + description: 'Potential problematic data actions and associated problems are + identified. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P4 + description: Problematic data actions, likelihoods, and impacts are used to + determine and prioritize risk. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P5 + description: Risk responses are identified, prioritized, and implemented. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + ref_id: ID.DE-P + name: Data Processing Ecosystem Risk Management + description: "The organization\u2019s priorities, constraints, risk tolerance,\ + \ and assumptions are established and used to support risk decisions associated\ + \ with managing privacy risk and third parties within the data processing\ + \ ecosystem. The organization has established and implemented the processes\ + \ to identify, assess, and manage privacy risks within the data processing\ + \ ecosystem." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P1 + description: Data processing ecosystem risk management policies, processes, + and procedures are identified, established, assessed, managed, and agreed + to by organizational stakeholders. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P2 + description: Data processing ecosystem parties (e.g., service providers, customers, + partners, product manufacturers, application developers) are identified, prioritized, + and assessed using a privacy risk assessment process. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P3 + description: "Contracts with data processing ecosystem parties are used to implement\ + \ appropriate measures designed to meet the objectives of an organization\u2019\ + s privacy program. " + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P4 + description: 'Interoperability frameworks or similar multi-party approaches + are used to manage data processing ecosystem privacy risks. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P5 + description: Data processing ecosystem parties are routinely assessed using + audits, test results, or other forms of evaluations to confirm they are meeting + their contractual, interoperability framework, or other obligations. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + assessable: false + depth: 1 + ref_id: GV-P + name: GOVERN-P + description: "Develop\_and implement\_the organizational governance structure\ + \ to enable an ongoing understanding of the organization\u2019s risk management\ + \ priorities\_that are\_informed by privacy risk." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + ref_id: GV.PO-P + name: Governance Policies, Processes, and Procedures + description: "The policies, processes, and procedures to manage and monitor\ + \ the organization\u2019s regulatory, legal, risk, environmental, and operational\ + \ requirements are understood and inform the management of privacy risk." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P1 + description: "Organizational privacy values and policies (e.g., conditions on\ + \ data processing such as data uses or retention periods, individuals\u2019\ + \ prerogatives with respect to data processing) are established and communicated." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P2 + description: Processes to instill organizational privacy values within system/product/service + development and operations are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P3 + description: 'Roles and responsibilities for the workforce are established with + respect to privacy. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P4 + description: Privacy roles and responsibilities are coordinated and aligned + with third-party stakeholders (e.g., service providers, customers, partners). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P5 + description: Legal, regulatory, and contractual requirements regarding privacy + are understood and managed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P6 + description: Governance and risk management policies, processes, and procedures + address privacy risks. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + ref_id: GV.RM-P + name: Risk Management Strategy + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support operational risk decisions." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p + ref_id: GV.RM-P1 + description: Risk management processes are established, managed, and agreed + to by organizational stakeholders. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p + ref_id: GV.RM-P2 + description: Organizational risk tolerance is determined and clearly expressed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p + ref_id: GV.RM-P3 + description: "The organization\u2019s determination of risk tolerance is informed\ + \ by its role(s) in the data processing ecosystem." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + ref_id: GV.AT-P + name: Awareness and Training + description: "The organization\u2019s workforce and third parties engaged in\ + \ data processing are provided privacy awareness education and are trained\ + \ to perform their privacy-related duties and responsibilities consistent\ + \ with related policies, processes, procedures, and agreements and organizational\ + \ privacy values." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + ref_id: GV.AT-P1 + description: 'The workforce is informed and trained on its roles and responsibilities. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + ref_id: GV.AT-P2 + description: Senior executives understand their roles and responsibilities. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + ref_id: GV.AT-P3 + description: Privacy personnel understand their roles and responsibilities. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + ref_id: GV.AT-P4 + description: Third parties (e.g., service providers, customers, partners) understand + their roles and responsibilities. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + ref_id: GV.MT-P + name: Monitoring and Review + description: "The policies, processes, and procedures for ongoing review of\ + \ the organization\u2019s privacy posture are understood and inform the management\ + \ of privacy risk." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P1 + description: "Privacy risk is re-evaluated on an ongoing basis and as key factors,\ + \ including the organization\u2019s business environment (e.g., introduction\ + \ of new technologies), governance (e.g., legal obligations, risk tolerance),\ + \ data processing, and systems/products/services change." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P2 + description: 'Privacy values, policies, and training are reviewed and any updates + are communicated. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P3 + description: Policies, processes, and procedures for assessing compliance with + legal requirements and privacy policies are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P4 + description: Policies, processes, and procedures for communicating progress + on managing privacy risks are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P5 + description: Policies, processes, and procedures are established and in place + to receive, analyze, and respond to problematic data actions disclosed to + the organization from internal and external sources (e.g., internal discovery, + privacy researchers, professional events). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P6 + description: Policies, processes, and procedures incorporate lessons learned + from problematic data actions. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P7 + description: Policies, processes, and procedures for receiving, tracking, and + responding to complaints, concerns, and questions from individuals about organizational + privacy practices are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p + assessable: false + depth: 1 + ref_id: CT-P + name: CONTROL-P + description: Develop and implement appropriate activities to enable organizations + or individuals to manage data with sufficient granularity to manage privacy + risks. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p + ref_id: CT.PO-P + name: Data Processing Policies, Processes, and Procedures + description: "Policies, processes, and procedures are maintained and used to\ + \ manage data processing (e.g., purpose, scope, roles and responsibilities\ + \ in the data processing ecosystem, and management commitment) consistent\ + \ with the organization\u2019s risk strategy to protect individuals\u2019\ + \ privacy." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + ref_id: CT.PO-P1 + description: Policies, processes, and procedures for authorizing data processing + (e.g., organizational decisions, individual consent), revoking authorizations, + and maintaining authorizations are established and in place. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + ref_id: CT.PO-P2 + description: Policies, processes, and procedures for enabling data review, transfer, + sharing or disclosure, alteration, and deletion are established and in place + (e.g., to maintain data quality, manage data retention). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + ref_id: CT.PO-P3 + description: "Policies, processes, and procedures for enabling individuals\u2019\ + \ data processing preferences and requests are established and in place." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + ref_id: CT.PO-P4 + description: A data life cycle to manage data is aligned and implemented with + the system development life cycle to manage systems. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p + ref_id: CT.DM-P + name: Data Processing Management + description: "Data are managed consistent with the organization\u2019s risk\ + \ strategy to protect individuals\u2019 privacy, increase manageability, and\ + \ enable the implementation of privacy principles (e.g., individual participation,\ + \ data quality, data minimization). " + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P1 + description: Data elements can be accessed for review. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P2 + description: Data elements can be accessed for transmission or disclosure. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P3 + description: Data elements can be accessed for alteration. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P4 + description: Data elements can be accessed for deletion. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P5 + description: Data are destroyed according to policy. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P6 + description: Data are transmitted using standardized formats. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P7 + description: Mechanisms for transmitting processing permissions and related + data values with data elements are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P8 + description: Audit/log records are determined, documented, implemented, and + reviewed in accordance with policy and incorporating the principle of data + minimization. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P9 + description: Technical measures implemented to manage data processing are tested + and assessed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P10 + description: Stakeholder privacy preferences are included in algorithmic design + objectives and outputs are evaluated against these preferences. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p + ref_id: CT.DP-P + name: Disassociated Processing + description: "Data processing solutions increase disassociability consistent\ + \ with the organization\u2019s risk strategy to protect individuals\u2019\ + \ privacy and enable implementation of privacy principles (e.g., data minimization)." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P1 + description: Data are processed to limit observability and linkability (e.g., + data actions take place on local devices, privacy-preserving cryptography). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P2 + description: Data are processed to limit the identification of individuals (e.g., + de-identification privacy techniques, tokenization). 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P3 + description: "Data are processed to limit the formulation of inferences about\ + \ individuals\u2019 behavior or activities (e.g., data processing is decentralized,\ + \ distributed architectures)." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P4 + description: 'System or device configurations permit selective collection or + disclosure of data elements. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P5 + description: Attribute references are substituted for attribute values. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p + assessable: false + depth: 1 + ref_id: CM-P + name: COMMUNICATE-P + description: Develop and implement appropriate activities to enable organizations + and individuals to have a reliable understanding and engage in a dialogue + about how data are processed and associated privacy risks. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p + ref_id: CM.PO-P + name: Communication Policies, Processes, and Procedures + description: "Policies, processes, and procedures are maintained and used to\ + \ increase transparency of the organization\u2019s data processing practices\ + \ (e.g., purpose, scope, roles and responsibilities in the data processing\ + \ ecosystem, and management commitment) and associated privacy risks." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p + ref_id: CM.PO-P1 + description: Transparency policies, processes, and procedures for communicating + data processing purposes, practices, and associated privacy risks are established + and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p + ref_id: CM.PO-P2 + description: Roles and responsibilities (e.g., public relations) for communicating + data processing purposes, practices, and associated privacy risks are established. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p + ref_id: CM.AW-P + name: Data Processing Awareness + description: "Individuals and organizations have reliable knowledge about data\ + \ processing practices and associated privacy risks, and effective mechanisms\ + \ are used and maintained to increase predictability consistent with the organization\u2019\ + s risk strategy to protect individuals\u2019 privacy. " + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P1 + description: "Mechanisms (e.g., notices, internal or public reports) for communicating\ + \ data processing purposes, practices, associated privacy risks, and options\ + \ for enabling individuals\u2019 data processing preferences and requests\ + \ are established and in place." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P2 + description: Mechanisms for obtaining feedback from individuals (e.g., surveys + or focus groups) about data processing and associated privacy risks are established + and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P3 + description: System/product/service design enables data processing visibility. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P4 + description: Records of data disclosures and sharing are maintained and can + be accessed for review or transmission/disclosure. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P5 + description: Data corrections or deletions can be communicated to individuals + or organizations (e.g., data sources) in the data processing ecosystem. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P6 + description: Data provenance and lineage are maintained and can be accessed + for review or transmission/disclosure. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P7 + description: Impacted individuals and organizations are notified about a privacy + breach or event. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P8 + description: Individuals are provided with mitigation mechanisms (e.g., credit + monitoring, consent withdrawal, data alteration or deletion) to address impacts + of problematic data actions. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + assessable: false + depth: 1 + ref_id: PR-P + name: PROTECT-P + description: Develop and implement appropriate data processing safeguards. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.PO-P + name: Data Protection Policies, Processes, and Procedures + description: Security and privacy policies (e.g., purpose, scope, roles and + responsibilities in the data processing ecosystem, and management commitment), + processes, and procedures are maintained and used to manage the protection + of data. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P1 + description: A baseline configuration of information technology is created and + maintained incorporating security principles (e.g., concept of least functionality). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P2 + description: Configuration change control processes are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P3 + description: Backups of information are conducted, maintained, and tested. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P4 + description: Policy and regulations regarding the physical operating environment + for organizational assets are met. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P5 + description: Protection processes are improved. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P6 + description: Effectiveness of protection technologies is shared. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P7 + description: Response plans (Incident Response and Business Continuity) and + recovery plans (Incident Recovery and Disaster Recovery) are established, + in place, and managed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P8 + description: Response and recovery plans are tested. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P9 + description: Privacy procedures are included in human resources practices (e.g., + deprovisioning, personnel screening). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P10 + description: A vulnerability management plan is developed and implemented. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.AC-P + name: Identity Management, Authentication, and Access Control + description: Access to data and devices is limited to authorized individuals, + processes, and devices, and is managed consistent with the assessed risk of + unauthorized access. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P1 + description: Identities and credentials are issued, managed, verified, revoked, + and audited for authorized individuals, processes, and devices. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P2 + description: Physical access to data and devices is managed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P3 + description: Remote access is managed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P4 + description: Access permissions and authorizations are managed, incorporating + the principles of least privilege and separation of duties. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P5 + description: Network integrity is protected (e.g., network segregation, network + segmentation). 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P6 + description: "Individuals and devices are proofed and bound to credentials,\ + \ and authenticated commensurate with the risk of the transaction (e.g., individuals\u2019\ + \ security and privacy risks and other organizational risks)." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.DS-P + name: Data Security + description: "Data are managed consistent with the organization\u2019s risk\ + \ strategy to protect individuals\u2019 privacy and maintain data confidentiality,\ + \ integrity, and availability." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P1 + description: Data-at-rest are protected. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P2 + description: Data-in-transit are protected. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P3 + description: Systems/products/services and associated data are formally managed + throughout removal, transfers, and disposition. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P4 + description: Adequate capacity to ensure availability is maintained. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P5 + description: Protections against data leaks are implemented. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P6 + description: Integrity checking mechanisms are used to verify software, firmware, + and information integrity. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P7 + description: The development and testing environment(s) are separate from the + production environment. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P8 + description: Integrity checking mechanisms are used to verify hardware integrity. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.MA-P + name: Maintenance + description: System maintenance and repairs are performed consistent with policies, + processes, and procedures. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p + ref_id: PR.MA-P1 + description: Maintenance and repair of organizational assets are performed and + logged, with approved and controlled tools. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p + ref_id: PR.MA-P2 + description: Remote maintenance of organizational assets is approved, logged, + and performed in a manner that prevents unauthorized access. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.PT-P + name: Protective Technology + description: Technical security solutions are managed to ensure the security + and resilience of systems/products/services and associated data, consistent + with related policies, processes, procedures, and agreements. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + ref_id: PR.PT-P1 + description: Removable media is protected and its use restricted according to + policy. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + ref_id: PR.PT-P2 + description: The principle of least functionality is incorporated by configuring + systems to provide only essential capabilities. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + ref_id: PR.PT-P3 + description: Communications and control networks are protected. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + ref_id: PR.PT-P4 + description: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented + to achieve resilience requirements in normal and adverse situations. 
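Review bot: the CM.AW-P description at the top of this region is emitted with a trailing space inside the quoted scalar (`...individuals\u2019 privacy. "`), which the YAML loader preserves and which then shows up as a stray space wherever the text is rendered; strip cell values in the xlsx-to-YAML conversion so every description ends at its final period like the surrounding nodes. The `\u2019` escapes for curly apostrophes are valid in double-quoted YAML, but mixing escaped and plain characters across nodes makes future diffs against revised framework text noisier than necessary, so pick one form and apply it consistently.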
diff --git a/tools/nist/privacy/nist-privacy-1.0.xlsx b/tools/nist/privacy/nist-privacy-1.0.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..96e22aeb7378a7c97fbf0daba5ee738eb9ad5b2c GIT binary patch literal 19242
diff --git a/tools/nist/privacy/nist-privacy-1.0.yaml b/tools/nist/privacy/nist-privacy-1.0.yaml new file mode 100644 index 000000000..8d79e24b9 --- /dev/null +++ b/tools/nist/privacy/nist-privacy-1.0.yaml
@@ -0,0 +1,922 @@ +urn: urn:intuitem:risk:library:nist-privacy-1.0 +locale: en +ref_id: NIST-PRIVACY-1.0 +name: NIST PRIVACY FRAMEWORK 1.0 +description: 'NIST Privacy Framework: A Tool for Improving Privacy through Enterprise + Risk Management. Details and credits on https://www.nist.gov/privacy-framework' +copyright: With the exception of material marked as copyrighted, information presented + on NIST sites are considered public information and may be distributed or copied. +version: 1 +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-privacy-1.0 + ref_id: NIST-PRIVACY-1.0 + name: NIST PRIVACY FRAMEWORK 1.0 + description: NIST Privacy Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + assessable: false + depth: 1 + ref_id: ID-P + name: IDENTIFY-P + description: Develop the organizational understanding to manage privacy risk + for individuals arising from data processing. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + ref_id: ID.IM-P + name: Inventory and Mapping + description: Data processing by systems, products, or services is understood + and informs the management of privacy risk. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P1 + description: Systems/products/services that process data are inventoried. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P2 + description: Owners or operators (e.g., the organization or third parties such + as service providers, partners, customers, and developers) and their roles + with respect to the systems/products/services and components (e.g., internal + or external) that process data are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P3 + description: Categories of individuals (e.g., customers, employees or prospective + employees, consumers) whose data are being processed are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P4 + description: Data actions of the systems/products/services are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P5 + description: The purposes for the data actions are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P6 + description: Data elements within the data actions are inventoried. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P7 + description: The data processing environment is identified (e.g., geographic + location, internal, cloud, third parties). 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p + ref_id: ID.IM-P8 + description: Data processing is mapped, illustrating the data actions and associated + data elements for systems/products/services, including components; roles of + the component owners/operators; and interactions of individuals or third parties + with the systems/products/services. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + ref_id: ID.BE-P + name: Business Environment + description: "The organization\u2019s mission, objectives, stakeholders, and\ + \ activities are understood and prioritized; this information is used to inform\ + \ privacy roles, responsibilities, and risk management decisions." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p + ref_id: ID.BE-P1 + description: "The organization\u2019s role(s) in the data processing ecosystem\ + \ are identified and communicated." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p + ref_id: ID.BE-P2 + description: Priorities for organizational mission, objectives, and activities + are established and communicated. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p + ref_id: ID.BE-P3 + description: Systems/products/services that support organizational priorities + are identified and key requirements communicated. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + ref_id: ID.RA-P + name: Risk Assessment + description: The organization understands the privacy risks to individuals and + how such privacy risks may create follow-on impacts on organizational operations, + including mission, functions, other risk management priorities (e.g., compliance, + financial), reputation, workforce, and culture. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P1 + description: "Contextual factors related to the systems/products/services and\ + \ the data actions are identified (e.g., individuals\u2019 demographics and\ + \ privacy interests or perceptions, data sensitivity and/or types, visibility\ + \ of data processing to individuals and third parties). " + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P2 + description: Data analytic inputs and outputs are identified and evaluated for + bias. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P3 + description: 'Potential problematic data actions and associated problems are + identified. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P4 + description: Problematic data actions, likelihoods, and impacts are used to + determine and prioritize risk. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p + ref_id: ID.RA-P5 + description: Risk responses are identified, prioritized, and implemented. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p + ref_id: ID.DE-P + name: Data Processing Ecosystem Risk Management + description: "The organization\u2019s priorities, constraints, risk tolerance,\ + \ and assumptions are established and used to support risk decisions associated\ + \ with managing privacy risk and third parties within the data processing\ + \ ecosystem. The organization has established and implemented the processes\ + \ to identify, assess, and manage privacy risks within the data processing\ + \ ecosystem." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P1 + description: Data processing ecosystem risk management policies, processes, + and procedures are identified, established, assessed, managed, and agreed + to by organizational stakeholders. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P2 + description: Data processing ecosystem parties (e.g., service providers, customers, + partners, product manufacturers, application developers) are identified, prioritized, + and assessed using a privacy risk assessment process. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P3 + description: "Contracts with data processing ecosystem parties are used to implement\ + \ appropriate measures designed to meet the objectives of an organization\u2019\ + s privacy program. " + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P4 + description: 'Interoperability frameworks or similar multi-party approaches + are used to manage data processing ecosystem privacy risks. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p + ref_id: ID.DE-P5 + description: Data processing ecosystem parties are routinely assessed using + audits, test results, or other forms of evaluations to confirm they are meeting + their contractual, interoperability framework, or other obligations. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + assessable: false + depth: 1 + ref_id: GV-P + name: GOVERN-P + description: "Develop\_and implement\_the organizational governance structure\ + \ to enable an ongoing understanding of the organization\u2019s risk management\ + \ priorities\_that are\_informed by privacy risk." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + ref_id: GV.PO-P + name: Governance Policies, Processes, and Procedures + description: "The policies, processes, and procedures to manage and monitor\ + \ the organization\u2019s regulatory, legal, risk, environmental, and operational\ + \ requirements are understood and inform the management of privacy risk." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P1 + description: "Organizational privacy values and policies (e.g., conditions on\ + \ data processing such as data uses or retention periods, individuals\u2019\ + \ prerogatives with respect to data processing) are established and communicated." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P2 + description: Processes to instill organizational privacy values within system/product/service + development and operations are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P3 + description: 'Roles and responsibilities for the workforce are established with + respect to privacy. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P4 + description: Privacy roles and responsibilities are coordinated and aligned + with third-party stakeholders (e.g., service providers, customers, partners). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P5 + description: Legal, regulatory, and contractual requirements regarding privacy + are understood and managed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p + ref_id: GV.PO-P6 + description: Governance and risk management policies, processes, and procedures + address privacy risks. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + ref_id: GV.RM-P + name: Risk Management Strategy + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support operational risk decisions." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p + ref_id: GV.RM-P1 + description: Risk management processes are established, managed, and agreed + to by organizational stakeholders. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p + ref_id: GV.RM-P2 + description: Organizational risk tolerance is determined and clearly expressed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p + ref_id: GV.RM-P3 + description: "The organization\u2019s determination of risk tolerance is informed\ + \ by its role(s) in the data processing ecosystem." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + ref_id: GV.AT-P + name: Awareness and Training + description: "The organization\u2019s workforce and third parties engaged in\ + \ data processing are provided privacy awareness education and are trained\ + \ to perform their privacy-related duties and responsibilities consistent\ + \ with related policies, processes, procedures, and agreements and organizational\ + \ privacy values." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + ref_id: GV.AT-P1 + description: 'The workforce is informed and trained on its roles and responsibilities. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + ref_id: GV.AT-P2 + description: Senior executives understand their roles and responsibilities. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + ref_id: GV.AT-P3 + description: Privacy personnel understand their roles and responsibilities. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p + ref_id: GV.AT-P4 + description: Third parties (e.g., service providers, customers, partners) understand + their roles and responsibilities. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p + ref_id: GV.MT-P + name: Monitoring and Review + description: "The policies, processes, and procedures for ongoing review of\ + \ the organization\u2019s privacy posture are understood and inform the management\ + \ of privacy risk." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P1 + description: "Privacy risk is re-evaluated on an ongoing basis and as key factors,\ + \ including the organization\u2019s business environment (e.g., introduction\ + \ of new technologies), governance (e.g., legal obligations, risk tolerance),\ + \ data processing, and systems/products/services change." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P2 + description: 'Privacy values, policies, and training are reviewed and any updates + are communicated. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P3 + description: Policies, processes, and procedures for assessing compliance with + legal requirements and privacy policies are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P4 + description: Policies, processes, and procedures for communicating progress + on managing privacy risks are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P5 + description: Policies, processes, and procedures are established and in place + to receive, analyze, and respond to problematic data actions disclosed to + the organization from internal and external sources (e.g., internal discovery, + privacy researchers, professional events). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P6 + description: Policies, processes, and procedures incorporate lessons learned + from problematic data actions. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p + ref_id: GV.MT-P7 + description: Policies, processes, and procedures for receiving, tracking, and + responding to complaints, concerns, and questions from individuals about organizational + privacy practices are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p + assessable: false + depth: 1 + ref_id: CT-P + name: CONTROL-P + description: Develop and implement appropriate activities to enable organizations + or individuals to manage data with sufficient granularity to manage privacy + risks. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p + ref_id: CT.PO-P + name: Data Processing Policies, Processes, and Procedures + description: "Policies, processes, and procedures are maintained and used to\ + \ manage data processing (e.g., purpose, scope, roles and responsibilities\ + \ in the data processing ecosystem, and management commitment) consistent\ + \ with the organization\u2019s risk strategy to protect individuals\u2019\ + \ privacy." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + ref_id: CT.PO-P1 + description: Policies, processes, and procedures for authorizing data processing + (e.g., organizational decisions, individual consent), revoking authorizations, + and maintaining authorizations are established and in place. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + ref_id: CT.PO-P2 + description: Policies, processes, and procedures for enabling data review, transfer, + sharing or disclosure, alteration, and deletion are established and in place + (e.g., to maintain data quality, manage data retention). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + ref_id: CT.PO-P3 + description: "Policies, processes, and procedures for enabling individuals\u2019\ + \ data processing preferences and requests are established and in place." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p + ref_id: CT.PO-P4 + description: A data life cycle to manage data is aligned and implemented with + the system development life cycle to manage systems. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p + ref_id: CT.DM-P + name: Data Processing Management + description: "Data are managed consistent with the organization\u2019s risk\ + \ strategy to protect individuals\u2019 privacy, increase manageability, and\ + \ enable the implementation of privacy principles (e.g., individual participation,\ + \ data quality, data minimization). " + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P1 + description: Data elements can be accessed for review. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P2 + description: Data elements can be accessed for transmission or disclosure. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P3 + description: Data elements can be accessed for alteration. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P4 + description: Data elements can be accessed for deletion. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P5 + description: Data are destroyed according to policy. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P6 + description: Data are transmitted using standardized formats. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P7 + description: Mechanisms for transmitting processing permissions and related + data values with data elements are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P8 + description: Audit/log records are determined, documented, implemented, and + reviewed in accordance with policy and incorporating the principle of data + minimization. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P9 + description: Technical measures implemented to manage data processing are tested + and assessed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p + ref_id: CT.DM-P10 + description: Stakeholder privacy preferences are included in algorithmic design + objectives and outputs are evaluated against these preferences. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p + ref_id: CT.DP-P + name: Disassociated Processing + description: "Data processing solutions increase disassociability consistent\ + \ with the organization\u2019s risk strategy to protect individuals\u2019\ + \ privacy and enable implementation of privacy principles (e.g., data minimization)." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P1 + description: Data are processed to limit observability and linkability (e.g., + data actions take place on local devices, privacy-preserving cryptography). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P2 + description: Data are processed to limit the identification of individuals (e.g., + de-identification privacy techniques, tokenization). 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P3 + description: "Data are processed to limit the formulation of inferences about\ + \ individuals\u2019 behavior or activities (e.g., data processing is decentralized,\ + \ distributed architectures)." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P4 + description: 'System or device configurations permit selective collection or + disclosure of data elements. ' + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p + ref_id: CT.DP-P5 + description: Attribute references are substituted for attribute values. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p + assessable: false + depth: 1 + ref_id: CM-P + name: COMMUNICATE-P + description: Develop and implement appropriate activities to enable organizations + and individuals to have a reliable understanding and engage in a dialogue + about how data are processed and associated privacy risks. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p + ref_id: CM.PO-P + name: Communication Policies, Processes, and Procedures + description: "Policies, processes, and procedures are maintained and used to\ + \ increase transparency of the organization\u2019s data processing practices\ + \ (e.g., purpose, scope, roles and responsibilities in the data processing\ + \ ecosystem, and management commitment) and associated privacy risks." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p + ref_id: CM.PO-P1 + description: Transparency policies, processes, and procedures for communicating + data processing purposes, practices, and associated privacy risks are established + and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p + ref_id: CM.PO-P2 + description: Roles and responsibilities (e.g., public relations) for communicating + data processing purposes, practices, and associated privacy risks are established. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p + ref_id: CM.AW-P + name: Data Processing Awareness + description: "Individuals and organizations have reliable knowledge about data\ + \ processing practices and associated privacy risks, and effective mechanisms\ + \ are used and maintained to increase predictability consistent with the organization\u2019\ + s risk strategy to protect individuals\u2019 privacy. " + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P1 + description: "Mechanisms (e.g., notices, internal or public reports) for communicating\ + \ data processing purposes, practices, associated privacy risks, and options\ + \ for enabling individuals\u2019 data processing preferences and requests\ + \ are established and in place." 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P2 + description: Mechanisms for obtaining feedback from individuals (e.g., surveys + or focus groups) about data processing and associated privacy risks are established + and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P3 + description: System/product/service design enables data processing visibility. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P4 + description: Records of data disclosures and sharing are maintained and can + be accessed for review or transmission/disclosure. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P5 + description: Data corrections or deletions can be communicated to individuals + or organizations (e.g., data sources) in the data processing ecosystem. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P6 + description: Data provenance and lineage are maintained and can be accessed + for review or transmission/disclosure. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P7 + description: Impacted individuals and organizations are notified about a privacy + breach or event. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p + ref_id: CM.AW-P8 + description: Individuals are provided with mitigation mechanisms (e.g., credit + monitoring, consent withdrawal, data alteration or deletion) to address impacts + of problematic data actions. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + assessable: false + depth: 1 + ref_id: PR-P + name: PROTECT-P + description: Develop and implement appropriate data processing safeguards. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.PO-P + name: Data Protection Policies, Processes, and Procedures + description: Security and privacy policies (e.g., purpose, scope, roles and + responsibilities in the data processing ecosystem, and management commitment), + processes, and procedures are maintained and used to manage the protection + of data. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P1 + description: A baseline configuration of information technology is created and + maintained incorporating security principles (e.g., concept of least functionality). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P2 + description: Configuration change control processes are established and in place. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P3 + description: Backups of information are conducted, maintained, and tested. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P4 + description: Policy and regulations regarding the physical operating environment + for organizational assets are met. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P5 + description: Protection processes are improved. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P6 + description: Effectiveness of protection technologies is shared. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P7 + description: Response plans (Incident Response and Business Continuity) and + recovery plans (Incident Recovery and Disaster Recovery) are established, + in place, and managed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P8 + description: Response and recovery plans are tested. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P9 + description: Privacy procedures are included in human resources practices (e.g., + deprovisioning, personnel screening). + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p + ref_id: PR.PO-P10 + description: A vulnerability management plan is developed and implemented. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.AC-P + name: Identity Management, Authentication, and Access Control + description: Access to data and devices is limited to authorized individuals, + processes, and devices, and is managed consistent with the assessed risk of + unauthorized access. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P1 + description: Identities and credentials are issued, managed, verified, revoked, + and audited for authorized individuals, processes, and devices. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P2 + description: Physical access to data and devices is managed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P3 + description: Remote access is managed. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P4 + description: Access permissions and authorizations are managed, incorporating + the principles of least privilege and separation of duties. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P5 + description: Network integrity is protected (e.g., network segregation, network + segmentation). 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p + ref_id: PR.AC-P6 + description: "Individuals and devices are proofed and bound to credentials,\ + \ and authenticated commensurate with the risk of the transaction (e.g., individuals\u2019\ + \ security and privacy risks and other organizational risks)." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.DS-P + name: Data Security + description: "Data are managed consistent with the organization\u2019s risk\ + \ strategy to protect individuals\u2019 privacy and maintain data confidentiality,\ + \ integrity, and availability." + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P1 + description: Data-at-rest are protected. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P2 + description: Data-in-transit are protected. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P3 + description: Systems/products/services and associated data are formally managed + throughout removal, transfers, and disposition. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P4 + description: Adequate capacity to ensure availability is maintained. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P5 + description: Protections against data leaks are implemented. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P6 + description: Integrity checking mechanisms are used to verify software, firmware, + and information integrity. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P7 + description: The development and testing environment(s) are separate from the + production environment. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p + ref_id: PR.DS-P8 + description: Integrity checking mechanisms are used to verify hardware integrity. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.MA-P + name: Maintenance + description: System maintenance and repairs are performed consistent with policies, + processes, and procedures. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p + ref_id: PR.MA-P1 + description: Maintenance and repair of organizational assets are performed and + logged, with approved and controlled tools. 
+ - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p + ref_id: PR.MA-P2 + description: Remote maintenance of organizational assets is approved, logged, + and performed in a manner that prevents unauthorized access. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p + ref_id: PR.PT-P + name: Protective Technology + description: Technical security solutions are managed to ensure the security + and resilience of systems/products/services and associated data, consistent + with related policies, processes, procedures, and agreements. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + ref_id: PR.PT-P1 + description: Removable media is protected and its use restricted according to + policy. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + ref_id: PR.PT-P2 + description: The principle of least functionality is incorporated by configuring + systems to provide only essential capabilities. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + ref_id: PR.PT-P3 + description: Communications and control networks are protected. + - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p + ref_id: PR.PT-P4 + description: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented + to achieve resilience requirements in normal and adverse situations. From 9dd0f2bf5daf2c7c9d47135c6f4c098e533205da Mon Sep 17 00:00:00 2001 
From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Sun, 14 Apr 2024 10:13:56 +0200 Subject: [PATCH 2/2] Delete nist-privacy-1.0.yaml useless --- tools/nist/privacy/nist-privacy-1.0.yaml | 922 ----------------------- 1 file changed, 922 deletions(-) delete mode 100644 tools/nist/privacy/nist-privacy-1.0.yaml diff --git a/tools/nist/privacy/nist-privacy-1.0.yaml b/tools/nist/privacy/nist-privacy-1.0.yaml deleted file mode 100644 index 8d79e24b9..000000000 --- a/tools/nist/privacy/nist-privacy-1.0.yaml +++ /dev/null 
@@ -1,922 +0,0 @@ -urn: urn:intuitem:risk:library:nist-privacy-1.0 -locale: en -ref_id: NIST-PRIVACY-1.0 -name: NIST PRIVACY FRAMEWORK 1.0 -description: 'NIST Privacy Framework: A Tool for Improving Privacy through Enterprise - Risk Management. Details and credits on https://www.nist.gov/privacy-framework' -copyright: With the exception of material marked as copyrighted, information presented - on NIST sites are considered public information and may be distributed or copied. -version: 1 -provider: NIST -packager: intuitem -objects: - framework: - urn: urn:intuitem:risk:framework:nist-privacy-1.0 - ref_id: NIST-PRIVACY-1.0 - name: NIST PRIVACY FRAMEWORK 1.0 - description: NIST Privacy Framework - requirement_nodes: - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p - assessable: false - depth: 1 - ref_id: ID-P - name: IDENTIFY-P - description: Develop the organizational understanding to manage privacy risk - for individuals arising from data processing. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p - ref_id: ID.IM-P - name: Inventory and Mapping - description: Data processing by systems, products, or services is understood - and informs the management of privacy risk. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - ref_id: ID.IM-P1 - description: Systems/products/services that process data are inventoried. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - ref_id: ID.IM-P2 - description: Owners or operators (e.g., the organization or third parties such - as service providers, partners, customers, and developers) and their roles - with respect to the systems/products/services and components (e.g., internal - or external) that process data are inventoried. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - ref_id: ID.IM-P3 - description: Categories of individuals (e.g., customers, employees or prospective - employees, consumers) whose data are being processed are inventoried. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - ref_id: ID.IM-P4 - description: Data actions of the systems/products/services are inventoried. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - ref_id: ID.IM-P5 - description: The purposes for the data actions are inventoried. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - ref_id: ID.IM-P6 - description: Data elements within the data actions are inventoried. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - ref_id: ID.IM-P7 - description: The data processing environment is identified (e.g., geographic - location, internal, cloud, third parties). 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p - ref_id: ID.IM-P8 - description: Data processing is mapped, illustrating the data actions and associated - data elements for systems/products/services, including components; roles of - the component owners/operators; and interactions of individuals or third parties - with the systems/products/services. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p - ref_id: ID.BE-P - name: Business Environment - description: "The organization\u2019s mission, objectives, stakeholders, and\ - \ activities are understood and prioritized; this information is used to inform\ - \ privacy roles, responsibilities, and risk management decisions." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p - ref_id: ID.BE-P1 - description: "The organization\u2019s role(s) in the data processing ecosystem\ - \ are identified and communicated." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p - ref_id: ID.BE-P2 - description: Priorities for organizational mission, objectives, and activities - are established and communicated. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p - ref_id: ID.BE-P3 - description: Systems/products/services that support organizational priorities - are identified and key requirements communicated. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p - ref_id: ID.RA-P - name: Risk Assessment - description: The organization understands the privacy risks to individuals and - how such privacy risks may create follow-on impacts on organizational operations, - including mission, functions, other risk management priorities (e.g., compliance, - financial), reputation, workforce, and culture. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p - ref_id: ID.RA-P1 - description: "Contextual factors related to the systems/products/services and\ - \ the data actions are identified (e.g., individuals\u2019 demographics and\ - \ privacy interests or perceptions, data sensitivity and/or types, visibility\ - \ of data processing to individuals and third parties). " - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p - ref_id: ID.RA-P2 - description: Data analytic inputs and outputs are identified and evaluated for - bias. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p - ref_id: ID.RA-P3 - description: 'Potential problematic data actions and associated problems are - identified. ' - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p - ref_id: ID.RA-P4 - description: Problematic data actions, likelihoods, and impacts are used to - determine and prioritize risk. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p - ref_id: ID.RA-P5 - description: Risk responses are identified, prioritized, and implemented. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p - ref_id: ID.DE-P - name: Data Processing Ecosystem Risk Management - description: "The organization\u2019s priorities, constraints, risk tolerance,\ - \ and assumptions are established and used to support risk decisions associated\ - \ with managing privacy risk and third parties within the data processing\ - \ ecosystem. The organization has established and implemented the processes\ - \ to identify, assess, and manage privacy risks within the data processing\ - \ ecosystem." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p - ref_id: ID.DE-P1 - description: Data processing ecosystem risk management policies, processes, - and procedures are identified, established, assessed, managed, and agreed - to by organizational stakeholders. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p - ref_id: ID.DE-P2 - description: Data processing ecosystem parties (e.g., service providers, customers, - partners, product manufacturers, application developers) are identified, prioritized, - and assessed using a privacy risk assessment process. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p - ref_id: ID.DE-P3 - description: "Contracts with data processing ecosystem parties are used to implement\ - \ appropriate measures designed to meet the objectives of an organization\u2019\ - s privacy program. " - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p - ref_id: ID.DE-P4 - description: 'Interoperability frameworks or similar multi-party approaches - are used to manage data processing ecosystem privacy risks. ' - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p - ref_id: ID.DE-P5 - description: Data processing ecosystem parties are routinely assessed using - audits, test results, or other forms of evaluations to confirm they are meeting - their contractual, interoperability framework, or other obligations. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p - assessable: false - depth: 1 - ref_id: GV-P - name: GOVERN-P - description: "Develop\_and implement\_the organizational governance structure\ - \ to enable an ongoing understanding of the organization\u2019s risk management\ - \ priorities\_that are\_informed by privacy risk." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p - ref_id: GV.PO-P - name: Governance Policies, Processes, and Procedures - description: "The policies, processes, and procedures to manage and monitor\ - \ the organization\u2019s regulatory, legal, risk, environmental, and operational\ - \ requirements are understood and inform the management of privacy risk." 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p - ref_id: GV.PO-P1 - description: "Organizational privacy values and policies (e.g., conditions on\ - \ data processing such as data uses or retention periods, individuals\u2019\ - \ prerogatives with respect to data processing) are established and communicated." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p - ref_id: GV.PO-P2 - description: Processes to instill organizational privacy values within system/product/service - development and operations are established and in place. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p - ref_id: GV.PO-P3 - description: 'Roles and responsibilities for the workforce are established with - respect to privacy. ' - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p - ref_id: GV.PO-P4 - description: Privacy roles and responsibilities are coordinated and aligned - with third-party stakeholders (e.g., service providers, customers, partners). - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p - ref_id: GV.PO-P5 - description: Legal, regulatory, and contractual requirements regarding privacy - are understood and managed. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p - ref_id: GV.PO-P6 - description: Governance and risk management policies, processes, and procedures - address privacy risks. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p - ref_id: GV.RM-P - name: Risk Management Strategy - description: "The organization\u2019s priorities, constraints, risk tolerances,\ - \ and assumptions are established and used to support operational risk decisions." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p - ref_id: GV.RM-P1 - description: Risk management processes are established, managed, and agreed - to by organizational stakeholders. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p - ref_id: GV.RM-P2 - description: Organizational risk tolerance is determined and clearly expressed. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p - ref_id: GV.RM-P3 - description: "The organization\u2019s determination of risk tolerance is informed\ - \ by its role(s) in the data processing ecosystem." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p - ref_id: GV.AT-P - name: Awareness and Training - description: "The organization\u2019s workforce and third parties engaged in\ - \ data processing are provided privacy awareness education and are trained\ - \ to perform their privacy-related duties and responsibilities consistent\ - \ with related policies, processes, procedures, and agreements and organizational\ - \ privacy values." 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p - ref_id: GV.AT-P1 - description: 'The workforce is informed and trained on its roles and responsibilities. ' - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p - ref_id: GV.AT-P2 - description: Senior executives understand their roles and responsibilities. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p - ref_id: GV.AT-P3 - description: Privacy personnel understand their roles and responsibilities. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p - ref_id: GV.AT-P4 - description: Third parties (e.g., service providers, customers, partners) understand - their roles and responsibilities. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p - ref_id: GV.MT-P - name: Monitoring and Review - description: "The policies, processes, and procedures for ongoing review of\ - \ the organization\u2019s privacy posture are understood and inform the management\ - \ of privacy risk." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p - ref_id: GV.MT-P1 - description: "Privacy risk is re-evaluated on an ongoing basis and as key factors,\ - \ including the organization\u2019s business environment (e.g., introduction\ - \ of new technologies), governance (e.g., legal obligations, risk tolerance),\ - \ data processing, and systems/products/services change." 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p - ref_id: GV.MT-P2 - description: 'Privacy values, policies, and training are reviewed and any updates - are communicated. ' - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p - ref_id: GV.MT-P3 - description: Policies, processes, and procedures for assessing compliance with - legal requirements and privacy policies are established and in place. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p - ref_id: GV.MT-P4 - description: Policies, processes, and procedures for communicating progress - on managing privacy risks are established and in place. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p - ref_id: GV.MT-P5 - description: Policies, processes, and procedures are established and in place - to receive, analyze, and respond to problematic data actions disclosed to - the organization from internal and external sources (e.g., internal discovery, - privacy researchers, professional events). - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p - ref_id: GV.MT-P6 - description: Policies, processes, and procedures incorporate lessons learned - from problematic data actions. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p - ref_id: GV.MT-P7 - description: Policies, processes, and procedures for receiving, tracking, and - responding to complaints, concerns, and questions from individuals about organizational - privacy practices are established and in place. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p - assessable: false - depth: 1 - ref_id: CT-P - name: CONTROL-P - description: Develop and implement appropriate activities to enable organizations - or individuals to manage data with sufficient granularity to manage privacy - risks. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p - ref_id: CT.PO-P - name: Data Processing Policies, Processes, and Procedures - description: "Policies, processes, and procedures are maintained and used to\ - \ manage data processing (e.g., purpose, scope, roles and responsibilities\ - \ in the data processing ecosystem, and management commitment) consistent\ - \ with the organization\u2019s risk strategy to protect individuals\u2019\ - \ privacy." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p - ref_id: CT.PO-P1 - description: Policies, processes, and procedures for authorizing data processing - (e.g., organizational decisions, individual consent), revoking authorizations, - and maintaining authorizations are established and in place. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p - ref_id: CT.PO-P2 - description: Policies, processes, and procedures for enabling data review, transfer, - sharing or disclosure, alteration, and deletion are established and in place - (e.g., to maintain data quality, manage data retention). - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p - ref_id: CT.PO-P3 - description: "Policies, processes, and procedures for enabling individuals\u2019\ - \ data processing preferences and requests are established and in place." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p - ref_id: CT.PO-P4 - description: A data life cycle to manage data is aligned and implemented with - the system development life cycle to manage systems. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p - ref_id: CT.DM-P - name: Data Processing Management - description: "Data are managed consistent with the organization\u2019s risk\ - \ strategy to protect individuals\u2019 privacy, increase manageability, and\ - \ enable the implementation of privacy principles (e.g., individual participation,\ - \ data quality, data minimization). " - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P1 - description: Data elements can be accessed for review. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P2 - description: Data elements can be accessed for transmission or disclosure. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P3 - description: Data elements can be accessed for alteration. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P4 - description: Data elements can be accessed for deletion. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P5 - description: Data are destroyed according to policy. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P6 - description: Data are transmitted using standardized formats. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P7 - description: Mechanisms for transmitting processing permissions and related - data values with data elements are established and in place. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P8 - description: Audit/log records are determined, documented, implemented, and - reviewed in accordance with policy and incorporating the principle of data - minimization. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p9 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P9 - description: Technical measures implemented to manage data processing are tested - and assessed. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p - ref_id: CT.DM-P10 - description: Stakeholder privacy preferences are included in algorithmic design - objectives and outputs are evaluated against these preferences. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p - ref_id: CT.DP-P - name: Disassociated Processing - description: "Data processing solutions increase disassociability consistent\ - \ with the organization\u2019s risk strategy to protect individuals\u2019\ - \ privacy and enable implementation of privacy principles (e.g., data minimization)." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p - ref_id: CT.DP-P1 - description: Data are processed to limit observability and linkability (e.g., - data actions take place on local devices, privacy-preserving cryptography). - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p - ref_id: CT.DP-P2 - description: Data are processed to limit the identification of individuals (e.g., - de-identification privacy techniques, tokenization). 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p - ref_id: CT.DP-P3 - description: "Data are processed to limit the formulation of inferences about\ - \ individuals\u2019 behavior or activities (e.g., data processing is decentralized,\ - \ distributed architectures)." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p - ref_id: CT.DP-P4 - description: 'System or device configurations permit selective collection or - disclosure of data elements. ' - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p - ref_id: CT.DP-P5 - description: Attribute references are substituted for attribute values. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p - assessable: false - depth: 1 - ref_id: CM-P - name: COMMUNICATE-P - description: Develop and implement appropriate activities to enable organizations - and individuals to have a reliable understanding and engage in a dialogue - about how data are processed and associated privacy risks. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p - ref_id: CM.PO-P - name: Communication Policies, Processes, and Procedures - description: "Policies, processes, and procedures are maintained and used to\ - \ increase transparency of the organization\u2019s data processing practices\ - \ (e.g., purpose, scope, roles and responsibilities in the data processing\ - \ ecosystem, and management commitment) and associated privacy risks." 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p - ref_id: CM.PO-P1 - description: Transparency policies, processes, and procedures for communicating - data processing purposes, practices, and associated privacy risks are established - and in place. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p - ref_id: CM.PO-P2 - description: Roles and responsibilities (e.g., public relations) for communicating - data processing purposes, practices, and associated privacy risks are established. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p - ref_id: CM.AW-P - name: Data Processing Awareness - description: "Individuals and organizations have reliable knowledge about data\ - \ processing practices and associated privacy risks, and effective mechanisms\ - \ are used and maintained to increase predictability consistent with the organization\u2019\ - s risk strategy to protect individuals\u2019 privacy. " - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - ref_id: CM.AW-P1 - description: "Mechanisms (e.g., notices, internal or public reports) for communicating\ - \ data processing purposes, practices, associated privacy risks, and options\ - \ for enabling individuals\u2019 data processing preferences and requests\ - \ are established and in place." 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - ref_id: CM.AW-P2 - description: Mechanisms for obtaining feedback from individuals (e.g., surveys - or focus groups) about data processing and associated privacy risks are established - and in place. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - ref_id: CM.AW-P3 - description: System/product/service design enables data processing visibility. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - ref_id: CM.AW-P4 - description: Records of data disclosures and sharing are maintained and can - be accessed for review or transmission/disclosure. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - ref_id: CM.AW-P5 - description: Data corrections or deletions can be communicated to individuals - or organizations (e.g., data sources) in the data processing ecosystem. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - ref_id: CM.AW-P6 - description: Data provenance and lineage are maintained and can be accessed - for review or transmission/disclosure. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - ref_id: CM.AW-P7 - description: Impacted individuals and organizations are notified about a privacy - breach or event. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p - ref_id: CM.AW-P8 - description: Individuals are provided with mitigation mechanisms (e.g., credit - monitoring, consent withdrawal, data alteration or deletion) to address impacts - of problematic data actions. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p - assessable: false - depth: 1 - ref_id: PR-P - name: PROTECT-P - description: Develop and implement appropriate data processing safeguards. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p - ref_id: PR.PO-P - name: Data Protection Policies, Processes, and Procedures - description: Security and privacy policies (e.g., purpose, scope, roles and - responsibilities in the data processing ecosystem, and management commitment), - processes, and procedures are maintained and used to manage the protection - of data. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P1 - description: A baseline configuration of information technology is created and - maintained incorporating security principles (e.g., concept of least functionality). - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P2 - description: Configuration change control processes are established and in place. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P3 - description: Backups of information are conducted, maintained, and tested. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P4 - description: Policy and regulations regarding the physical operating environment - for organizational assets are met. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P5 - description: Protection processes are improved. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P6 - description: Effectiveness of protection technologies is shared. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P7 - description: Response plans (Incident Response and Business Continuity) and - recovery plans (Incident Recovery and Disaster Recovery) are established, - in place, and managed. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P8 - description: Response and recovery plans are tested. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p9 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P9 - description: Privacy procedures are included in human resources practices (e.g., - deprovisioning, personnel screening). - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p - ref_id: PR.PO-P10 - description: A vulnerability management plan is developed and implemented. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p - ref_id: PR.AC-P - name: Identity Management, Authentication, and Access Control - description: Access to data and devices is limited to authorized individuals, - processes, and devices, and is managed consistent with the assessed risk of - unauthorized access. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p - ref_id: PR.AC-P1 - description: Identities and credentials are issued, managed, verified, revoked, - and audited for authorized individuals, processes, and devices. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p - ref_id: PR.AC-P2 - description: Physical access to data and devices is managed. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p - ref_id: PR.AC-P3 - description: Remote access is managed. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p - ref_id: PR.AC-P4 - description: Access permissions and authorizations are managed, incorporating - the principles of least privilege and separation of duties. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p - ref_id: PR.AC-P5 - description: Network integrity is protected (e.g., network segregation, network - segmentation). 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p - ref_id: PR.AC-P6 - description: "Individuals and devices are proofed and bound to credentials,\ - \ and authenticated commensurate with the risk of the transaction (e.g., individuals\u2019\ - \ security and privacy risks and other organizational risks)." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p - ref_id: PR.DS-P - name: Data Security - description: "Data are managed consistent with the organization\u2019s risk\ - \ strategy to protect individuals\u2019 privacy and maintain data confidentiality,\ - \ integrity, and availability." - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - ref_id: PR.DS-P1 - description: Data-at-rest are protected. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - ref_id: PR.DS-P2 - description: Data-in-transit are protected. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - ref_id: PR.DS-P3 - description: Systems/products/services and associated data are formally managed - throughout removal, transfers, and disposition. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - ref_id: PR.DS-P4 - description: Adequate capacity to ensure availability is maintained. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - ref_id: PR.DS-P5 - description: Protections against data leaks are implemented. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - ref_id: PR.DS-P6 - description: Integrity checking mechanisms are used to verify software, firmware, - and information integrity. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - ref_id: PR.DS-P7 - description: The development and testing environment(s) are separate from the - production environment. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p - ref_id: PR.DS-P8 - description: Integrity checking mechanisms are used to verify hardware integrity. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p - ref_id: PR.MA-P - name: Maintenance - description: System maintenance and repairs are performed consistent with policies, - processes, and procedures. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p - ref_id: PR.MA-P1 - description: Maintenance and repair of organizational assets are performed and - logged, with approved and controlled tools. 
- - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p - ref_id: PR.MA-P2 - description: Remote maintenance of organizational assets is approved, logged, - and performed in a manner that prevents unauthorized access. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p - ref_id: PR.PT-P - name: Protective Technology - description: Technical security solutions are managed to ensure the security - and resilience of systems/products/services and associated data, consistent - with related policies, processes, procedures, and agreements. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p - ref_id: PR.PT-P1 - description: Removable media is protected and its use restricted according to - policy. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p - ref_id: PR.PT-P2 - description: The principle of least functionality is incorporated by configuring - systems to provide only essential capabilities. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p - ref_id: PR.PT-P3 - description: Communications and control networks are protected. - - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p - ref_id: PR.PT-P4 - description: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented - to achieve resilience requirements in normal and adverse situations.
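Review bot: Inconsistent scalar quoting in this hunk: most `description` values are plain folded scalars, but the PR.AC-P6 subcategory and the PR.DS-P function description are emitted as double-quoted strings with `\u2019` escapes for the curly apostrophe (e.g. `individuals\u2019`, `organization\u2019s`). Either normalize those apostrophes to ASCII `'` in the source spreadsheet before conversion or configure the YAML dumper to emit unicode directly rather than escapes, so every description uses the same scalar style; as it stands, a plain-text search for "organization's" in the library file will not match these entries. Otherwise the tree reads consistently: the depth-1 PR-P node carries no `parent_urn`, each depth-2 function (PR.PO-P, PR.AC-P, PR.DS-P, PR.MA-P, PR.PT-P) has a `name`, and every depth-3 subcategory's `parent_urn` points at its function and matches its `ref_id` prefix.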