From 2112da0f62cf90c7631e26ff57fe3128ca55589d Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Thu, 25 Apr 2024 13:23:25 +0200 Subject: [PATCH] Add Support for sp-800-171 --- README.md | 3 +- .../library/libraries/nist-800-171-rev2.yaml | 2584 +++++++++++++++++ tools/nist/sp-800-171/nist-800-171-rev2.xlsx | Bin 0 -> 50814 bytes 3 files changed, 2586 insertions(+), 1 deletion(-) create mode 100644 backend/library/libraries/nist-800-171-rev2.yaml create mode 100644 tools/nist/sp-800-171/nist-800-171-rev2.xlsx diff --git a/README.md b/README.md index 706080e7b..74ffb7fa5 100644 --- a/README.md +++ b/README.md @@ -103,6 +103,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant 28. CIS Controls v8* 29. CSA CCM (Cloud Controls Matrix)* 30. FADP (Federal Act on Data Protection) πŸ‡¨πŸ‡­ +31. NIST SP 800-171 rev2 πŸ‡ΊπŸ‡Έ
@@ -122,7 +123,7 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the - SOX - MASVS - FedRAMP -- NIST 800-171 +- NCSC Cyber Assessment Framework (CAF) - UK Cyber Essentials - and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, *free of charge* πŸ˜‰ diff --git a/backend/library/libraries/nist-800-171-rev2.yaml b/backend/library/libraries/nist-800-171-rev2.yaml new file mode 100644 index 000000000..077b48dee --- /dev/null +++ b/backend/library/libraries/nist-800-171-rev2.yaml @@ -0,0 +1,2584 @@ +urn: urn:intuitem:risk:library:nist-800-171-rev2 +locale: en +ref_id: nist-800-171-rev2 +name: NIST SP 800-171 Rev. 2 +description: 'Protecting Controlled Unclassified Information in Nonfederal Systems + and Organizations + + https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final' +copyright: NIST +version: 1 +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-800-171-rev2 + ref_id: nist-800-171-rev2 + name: NIST SP 800-171 Rev. 2 + description: 'Protecting Controlled Unclassified Information in Nonfederal Systems + and Organizations + + https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final' + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + assessable: false + depth: 1 + name: Access Control + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.1 + description: Limit system access to authorized users, processes acting on behalf + of authorized users, and devices (including other systems). + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.1 + description: 'Access control policies (e.g., identity- or role-based policies, + control matrices, and cryptography) control access between active entities + or subjects (i.e., users or processes acting on behalf of users) and passive + entities or objects (e.g., devices, files, records, and domains) in systems. + Access enforcement mechanisms can be employed at the application and service + level to provide increased information security. Other systems include systems + internal and external to the organization. This requirement focuses on account + management for systems and applications. The definition of and enforcement + of access authorizations, other than those determined by account + + type (e.g., privileged verses non-privileged) are addressed in requirement + 3.1.2.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.2 + description: Limit system access to the types of transactions and functions + that authorized users are permitted to execute. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.2 + description: Organizations may choose to define access privileges or other attributes + by account, by type of account, or a combination of both. System account types + include individual, shared, group, system, anonymous, guest, emergency, developer, + manufacturer, vendor, and temporary. Other attributes required for authorizing + access include restrictions on time-of-day, day-of-week, and point-of-origin. + In defining other account attributes, organizations consider system-related + requirements (e.g., system upgrades scheduled maintenance,) and mission or + business requirements, (e.g., time zone differences, customer requirements, + remote access to support travel requirements). + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.3 + description: Control the flow of CUI in accordance with approved authorizations. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.3 + description: 'Information flow control regulates where information can travel + within a system and between systems (versus who can access the information) + and without explicit regard to subsequent accesses to that information. Flow + control restrictions include the following: keeping export-controlled information + from being transmitted in the clear to the Internet; blocking outside traffic + that claims to be from within the organization; restricting requests to the + Internet that are not from the internal web proxy server; and limiting information + transfers between organizations based on data structures and content. Organizations + commonly use information flow control policies and enforcement mechanisms + to control the flow of information between designated sources and destinations + (e.g., networks, individuals, and devices) within systems and between interconnected + systems. Flow control is based on characteristics of the information or the + information path. Enforcement occurs in boundary protection devices (e.g., + gateways, routers, guards, encrypted tunnels, firewalls) that employ rule + sets or establish configuration settings that restrict system services, provide + a packet-filtering capability based on header information, or message-filtering + capability based on message content (e.g., implementing key word searches + or using document characteristics). Organizations also consider the trustworthiness + of filtering and inspection mechanisms (i.e., hardware, firmware, and software + components) that are critical to information flow enforcement. Transferring + information between systems representing different security domains with different + security policies introduces risk that such transfers violate one or more + domain security policies. In such situations, information owners or stewards + provide guidance at designated policy enforcement points between interconnected + systems. Organizations consider mandating specific architectural solutions + when required to enforce specific security policies. Enforcement includes: + prohibiting information transfers between interconnected systems (i.e., allowing + access only); employing hardware mechanisms to enforce one-way information + flows; and implementing trustworthy regrading mechanisms to reassign security + attributes and security labels.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.4 + description: Separate the duties of individuals to reduce the risk of malevolent + activity without collusion. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node10 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.4 + description: Separation of duties addresses the potential for abuse of authorized + privileges and helps to reduce the risk of malevolent activity without collusion. + Separation of duties includes dividing mission functions and system support + functions among different individuals or roles; conducting system support + functions with different individuals (e.g., configuration management, quality + assurance and testing, system management, programming, and network security); + and ensuring that security personnel administering access control functions + do not also administer audit functions. Because separation of duty violations + can span systems and application domains, organizations consider the entirety + of organizational systems and system components when developing policy on + separation of duties. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.5 + description: Employ the principle of least privilege, including for specific + security functions and privileged accounts. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node12 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.5 + description: Organizations employ the principle of least privilege for specific + duties and authorized accesses for users and processes. The principle of least + privilege is applied with the goal of authorized privileges no higher than + necessary to accomplish required organizational missions or business functions. + Organizations consider the creation of additional processes, roles, and system + accounts as necessary, to achieve least privilege. Organizations also apply + least privilege to the development, implementation, and operation of organizational + systems. Security functions include establishing system accounts, setting + events to be logged, setting intrusion detection parameters, and configuring + access authorizations (i.e., permissions, privileges). Privileged accounts, + including super user accounts, are typically described as system administrator + for various types of commercial off-the-shelf operating systems. Restricting + privileged accounts to specific personnel or roles prevents day-to-day users + from having access to privileged information or functions. Organizations may + differentiate in the application of this requirement between allowed privileges + for local accounts and for domain accounts provided organizations retain the + ability to control system configurations for key security parameters and as + otherwise necessary to sufficiently mitigate risk. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.6 + description: Use non-privileged accounts or roles when accessing nonsecurity + functions + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node14 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.6 + description: This requirement limits exposure when operating from within privileged + accounts or roles. The inclusion of roles addresses situations where organizations + implement access control policies such as role-based access control and where + a change of role provides the same degree of assurance in the change of access + authorizations for the user and all processes acting on behalf of the user + as would be provided by a change between a privileged and non-privileged account. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.7 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.7 + description: Prevent non-privileged users from executing privileged functions + and capture the execution of such functions in audit logs. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node16 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.7 + description: Privileged functions include establishing system accounts, performing + system integrity checks, conducting patching operations, or administering + cryptographic key management activities. Non-privileged users are individuals + that do not possess appropriate authorizations. Circumventing intrusion detection + and prevention mechanisms or malicious code protection mechanisms are examples + of privileged functions that require protection from non-privileged users. + Note that this requirement represents a condition to be achieved by the definition + of authorized privileges in 3.1.2. Misuse of privileged functions, either + intentionally or unintentionally by authorized users, or by unauthorized external + entities that have compromised system accounts, is a serious and ongoing concern + and can have significant adverse impacts on organizations. Logging the use + of privileged functions is one way to detect such misuse, and in doing so, + help mitigate the risk from insider threats and the advanced persistent threat. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.8 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.8 + description: Limit unsuccessful logon attempts. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node18 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.8 + description: This requirement applies regardless of whether the logon occurs + via a local or network connection. Due to the potential for denial of service, + automatic lockouts initiated by systems are, in most cases, temporary and + automatically release after a predetermined period established by the organization + (i.e., a delay algorithm). If a delay algorithm is selected, organizations + may employ different algorithms for different system components based on the + capabilities of the respective components. Responses to unsuccessful logon + attempts may be implemented at the operating system and application levels. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.9 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.9 + description: Provide privacy and security notices consistent with applicable + CUI rules. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node20 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.9 + description: System use notifications can be implemented using messages or warning + banners displayed before individuals log in to organizational systems. System + use notifications are used only for access via logon interfaces with human + users and are not required when such human interfaces do not exist. Based + on a risk assessment, organizations consider whether a secondary system use + notification is needed to access applications or other system resources after + the initial network logon. Where necessary, posters or other printed materials + may be used in lieu of an automated system banner. Organizations consult with + the Office of General Counsel for legal review and approval of warning banner + content + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.10 + description: Use session lock with pattern-hiding displays to prevent access + and viewing of data after a period of inactivity + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node22 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.10 + description: Session locks are temporary actions taken when users stop work + and move away from the immediate vicinity of the system but do not want to + log out because of the temporary nature of their absences. Session locks are + implemented where session activities can be determined, typically at the operating + system level (but can also be at the application level). Session locks are + not an acceptable substitute for logging out of the system, for example, if + organizations require users to log out at the end of the workday. Pattern-hiding + displays can include static or dynamic images, for example, patterns used + with screen savers, photographic images, solid colors, clock, battery life + indicator, or a blank screen, with the additional caveat that none of the + images convey controlled unclassified information. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.11 + description: Terminate (automatically) a user session after a defined condition. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node24 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.11 + description: "This requirement addresses the termination of user-initiated logical\ + \ sessions in contrast to the termination of network connections that are\ + \ associated with communications sessions (i.e., disconnecting from the network).\ + \ A logical session (for local, network, and remote access) is initiated whenever\ + \ a user (or process acting on behalf of a user) accesses an organizational\ + \ system. Such user sessions can be terminated (and thus terminate user access)\ + \ without terminating network sessions. Session termination terminates all\ + \ processes associated with a user\u2019s logical session except those processes\ + \ that are specifically created by the user (i.e., session owner) to continue\ + \ after the session is terminated. Conditions or trigger events requiring\ + \ automatic session termination can include organization-defined periods of\ + \ user inactivity, targeted responses to certain types of incidents, and time-of-day\ + \ restrictions on system use" + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.12 + description: Monitor and control remote access sessions. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node26 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.12 + description: Remote access is access to organizational systems by users (or + processes acting on behalf of users) communicating through external networks + (e.g., the Internet). Remote access methods include dial-up, broadband, and + wireless. Organizations often employ encrypted virtual private networks (VPNs) + to enhance confidentiality over remote connections. The use of encrypted VPNs + does not make the access non-remote; however, the use of VPNs, when adequately + provisioned with appropriate control (e.g., employing encryption techniques + for confidentiality protection), may provide sufficient assurance to the organization + that it can effectively treat such connections as internal networks. VPNs + with encrypted tunnels can affect the capability to adequately monitor network + communications traffic for malicious code. Automated monitoring and control + of remote access sessions allows organizations to detect cyber-attacks and + help to ensure ongoing compliance with remote access policies by auditing + connection activities of remote users on a variety of system components (e.g., + servers, workstations, notebook computers, smart phones, and tablets). [SP + 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access + and virtual private networks. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.13 + description: Employ cryptographic mechanisms to protect the confidentiality + of remote access sessions. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node28 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.13 + description: Cryptographic standards include FIPS-validated cryptography and + NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National + Security Agency Cryptographic Standards. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.14 + description: Route remote access via managed access control points. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node30 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.14 + description: Routing remote access through managed access control points enhances + explicit, organizational control over such connections, reducing the susceptibility + to unauthorized access to organizational systems resulting in the unauthorized + disclosure of CUI. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.15 + description: Authorize remote execution of privileged commands and remote access + to security-relevant information. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node32 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.15 + description: A privileged command is a human-initiated (interactively or via + a process operating on behalf of the human) command executed on a system involving + the control, monitoring, or administration of the system including security + functions and associated security-relevant information. Security-relevant + information is any information within the system that can potentially impact + the operation of security functions or the provision of security services + in a manner that could result in failure to enforce the system security policy + or maintain isolation of code and data. Privileged commands give individuals + the ability to execute sensitive, security-critical, or security-relevant + system functions. Controlling such access from remote locations helps to ensure + that unauthorized individuals are not able to execute such commands freely + with the potential to do serious or catastrophic damage to organizational + systems. Note that the ability to affect the integrity of the system is considered + security-relevant as that could enable the means to by-pass security functions + although not directly impacting the function itself. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.16 + description: Authorize wireless access prior to allowing such connections + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node34 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.16 + description: Establishing usage restrictions and configuration/connection requirements + for wireless access to the system provides criteria for organizations to support + wireless access authorization decisions. Such restrictions and requirements + reduce the susceptibility to unauthorized access to the system through wireless + technologies. Wireless networks use authentication protocols which provide + credential protection and mutual authentication. [SP 800-97] provides guidance + on secure wireless networks. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.17 + description: Protect wireless access using authentication and encryption + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node36 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.17 + description: Organizations authenticate individuals and devices to help protect + wireless access to the system. Special attention is given to the wide variety + of devices that are part of the Internet of Things with potential wireless + access to organizational systems. See [NIST CRYPTO]. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.18 + description: Control connection of mobile devices. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node38 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.18 + description: 'A mobile device is a computing device that has a small form factor + such that it can easily be carried by a single individual; is designed to + operate without a physical connection (e.g., wirelessly transmit or receive + information); possesses local, non-removable or removable data storage; and + includes a self-contained power source. Mobile devices may also include voice + communication capabilities, on-board sensors that allow the device to capture + information, or built-in features for synchronizing local data with remote + locations. Examples of mobile devices include smart phones, e-readers, and + tablets. Due to the large variety of mobile devices with different technical + characteristics and capabilities, organizational restrictions may vary for + the different types of devices. Usage restrictions and implementation guidance + for mobile devices include: device identification and authentication; configuration + management; implementation of mandatory protective software (e.g., malicious + code detection, firewall); scanning devices for malicious code; updating virus + protection software; scanning for critical software updates and patches; conducting + primary operating system (and possibly other resident software) integrity + checks; and disabling unnecessary hardware (e.g., wireless, infrared). The + need to provide adequate security for mobile devices goes beyond this requirement. + Many controls for mobile devices are reflected in other CUI security requirements. [SP + 800-124] provides guidance on mobile device security.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.19 + description: 'Encrypt CUI on mobile devices and mobile computing platforms.[23] ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node40 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.19 + description: 'Organizations can employ full-device encryption or container-based + encryption to protect the confidentiality of CUI on mobile devices and computing + platforms. Container-based encryption provides a more fine-grained approach + to the encryption of data and information including encrypting selected data + structures such as files, records, or fields. See [NIST CRYPTO]. + + + [23] Mobile devices and computing platforms include, for example, smartphones + and tablets.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.20 + description: Verify and control/limit connections to and use of external systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node42 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.20 + description: "External systems are systems or components of systems for which\ + \ organizations typically have no direct supervision and authority over the\ + \ application of security requirements and controls or the determination of\ + \ the effectiveness of implemented controls on those systems. External systems\ + \ include personally owned systems, components, or devices and privately-owned\ + \ computing and communications devices resident in commercial or public facilities.\ + \ This requirement also addresses the use of external systems for the processing,\ + \ storage, or transmission of CUI, including accessing cloud services (e.g.,\ + \ infrastructure as a service, platform as a service, or software as a service)\ + \ from organizational systems. Organizations establish terms and conditions\ + \ for the use of external systems in accordance with organizational security\ + \ policies and procedures. Terms and conditions address as a minimum, the\ + \ types of applications that can be accessed on organizational systems from\ + \ external systems. If terms and conditions with the owners of external systems\ + \ cannot be established, organizations may impose restrictions on organizational\ + \ personnel using those external systems. This requirement recognizes that\ + \ there are circumstances where individuals using external systems (e.g.,\ + \ contractors, coalition partners) need to access organizational systems.\ + \ In those situations, organizations need confidence that the external systems\ + \ contain the necessary controls so as not to compromise, damage, or otherwise\ + \ harm organizational systems. Verification that the required controls have\ + \ been effectively implemented can be achieved by third-party, independent\ + \ assessments, attestations, or other means, depending on the assurance or\ + \ confidence level required by organizations. Note that while \u201Cexternal\u201D\ + \ typically refers to outside of the organization\u2019s direct supervision\ + \ and authority, that is not always the case. Regarding the protection of\ + \ CUI across an organization, the organization may have systems that process\ + \ CUI and others that do not. And among the systems that process CUI there\ + \ are likely access restrictions for CUI that apply between systems. Therefore,\ + \ from the perspective of a given system, other systems within the organization\ + \ may be considered \u201Cexternal\" to that system." + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.21 + description: Limit use of portable storage devices on external systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node44 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.21 + description: "Limits on the use of organization-controlled portable storage\ + \ devices in external systems include complete prohibition of the use of such\ + \ devices or restrictions on how the devices may be used and under what conditions\ + \ the devices may be used. Note that while \u201Cexternal\u201D typically\ + \ refers to outside of the organization\u2019s direct supervision and authority,\ + \ that is not always the case. Regarding the protection of CUI across an\ + \ organization, the organization may have systems that process CUI and others\ + \ that do not. Among the systems that process CUI there are likely access\ + \ restrictions for CUI that apply between systems. Therefore, from the perspective\ + \ of a given system, other systems within the organization may be considered\ + \ \u201Cexternal\" to that system." + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node2 + ref_id: 3.1.22 + description: Control CUI posted or processed on publicly accessible systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node46 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.1.22 + description: In accordance with laws, Executive Orders, directives, policies, + regulations, or standards, the public is not authorized access to nonpublic + information (e.g., information protected under the Privacy Act, CUI, and proprietary + information). This requirement addresses systems that are controlled by the + organization and accessible to the public, typically without identification + or authentication. Individuals authorized to post CUI onto publicly accessible + systems are designated. The content of information is reviewed prior to posting + onto publicly accessible systems to ensure that nonpublic information is not + included. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node47 + assessable: false + depth: 1 + name: Awareness and Training + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.2.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node47 + ref_id: 3.2.1 + description: Ensure that managers, systems administrators, and users of organizational + systems are made aware of the security risks associated with their activities + and of the applicable policies, standards, and procedures related to the security + of those systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node49 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.2.1 + description: 'Organizations determine the content and frequency of security + awareness training and security awareness techniques based on the specific + organizational requirements and the systems to which personnel have authorized + access. The content includes a basic understanding of the need for information + security and user actions to maintain security and to respond to suspected + security incidents. The content also addresses awareness of the need for operations + security. Security awareness techniques include: formal training; offering + supplies inscribed with security reminders; generating email advisories or + notices from organizational officials; displaying logon screen messages; displaying + security awareness posters; and conducting information security awareness + events. [SP 800-50] provides guidance on security awareness and training + programs.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.2.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node47 + ref_id: 3.2.2 + description: Ensure that personnel are trained to carry out their assigned information + security-related duties and responsibilities. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node51 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.2.2 + description: Organizations determine the content and frequency of security training + based on the assigned duties, roles, and responsibilities of individuals and + the security requirements of organizations and the systems to which personnel + have authorized access. In addition, organizations provide system developers, + enterprise architects, security architects, acquisition/procurement officials, + software developers, system developers, systems integrators, system/network + administrators, personnel conducting configuration management and auditing + activities, personnel performing independent verification and validation, + security assessors, and other personnel having access to system-level software, + security-related technical training specifically tailored for their assigned + duties. Comprehensive role-based training addresses management, operational, + and technical roles and responsibilities covering physical, personnel, and + technical controls. Such training can include policies, procedures, tools, + and artifacts for the security roles defined. Organizations also provide the + training necessary for individuals to carry out their responsibilities related + to operations and supply chain security within the context of organizational + information security programs. [SP 800-181] provides guidance on role-based + information security training in the workplace. [SP 800-161] provides guidance + on supply chain risk management. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.2.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node47 + ref_id: 3.2.3 + description: Provide security awareness training on recognizing and reporting + potential indicators of insider threat. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node53 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.2.3 + description: 'Potential indicators and possible precursors of insider threat + include behaviors such as: inordinate, long-term job dissatisfaction; attempts + to gain access to information that is not required for job performance; unexplained + access to financial resources; bullying or sexual harassment of fellow employees; + workplace violence; and other serious violations of the policies, procedures, + directives, rules, or practices of organizations. Security awareness training + includes how to communicate employee and management concerns regarding potential + indicators of insider threat through appropriate organizational channels in + accordance with established organizational policies and procedures. Organizations + may consider tailoring insider threat awareness topics to the role (e.g., + training for managers may be focused on specific changes in behavior of team + members, while training for employees may be focused on more general observations).' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + assessable: false + depth: 1 + name: Audit and Accountability + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.1 + description: Create and retain system audit logs and records to the extent needed + to enable the monitoring, analysis, investigation, and reporting of unlawful + or unauthorized system activity + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node56 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.1 + description: An event is any observable occurrence in a system, which includes + unlawful or unauthorized system activity. Organizations identify event types + for which a logging functionality is needed as those events which are significant + and relevant to the security of systems and the environments in which those + systems operate to meet specific and ongoing auditing needs. Event types can + include password changes, failed logons or failed accesses related to systems, + administrative privilege usage, or third-party credential usage. In determining + event types that require logging, organizations consider the monitoring and + auditing appropriate for each of the CUI security requirements. Monitoring + and auditing requirements can be balanced with other system needs. For example, + organizations may determine that systems must have the capability to log every + file access both successful and unsuccessful, but not activate that capability + except for specific circumstances due to the potential burden on system performance. Audit + records can be generated at various levels of abstraction, including at the + packet level as information traverses the network. Selecting the appropriate + level of abstraction is a critical aspect of an audit logging capability and + can facilitate the identification of root causes to problems. Organizations + consider in the definition of event types, the logging necessary to cover + related events such as the steps in distributed, transaction-based processes + (e.g., processes that are distributed across multiple organizations) and actions + that occur in service-oriented or cloud-based architectures. Audit record + content that may be necessary to satisfy this requirement includes time stamps, + source and destination addresses, user or process identifiers, event descriptions, + success or fail indications, filenames involved, and access control or flow + control rules invoked. Event outcomes can include indicators of event success + or failure and event-specific results (e.g., the security state of the system + after the event occurred). Detailed information that organizations may consider + in audit records includes full text recording of privileged commands or the + individual identities of group account users. Organizations consider limiting + the additional audit log information to only that information explicitly needed + for specific audit requirements. This facilitates the use of audit trails + and audit logs by not including information that could potentially be misleading + or could make it more difficult to locate information of interest. Audit logs + are reviewed and analyzed as often as needed to provide important information + to organizations to facilitate risk-based decision making. [SP 800-92] provides + guidance on security log management. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.2 + description: Ensure that the actions of individual system users can be uniquely + traced to those users, so they can be held accountable for their actions. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node58 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.2 + description: This requirement ensures that the contents of the audit record + include the information needed to link the audit event to the actions of an + individual to the extent feasible. Organizations consider logging for traceability + including results from monitoring of account usage, remote access, wireless + connectivity, mobile device connection, communications at system boundaries, + configuration settings, physical access, nonlocal maintenance, use of maintenance + tools, temperature and humidity, equipment delivery and removal, system component + inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.3 + description: Review and update logged events. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node60 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.3 + description: The intent of this requirement is to periodically re-evaluate which + logged events will continue to be included in the list of events to be logged. + The event types that are logged by organizations may change over time. Reviewing + and updating the set of logged event types periodically is necessary to ensure + that the current set remains necessary and sufficient. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.4 + description: Alert in the event of an audit logging process failure. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node62 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.4 + description: Audit logging process failures include software and hardware errors, + failures in the audit record capturing mechanisms, and audit record storage + capacity being reached or exceeded. This requirement applies to each audit + record data storage repository (i.e., distinct system component where audit + records are stored), the total audit record storage capacity of organizations + (i.e., all audit record data storage repositories combined), or both. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.5 + description: Correlate audit record review, analysis, and reporting processes + for investigation and response to indications of unlawful, unauthorized, suspicious, + or unusual activity. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node64 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.5 + description: Correlating audit record review, analysis, and reporting processes + helps to ensure that they do not operate independently, but rather collectively. + Regarding the assessment of a given organizational system, the requirement + is agnostic as to whether this correlation is applied at the system level + or at the organization level across all systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.6 + description: Provide audit record reduction and report generation to support + on-demand analysis and reporting. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node66 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.6 + description: Audit record reduction is a process that manipulates collected + audit information and organizes such information in a summary format that + is more meaningful to analysts. Audit record reduction and report generation + capabilities do not always emanate from the same system or organizational + entities conducting auditing activities. Audit record reduction capability + can include, for example, modern data mining techniques with advanced data + filters to identify anomalous behavior in audit records. The report generation + capability provided by the system can help generate customizable reports. + Time ordering of audit records can be a significant issue if the granularity + of the time stamp in the record is insufficient. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.7 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.7 + description: Provide a system capability that compares and synchronizes internal + system clocks with an authoritative source to generate time stamps for audit + records + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node68 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.7 + description: 'Internal system clocks are used to generate time stamps, which + include date and time. Time is expressed in Coordinated Universal Time (UTC), + a modern continuation of Greenwich Mean Time (GMT), or local time with an + offset from UTC. The granularity of time measurements refers to the degree + of synchronization between system clocks and reference clocks, for example, + clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. + Organizations may define different time granularities for different system + components. Time service can also be critical to other security capabilities + such as access control and identification and authentication, depending on + the nature of the mechanisms used to support those capabilities. This requirement + provides uniformity of time stamps for systems with multiple system clocks + and systems connected over a network. See [IETF 5905]. ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.8 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.8 + description: Protect audit information and audit logging tools from unauthorized + access, modification, and deletion. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node70 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.8 + description: Audit information includes all information (e.g., audit records, + audit log settings, and audit reports) needed to successfully audit system + activity. Audit logging tools are those programs and devices used to conduct + audit and logging activities. This requirement focuses on the technical protection + of audit information and limits the ability to access and execute audit logging + tools to authorized individuals. Physical protection of audit information + is addressed by media protection and physical and environmental protection + requirements. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.9 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node54 + ref_id: 3.3.9 + description: Limit management of audit logging functionality to a subset of + privileged users. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node72 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.3.9 + description: Individuals with privileged access to a system and who are also + the subject of an audit by that system, may affect the reliability of audit + information by inhibiting audit logging activities or modifying audit records. + This requirement specifies that privileged access be further defined between + audit-related privileges and other privileges, thus limiting the users with + audit-related privileges + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + assessable: false + depth: 1 + name: Configuration Management + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.1 + description: Establish and maintain baseline configurations and inventories + of organizational systems (including hardware, software, firmware, and documentation) + throughout the respective system development life cycles. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node75 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.1 + description: 'Baseline configurations are documented, formally reviewed, and + agreed-upon specifications for systems or configuration items within those + systems. Baseline configurations serve as a basis for future builds, releases, + and changes to systems. Baseline configurations include information about + system components (e.g., standard software packages installed on workstations, + notebook computers, servers, network components, or mobile devices; current + version numbers and update and patch information on operating systems and + applications; and configuration settings and parameters), network topology, + and the logical placement of those components within the system architecture. + Baseline configurations of systems also reflect the current enterprise architecture. + Maintaining effective baseline configurations requires creating new baselines + as organizational systems change over time. Baseline configuration maintenance + includes reviewing and updating the baseline configuration when changes are + made based on security risks and deviations from the established baseline + configuration. Organizations can implement centralized system component inventories + that include components from multiple organizational systems. In such situations, + organizations ensure that the resulting inventories include system-specific + information required for proper component accountability (e.g., system association, + system owner). Information deemed necessary for effective accountability of + system components includes hardware inventory specifications, software license + information, software version numbers, component owners, and for networked + components or devices, machine names and network addresses. Inventory specifications + include manufacturer, device type, model, serial number, and physical location. [SP + 800-128] provides guidance on security-focused configuration management. ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.2 + description: Establish and enforce security configuration settings for information + technology products employed in organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node77 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.2 + description: 'Configuration settings are the set of parameters that can be changed + in hardware, software, or firmware components of the system that affect the + security posture or functionality of the system. Information technology products + for which security-related configuration settings can be defined include mainframe + computers, servers, workstations, input and output devices (e.g., scanners, + copiers, and printers), network components (e.g., firewalls, routers, gateways, + voice and data switches, wireless access points, network appliances, sensors), + operating systems, middleware, and applications. Security parameters are + those parameters impacting the security state of systems including the parameters + required to satisfy other security requirements. Security parameters include: + registry settings; account, file, directory permission settings; and settings + for functions, ports, protocols, and remote connections. Organizations establish + organization-wide configuration settings and subsequently derive specific + configuration settings for systems. The established settings become part of + the systems configuration baseline. Common secure configurations (also referred + to as security configuration checklists, lockdown and hardening guides, security + reference guides, security technical implementation guides) provide recognized, + standardized, and established benchmarks that stipulate secure configuration + settings for specific information technology platforms/products and instructions + for configuring those system components to meet operational requirements. + Common secure configurations can be developed by a variety of organizations + including information technology product developers, manufacturers, vendors, + consortia, academia, industry, federal agencies, and other organizations in + the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance + on security configuration settings.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.3 + description: Track, review, approve or disapprove, and log changes to organizational + systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node79 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.3 + description: Tracking, reviewing, approving/disapproving, and logging changes + is called configuration change control. Configuration change control for organizational + systems involves the systematic proposal, justification, implementation, testing, + review, and disposition of changes to the systems, including system upgrades + and modifications. Configuration change control includes changes to baseline + configurations for components and configuration items of systems, changes + to configuration settings for information technology products (e.g., operating + systems, applications, firewalls, routers, and mobile devices), unscheduled + and unauthorized changes, and changes to remediate vulnerabilities. Processes + for managing configuration changes to systems include Configuration Control + Boards or Change Advisory Boards that review and approve proposed changes + to systems. For new development systems or systems undergoing major upgrades, + organizations consider including representatives from development organizations + on the Configuration Control Boards or Change Advisory Boards. Audit logs + of changes include activities before and after changes are made to organizational + systems and the activities required to implement such changes. [SP 800-128] + provides guidance on configuration change control. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.4 + description: Analyze the security impact of changes prior to implementation. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node81 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.4 + description: Organizational personnel with information security responsibilities + (e.g., system administrators, system security officers, system security managers, + and systems security engineers) conduct security impact analyses. Individuals + conducting security impact analyses possess the necessary skills and technical + expertise to analyze the changes to systems and the associated security ramifications. + Security impact analysis may include reviewing security plans to understand + security requirements and reviewing system design documentation to understand + the implementation of controls and how specific changes might affect the controls. + Security impact analyses may also include risk assessments to better understand + the impact of the changes and to determine if additional controls are required. [SP + 800-128] provides guidance on configuration change control and security impact + analysis. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.5 + description: Define, document, approve, and enforce physical and logical access + restrictions associated with changes to organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node83 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.5 + description: Any changes to the hardware, software, or firmware components of + systems can potentially have significant effects on the overall security of + the systems. Therefore, organizations permit only qualified and authorized + individuals to access systems for purposes of initiating changes, including + upgrades and modifications. Access restrictions for change also include software + libraries. Access restrictions include physical and logical access control + requirements, workflow automation, media libraries, abstract layers (e.g., + changes implemented into external interfaces rather than directly into systems), + and change windows (e.g., changes occur only during certain specified times). + In addition to security concerns, commonly-accepted due diligence for configuration + management includes access restrictions as an essential part in ensuring the + ability to effectively manage the configuration. [SP 800-128] provides guidance + on configuration change control. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.6 + description: Employ the principle of least functionality by configuring organizational + systems to provide only essential capabilities. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node85 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.6 + description: Systems can provide a wide variety of functions and services. Some + of the functions and services routinely provided by default, may not be necessary + to support essential organizational missions, functions, or operations. It + is sometimes convenient to provide multiple services from single system components. + However, doing so increases risk over limiting the services provided by any + one component. Where feasible, organizations limit component functionality + to a single function per component. Organizations review functions and services + provided by systems or components of systems, to determine which functions + and services are candidates for elimination. Organizations disable unused + or unnecessary physical and logical ports and protocols to prevent unauthorized + connection of devices, transfer of information, and tunneling. Organizations + can utilize network scanning tools, intrusion detection and prevention systems, + and end-point protections such as firewalls and host-based intrusion detection + systems to identify and prevent the use of prohibited functions, ports, protocols, + and services. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.7 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.7 + description: Restrict, disable, or prevent the use of nonessential programs, + functions, ports, protocols, and services. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node87 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.7 + description: Restricting the use of nonessential software (programs) includes + restricting the roles allowed to approve program execution; prohibiting auto-execute; + program blacklisting and whitelisting; or restricting the number of program + instances executed at the same time. The organization makes a security-based + determination which functions, ports, protocols, and/or services are restricted. + Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples + of protocols organizations consider preventing the use of, restricting, or + disabling. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.8 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.8 + description: Apply deny-by-exception (blacklisting) policy to prevent the use + of unauthorized software or deny-all, permit-by-exception (whitelisting) policy + to allow the execution of authorized software. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node89 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.8 + description: The process used to identify software programs that are not authorized + to execute on systems is commonly referred to as blacklisting. The process + used to identify software programs that are authorized to execute on systems + is commonly referred to as whitelisting. Whitelisting is the stronger of the + two policies for restricting software program execution. In addition to whitelisting, + organizations consider verifying the integrity of whitelisted software programs + using, for example, cryptographic checksums, digital signatures, or hash functions. + Verification of whitelisted software can occur either prior to execution or + at system startup. [SP 800-167] provides guidance on application whitelisting. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.9 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node73 + ref_id: 3.4.9 + description: Control and monitor user-installed software. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node91 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.4.9 + description: "Users can install software in organizational systems if provided\ + \ the necessary privileges. To maintain control over the software installed,\ + \ organizations identify permitted and prohibited actions regarding software\ + \ installation through policies. Permitted software installations include\ + \ updates and security patches to existing software and applications from\ + \ organization-approved \u201Capp stores.\u201D Prohibited software installations\ + \ may include software with unknown or suspect pedigrees or software that\ + \ organizations consider potentially malicious. The policies organizations\ + \ select governing user-installed software may be organization-developed or\ + \ provided by some external entity. Policy enforcement methods include procedural\ + \ methods, automated methods, or both." + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + assessable: false + depth: 1 + name: Identification and Authentication + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.1 + description: Identify system users, processes acting on behalf of users, and + devices. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node94 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.1 + description: 'Common device identifiers include Media Access Control (MAC), + Internet Protocol (IP) addresses, or device-unique token identifiers. Management + of individual identifiers is not applicable to shared system accounts. Typically, + individual identifiers are the user names associated with the system accounts + assigned to those individuals. Organizations may require unique identification + of individuals in group accounts or for detailed accountability of individual + activity. In addition, this requirement addresses individual identifiers that + are not necessarily associated with system accounts. Organizational devices + requiring identification may be defined by type, by device, or by a combination + of type/device. [SP 800-63-3] provides guidance on digital identities. ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.2 + description: Authenticate (or verify) the identities of users, processes, or + devices, as a prerequisite to allowing access to organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node96 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.2 + description: 'Individual authenticators include the following: passwords, key + cards, cryptographic devices, and one-time password devices. Initial authenticator + content is the actual content of the authenticator, for example, the initial + password. In contrast, the requirements about authenticator content include + the minimum password length. Developers ship system components with factory + default authentication credentials to allow for initial installation and configuration. + Default authentication credentials are often well known, easily discoverable, + and present a significant security risk. Systems support authenticator management + by organization-defined settings and restrictions for various authenticator + characteristics including minimum password length, validation time window + for time synchronous one-time tokens, and number of allowed rejections during + the verification stage of biometric authentication. Authenticator management + includes issuing and revoking, when no longer needed, authenticators for temporary + access such as that required for remote maintenance. Device authenticators + include certificates and passwords. [SP 800-63-3] provides guidance on digital + identities.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.3 + description: 'Use multifactor authentication for local and network access to + privileged accounts and for network access to non-privileged accounts.[24] + [25]. ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node98 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.3 + description: "Multifactor authentication requires the use of two or more different\ + \ factors to authenticate. The factors are defined as something you know (e.g.,\ + \ password, personal identification number [PIN]); something you have (e.g.,\ + \ cryptographic identification device, token); or something you are (e.g.,\ + \ biometric). Multifactor authentication solutions that feature physical authenticators\ + \ include hardware authenticators providing time-based or challenge-response\ + \ authenticators and smart cards. In addition to authenticating users at the\ + \ system level (i.e., at logon), organizations may also employ authentication\ + \ mechanisms at the application level, when necessary, to provide increased\ + \ information security. Access to organizational systems is defined as local\ + \ access or network access. Local access is any access to organizational systems\ + \ by users (or processes acting on behalf of users) where such access is obtained\ + \ by direct connections without the use of networks. Network access is access\ + \ to systems by users (or processes acting on behalf of users) where such\ + \ access is obtained through network connections (i.e., nonlocal accesses).\ + \ Remote access is a type of network access that involves communication through\ + \ external networks. The use of encrypted virtual private networks for connections\ + \ between organization-controlled and non-organization controlled endpoints\ + \ may be treated as internal networks with regard to protecting the confidentiality\ + \ of information. [SP 800-63-3] provides guidance on digital identities.\n\ + \n[24] Multifactor authentication requires two or more different factors to\ + \ achieve authentication. The factors include: something you know (e.g., password/PIN);\ + \ something you have (e.g., cryptographic identification device, token); or\ + \ something you are (e.g., biometric). The requirement for multifactor authentication\ + \ should not be interpreted as requiring federal Personal Identity Verification\ + \ (PIV) card or Department of Defense Common Access Card (CAC)-like solutions.\ + \ A variety of multifactor solutions (including those with replay resistance)\ + \ using tokens and biometrics are commercially available. Such solutions may\ + \ employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens\ + \ to store user credentials. \n[25] Local access is any access to a system\ + \ by a user (or process acting on behalf of a user) communicating through\ + \ a direct connection without the use of a network. Network access is any\ + \ access to a system by a user (or a process acting on behalf of a user) communicating\ + \ through a network (e.g., local area network, wide area network, Internet)." + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.4 + description: Employ replay-resistant authentication mechanisms for network access + to privileged and non-privileged accounts. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node100 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.4 + description: Authentication processes resist replay attacks if it is impractical + to successfully authenticate by recording or replaying previous authentication + messages. Replay-resistant techniques include protocols that use nonces or + challenges such as time synchronous or challenge-response one-time authenticators. [SP + 800-63-3] provides guidance on digital identities. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.5 + description: Prevent reuse of identifiers for a defined period. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node102 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.5 + description: Identifiers are provided for users, processes acting on behalf + of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing + the assignment of previously used individual, group, role, or device identifiers + to different individuals, groups, roles, or devices. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.6 + description: Disable identifiers after a defined period of inactivity. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node104 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.6 + description: Inactive identifiers pose a risk to organizational information + because attackers may exploit an inactive identifier to gain undetected access + to organizational devices. The owners of the inactive accounts may not notice + if unauthorized access to the account has been obtained. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.7 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.7 + description: Enforce a minimum password complexity and change of characters + when new passwords are created. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node106 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.7 + description: This requirement applies to single-factor authentication of individuals + using passwords as individual or group authenticators, and in a similar manner, + when passwords are used as part of multifactor authenticators. The number + of changed characters refers to the number of changes required with respect + to the total number of positions in the current password. To mitigate certain + brute force attacks against passwords, organizations may also consider salting + passwords. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.8 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.8 + description: Prohibit password reuse for a specified number of generations. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node108 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.8 + description: Password lifetime restrictions do not apply to temporary passwords + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.9 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.9 + description: Allow temporary password use for system logons with an immediate + change to a permanent password. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node110 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.9 + description: Changing temporary passwords to permanent passwords immediately + after system logon ensures that the necessary strength of the authentication + mechanism is implemented at the earliest opportunity, reducing the susceptibility + to authenticator compromises. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.10 + description: Store and transmit only cryptographically-protected passwords. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node112 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.10 + description: Cryptographically-protected passwords use salted one-way cryptographic + hashes of passwords. See [NIST CRYPTO]. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node92 + ref_id: 3.5.11 + description: Obscure feedback of authentication information + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node114 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.5.11 + description: The feedback from systems does not provide any information that + would allow unauthorized individuals to compromise authentication mechanisms. + For some types of systems or system components, for example, desktop or notebook + computers with relatively large monitors, the threat (often referred to as + shoulder surfing) may be significant. For other types of systems or components, + for example, mobile devices with small displays, this threat may be less significant, + and is balanced against the increased likelihood of typographic input errors + due to the small keyboards. Therefore, the means for obscuring the authenticator + feedback is selected accordingly. Obscuring authenticator feedback includes + displaying asterisks when users type passwords into input devices or displaying + feedback for a very limited time before fully obscuring it. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node115 + assessable: false + depth: 1 + name: Incident response + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.6.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node115 + ref_id: 3.6.1 + description: Establish an operational incident-handling capability for organizational + systems that includes preparation, detection, analysis, containment, recovery, + and user response activities. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node117 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.6.1 + description: Organizations recognize that incident handling capability is dependent + on the capabilities of organizational systems and the mission/business processes + being supported by those systems. Organizations consider incident handling + as part of the definition, design, and development of mission/business processes + and systems. Incident-related information can be obtained from a variety of + sources including audit monitoring, network monitoring, physical access monitoring, + user and administrator reports, and reported supply chain events. Effective + incident handling capability includes coordination among many organizational + entities including mission/business owners, system owners, authorizing officials, + human resources offices, physical and personnel security offices, legal departments, + operations personnel, procurement offices, and the risk executive. As part + of user response activities, incident response training is provided by organizations + and is linked directly to the assigned roles and responsibilities of organizational + personnel to ensure that the appropriate content and level of detail is included + in such training. For example, regular users may only need to know who to + call or how to recognize an incident on the system; system administrators + may require additional training on how to handle or remediate incidents; and + incident responders may receive more specific training on forensics, reporting, + system recovery, and restoration. Incident response training includes user + training in the identification/reporting of suspicious activities from external + and internal sources. User response activities also includes incident response + assistance which may consist of help desk support, assistance groups, and + access to forensics services or consumer redress services, when required. [SP + 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] + provide guidance on integrating forensic techniques into incident response. + [SP 800-161] provides guidance on supply chain risk management. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.6.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node115 + ref_id: 3.6.2 + description: Track, document, and report incidents to designated officials and/or + authorities both internal and external to the organization. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node119 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.6.2 + description: Tracking and documenting system security incidents includes maintaining + records about each incident, the status of the incident, and other pertinent + information necessary for forensics, evaluating incident details, trends, + and handling. Incident information can be obtained from a variety of sources + including incident reports, incident response teams, audit monitoring, network + monitoring, physical access monitoring, and user/administrator reports. Reporting + incidents addresses specific incident reporting requirements within an organization + and the formal incident reporting requirements for the organization. Suspected + security incidents may also be reported and include the receipt of suspicious + email communications that can potentially contain malicious code. The types + of security incidents reported, the content and timeliness of the reports, + and the designated reporting authorities reflect applicable laws, Executive + Orders, directives, regulations, and policies. [SP 800-61] provides guidance + on incident handling. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.6.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node115 + ref_id: 3.6.3 + description: Test the organizational incident response capability. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node121 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.6.3 + description: Organizations test incident response capabilities to determine + the effectiveness of the capabilities and to identify potential weaknesses + or deficiencies. Incident response testing includes the use of checklists, + walk-through or tabletop exercises, simulations (both parallel and full interrupt), + and comprehensive exercises. Incident response testing can also include a + determination of the effects on organizational operations (e.g., reduction + in mission capabilities), organizational assets, and individuals due to incident + response. [SP 800-84] provides guidance on testing programs for information + technology capabilities. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node122 + assessable: false + depth: 1 + name: Maintenance + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node122 + ref_id: 3.7.1 + description: 'Perform maintenance on organizational systems.[26]. ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node124 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.1 + description: 'This requirement addresses the information security aspects of + the system maintenance program and applies to all types of maintenance to + any system component (including hardware, firmware, applications) conducted + by any local or nonlocal entity. System maintenance also includes those components + not directly associated with information processing and data or information + retention such as scanners, copiers, and printers. + + + [26] In general, system maintenance requirements tend to support the security + objective of availability. However, improper system maintenance or a failure + to perform maintenance can result in the unauthorized disclosure of CUI, thus + compromising confidentiality of that information.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node122 + ref_id: 3.7.2 + description: Provide controls on the tools, techniques, mechanisms, and personnel + used to conduct system maintenance. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node126 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.2 + description: This requirement addresses security-related issues with maintenance + tools that are not within the organizational system boundaries that process, + store, or transmit CUI, but are used specifically for diagnostic and repair + actions on those systems. Organizations have flexibility in determining the + controls in place for maintenance tools, but can include approving, controlling, + and monitoring the use of such tools. Maintenance tools are potential vehicles + for transporting malicious code, either intentionally or unintentionally, + into a facility and into organizational systems. Maintenance tools can include + hardware, software, and firmware items, for example, hardware and software + diagnostic test equipment and hardware and software packet sniffers. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node122 + ref_id: 3.7.3 + description: Ensure equipment removed for off-site maintenance is sanitized + of any CUI. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node128 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.3 + description: This requirement addresses the information security aspects of + system maintenance that are performed off-site and applies to all types of + maintenance to any system component (including applications) conducted by + a local or nonlocal entity (e.g., in-contract, warranty, in- house, software + maintenance agreement). [SP 800-88] provides guidance on media sanitization. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node122 + ref_id: 3.7.4 + description: Check media containing diagnostic and test programs for malicious + code before the media are used in organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node130 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.4 + description: If, upon inspection of media containing maintenance diagnostic + and test programs, organizations determine that the media contain malicious + code, the incident is handled consistent with incident handling policies and + procedures. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node122 + ref_id: 3.7.5 + description: Require multifactor authentication to establish nonlocal maintenance + sessions via external network connections and terminate such connections when + nonlocal maintenance is complete. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node132 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.5 + description: Nonlocal maintenance and diagnostic activities are those activities + conducted by individuals communicating through an external network. The authentication + techniques employed in the establishment of these nonlocal maintenance and + diagnostic sessions reflect the network access requirements in 3.5.3. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node122 + ref_id: 3.7.6 + description: Supervise the maintenance activities of maintenance personnel without + required access authorization. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node134 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.7.6 + description: This requirement applies to individuals who are performing hardware + or software maintenance on organizational systems, while 3.10.1 addresses + physical access for individuals whose maintenance duties place them within + the physical protection perimeter of the systems (e.g., custodial staff, physical + plant maintenance personnel). Individuals not previously identified as authorized + maintenance personnel, such as information technology manufacturers, vendors, + consultants, and systems integrators, may require privileged access to organizational + systems, for example, when required to conduct maintenance activities with + little or no notice. Organizations may choose to issue temporary credentials + to these individuals based on organizational risk assessments. Temporary credentials + may be for one-time use or for very limited time periods. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + assessable: false + depth: 1 + name: Media Protection + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.1 + description: Protect (i.e., physically control and securely store) system media + containing CUI, both paper and digital. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node137 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.1 + description: System media includes digital and non-digital media. Digital media + includes diskettes, magnetic tapes, external and removable hard disk drives, + flash drives, compact disks, and digital video disks. Non-digital media includes + paper and microfilm. Protecting digital media includes limiting access to + design specifications stored on compact disks or flash drives in the media + library to the project leader and any individuals on the development team. + Physically controlling system media includes conducting inventories, maintaining + accountability for stored media, and ensuring procedures are in place to allow + individuals to check out and return media to the media library. Secure storage + includes a locked drawer, desk, or cabinet, or a controlled media library. Access + to CUI on system media can be limited by physically controlling such media, + which includes conducting inventories, ensuring procedures are in place to + allow individuals to check out and return media to the media library, and + maintaining accountability for all stored media. [SP 800-111] provides guidance + on storage encryption technologies for end user devices. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.2 + description: Limit access to CUI on system media to authorized users + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node139 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.2 + description: Access can be limited by physically controlling system media and + secure storage areas. Physically controlling system media includes conducting + inventories, ensuring procedures are in place to allow individuals to check + out and return system media to the media library, and maintaining accountability + for all stored media. Secure storage includes a locked drawer, desk, or cabinet, + or a controlled media library + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.3 + description: Sanitize or destroy system media containing CUI before disposal + or release for reuse. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node141 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.3 + description: 'This requirement applies to all system media, digital and non-digital, + subject to disposal or reuse. Examples include: digital media found in workstations, + network components, scanners, copiers, printers, notebook computers, and mobile + devices; and non-digital media such as paper and microfilm. The sanitization + process removes information from the media such that the information cannot + be retrieved or reconstructed. Sanitization techniques, including clearing, + purging, cryptographic erase, and destruction, prevent the disclosure of information + to unauthorized individuals when such media is released for reuse or disposal. Organizations + determine the appropriate sanitization methods, recognizing that destruction + may be necessary when other methods cannot be applied to the media requiring + sanitization. Organizations use discretion on the employment of sanitization + techniques and procedures for media containing information that is in the + public domain or publicly releasable or deemed to have no adverse impact on + organizations or individuals if released for reuse or disposal. Sanitization + of non-digital media includes destruction, removing CUI from documents, or + redacting selected sections or words from a document by obscuring the redacted + sections or words in a manner equivalent in effectiveness to removing the + words or sections from the document. NARA policy and guidance control sanitization + processes for controlled unclassified information. [SP 800-88] provides guidance + on media sanitization.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.4 + description: 'Mark media with necessary CUI markings and distribution limitations.[27] ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node143 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.4 + description: "The term security marking refers to the application or use of\ + \ human-readable security attributes. System media includes digital and non-digital\ + \ media. Marking of system media reflects applicable federal laws, Executive\ + \ Orders, directives, policies, and regulations. See [NARA MARK].\n\n[27]\ + \ The implementation of this requirement is per marking guidance in [32 CFR\ + \ 2002] and [NARA CUI]. Standard Form (SF) 902 (approximate size 2.125\u201D\ + \ x 1.25\u201D) and SF 903 (approximate size 2.125\u201D x .625\u201D) can\ + \ be used on media that contains CUI such as hard drives, or USB devices.\ + \ Both forms are available from https://www.gsaadvantage.gov." + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.5 + description: Control access to media containing CUI and maintain accountability + for media during transport outside of controlled areas. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node145 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.5 + description: Controlled areas are areas or spaces for which organizations provide + physical or procedural controls to meet the requirements established for protecting + systems and information. Controls to maintain accountability for media during + transport include locked containers and cryptography. Cryptographic mechanisms + can provide confidentiality and integrity protections depending upon the mechanisms + used. Activities associated with transport include the actual transport as + well as those activities such as releasing media for transport and ensuring + that media enters the appropriate transport processes. For the actual transport, + authorized transport and courier personnel may include individuals external + to the organization. Maintaining accountability of media during transport + includes restricting transport activities to authorized personnel and tracking + and obtaining explicit records of transport activities as the media moves + through the transportation system to prevent and detect loss, destruction, + or tampering. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.6 + description: Implement cryptographic mechanisms to protect the confidentiality + of CUI stored on digital media during transport unless otherwise protected + by alternative physical safeguards. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node147 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.6 + description: This requirement applies to portable storage devices (e.g., USB + memory sticks, digital video disks, compact disks, external or removable hard + disk drives). See [NIST CRYPTO]. [SP 800-111] provides guidance on storage + encryption technologies for end user devices. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.7 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.7 + description: Control the use of removable media on system components. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node149 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.7 + description: In contrast to requirement 3.8.1, which restricts user access to + media, this requirement restricts the use of certain types of media on systems, + for example, restricting or prohibiting the use of flash drives or external + hard disk drives. Organizations can employ technical and nontechnical controls + (e.g., policies, procedures, and rules of behavior) to control the use of + system media. Organizations may control the use of portable storage devices, + for example, by using physical cages on workstations to prohibit access to + certain external ports, or disabling or removing the ability to insert, read, + or write to such devices. Organizations may also limit the use of portable + storage devices to only approved devices including devices provided by the + organization, devices provided by other approved organizations, and devices + that are not personally owned. Finally, organizations may control the use + of portable storage devices based on the type of device, prohibiting the use + of writeable, portable devices, and implementing this restriction by disabling + or removing the capability to write to such devices. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.8 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.8 + description: Prohibit the use of portable storage devices when such devices + have no identifiable owner. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node151 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.8 + description: Requiring identifiable owners (e.g., individuals, organizations, + or projects) for portable storage devices reduces the overall risk of using + such technologies by allowing organizations to assign responsibility and accountability + for addressing known vulnerabilities in the devices (e.g., insertion of malicious + code). + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.9 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node135 + ref_id: 3.8.9 + description: Protect the confidentiality of backup CUI at storage locations. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node153 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.8.9 + description: Organizations can employ cryptographic mechanisms or alternative + physical controls to protect the confidentiality of backup information at + designated storage locations. Backed-up information containing CUI may include + system-level information and user-level information. System-level information + includes system-state information, operating system software, application + software, and licenses. User-level information includes information other + than system-level information. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node154 + assessable: false + depth: 1 + name: Personnel Security + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.9.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node154 + ref_id: 3.9.1 + description: Screen individuals prior to authorizing access to organizational + systems containing CUI. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node156 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.9.1 + description: "Personnel security screening (vetting) activities involve the\ + \ evaluation/assessment of individual\u2019s conduct, integrity, judgment,\ + \ loyalty, reliability, and stability (i.e., the trustworthiness of the individual)\ + \ prior to authorizing access to organizational systems containing CUI. The\ + \ screening activities reflect applicable federal laws, Executive Orders,\ + \ directives, policies, regulations, and specific criteria established for\ + \ the level of access required for assigned positions." + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.9.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node154 + ref_id: 3.9.2 + description: Ensure that organizational systems containing CUI are protected + during and after personnel actions such as terminations and transfers + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node158 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.9.2 + description: Protecting CUI during and after personnel actions may include returning + system-related property and conducting exit interviews. System-related property + includes hardware authentication tokens, identification cards, system administration + technical manuals, keys, and building passes. Exit interviews ensure that + individuals who have been terminated understand the security constraints imposed + by being former employees and that proper accountability is achieved for system-related + property. Security topics of interest at exit interviews can include reminding + terminated individuals of nondisclosure agreements and potential limitations + on future employment. Exit interviews may not be possible for some terminated + individuals, for example, in cases related to job abandonment, illnesses, + and non-availability of supervisors. For termination actions, timely execution + is essential for individuals terminated for cause. In certain situations, + organizations consider disabling the system accounts of individuals that are + being terminated prior to the individuals being notified. This requirement + applies to reassignments or transfers of individuals when the personnel action + is permanent or of such extended durations as to require protection. Organizations + define the CUI protections appropriate for the types of reassignments or transfers, + whether permanent or extended. Protections that may be required for transfers + or reassignments to other positions within organizations include returning + old and issuing new keys, identification cards, and building passes; changing + system access authorizations (i.e., privileges); closing system accounts and + establishing new accounts; and providing for access to official records to + which individuals had access at previous work locations and in previous system + accounts. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node159 + assessable: false + depth: 1 + name: Physical Protection + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node159 + ref_id: 3.10.1 + description: Limit physical access to organizational systems, equipment, and + the respective operating environments to authorized individuals. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node161 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.1 + description: This requirement applies to employees, individuals with permanent + physical access authorization credentials, and visitors. Authorized individuals + have credentials that include badges, identification cards, and smart cards. + Organizations determine the strength of authorization credentials needed consistent + with applicable laws, directives, policies, regulations, standards, procedures, + and guidelines. This requirement applies only to areas within facilities that + have not been designated as publicly accessible. Limiting physical access + to equipment may include placing equipment in locked rooms or other secured + areas and allowing access to authorized individuals only; and placing equipment + in locations that can be monitored by organizational personnel. Computing + devices, external disk drives, networking devices, monitors, printers, copiers, + scanners, facsimile machines, and audio devices are examples of equipment. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node159 + ref_id: 3.10.2 + description: Protect and monitor the physical facility and support infrastructure + for organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node163 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.2 + description: Monitoring of physical access includes publicly accessible areas + within organizational facilities. This can be accomplished, for example, by + the employment of guards; the use of sensor devices; or the use of video surveillance + equipment such as cameras. Examples of support infrastructure include system + distribution, transmission, and power lines. Security controls applied to + the support infrastructure prevent accidental damage, disruption, and physical + tampering. Such controls may also be necessary to prevent eavesdropping or + modification of unencrypted transmissions. Physical access controls to support + infrastructure include locked wiring closets; disconnected or locked spare + jacks; protection of cabling by conduit or cable trays; and wiretapping sensors. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node159 + ref_id: 3.10.3 + description: Escort visitors and monitor visitor activity. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node165 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.3 + description: Individuals with permanent physical access authorization credentials + are not considered visitors. Audit logs can be used to monitor visitor activity. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node159 + ref_id: 3.10.4 + description: Maintain audit logs of physical access. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node167 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.4 + description: Organizations have flexibility in the types of audit logs employed. + Audit logs can be procedural (e.g., a written log of individuals accessing + the facility), automated (e.g., capturing ID provided by a PIV card), or some + combination thereof. Physical access points can include facility access points, + interior access points to systems or system components requiring supplemental + access controls, or both. System components (e.g., workstations, notebook + computers) may be in areas designated as publicly accessible with organizations + safeguarding access to such devices. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node159 + ref_id: 3.10.5 + description: Control and manage physical access devices. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node169 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.5 + description: Physical access devices include keys, locks, combinations, and + card readers. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node159 + ref_id: 3.10.6 + description: Enforce safeguarding measures for CUI at alternate work sites. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node171 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.10.6 + description: Alternate work sites may include government facilities or the private + residences of employees. Organizations may define different security requirements + for specific alternate work sites or types of sites depending on the work-related + activities conducted at those sites. [SP 800-46] and [SP 800-114] provide + guidance on enterprise and user security when teleworking. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node172 + assessable: false + depth: 1 + name: Risk Assessment + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.11.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node172 + ref_id: 3.11.1 + description: Periodically assess the risk to organizational operations (including + mission, functions, image, or reputation), organizational assets, and individuals, + resulting from the operation of organizational systems and the associated + processing, storage, or transmission of CUI + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node174 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.11.1 + description: Clearly defined system boundaries are a prerequisite for effective + risk assessments. Such risk assessments consider threats, vulnerabilities, + likelihood, and impact to organizational operations, organizational assets, + and individuals based on the operation and use of organizational systems. + Risk assessments also consider risk from external parties (e.g., service providers, + contractors operating systems on behalf of the organization, individuals accessing + organizational systems, outsourcing entities). Risk assessments, either formal + or informal, can be conducted at the organization level, the mission or business + process level, or the system level, and at any phase in the system development + life cycle. [SP 800-30] provides guidance on conducting risk assessments. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.11.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node172 + ref_id: 3.11.2 + description: Scan for vulnerabilities in organizational systems and applications + periodically and when new vulnerabilities affecting those systems and applications + are identified. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node176 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.11.2 + description: 'Organizations determine the required vulnerability scanning for + all system components, ensuring that potential sources of vulnerabilities + such as networked printers, scanners, and copiers are not overlooked. The + vulnerabilities to be scanned are readily updated as new vulnerabilities are + discovered, announced, and scanning methods developed. This process ensures + that potential vulnerabilities in the system are identified and addressed + as quickly as possible. Vulnerability analyses for custom software applications + may require additional approaches such as static analysis, dynamic analysis, + binary analysis, or a hybrid of the three approaches. Organizations can employ + these analysis approaches in source code reviews and in a variety of tools + (e.g., static analysis tools, web-based application scanners, binary analyzers) + and in source code reviews. Vulnerability scanning includes: scanning for + patch levels; scanning for functions, ports, protocols, and services that + should not be accessible to users or devices; and scanning for improperly + configured or incorrectly operating information flow control mechanisms. To + facilitate interoperability, organizations consider using products that are + Security Content Automated Protocol (SCAP)-validated, scanning tools that + express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) + naming convention, and that employ the Open Vulnerability Assessment Language + (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability + information include the Common Weakness Enumeration (CWE) listing and the + National Vulnerability Database (NVD). Security assessments, such as red + team exercises, provide additional sources of potential vulnerabilities for + which to scan. Organizations also consider using scanning tools that express + vulnerability impact by the Common Vulnerability Scoring System (CVSS). In + certain situations, the nature of the vulnerability scanning may be more intrusive + or the system component that is the subject of the scanning may contain highly + sensitive information. Privileged access authorization to selected system + components facilitates thorough vulnerability scanning and protects the sensitive + nature of such scanning. [SP 800-40] provides guidance on vulnerability management.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.11.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node172 + ref_id: 3.11.3 + description: Remediate vulnerabilities in accordance with risk assessments. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node178 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.11.3 + description: Vulnerabilities discovered, for example, via the scanning conducted + in response to 3.11.2, are remediated with consideration of the related assessment + of risk. The consideration of risk influences the prioritization of remediation + efforts and the level of effort to be expended in the remediation for specific + vulnerabilities. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node179 + assessable: false + depth: 1 + name: Security Assessment + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.12.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node179 + ref_id: 3.12.1 + description: Periodically assess the security controls in organizational systems + to determine if the controls are effective in their application. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node181 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.12.1 + description: Organizations assess security controls in organizational systems + and the environments in which those systems operate as part of the system + development life cycle. Security controls are the safeguards or countermeasures + organizations implement to satisfy security requirements. By assessing the + implemented security controls, organizations determine if the security safeguards + or countermeasures are in place and operating as intended. Security control + assessments ensure that information security is built into organizational + systems; identify weaknesses and deficiencies early in the development process; + provide essential information needed to make risk-based decisions; and ensure + compliance to vulnerability mitigation procedures. Assessments are conducted + on the implemented security controls as documented in system security plans. Security + assessment reports document assessment results in sufficient detail as deemed + necessary by organizations, to determine the accuracy and completeness of + the reports and whether the security controls are implemented correctly, operating + as intended, and producing the desired outcome with respect to meeting security + requirements. Security assessment results are provided to the individuals + or roles appropriate for the types of assessments being conducted. Organizations + ensure that security assessment results are current, relevant to the determination + of security control effectiveness, and obtained with the appropriate level + of assessor independence. Organizations can choose to use other types of assessment + activities such as vulnerability scanning and system monitoring to maintain + the security posture of systems during the system life cycle. [SP 800-53] + provides guidance on security and privacy controls for systems and organizations. + [SP 800-53A] provides guidance on developing security assessment plans and + conducting assessments. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.12.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node179 + ref_id: 3.12.2 + description: Develop and implement plans of action designed to correct deficiencies + and reduce or eliminate vulnerabilities in organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node183 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.12.2 + description: The plan of action is a key document in the information security + program. Organizations develop plans of action that describe how any unimplemented + security requirements will be met and how any planned mitigations will be + implemented. Organizations can document the system security plan and plan + of action as separate or combined documents and in any chosen format. Federal + agencies may consider the submitted system security plans and plans of action + as critical inputs to an overall risk management decision to process, store, + or transmit CUI on a system hosted by a nonfederal organization and whether + it is advisable to pursue an agreement or contract with the nonfederal organization. + [NIST CUI] provides supplemental material for Special Publication 800-171 + including templates for plans of action. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.12.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node179 + ref_id: 3.12.3 + description: Monitor security controls on an ongoing basis to ensure the continued + effectiveness of the controls. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node185 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.12.3 + description: Continuous monitoring programs facilitate ongoing awareness of + threats, vulnerabilities, and information security to support organizational + risk management decisions. The terms continuous and ongoing imply that organizations + assess and analyze security controls and information security-related risks + at a frequency sufficient to support risk-based decisions. The results of + continuous monitoring programs generate appropriate risk response actions + by organizations. Providing access to security information on a continuing + basis through reports or dashboards gives organizational officials the capability + to make effective and timely risk management decisions. Automation supports + more frequent updates to hardware, software, firmware inventories, and other + system information. Effectiveness is further enhanced when continuous monitoring + outputs are formatted to provide information that is specific, measurable, + actionable, relevant, and timely. Monitoring requirements, including the need + for specific monitoring, may also be referenced in other requirements. [SP + 800-137] provides guidance on continuous monitoring. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.12.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node179 + ref_id: 3.12.4 + description: 'Develop, document, and periodically update system security plans + that describe system boundaries, system environments of operation, how security + requirements are implemented, and the relationships with or connections to + other systems.[28] ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node187 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.12.4 + description: System security plans relate security requirements to a set of + security controls. System security plans also describe, at a high level, how + the security controls meet those security requirements, but do not provide + detailed, technical descriptions of the design or implementation of the controls. + System security plans contain sufficient information to enable a design and + implementation that is unambiguously compliant with the intent of the plans + and subsequent determinations of risk if the plan is implemented as intended. + Security plans need not be single documents; the plans can be a collection + of various documents including documents that already exist. Effective security + plans make extensive use of references to policies, procedures, and additional + documents (e.g., design and implementation specifications) where more detailed + information can be obtained. This reduces the documentation requirements associated + with security programs and maintains security-related information in other + established management/operational areas related to enterprise architecture, + system development life cycle, systems engineering, and acquisition. Federal + agencies may consider the submitted system security plans and plans of action + as critical inputs to an overall risk management decision to process, store, + or transmit CUI on a system hosted by a nonfederal organization and whether + it is advisable to pursue an agreement or contract with the nonfederal organization. [SP + 800-18] provides guidance on developing security plans. [NIST CUI] provides + supplemental material for Special Publication 800-171 including templates + for system security plans. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + assessable: false + depth: 1 + name: System and Communications Protection + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.1 + description: Monitor, control, and protect communications (i.e., information + transmitted or received by organizational systems) at the external boundaries + and key internal boundaries of organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node190 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.1 + description: 'Communications can be monitored, controlled, and protected at + boundary components and by restricting or prohibiting interfaces in organizational + systems. Boundary components include gateways, routers, firewalls, guards, + network-based malicious code analysis and virtualization systems, or encrypted + tunnels implemented within a system security architecture (e.g., routers protecting + firewalls or application gateways residing on protected subnetworks). Restricting + or prohibiting interfaces in organizational systems includes restricting external + web communications traffic to designated web servers within managed interfaces + and prohibiting external traffic that appears to be spoofing internal addresses. Organizations + consider the shared nature of commercial telecommunications services in the + implementation of security requirements associated with the use of such services. + Commercial telecommunications services are commonly based on network components + and consolidated management systems shared by all attached commercial customers + and may also include third party-provided access lines and other service elements. + Such transmission services may represent sources of increased risk despite + contract security provisions. [SP 800-41] provides guidance on firewalls and + firewall policy. [SP 800-125B] provides guidance on security for virtualization + technologies. + + + [28] There is no prescribed format or specified level of detail for system + security plans. However, organizations ensure that the required information + in 3.12.4 is conveyed in those plans.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.2 + description: Employ architectural designs, software development techniques, + and systems engineering principles that promote effective information security + within organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node192 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.2 + description: Organizations apply systems security engineering principles to + new development systems or systems undergoing major upgrades. For legacy systems, + organizations apply systems security engineering principles to system upgrades + and modifications to the extent feasible, given the current state of hardware, + software, and firmware components within those systems. The application of + systems security engineering concepts and principles helps to develop trustworthy, + secure, and resilient systems and system components and reduce the susceptibility + of organizations to disruptions, hazards, and threats. Examples of these concepts + and principles include developing layered protections; establishing security + policies, architecture, and controls as the foundation for design; incorporating + security requirements into the system development life cycle; delineating + physical and logical security boundaries; ensuring that developers are trained + on how to build secure software; and performing threat modeling to identify + use cases, threat agents, attack vectors and patterns, design patterns, and + compensating controls needed to mitigate risk. Organizations that apply security + engineering concepts and principles can facilitate the development of trustworthy, + secure systems, system components, and system services; reduce risk to acceptable + levels; and make informed risk-management decisions. [SP 800-160-1] provides + guidance on systems security engineering. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.3 + description: Separate user functionality from system management functionality. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node194 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.3 + description: System management functionality includes functions necessary to + administer databases, network components, workstations, or servers, and typically + requires privileged user access. The separation of user functionality from + system management functionality is physical or logical. Organizations can + implement separation of system management functionality from user functionality + by using different computers, different central processing units, different + instances of operating systems, or different network addresses; virtualization + techniques; or combinations of these or other methods, as appropriate. This + type of separation includes web administrative interfaces that use separate + authentication methods for users of any other system resources. Separation + of system and user functionality may include isolating administrative interfaces + on different domains and with additional access controls. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.4 + description: Prevent unauthorized and unintended information transfer via shared + system resources. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node196 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.4 + description: The control of information in shared system resources (e.g., registers, + cache memory, main memory, hard disks) is also commonly referred to as object + reuse and residual information protection. This requirement prevents information + produced by the actions of prior users or roles (or the actions of processes + acting on behalf of prior users or roles) from being available to any current + users or roles (or current processes acting on behalf of current users or + roles) that obtain access to shared system resources after those resources + have been released back to the system. This requirement also applies to encrypted + representations of information. This requirement does not address information + remanence, which refers to residual representation of data that has been nominally + deleted; covert channels (including storage or timing channels) where shared + resources are manipulated to violate information flow restrictions; or components + within systems for which there are only single users or roles. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.5 + description: Implement subnetworks for publicly accessible system components + that are physically or logically separated from internal networks. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node198 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.5 + description: Subnetworks that are physically or logically separated from internal + networks are referred to as demilitarized zones (DMZs). DMZs are typically + implemented with boundary control devices and techniques that include routers, + gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] + provides guidance on firewalls and firewall policy. [SP 800-125B] provides + guidance on security for virtualization technologies + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.6 + description: Deny network communications traffic by default and allow network + communications traffic by exception (i.e., deny all, permit by exception). + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node200 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.6 + description: This requirement applies to inbound and outbound network communications + traffic at the system boundary and at identified points within the system. + A deny-all, permit-by-exception network communications traffic policy ensures + that only those connections which are essential and approved are allowed. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.7 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.7 + description: Prevent remote devices from simultaneously establishing non-remote + connections with organizational systems and communicating via some other connection + to resources in external networks (i.e., split tunneling). + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node202 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.7 + description: Split tunneling might be desirable by remote users to communicate + with local system resources such as printers or file servers. However, split + tunneling allows unauthorized external connections, making the system more + vulnerable to attack and to exfiltration of organizational information. This + requirement is implemented in remote devices (e.g., notebook computers, smart + phones, and tablets) through configuration settings to disable split tunneling + in those devices, and by preventing configuration settings from being readily + configurable by users. This requirement is implemented in the system by the + detection of split tunneling (or of configuration settings that allow split + tunneling) in the remote device, and by prohibiting the connection if the + remote device is using split tunneling. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.8 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.8 + description: Implement cryptographic mechanisms to prevent unauthorized disclosure + of CUI during transmission unless otherwise protected by alternative physical + safeguards. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node204 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.8 + description: This requirement applies to internal and external networks and + any system components that can transmit information including servers, notebook + computers, desktop computers, mobile devices, printers, copiers, scanners, + and facsimile machines. Communication paths outside the physical protection + of controlled boundaries are susceptible to both interception and modification. + Organizations relying on commercial providers offering transmission services + as commodity services rather than as fully dedicated services (i.e., services + which can be highly specialized to individual customer needs), may find it + difficult to obtain the necessary assurances regarding the implementation + of the controls for transmission confidentiality. In such situations, organizations + determine what types of confidentiality services are available in commercial + telecommunication service packages. If it is infeasible or impractical to + obtain the necessary safeguards and assurances of the effectiveness of the + safeguards through appropriate contracting vehicles, organizations implement + compensating safeguards or explicitly accept the additional risk. An example + of an alternative physical safeguard is a protected distribution system (PDS) + where the distribution medium is protected against electronic or physical + intercept, thereby ensuring the confidentiality of the information being transmitted. + See [NIST CRYPTO]. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.9 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.9 + description: Terminate network connections associated with communications sessions + at the end of the sessions or after a defined period of inactivity. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node206 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.9 + description: This requirement applies to internal and external networks. Terminating + network connections associated with communications sessions include de-allocating + associated TCP/IP address or port pairs at the operating system level, or + de-allocating networking assignments at the application level if multiple + application sessions are using a single, operating system-level network connection. + Time periods of user inactivity may be established by organizations and include + time periods by type of network access or for specific network accesses + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.10 + description: Establish and manage cryptographic keys for cryptography employed + in organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node208 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.10 + description: Cryptographic key management and establishment can be performed + using manual procedures or mechanisms supported by manual procedures. Organizations + define key management requirements in accordance with applicable federal laws, + Executive Orders, policies, directives, regulations, and standards specifying + appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] + provide guidance on cryptographic key management and key establishment. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.11 + description: Employ FIPS-validated cryptography when used to protect the confidentiality + of CUI. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node210 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.11 + description: Cryptography can be employed to support many security solutions + including the protection of controlled unclassified information, the provision + of digital signatures, and the enforcement of information separation when + authorized individuals have the necessary clearances for such information + but lack the necessary formal access approvals. Cryptography can also be used + to support random number generation and hash generation. Cryptographic standards + include FIPS-validated cryptography and/or NSA-approved cryptography. See + [NIST CRYPTO]; [NIST CAVP]; and [NIST CMVP]. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.12 + description: 'Prohibit remote activation of collaborative computing devices + and provide indication of devices in use to users present at the device.[29]. ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node212 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.12 + description: 'Collaborative computing devices include networked white boards, + cameras, and microphones. Indication of use includes signals to users when + collaborative computing devices are activated. Dedicated video conferencing + systems, which rely on one of the participants calling or connecting to the + other party to activate the video conference, are excluded. + + + [29] Dedicated video conferencing systems, which rely on one of the participants + calling or connecting to the other party to activate the video conference, + are excluded.' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.13 + description: Control and monitor the use of mobile code. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node214 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.13 + description: Mobile code technologies include Java, JavaScript, ActiveX, Postscript, + PDF, Flash animations, and VBScript. Decisions regarding the use of mobile + code in organizational systems are based on the potential for the code to + cause damage to the systems if used maliciously. Usage restrictions and implementation + guidance apply to the selection and use of mobile code installed on servers + and mobile code downloaded and executed on individual workstations, notebook + computers, and devices (e.g., smart phones). Mobile code policy and procedures + address controlling or preventing the development, acquisition, or introduction + of unacceptable mobile code in systems, including requiring mobile code to + be digitally signed by a trusted source. [SP 800-28] provides guidance on + mobile code. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.14 + description: Control and monitor the use of Voice over Internet Protocol (VoIP) + technologies. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node216 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.14 + description: VoIP has different requirements, features, functionality, availability, + and service limitations when compared with the Plain Old Telephone Service + (POTS) (i.e., the standard telephone service). In contrast, other telephone + services are based on high-speed, digital communications lines, such as Integrated + Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). + The main distinctions between POTS and non-POTS services are speed and bandwidth. + To address the threats associated with VoIP, usage restrictions and implementation + guidelines are based on the potential for the VoIP technology to cause damage + to the system if it is used maliciously. Threats to VoIP are similar to those + inherent with any Internet-based application. [SP 800-58] provides guidance + on Voice Over IP Systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.15 + description: Protect the authenticity of communications sessions. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node218 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.15 + description: Authenticity protection includes protecting against man-in-the-middle + attacks, session hijacking, and the insertion of false information into communications + sessions. This requirement addresses communications protection at the session + versus packet level (e.g., sessions in service-oriented architectures providing + web-based services) and establishes grounds for confidence at both ends of + communications sessions in ongoing identities of other parties and in the + validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-113] + provide guidance on secure communications sessions. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node188 + ref_id: 3.13.16 + description: Protect the confidentiality of CUI at rest. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node220 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.13.16 + description: Information at rest refers to the state of information when it + is not in process or in transit and is located on storage devices as specific + components of systems. The focus of protection at rest is not on the type + of storage device or the frequency of access but rather the state of the information. + Organizations can use different mechanisms to achieve confidentiality protections, + including the use of cryptographic mechanisms and file share scanning. Organizations + may also use other controls including secure off-line storage in lieu of online + storage when adequate protection of information at rest cannot otherwise be + achieved or continuous monitoring to identify malicious code at rest. See + [NIST CRYPTO]. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node221 + assessable: false + depth: 1 + name: System and Information Integrity + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node221 + ref_id: 3.14.1 + description: Identify, report, and correct system flaws in a timely manner. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node223 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.1 + description: Organizations identify systems that are affected by announced software + and firmware flaws including potential vulnerabilities resulting from those + flaws and report this information to designated personnel with information + security responsibilities. Security-relevant updates include patches, service + packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered + during security assessments, continuous monitoring, incident response activities, + and system error handling. Organizations can take advantage of available resources + such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities + and Exposures (CVE) database in remediating flaws discovered in organizational + systems. Organization-defined time periods for updating security-relevant + software and firmware may vary based on a variety of factors including the + criticality of the update (i.e., severity of the vulnerability related to + the discovered flaw). Some types of flaw remediation may require more testing + than other types of remediation. [SP 800-40] provides guidance on patch management + technologies. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node221 + ref_id: 3.14.2 + description: Provide protection from malicious code at designated locations + within organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node225 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.2 + description: Designated locations include system entry and exit points which + may include firewalls, remote-access servers, workstations, electronic mail + servers, web servers, proxy servers, notebook computers, and mobile devices. + Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious + code can be encoded in various formats (e.g., UUENCODE, Unicode), contained + within compressed or hidden files, or hidden in files using techniques such + as steganography. Malicious code can be inserted into systems in a variety + of ways including web accesses, electronic mail, electronic mail attachments, + and portable storage devices. Malicious code insertions occur through the + exploitation of system vulnerabilities. Malicious code protection mechanisms + include anti-virus signature definitions and reputation-based technologies. + A variety of technologies and methods exist to limit or eliminate the effects + of malicious code. Pervasive configuration management and comprehensive software + integrity controls may be effective in preventing execution of unauthorized + code. In addition to commercial off-the-shelf software, malicious code may + also be present in custom-built software. This could include logic bombs, + back doors, and other types of cyber-attacks that could affect organizational + missions/business functions. Traditional malicious code protection mechanisms + cannot always detect such code. In these situations, organizations rely instead + on other safeguards including secure coding practices, configuration management + and control, trusted procurement processes, and monitoring practices to help + ensure that software does not perform functions other than the functions intended. + [SP 800-83] provides guidance on malware incident prevention. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node221 + ref_id: 3.14.3 + description: Monitor system security alerts and advisories and take action in + response. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node227 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.3 + description: "There are many publicly available sources of system security alerts\ + \ and advisories. For example, the Department of Homeland Security\u2019s\ + \ Cybersecurity and Infrastructure Security Agency (CISA) generates security\ + \ alerts and advisories to maintain situational awareness across the federal\ + \ government and in nonfederal organizations. Software vendors, subscription\ + \ services, and industry information sharing and analysis centers (ISACs)\ + \ may also provide security alerts and advisories. Examples of response actions\ + \ include notifying relevant external organizations, for example, external\ + \ mission/business partners, supply chain partners, external service providers,\ + \ and peer or supporting organizations. [SP 800-161] provides guidance on\ + \ supply chain risk management." + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node221 + ref_id: 3.14.4 + description: Update malicious code protection mechanisms when new releases are + available. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node229 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.4 + description: 'Malicious code protection mechanisms include anti-virus signature + definitions and reputation-based technologies. A variety of technologies and + methods exist to limit or eliminate the effects of malicious code. Pervasive + configuration management and comprehensive software integrity controls may + be effective in preventing execution of unauthorized code. In addition to + commercial off-the-shelf software, malicious code may also be present in custom-built + software. This could include logic bombs, back doors, and other types of cyber-attacks + that could affect organizational missions/business functions. Traditional + malicious code protection mechanisms cannot always detect such code. In these + situations, organizations rely instead on other safeguards including secure + coding practices, configuration management and control, trusted procurement + processes, and monitoring practices to help ensure that software does not + perform functions other than the functions intended. ' + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node221 + ref_id: 3.14.5 + description: Perform periodic scans of organizational systems and real-time + scans of files from external sources as files are downloaded, opened, or executed. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node231 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.5 + description: Periodic scans of organizational systems and real-time scans of + files from external sources can detect malicious code. Malicious code can + be encoded in various formats (e.g., UUENCODE, Unicode), contained within + compressed or hidden files, or hidden in files using techniques such as steganography. + Malicious code can be inserted into systems in a variety of ways including + web accesses, electronic mail, electronic mail attachments, and portable storage + devices. Malicious code insertions occur through the exploitation of system + vulnerabilities. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node221 + ref_id: 3.14.6 + description: Monitor organizational systems, including inbound and outbound + communications traffic, to detect attacks and indicators of potential attacks. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node233 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.6 + description: System monitoring includes external and internal monitoring. External + monitoring includes the observation of events occurring at the system boundary + (i.e., part of perimeter defense and boundary protection). Internal monitoring + includes the observation of events occurring within the system. Organizations + can monitor systems, for example, by observing audit record activities in + real time or by observing other system aspects such as access patterns, characteristics + of access, and other actions. The monitoring objectives may guide determination + of the events. System monitoring capability is achieved through a variety + of tools and techniques (e.g., intrusion detection systems, intrusion prevention + systems, malicious code protection software, scanning tools, audit record + monitoring software, network monitoring software). Strategic locations for + monitoring devices include selected perimeter locations and near server farms + supporting critical applications, with such devices being employed at managed + system interfaces. The granularity of monitoring information collected is + based on organizational monitoring objectives and the capability of systems + to support such objectives. System monitoring is an integral part of continuous + monitoring and incident response programs. Output from system monitoring serves + as input to continuous monitoring and incident response programs. A network + connection is any connection with a device that communicates through a network + (e.g., local area network, Internet). A remote connection is any connection + with a device communicating through an external network (e.g., the Internet). + Local, network, and remote connections can be either wired or wireless. Unusual + or unauthorized activities or conditions related to inbound/outbound communications + traffic include internal traffic that indicates the presence of malicious + code in systems or propagating among system components, the unauthorized exporting + of information, or signaling to external systems. Evidence of malicious code + is used to identify potentially compromised systems or system components. + System monitoring requirements, including the need for specific types of system + monitoring, may be referenced in other requirements. [SP 800-94] provides + guidance on intrusion detection and prevention systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.7 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node221 + ref_id: 3.14.7 + description: Identify unauthorized use of organizational systems. + - urn: urn:intuitem:risk:req_node:nist-800-171-rev2:node235 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-800-171-rev2:3.14.7 + description: 'System monitoring includes external and internal monitoring. System + monitoring can detect unauthorized use of organizational systems. System + monitoring is an integral part of continuous monitoring and incident response + programs. Monitoring is achieved through a variety of tools and techniques + (e.g., intrusion detection systems, intrusion prevention systems, malicious + code protection software, scanning tools, audit record monitoring software, + network monitoring software). Output from system monitoring serves as input + to continuous monitoring and incident response programs. Unusual/unauthorized + activities or conditions related to inbound and outbound communications traffic + include internal traffic that indicates the presence of malicious code in + systems or propagating among system components, the unauthorized exporting + of information, or signaling to external systems. Evidence of malicious code + is used to identify potentially compromised systems or system components. + System monitoring requirements, including the need for specific types of system + monitoring, may be referenced in other requirements. [SP 800-94] provides + guidance on intrusion detection and prevention systems. ' diff --git a/tools/nist/sp-800-171/nist-800-171-rev2.xlsx b/tools/nist/sp-800-171/nist-800-171-rev2.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..826aa711961f3aa77559bf5bdf53c25c1908ea0a GIT binary patch literal 50814 zcmeFX^OGjgx9<5?RhL~|w!3WGwr$(CZQJg0b=h{8ZR;&t)8~6*V(!eD|KQw=$elmr zj*QG5&u6Xutd$DVU_Vd+5CA9u06+w&$f(@30|5Y1!2y7u04PvxVS76lQ#%)Z6;B6K zXI(lETN}cnAD|Qk0MLK)|IhJ1cm;-1ChZ0okVKzT-w+d9RgDZ3RnY=P2`14iAHa0H z3DNz=jVV5Se?e4LNeM!g*cp-KwLg38XYP5}$~FW=taoNTR^wCmN!B%IuUz`R>1;QE zCOb%BUKg0*2(aPn>cf|312h!=3}&%XhI-E^vKfG@@dXs;X2z?Ldc`{9hv-Cb-U!yY zPnNnv>rg3I_lpgRXGE4t4liW!*-H{*nhX!J)jw8cLiJlvq9op>D);J4T z8G6Bs7(z%6zcan=de)0)36rDiW^ob& z>RQ#RV|4dq^Zr{VoO4##_2D0g-``*Wh5r|(KlOS{LH}X8^N&KG(jG3PX?3oEA9iPu)f-Z%B z@V#>C-19s$AI%zzJ&KXM-B8j*p@VYF7CO}iq(9r*Ad!=u#9}Wc1_Fs~sxGP@nPaJr z3RfTbqH6YwLg>i812A31)rNz3+jT5CG*X=~wH~AptH^XxkMP2Fuob3RhG!(8xShd@ z_+GkRyV%%e>nta|?8i$-{FqA|~F6jluALX?^CO zUR%#8DT$GVW`X4%zg}{HH+PkYI{)j7Te|Y`RKDv^o zt%exjLasx5g6Fy&lfD!txV$MtyZ>xJGBlus%i0)M@_W8#r2yILOVa-qld{}1PMN)P zKJ4R>xNcKYG~)i~SkInmfzf-GSAQmqXkqSnMnH>^sQ*nz&o;YiEhlf%DL`Dwp=6Lb z7@VS_jmu)nS0J4}GAihdZA=|pi`XHmdHk9i)5}_rWf_&Lh~$2ZJ>&;B{%UW#!=f7- z-{Xh#_ZACwJQ6m!Ada>%$nrxET@w`CGp|r5d2etOOjCr<5m%kGT)O>-@(1&j5mT%6 zK*AF8H0-DfA6F@}Ha(eh6BS&%@A+E;HOn;rlat!_Iqd(Ra$bVgL$dz`S~>^-0P&wB z{we2w*G!3uu6;HGs&9Vtcfg07?N1?Q6{Qy0Vo|Mf3+;{336NhJ;Mr^B1XXW4?(jqe z)6y$NLj*b;d?(w3-EBJQp{EO|PGz)oq)cjECRpw6zOwloQ}UC|G;jo{NQdzd z5n7>|o#4V_=ft~2sf#4(jUWp>2G|E#I;w@j)HCm0sj~cw33*jbkRch=0XuAk!&FNi zO^MRA8o-+M`tvfjAMyufAknE@(BE;zQi&EOE4x_$c58|JgK`ihuT=jV3*@yhOvADC zo>iN1X)$7Bl$*vJeoT^lv0}a2K`Lg_vtaXAoOVDMhO^>L_;Lq+bya?iODa`@I)kx2 zv!Q2Nf%9q=8h=OO#d!xhxCkY*WyFnx`AKCM{Nh(ty^gfmYitsF&7aaQO>Ndy_IA*p z-n}n7S{4X92pUj_ePi<((^DyHo7Jv~gg*8H1ZGV!);e}fJwrn4*eR(Qb<{q)f^JqX z-ws65x+n}#_Tw!Vt&)H^E?^E@%X;vm$pcv9XErU-v%;RuyQQ3tleaw65~HtI%K#4cmKLO+1$%p^81p)41QAP-Kp@ zjl8iKjom)%y;vQq)juz>SA%z{o7e+3ye`Cvm|Lt+Z95)4f4r&5?kbwF$t%!bUSIp3 z7$t&j1Uy7Gbs*qY|G;a&YOxt{c(vm&3PwC-u|=_9ZTf{{jbT)lxy@7ho2-zrQ}3J! zep+G_$iO>Z@zd>P9pEG|d)9wYzs-x!5_%mct(hp-azY+1on^3c9{&ALrT;wwt|uGs zME{F^6fgh){QuIivx}#Vsq=qDzGk(Z_-qa&zdD!i;9+iS!US330ZD?PVopdQMshuO!p4>Q~Cd+q*dVpW)ABF9(k2_cn}CWE6y z4nKh#a6mAYyogW-CX3_OI>+?_|MqY!pQD$5i3$l6QPvQrm2Mq_-5tqq31<>(DueQr zDq?IA*FM?b6qMKpDvr1w+qmi>(B<*DkI+3m+k1Pvn>9Y=bR_+mRev7kL>)=7H7>FvVN5ofaDJizQRo@R=@SX>Hi%!5pMrk1 zyPwA<3e}vFFh6iw>PQvhq)e)v4rPKUCcq8ML8twEiZ9;NhD!0+?DgLEl$2OQ}vr+FUwE+|IF7N6&HNWO7 z#xOO&e(ME%tdq>Ki=IQSYeGzMWCg9I1(IhrUnd{)x}!3!sP6l)U6bYCbl799$mDn* zJ|jSBmDqzX{IptP$_VXU$@9Ok4er|#S=;P}9~kSNOzY`<`qOk{#~9s6^KK~Z8V4f~ z4P?^KTU$C7Y)N(xLoinRo7AkspTqw1r147xc3Ew*X$j+rq6I#YBmGg_x%Ac986xG% z80;D8qgag*&^v9Ho_$5{eEV(mQ1crjzT*=n@c3y^ zb#U)YUAR#=>KQ|KUnT^<=QlxLo{>I;^EKTauRHs_4|`5>XlKSOu{*|VzZt&Sh6RRf zy|}&42k+(kr+Ekn!Ecso3Ui}FD-(+<@FancaMGKxA3Z+%rTqVP9RHo#vof+avwxXK z8Rx$o`G2yHi-oDJDgA#&#{XjXQghl4haIU0nWC$QEakxCz9Q_-;cm?P7?WVmhkc8P`{apXD?Py&#xl;1UKRI#b33p4^) za)FmudkJAb9$Ci?oTa)ZcNvwH=tE?1E#`;T4D07As*s(Cxn&B3r?fzBB3~5qc@#j5 zG^jl0V5p9N*4XIj_Tvnbm!)0OUR`9$H`J{n#j3%}BO{v0RCjCLPdvr+fH1T~T)1`S z+PR9&0vs@d%GA=BrnT(5*YoCS0xwrY*K?)1m7H(M-mGDn*f*}+x;4j)BC!)bwY2-{ z)UjKBt3uifpzG`Rt*mS3$_@78Bn-2o-*i(?i%k#XC=6JzX$e?|KY4*aVwsGs#bNXy z+&oHwj;j1{zt(D(SeHRk%!aK4v9r)4gMA*=yfmj9G2P@F3Fq6!%i*lOigT{WS}1U_*^!JO zImRE%9AF%e5PHKSK;EAN;+Mwhx?57T9SVm66&FVqt&{lhI09LAnuV2bCWp$I+twSV zfx3&wQ{|6roGyt8NEx0X*FTRlZn^NObKWGL9496qdLvc$f8H4o4=~kIqj_+V#}wO% zlssIu(+cb)E!Z1WsOz;}H%guphZd0#OlN1@GdX3)b3w~F*G;iVPpl#yLJ6T3^Va&@ z=mO0m{2=&uZ7MsjmG;}-AA}sjN8%*z0dw{vMHTCEpR$%u9Y#|WDhKYv9$s9w{d0%X zk-0y~Jg|WJ8Xm2;92+D^7txTjogMGBK#1?xj!v5NSuNWWaP+K0Pkoz?Ll?_ro{|{6 z3TP7c(z9eTTy#Z5bXhR_vbMFqDZg%7D1Zob=&P54LDlgUQV1wH!tuJSB>FV4^9>@L z=?oj0rp!J`KbxmHBnzk6k_~ld;r`%D)VO(?q_0dg?Zw1oq8c;%%VGVt1T{DP<92kF zq54}zdiuCZjkPFK>7;^98Ox`w0-I*023i*?XdAp{GXPn45}^s&jC9_u)%kvrHtR98 zLxP-xI5fU_JDRTw`6 zPj6y8O*J{Ww8CPwzcqEsV5s|DXmEx#p>>uBdg&dvgEV2Cg$mF(PvzuI&@1ii*y|DEs1St;ZcC zgjC(!EQdE0F$EN*UNw*%6GX%<`bLZhg5O;$g7}bA9k>mtg8TxiS!`|ZCunCx=TqtH z;bv-$(|)y4v~r1-XWHzM$D1={{G$GijOcPdVVA<)OGSP}FY(Wpe$T4Roj~hg)QGNw z5p5pA#JKeQ0i{zJD11 zwRu7u4AEfc^i`P~FME9d2eN~^o;GdEe?+fDjq0tmxZsTUT}Gaj8nTXab=GrnJ*uVP z*6MRg+!i67PvSf9K0Yd8jo{Zq;QGnCf;RHUvcU%R4@KW`Hhc*T32l7HzZ`3#I5Jr& zwi;2ur-2QMwnRFvEiC=9dG<4xS<6dJ=i^3ar`yM^lh+tsjnxL%_Jzj`?4&1?sPiWa zt})Ef4E>e~exBQYUxx=ao!j`#q$jIy5S`op6hnW~fWy`qR&Dn0f7a)}r=>8$km9F* zn@MRn008sb8)-s#Q8D_K8>>En>FaFL=iULU$=sTNS+O`v6YDNm772$pWSb*To{@NN)aOLe*a z7S1p@rCfE+?o(HJVUz4Xoq*9doWn6Zpq>hoCgavCIdn%Cy*MMC*&L=o*t|8uY?J1X z*`m>kZL;akfk;O5AM;Ujn5uuAP*f;0K_;y>km!1?p)R<_MR+pWbwTIhNw4=R8qWQ3w@kX%Arfzs^3PuhliP#2adgqkr`3mjR)6T z@9-NDN!b^jBd!dy5&uoTEY|2`NB=*LW!x=X96C-gD7ja7G(kHj1qn{+d94ty@{k^!~&ld#g^lw9#G{@!;(9 zglYP~MVm{tE2XNHq_A$ttx6@cldrQnzQ+nCo8K!tp4!=LL=`5+GG7K*Bi}-e`kNem z343u$<;!4?ztH6*N)07?0wrZ?%nos5YZ=$bpV8;_9DX3P zQzDh||Mf(?vW%rEDAy)tyABBlZ_LAE`3eP5cFuj*@KB^#onK_@VkKBpX!^*PW_8ag z3JW-uW(-DZ6jmE7huVuBuh}>72J1BnivwpV755D5j1FoNVR)BE8)l^mI6S1DFQ8xl z;qyOB%M&9AGavvbT8H8UppJ<6dp7aAI?rIyg(p&A7k@g79C%liLdiGA#zhE6tXFup{(B>t9tJzL<|Gv~4|ynqJbs1= zT!pc9EG{8hzZCaCv>g?B+hpdMKi%XW*?T5)tdssfukrt_R@VpI>!-y606_yF0Mvgo z{uNN1EexGZO_W`nEbYwy<3BHbH{wV~6OTFppTY(C5(U*+?nw2+Mrc;=lfMLLB7B5<9IR9L+es4db<9?|NXR(pYN@e z-tV(|Hhxq&+}eF~hp&S__bH#x(@AIhd1Lt2YxSAi$C(@VPxQ|(o=sj(AmXQyYuEMr zg4_LJxBK?%>9||NHt%`bpr`xWRWTyp>x-iM_U~^mU~jYh_V-J$xW12{j{oiJS@iJj zDnWd7w(R$7@&ZOa|6cjibk$BiaFhUuzA=u7_<8lMQ&*NwkRJZ{72;0d|LD>_#N0_A zzIDc6GqUr=^R@eV;a<0c=l_y_arL%{M-W%;w?TUuR$i!`BmX>T_}S{WlpCM%I=c16 zaAWz2+{sNR9yL9~y>bw{7^&UUvt{)r2E%u;&$nhO{c0Nk=^IjlUc=PJocQNYn;Xf~J zc|8&PHR6F>L$X(;K56*wtrzf+KBwt}hDRj&@Tda^8(Ur&O>SGS1JB%J*Nr0{3{SeSKX}WIt!>fv(YvR|XQ6RjnuwmAy4Up{ZFx+Qp|i?E z@iKkF9jpj4&Co~CKO+V5EyZ21C#ztC!+!hH}} z&`{vCT=%n7!DtW(aU@NLEp7( z*~rh@#=CRtGO%0E^Es=rtIUrzPcWZ^*MN(-b?3K>yN5l^t~YPi($)DVZu)FL#MUGD z9e+WD@3@yW{SWD4nMR0kYv1zbc8xo^yPFddon$9y^Ea*7(^<|L6)=Iws?FWZxri{7|FVxp%Zd=`nt0$2_uY z>FK^g%y6>exV&2kAj8!CLCcU6#Ua=ecfwnSNA0JfAbun+BMbRF^M25M@JDgt#ErRY zU+?v9)O<5Gr)MzAeyLk4A6Q9H2&km@g_q@)VH;{HL3N#E;0*r)PQCKF)fpUAh*v+A z$UU|04!*n?xe)0a2H7CjldDjgZ(AgAAr8jS<^!#w``_VDezGwsCvG;mnR5BlI0 z>RA$8B4B2-FtP}B%(_0amY4O2qbw%qS!Hh+2JZ+q^Iz#beC9F5g&PIdeke&v`(11d z)(>~yhAS!5+TJ{MZ8V)1$&QD6)+pkFL1RK(`N3+`C zZiAA`JwLzVW~a|GAb#O{@Q6bCzg?`1uE|zbx(|*6M{&?do~n8abw6G~o~{E#UuDh> zgv%p^r|7HMLt=y%+J)!r#O_t<6}7sn(V#xK2ma); zG`QEEasT|UD)y+y5_n5G%^cPeoIG4EX*ig{eh2lda0)Lc2aLtVU&EM2n%VcNtU#%e ztftexw*c#vs$F^zWqT^oY8Qgd6nuKdl+O@z(R$dP74ix}`PS-IU!TUIG18A zVOh!}((YeWU_&M|ox1JZ6~-jS=NU{b$uDr?cAZNM_6vBP7B1^&D4PP?1+B?VJFJGy z$6kkqZ>f1wX~-sG7wmMEvXo8-1ST*odoRRA~k)4;nt>ZZ1KM>I&kpb*MDGrVvy}r zu1VnwiHD`vL~tygXwy$(kIa3`;lp6-D)Y4?2xa4cfTE3$q2?g4gF<#`7muY(inlkj zIDT*JZqP*-JfDJ(gufXmIrPxm&h|>Z^K8er2-y{0*aH3m+g`+1Ai!i#Q7^oRzgXbx z+WVjytj1%-7A69MjQK$S1kPADxyk|K7S)?m7B=JC<$!__z=mf)XW6 z#@Z%Kecj0SbQnp8VVp+B-Et)0OuL2YFfV$KH;Y{M#26@f@$)SB3E+=Iw6Fz`a9cf7 z!HuUbJwa7&(%2QunhB>Mj@T_De&Ty!DUI584p?cZB-wz{viUfV)%ua#4*PA>A^8!< zrH4BOks!99AxxtHAza4lvt#-RP8{?2>4j*iX7M8cS7+G!M6I}XRDXnnl}j8#uYGsy zpPUfCCW|l4!qJFBV-Zt-gF9ZghgoE~!#WKd$?6Y)j9HP$R}~W?L98On)Y>LXyC-F9 zKT7u`Qa>(ZFRi{iKCA!G(7}~JWW&ofi;g};*%YlvEpi1BL+Yn3vhbND=&Vy9McnB7 zK-*NLBevDsD)`Io0tX~|u?xMp}5sZ*594az6F@k(kAlT5jUIFlrfHGX9J4WG;^v0}C6QO!}Cgjyi zU{_xG3{acy-s6B!$YbVF=_C7~yKCwR1Vi*=g(=f^hr0*TpA_zywSlpy_m*6c8WY>h zZu$UAXcPJ3HH6-8DVrn=FkX!SwiOkw6L6%g3Zi`2bXfWf zUAP&?Z%P3#J4g`#m;?F?Dx@YT!SecE9o%JsW-8Dzi3WZe%iFMx4eE$VG$$;P6WhBp zeo>D{->4Y#C;IYw8y=l2FOC@a!|C#@iX}_JprdSgkk`+B(=0)dNpLD#AL%a1f)wLI zk{Jz}rL4TrU@cUZQ95QQlBss^Pe%N<1pH+&x$Zfr_lZVjnFL1DaS zhWIIh&2p!(eV(af4Cpr1%FG4I1YT+fCD?k4tkThhn4w@6jrJ#JLH}MCkppIMql{=w zn@w;B$PIwYunClrT7e*b<&%5k`M^74Yl&DJMG#+lDfo9Uz$XaMskh~CcZU62X89A? zA($-B8&zWVt?3LBDrQ2Fi6Z9UK4ok8^hVZSb0`bOEmS|A3Ploj9r?hnXDP)%%y;A` zA4z>|inK;Z(E;qSJ=yU^FC0!Bb$A&4T>C7TYV2QFZa6&-}k zp@}X{1tDi9z!W&fSy%!_UXJn91NWDYF6o^V84F2z*!|$&EQBx;oNxjH1>>9r{!%xZ z7lWoEED@VX0X-m!tNl*xF={T~*DWS5fc$%;nulbpBI)jK znv4(wl0!r(kHsE@oM4;K!6PhL>EUa-mL{Wn4FhLZ&20iOuVhdGS1GAnTMPND4w=1u z0a%&?7ReWZ0rBH}pJrKrczFDN?Ro~TQB2^->A*_r$8z6-nDD7USB}v6Bt;9gme$oAStWP^fSbGeTFvxVJ z%?#jUfR1OtysNUQCuIbB%r-<){puzWyJyGFz?CnAiRlL;Ni|8Hw2411*+Ta{L;XJT zQP?pH8R25iE-FE~Pe4(TKo_2CQvG8X+&hpdE+?v5vzEZCZx%{sJ;25eeB7TnVL{Fe#PfAz(?OQidG8EdD-+ z(-rqxIMo2NvPt+Z8%yDuqjz74u=}sG`xqf05ag>i9EjC5bDDYxtmRpXsZHIuBjf0(IkgWn-gs*UzUd1Blz%Wjvv zO=KF8pb&&I9*%Q;%KAhREXe+ zm~xN*@XGW9-)u1H-x>uG6IbM5W-M<(i4sKSba;^PpJWod|EkysvYetfmor6ZS%zFw zd%7E#I|0phdTBYd4@wA%ov}4j}Xa%4|#HoEzhs~nO*t&u?vEXiM{{YwKUg%z77fp2f8OATg?d_cbhNn_;W?<&Rk}FGJ2y!T0ErZ$#WD_g zZ<}IGq%_XzyTQKEN)^#dbP}dGMwi2)4eegw|N82UOXj@tFN^CpN=`KzVS~3& z$z!c-)X`_c2AjG)g4C0MYgU=-$% zT}=|xG6Z{D&x56jWg31=^(T?@3&xS<`(MNPH+^3MOQXSECbA>;59}djGc}0`Hz?jj zZ0heQh{Q^2=Y!i4&8wU3mj!zW4M8h9irv0jttf-U(A&}-b{V0tzoBb>M2MpvxgyVW zwh&Tpa4WjKB+*?qW)Z*k7x#SJ5xIrwf5^!(6vLpQ%p;Ss+Z?%tj0tTb?y7~H1(4LY z6Nf$?Gtj6xj3Nm_r;BhU3ZAX9f|Y_l4Ukk#NP4yN1uP4yAn$=U+u$w8@AyhD!+Jsl zQ0@&;J`=fhA9?N-B;-*FnZcXqnqQ4c`Xbpwp8WVJ#@!uyZ%o)e%@s({xn#b@tKhkb zeP`MkT9&FlNQle=ArGB-tQ>D4fXS2F^*4{$f(sP=Zr9V=+ZhN&@Kcbk0QH$_rQXBo zBP{j$k*%`#OMqz&7MRz#Rr{G8pn(lCZVGI|e^7gi#(jc2^3ag{ki)ibOaYSG)S z84Qs&+fK5pIg?tXE5p7}2_!1WRf<(K{Ak2h z3|CiC$aK~LDLNX2uc78aQCNgKBpMwEk+TenGGR2;%51wjfN`O(h}D|wqj!R6pBm@> zE!@&wvl^GlG}|x#^NNmN3|NAcG$qjs&jpK)wt6_t(1oNrmFYiv1sZes$$QA;g1@Dh zFvgJS|F+i&Om^RHf7>nQ=cn`c`C$Co1;*O%_&$H~L)svUbu3h*Y(i2aOK28%dmNR< z@a~leJpZ9`SYU?FjLnJdhp)}F8k%A{e;XqH`J-uJrglZ6T^df!t28 z(6-ZvGe2A*%Gbdla{EhL@3{NFJ*^?mcGCBL6YTJQ59aen^XGp(=zbpHeBS<6L&~Zn zP0f!2?zDh?2#OkG?tbvdS;*}qe{pKz6QhMaf)O+MVoZ#C*e846)1~YoZ*9SkSzn`_ zYqhgAbZeWy+v6gpgJQrXxgbSH3;cwc!dRu%#k<)Yx%=Dvr zg>{|H*g3YdQJj%|s+^}nQBr{B!QkMAS|g^5)SsGFTH|lhxAt?RWoK--)!o3hB_MB9xMQ$R zOHP<#IZVg|@y=>)1AD-nm<>Xa1t`5EaiCgqGE7XwXNBBtYz%u9cNrh4l~G!I7HX-c zb~9}CidEY+(OGBC?c>< zEVn*T&a(Ikg{tw?#pMF6o8sGB^lK}fgTO!V*naq$;SvHRB0U``VWU6l<*`Oi||*VrXS;MZz&X`0d=HL%mP2e!)FyMyQZNJfQ? zyPPh+xVG|vAb01k`2L&`Tk@^jT#5$|-9C^D*ujX|Z*U^0ZmuKFA0)~hf3O#3im$eM z?N7F%4C)qR+1xz2_1GkGi*y-)BgX@k>C?nq8DfTWyLd5^6~c)uIm(LTHnD))TFH^7m(8Ql!tG9_LdHM`_N2sqNLY8m(O;bg$= zevb&%&V_;WnS+~M`6hwAX2(Z|d*nDHPg+P5GU6!DDsZSA25ngdnn;h2Kc zX~f=wY2_JpG^_f}r|Ll>WGX@-%^X{s!bHpW@atd)Wo3wJNM2f5sSmk9jC33MYB=2# zJCqx+7QCQwa1_~NBPnEPn30sKqAgE(&^4in15ZC7@((L?^_4kA0l|AVkQtDTkt+23 z?Mn+!kjLo^cvf*Gx@K>e_)+j{lp&rI12%@wX+IQeq(Z_NL6?UeWxqg$zQLt5;06X# zGcaOGvI1vcSgNnry1O2s@X^>EBi;hCPg@ybO?20ZG;?TkO+1 z)OYG)#6~IUV98qWD%#Oi1wRe4+|}8^q-iYsL3%f)r0FL^hP>+C7RKZbCaSZU&s%nt z-C6};3?gKQ@d@0dML;ML%17AL0=JcoxY&*)Pk%KiXzp#+Z=0tSc9#k71t91 z)1MblXNrkI!89eRaMO>+yGj;6NR=!Xxj-;&Or$}Tc~>6%DV^f4<~}*>r?k!;RkH_p z*Hxc~zZP3_*wZ3tJQ*mG;?zS$s}`#t=xh?g?qnW~Sfz!ls6wPQU}k;nV=UCCDxv2p z$U;_siU&wb4ToE02XW-Po^-2Afcyef<=M#cFmFY$L$No-Nw(ey$t!NZ{i*l?gcN~} zyN!^wG2n9tzJ<*prNwPz$6*lHdhl$hH{)_|G(jP2LP~yzod5NFC?&Nj5s~n07e({y z1zoGl)l|_7inz=tE&c*}6X?{RPcu*W9?MQ-hzuaG=NGA%M$WL0xxh|%Jq)XxwGJZ@ z?bYRi0cF1{vXB{gM0MNmGZ7=;~#(0p##Xt8pZ zsv;$h9f6om`!O@|K6Yd0LC$-c!83ZM=?122T)#b-J|Hlh`OEj_N37;p157S|xop`0m0V?>a z6e;C>pD>7DN{1olw?98#v=2yM!#s$K-0yTzDI8@Iks~g}Q?O->lI9Ra@}bnSNy)98 z(2l(mQB~7Cmy08c6c9!HL=5A=jcsuIfow$)4j%aW3CjIl5M*{L5)7U0&gbJOjw~|U zIAsE$UD|=)#R{BFlu=xUN%Y z4=8i2uElMehnLPe8Y!$Unsmg1axZXOT_uo`J_>t(L*A~B+?J0&~ttlPdsW(&t6(vo+3eSiaeAnq{A6T@D^4p(kI;p2cxXAc>U$6J>?z1 zp5a}kHoD5y6mI9Wr@d9vsoE4C2SFxuB|Xuo)n7dXe^|l#&by`|hNnBdWI+v}u$nM0 z3z|V7MC0L4R6H3gUe%kLiT6H_5!13xr|D_=*N_3E-NjEvtOmo%ocAVDP83Ai!IOi3 zYe!knE{0J=Zl9Gl5?x6qi`IhwL2?!|A-yV?`b%*Ir!3j*)7i#?aG;yiXD*stGVrO! zIl&oKQa(`|{Fh~!)2^%(y&6NU8GW6p-VN!37-kUNNxYUT8y&fSVf#0kjKlUHjK~5e z%D}9lA&4C1#t-p>#+?MP)cdMfIe5ltRlvm{Ovct;NSG9qf%n5pGKN-UE}Rd5d=ZWS zHQ?1g=yUa7<0%sB)K#yvX7mHglQKj0pc!qR(kXfRQn;*#HWZ#g7pn66_W2u6={COi zJ6|L_m|b!oWPxV;cBF91N1RdBZ@k0NnR%dfNy}!nS)^Jjih~o9v;|Tiv*-s;{Pwbu zX8?hGmabo;WeoZ4w88WQ{HDM~Ln2`Aw?x)KnPrq_pFt6$nxJ>+?#Hj!yN)fk3k;ET zUv8H7T(8twrh0Mks$xE=C=`Znhqqm<2CT$OM6uF8L=odR$FSikLA0wb6fwuFU3N_1 zLvmCjIm^$9oXMmh7C~lsug`Q3MlSd5;yXVNII|*YWG#0^WLQ>Lr_DrF=EO80~VUl)}(h6wuQ99H8@{>42 z5y))%Zbc@D&_S+SC)R?#>E5q;hr`~#vt{R|Lv+yvXjmgw?`fWBUHD&lkH68czygY! z+jA~0Fb^AkwrX|-b-zkUG6&`Qb6`H0Y2oJYZmhR0c8+4*hWJ@J{FM3bpvSN3PRmg> z!?94itzPt`TW2ke*SU}GounP19S)LGE8x*B3L|jd*M&-~Ch-m%legnxU+8T5qYvHt zC*TGsnZR(#GA@=%C6L@%iREUoqer$dSxg_Js0^bP-i}?am{)q9GGtDuG!#TBjQ)}i znzII;R;Rv!jkP_5K~z(E7Z9Ygu&tE|)^IGba4UH%{xJ}op&`4r`l|Zi`h4oZI*n9c zoN6RLL(Zk#zp=9=>nwCF%MI{P#kZ><_g&B!qHtC{0U3?W)p2bvhu%D-t>;kVNI4G< zi7RwP>xw}p!Vnq*4OOD5UfsYWidSm;J`a<`88Xs;_@%}YGF;D=o>&xfD(P;#>HwW< zp{!Lp)~`dM@688GY44^w zbDILg>9CACu|ia6o4J%h7#5+DgcQRPM}P)GP-aI?LI?~H>Kz>`b|@1T@y5-rCJXbWyy1z{v0*^>N?Z_qE1*}RJr2ykvbi#iN|n>py$5h zM>CfoD^+;}PYmn^-?ZZSc4wZ(UX71cb8QyYs5zE1v0&uyksyFF%DDl=S*Ca8{2`kw z9Mha|7_mdmit)zxNkna!62DZDsRj^Z;2%&)f=29hJ7+QEa33B`7A9A;Q13l}i5QUjCWu}*>KfR8 zWIo07huBPpyrH>Lqv}_`FFsBUm8vB>6gs6YyK^-};IJH1?FdwymSSzCzX$|Y0ChT* z_L*;a`+m#)P(^0&$h7Fa)^tr<`+c>%xxJ66g|LkBel(i$ujrzlR73A9CbSYm1quj5 z7lx!VHn+s_Ur%4@0%?f6NqOfQ`CKI`-fB^mPWEj@-fO|yjT&ObekyM^#COs{w>}#M zh$WKvJLL5gzka0N9>S!bW2qRV_|^(cHf(@kY9+%PTJmQ8ZR}oUn|!loPO4O?j{dkV2+v@UUb`7ZrVhK*_V!t~5%*|I~Fn*sHGhhSj zTXI7&jbR8M`t1@%IxY&Hq*Q6E9yM;zliev3SANtJ8KRIQ0;L#`kgbC%1Q9mxSSbdo1W>9xt@mDymBj3*2UX z;l8Z4H$p#{v)*{aVKyWUo03%GmbFqHNvm2?T;Hz5li(1WnB&UdOcyzuks!Wyy5E$D znQiPHj=2 zTUms1LwP@AK+$cuepS~3d*!JgoT2+=sbJM(X4TGe?(UTn6hRx{N+DbMHb9D&yDIh7{%)I4UyU!W!)tDDyXN!V^;HX~|Hootq#h~&evJNq0Jiym2g+0Xh(KO7JpQxk(e zsk+S$(gj4T*gLMlOo(@5`q7l>5r@OR1S{+0@&XYF@MUa4BpDh~`Z1d}P)?u8K+-Bl zi~Qa}h}H0?6i-xd?e1Y1IcVr6Ij|#S!fn1PRO)3!)$Dc7^Mm^e_Z*yuQLtnBG*{lwA&N;;0$%Mi1g16Vw7K@Y@(zF_9A*$8-p+ADDToap^ZmR@_w2YcD6}z22D>=)ls;0{Zd9tqXo*%CO3jL{4^!cRNlt-TJ5Lst-(neD(w1qLoiX8W>Ku}0iG{!@Hpm>x)7xFvN_3u)mXIJT!f}Sw1w3&d*ZavA02Reazh^xDe zs#pWIs?**2aRlzu<~$iaCVkd9qyYFYlzj86oe@m7p1BB(h+*^d$?77=8kgUHv$H%> ze}v8FlJNx0vrOdeALr_<0e9Bg+KLcy8;~LAW+DAhA6d? zqgegKx19uiB;0~=3HcM|rql6jE6as((0heQac;OZp#D&({MirMyzJJOR^sOC!q5~t zdfy!J9;{RnUJ|LV&D#*tN2?vC8_qMuMTjg*MIpu9fO&*ph%-3_9I@=DHp!m#)093? z!DOvhiUqc`YR~FH^8i9{(M^?gkaZc5pC>+8FBO}$ewBtM6AE4MXj)#ygaPDCz7A9s z(}a2b2yj`aXygbqe1GV;!Fj8&|6PRtCJh~b$Z$93*H+Ah5-N^3BtGO8iq@BA?HooT#;=Py*b_nxPdCKROCZzP{ts93Q56Q$!s@O&*-=lVs_ z+4nVqH|mrf`_-l4U|JY?PtY`+k&u8gE)qe6LIBCE>~}~~3>exEw+?<&{>BZB9tV_Z zg@sq=kxiag%DFXd7Y7eQlTlG+0nR%`C1W>r`PqY~k@sc6@g0>yYt)9A`8OD<8OV?g zo`aCEg&Ci!nIw?jxjSD7INxut`Goy5h|dh8q|Hlf^Hx4*g^Ml-zX^N`p3Av9>*qMB z)UYE8Q7#UE^ebF%yU#}Ca-$H(8+6N6gtwMvJ13rw9A6w0X=n5bAY{)n#bpnZagJ-6 zQGrK&GShrBGdI0r0%=2M42DUmX14103Zeg{70-6^HcXFWNQmIB6Dl!hz841wf-OFW zXDTC4rd)(qa^bvwkay&Q;-iX8D1vyda059WYY#4=$Dv3wBGWufI*~#Jx?2@;cqu!I zP^vQ5fMk;TbUm#A2}R=~O32I$avQO?CTs)8^^7>^_?(q9aVDdaAeg4ow$Eh~FQUny z`m!uDjFvK+JsAAdE}m8HqYY0aRR?#hWpk=d&Ugt)0$W?@CI(31r?Ymkr%A&n?0*_0J-_|xaoTD zr>*+x(213VWFMQ)_O-zNQ5@b@aWt8|9&=+SeqrR0V)I`QhAahouX1NXJ z&H|JM>G4P54Tg4x@2W-u0c!b)!Z=x+z_#6zRWXDXkX*AoGab)Hjk^!eqW9W0A1OCL zZs-!ry$X`S4pOGGAsoi6a7EZ%7gq>3vMHr^+^hkg>&M^+d6riz$9H;v5_Io}E3J)F z3&e#!G?h2j0@hm^V1AsL;+`21S%JY8Dez&jKmg5_2X20h5-#o`P*kI=BYc5Q(d35|OJv41e+}p%-ED4-E zC;-KKvb7AV5*@)T_g;+H+ykMO%N$MYtwxwG9@FV^uf-jpM;#2lg3q^nHBboqv=`+9h-61 z29J{QUfrV&6`3c=Rl#LPdxdNdFQV~qmwv7_=S^5TnvFdB>iO5*hrfB}!#@K)nRELl zy+#-ivQN^yS!_cD@nlTqoAhEt#n@bh-eitDV%mPT1+&?nX~8s=7(9^tg+tqoTE^WY z9ATuy6haVqTzk`d@KQO`GBxKyF1LO)N{c2G%uYNZEy#MeN1I=<79Dw38T48IYeiV5iumvD4y5YAKMat-~Ca7Fz7hxaO9Tu1c*CNG-k4 zuq@z?Um65`HD`Ot{Hi;BZY{wdkI?GWZ9cXBR<>X#DgC)c_OQro04 zUsw&{p|>%m35YgCdHm2^AYeU!nq&KT?2FyfkKe=Fy}HLUh}2V)2^2Wr{Dr&Apfp&QE;VnY95nF~sRi}5Ke4BGgVI~6fLYcH_nJ^HniJ8{j{^h~ zn%Jq}d@xhYP!3k7c$OA^B<2DZ^)|;r{Iu5~^Mat8CnRPgH)LTduvrfluY^n-`ksy$ zk2B9@@p%lq$UjbCCZ{UO4_!;812nC5|MFoubEwO_7sg{uX5WnoLO*<+X)R;9LqSHZ zisLUlz;1Y0a@2#z z(@yDZnL__h9gD)2>JjzmQ@Ft~WE@e#zIVVrxOs%T`f&r|cLvYTxH7d3MXr$zvs({n zhev;D!Jq=e_mNihwmN!p%+DOt9OA-8J!mQ9Wj3WqoTV(Yo54*G`xEjAU9omvm0zzJ|u&x;OxAy3&}3t~&@)5N)*AF8!M53#4gQ6*KWEU0}-tcnT? z#S+`tu~FmPoaHq;CvYN1xg92iqLWp(#Khx7A9O${XVR4wFL?^8Oi!=Ys$dg(b0ufl z2qj=dgpTq9fim@6&oN~u*TxxqR(lRt#T|R!R;?z{vo2_uuy9YXi)u5K$Vr8Hj>h2b z0C=&Qk@@X2JJx}(P?K=09;S*XoktcxB&cW&KYm7$|J2i^icSI8!$9GvsYXAix(T#t z!8|oN;PmZC$D|fAo%Q0d4bQQ=7{ z@t@JgAk+dI)#wIG@TBz*g+n@Y4Q*ViO-zs@JKeSDV>)+E6B}VdZ6m$8q50~53cvA=ggPFyZI}Uk zAfp)=%L{5ojhfYzk;e{MpQ-d~LNR`=wrlD4%rbo-4){;>`L&swJ07LAskJjy-p^NR zTYEuKSQ;3Nc2*d(tu)bVBDk*mM{amC;^HDd$4qAzp!^Ca#et&6Rghv(99!Y1@es#OC=8JZi;Qk8&t>LGlPPPADu#$RDx4x{M$)`_v+R&J|LIYXp*Lspx>9=kf={5 z_31BI?t~||8<=Mqt9eG6LmEUJLOWO?F+sO9Z%K`1^18by=RKfZXcb97#<8_cvi~%C z!xF`%M_mdq>82!G&sm?tOKQjqFI?`Ikj8((X>_k*#?a^9ezm7?b~}WTHJxGMGT;PP zl5N0nHi~GI4k$G&dcpbv%!2vprRNR%Ae2&joRwLa?3^S~IjP&`L{F2^Iu1DGxY>&M zi^AFcjvcs_;QG=c^rzNt;UT{9qL$I|vuaqy-ho)3I{acdzg7(NDm0lOj~EZWihrtC zh8@GcUHk=Kgp6IRn#sIK<~3p4m6?UkXUv`vz*fzvXXt-*5*qSv+B4x3CrsH7cILX; z>4Xyu0!HToI2v$Kx?OheDym>dR@l71QS|m&{WOONPbqT7a5l(3{1QKYCe29c+taF| ziNeqR9W-8T3m}YpwqSZv_&vfFYGGIEXHY#L^+~W`#ej$68`W+-avI%_D_{3Jq`G=s z$rFdv2&CTBC%_0TEbGV_5&tzeX}Q_xg6P$+X{~U_@dc94rf92ohD1JCitH5;6q>); zQ7h98Sb)cw6N*5_+SYT-SzzRe<7Q|8m083P0$%aA8knMfOnRm^yvgon>a)RFO*gRF zx1LZ1S+}G=4jdz-tDH%4vUT_1+v@q-94htbl{)qIxNrp%fhDdWt-y*R8*fj zUUJfr&Ow|xGem6ID9vT;xj{h#+ z0-`)md4xygQEuQgO~#Ukys&4+TzAQFf2x1pO?%2t^3}#rD*ic`r9jX?W^;vzwcbpe zCBwf|NPVFuZ`L@(z4>^p%6N+Y3w$O2iC<$-(Q!5+`<<44bRka7MD(y115@DbJi&w z7*+|!=~Dc)PcrFFbTG~F!9n(jq$iKE0zZ{Np)Hy`ESEg@#HD)a(fM)>x;$3B{3~-)MLlpcQn92>A+|VCzx#rL!Qo zIs7Yk1h!{b!YF%*|8IPY2|w1))fBFUp)RfP@)oRH9vI$I6p-4_k^Kcv3Tqswg;uUk zOT$STdp4BOL@(g9||x~zXXj0+(l*Aer-5mE_f0&2l;FU$ZC>jFh+ z#&cky8$ji@`V;-r5bUSb9lf{1a0p5g+D6{1;g&iB?3tPu95G0VE2j}?0*h5CtMR&( zU=@Ag>>O@HYM_`6pVkX^nLVhx zK`X2m1i2&Wk4=R0%r5TLvA9b&yP@SJyIxp>!an;-L5(TLT@T=9ZOsq zxvA&SfeA(SsoKUP`S5Uc^MJ+Famd)aZ{=k~CSgE^9i`+nHxmhO+wnvzLnX~|Tga6f z+rh6MJt7N6endS;t~vNPF*-xMXKIVf@hXMAT69F&6tO2P$HC=QlalJ;%P)lw$Q}bl zkJ*u`%qoaOh6S$)pFCT}m&Y^Yd z%_-~3s-cDnKGbS`w`L(C>sjnvL1|^233*@j|8@6MZdG|{1k4dx2+^;_4J`;+l1dew zxo?Hc+TnEGXV?3qOQ)FT!N7PvV@Xwu;L%2Qq|9)W^? z>(D1)jywegCPVi0^2jopR~{;`^}KtrV+NVF3T36_Vk4KiCZAP#f%5B_Mkm#*L|aEF zwQ?Y%tFTZGtwpkf-nu(3t#a1nIM0Y)w8LpK|B)e8Epy|UGX^VQfa?4nux@5|9K2FC z0#VTYfW$`uGN@<~;A7kSS8zDbCsf~YxywhGq}h7mXF8y`Irx%iP}gdj>5lwxO1t*E zfP7&fsW;1TBf!*~wSs~!XF1>oof=Ui%&lnNu{-Qzdp1va_SCks#-bdE+dAgt8|I<{ z{t0dI);CXCCpObA0nHL}hap*RR)AbtGZ4uA3v}B`57IG_PD{7YqV&;dhU4e(7{Nvd zj03^}21sdlVxdt~fbc$#v+R@&U!y9Jh0*zT>WXc?JzOc{-%Xq7kMCUj{9^kWb+;)9 zX$dRbZ4P^}x(OVValMrysoLlkO0#Lw@;M@37}K0y}|kru6H>DM>Ny;l6td%V7=(YY}2a zRYzR6VcDx1eu57Y&6mttD=rzCxi=}hE`tH)p}H-SXP?}8iHumWVudyZlJAzp zi5B#Z=V52PCv~BvnN*?VW`=UOadtVtQ`Fn<0BgSdBhWxoPlTcPMY20c`T~vYJfJpM z686yBQ{|lT$>8qMaU&EBxW5@VW$mr0hr5YnrQ&aRffHeJSgiZV;EtI`XOE6Am6s?d z07#%|MD$G@RF|+a5DQebRNl2OrvcF7o0r$G_Mzw%R2x{7Gu)|WPX<=LcmL+j6jE1T zoe)K9P;UiK67VYVm)R%{DTqy`S--sjS6nY7e92n26*XG0su+K&S~kYXO|w(TnL z%KT6Y6_fYSa|XR@{-5^a&#WOR~W4MVNN@HZqO+f*SR_1LlXLh1(9v1A=V(ZPVqBf2g ziJ;tms26y-x!v99=tn{<)+rx^>_eEy z{>1HX{S_tvaVU%A32;+##Ew zJ<`s0@Ot?@xXjAsq%!@rWa6cwsXRV7XYJbsRv2dE2}@P~d-g#|VFlq?9#b+^zxy_` z2J*NP-plsiYw%I@1&4F;BC6?k2mX)mVe~(OP5)UG2E;hJ`>9q=Q)>96b98JUrNGUO`V!$a08+S~$_F-g98X&D|6J z?Sm%(E%w+17t`w34h*6k)Dx2(sh&r>no7O81^vDYQOU~)AH~<|VEqA3k**#>9Oic9 zEoiqnkL1ZEn}INxehZab`s&_@r+pu<2)`Y8(HUma>a2N7>5{TA?i6hZEY5@*iAwhm z>|Q=)MqdLV*M$OmGP*TP!GZXf|3)|G9y5;c!6G6B;xyd~gCi}mghy@lWh6_c5z-m; z&K*w0DfW8FTyNvtFWPHR1)9xX8Ddj9`#pmU^Xe{*--R$wF)mh;u{C4&qX5O0L_mOb#8T**qd_=)t3b<7yA&KbZcbdg1)4=+pz*0ICBHlTx(P z3TErcPC?VW$nfs!VN?9RMh`Hlt{N&Xx`!D+_I~2uH6ogLmj|8@y*%;zxI&g(_HFuR zCYCxSEdzokj7M)gVR3%?w;;**^Q_Z+v=5jXe!LHlYqvN;67rY;^t^7Qm#sNk80c7a z>=WfP8wQEeO_+xZYwlN&vktf=rv`%E6!)T7Yl5f#VOT;@5GwGtkiGtN)@OW*aw5XY z9ZD=2_;Jz=rCycUeD+4a>YqdkCst2fsM#^DRCiPrZn^q);<%2w4$xU@hm(gyB0x}z z6V~TT9gZ!mNSvlaqy(38#`Bj&en7FN)vO0HmydRw*}j{%HvUHh0mpwq(TZPBFWWx_ zW-gTq*;KUJjbR0K<1z#w-s!J zS|5+?%H!tzx&vH1*ngFFV0It z^72KOz_KY%|5$MH{AopQ9J#w_-Uuo57ti2uS}mCqoUxE_ijczIQcowRU=~9lA6gbX zp~to<@sRlu*aPup^Z{f#>!7?dchTlAwJr$yh{Z3Y2nb&#D8lf!(!L#lIoV$F;z5Q% z6j>zOC>bxQ*0_X_)fOMA=)Vn_3pg}8P-x+IET(Bco_NCYsa38;(pGZ)yL<{geL#%T zsKc3R$m;mCClz>G`;-=&yPm91Pk#K5gXcf| zy!?h!!?qt@T(QF}P`Q)i7jXY1&(^!8<>s0VZ26?|hdt47yu%QAs|098+HY6sO(5f) zLPjHSb(c=L^?CE~Zm^YG_nG%MEJh?)>00xxc2v>QnD800Qm9k<1%gieQw;m$#cuaY z6TS#TiIQ~O%Gmm_=ExX$mj*Z_yc&W10NO;@gk!;mnjPcIqGLo=An7Bc^74bAJCv-A zy@AzkTl=^E6tp&tHgXD3p~!j|FGSxEKGOu+b4t6%Hn7QWBSu8rKk}3$h|Pw zQt(@|hN?ZWw+ok<-gA3MeuLdGNH1ZN;M(UgRygAIqHF~O{(HXV+4bz-duw-IGQzQE zTlLx9N`9>zfN27M+#am`G3nd2B^XD$R$5_5qmzK)(o>4Wx-BM!n>!}7@QL@~dS?tk zyR0;&OQQ)+XsCSC-5%epCs#yIS{^MNtauUlp7Vc!Ww5su8}sJ1B~xo^nXMg76VRzY8=As|VN?cGi?5QnTDVJ$ zz(is!q0E0U&5Zms&IcSBRy0u+3lPCKDF}A=7KpQb6yn$PE4CP?8Y1D;t%$?dytGtq z+7<}CFL!cM{>!<)!aLN01l4sPZqUjG!5cQZ^#F!-1W}Bd99_LetAQ>BhyI5U2E~y* zPPmh(UzYZ?>S;;q^qt{D`h(_FA*j<%-vWEwJZ_tA?JPJY5>_w^@FHN0w&{1YHlNRCnn0FIV;|eqHVKD6#Wm9Fr;WpUxfE6%%=B2ZbnLRyB$B$z_}2%ZIFz0_F7lE zE)O8cW2I!cw&nIOk;RiDN)wKVvw*(QT7mx7fGUhd_88v@kpyL@vxK^S2krp2usD~F=C>4vk zr}nd%ZR8%x4dte)nzb2AqDYb4MM~><(LDbhbpEWy_k){~}^r0dN)qT6+wLu2NPaTj_WxuFssL*1}Fl>rd1 z-$H?u!M_j_vlvshPa{jS@C6*D;j&h>1oz_`yC0uAcG^;lO6T1k1F~IQ?`6h6l(&Y# z^IhFJf1HGJh}(44(;HgH&XggFj|T79Hs46spEukOY+Qq%mBjwp7LDHrTv7+5VzBRPoapq@e6e0&~SUWJKrkW3dgbe$3NbRm2c7p1F3^WC$OMU+&4{(trzirVD1)2_J}J*b@|DztH#OP&Sj_oY zU}b*x^ZrEHpYu50X~TBfqKcHYL{E$3w{-1C>hoiAEiExb_de}h-@g=pnk734#x1ux zC=CvZUTi8$8HT{e8RI~xqxVsbVkYBkcN154EZ?0FM4_+~Z_W5?Eaa%OTVI=eWOsp_k=o%Wm8(u);f>fEr>5sgw+}f6>aF9I)?B}<1{*# z1~LQJK>AXRf+Ph=lP|0=JwP=vC&FzBjcG5^5WtYJH?%iT?SNjB{qC>ka=qF+m}dZw~OA(f!zzT5!lEP_%c z_$5if#Ea&hO(wHnTFScI zoeP8CsmX)BccIHM2U=PNHn~ws14)sQP^=mL((IY{wqKkES8(CId4u;#u+CE=enc%M zsu_U31J1WX0;a0M(ajo7d2y&CvEpRjpgP^6sbT7nPpdy78l*I$_b0cUyneP~xvjxO zH^%z@OG;k4&qFa?{ZWRzMx%gJed&u3lQZ>XpQex)spiv>0Um0b%N}tecD4H9{RzgXv1}m zRe!+1iDBezwP>oUO>6c3O$wf!LRFUig+P{2=Og+{=tQXJm9f=Hx@(+c<$TjB)UL4v z94mmALq7}X(iO!XH#ky?y@bw~a&b9Nhl(;olY$Z4gR<_Z!CFkef4)Ca<$e@t_|94( zqQlu=VyP27AT~kzS75tuCuV$COrU6ph5za>YtpN=*1#&c=4SUU^a1kH^~rS7zXy)2 z`iX8w6GAF?RlzE?cSIy>Kg6<7|J;1Wni*eV-Xe1nDtXxwk({A{Zd!1!etPud zt|7l#@>}>07=y*hmuzAirg1}z9Srv^DVbuy#d=`NFFp%5g$E@oaqV4d`f&9zNDsQ> z%>oLSq;Re3pZov8<}CX_gZCmfLGHBTkgx1onNUPG*I0GMgU-lY>NyJm!pD=$vL;K?`|0iX%RVaAUebEv7J#3B#1n=pq7>6^L+L zx3B}Q;QqOU5Wkgt{P?%N3RSuOYy0N%sVlgna3&}P`4ZL<+?ng`1^?Y;x#Vz)vaBKz z1f#!fj@jM>e|UOMnWFd?<58*;^G|$h$57ZXn~ZAw0!0?%7#nDJfdSYQygoa++@VYP zYx2QudE^S2TGH??srcBkU#|H)v`5rhs6AjeSnl=uE)j-TsaT^`!r;S5sfj2QLjm?0 zbR%L}+uxpgtqSqXFtk>#ZLf$86V7zMu72lQ(j@z)ak*M5XHe?k?)P`p*e$qAS=Q$L zD1yxZl3|vJpCji@4k_C)a&MuM>IO~bZBjg6)yCgcO9%vX|sP-jBy>#D2glgSk;KC_GN(E*Ur4~>AH@Uz%6=hE} zUA^H_q}OIWpfUIT_hVy%=k@EBB_NqN|6|^+_9CZ53wb>Z?Pa~ryV7G9uxdDRh!vP1 zocXylws#U6q~2>VUwh_9yfuz+>(?^^V2fFGHTMz?K$NZ{Sn zqHzsCteqH?mW_lGb;F|0sBZ*UPbpBb8Ce0Cq(HTwx0Yvlqnu(ex5k zCf$sugj+DP47(+swa}i++a@S5Tq(6T-O#QWB09Pw>c?mum{pUp2VC|5;+w;tkxusB%0*B$VD&RsmiNY-*!B8l&vcw_3j@iqx za*xOQfohVZxH zrC&@n&CAK&@6Za+okB&k?Ratd*eDQ7X=U>`6EI~+lkil?=`flGQov9_T`DwTcE0uK z@P}d23Fv2eVoSDicX%pAyj&!(w#VA?NxMZ|nufqS~tpsdpme|Ot+L!e5S?I%k^WEbg|Hsdsb;XqN>Y2OfOv-?y@?tB;^yQAjKL7Kh zPc~1!{c-cj#~**<3_^Vo)(%PeL!c(e)g80U=Jn>m;kO@bzWn%;%>xML1iYWP>W?3N^zPle{g+o;m_DFG2%z?%Sh|2o zelg?JPXc*Jd6`AWi*pd+z`G|D20$Bw#G^yVHbN8X(5@tF8Xq{%`rT#=^! zl&9ee2!R_9i@tgux06X4SsfpVpcQ_if4PpDnrYI?bx3aQ49XV@L@`N{cJey|x^<=zBwz@tEyWrU%MESAJK;7P!~qdZAad7HO2Nztf6E8r2{wQ1!D8t-OG`L zpA2eM?jOEE=?#MuWPgQQ%!ELDU#fl3lkqf;IPzZoEy1At8?rXVuw~o({wt5b%ZAcu z>G)QaiL3W;Ck@xq%GemYF-${s7-fW@{$KM_dm#Q+$}jC^VmH&B~8VhZS%s3jsn5Cg1^&wMqCoaOMvPZ z#rwaQwy+MGJU%cKMj364Mu?p3fKV<@-!9g{YG zfSmq>BG*gGy@KGAX^5-sDQYpK&vrjcrLnenlI(JK_$!qyV8{U!^Fnxy7>o_CfwmGO zUBE}xx2fW&xi{r%VhtC;Sfn=Q`rDSPe)x~ah9;qfxRVN@q=CtHYOs91=UU{vP>g7X zpADMi;wBFonJM7&N>c&Vi-RW1N6t+sQ#jl=`62BCWr!gj(D-)>cXFhJy|EIdY$v-} z@Pfnc%5Ed&sU5nkk9+ON2&ykNwsDcB)}GNpjrN1Q7(F}IoVNz~x+8}su`(AF^@c9a zCG>?^+-x0M%ZMvbwV3{yKeBcJh8dIK9j#a%xFhQDFfOgAiVLrqhC*A+Sf4x={8kIZ ztgVflVb-_cs94?LU8InN;o5u%LaI0>MtidXIvA$>iowk%hqWTbSSE4Jub}wE&4q$GxTujd zA>G6R-*LYT1=n!l-BPdmHZV7o)tEev8rZmha?cbiCaOW(6<*6yo3OEmu~;ERP1r7LWA${x$hm>f)WIV+4yEt}IOVap1h z5(G@MaM%G9VMK7i!ppn9xW0mmTd-57k7s(#>1d*Y;EFt~^X%$7+m0`1robT}SGJ*O z`eE=7aOct_MbzR!1uK(yVJy}pL{RBVb;s}$S0dVrj*FPk2XB$)$A16;X>q}s$+v2g zMRDHl%}1>Xv8j(mO8bBR*Z<-{69-JZTnk1&-2CO{_@&7$obPV2wWWu1e&*qkEfa}c zqRaIQgQcfI(c=or}%3qx*>R9QiOW6|K*&Ib-wV_J}3F^T1JXw#IbkzK9_Uz z@JWVS(n=*9bx1ox{!*!Apo)S?BBA5iaI+iV_#WR;ZIRIqbSIfr0@k2XTNp}=F0|Tg zbMnt9;70B^NqQ&m5?9UYf&5(Br6rwjCCR01iVfd)+;LS@_mE4aXC~IwqM8ISX)-`` z#`!QWZqCky*HG4lhU=Sttewul$m>&PM1prQ^}^j*aY$TLXF1P54l6t*qFIu%0&FAa z(o{rfc$rH;FuuEG>m~a*?h%`t@zR!Vwd8~?QRa4YT!_;192IqJw}4<>3&Gk!JbhT1 zt~vq!I$s#;SKh8pfn{t;<}XRvHvU#QSfG3c6{j~6dvE!!dD^+(JiUnn2mghgTnSf7 z$|(rBO#Bul$Sw>7c70@hXnl9WnEz$>0?nl{w>y`lIXgeMibk^&OhDC=B4PMWE|toj zFfadh35nPd1RI*=tWfW@!c)8>R;ab?aB5aUWn_^?^FsZ3yZ>1qy{j0V6?4Rh6~MCXvXri#?o zR58~eq9h%W_1BRogCf0dtTD#Mjmy>sPL1p?lQKJui|gFc<*?_c#G+SB_4^<|?q-a4 z=U(^iJxAU^64MObvbCg%8O+~T)(*Xy_P}g9E;K?PCt4!6g65@w3Lr$zin#uRtqVsc z0r&?TSLloypTdG|{*EirkcE(LNKlo5BZ`_{bsP27Rxu5I7THS|7naO_y4+q&D;QNl z%5Y$25AM}1#>?Vo3lp53X2rUBd zD9J@t3_5ei*idU%JU1T+U2=8M*pF<#Lub0HTbV=!s)Rs;^EzKs z*FIrt(_&&v!H{5LPSpetD0C;_q@ku!h$VE2p@{Nye(t^6PUZZZDCc9aQ9MGKB9cHA zu^@BUA>y?O%dIWR0hsmH1}x;&+<}1W)I|N5DDR@54yF6cCgRu_ zVn^_xL=|g1GAxZ`d|6t7?hbGz>oQ?JFkM%< znq56+6ip+-25(D5Fll*m!Itam$M5@Yr*^QM5ZuAzo=G2lVXyTYclf%tkNpJrdh#xy zfH(w9f&X?soFw%yd2)+`7-fl|uQUZw77Nq?@8=V)21NxNG_E_!Hs7AW-xHOl?fM9w zj?fDd^Hm6k@;{_2OJtfaYvS4#y#LI$^Her45+X>^>DWjxt}mw1eD?n1kO zeXO9q9<9+ZGdGYL5~vnAUYE8g9N)OeE0nhKazn=co%M{QM*$&>uSAuzqC4X_x*-B} z0VnG(>`$Q9@m?|_QiQw4*gyhF5P!j59eAY`;Ov zJzPR@*L7#pe;DY_?Lz*nRA!;}x{4~t+AS5Kb*%>Z?u?KkAi&hroA(&63{7Zj(+nbh z2mpiuxp$DNF`Fu4ze_rXl$rDmvyqtIxWA>Bit0Q6+hm{g@TfwhH!;3bq|$H}Jk7RM zVu4b-`0yBd_?^gr7Cu%OP0Gb&tKX<)+g>0-<<@`pG*}>t*0&q9piu`J$+lQH3iFj6 zN_i!o>`oigJx+o5I-<>s-QLW$B}VN}49yeL=6k?DisKoDX$*u%>0+nd$OWfhrjq)Y z8GlHeLM0{C#W>h)MJvQ#f1pxN%EzfwOdh1J{d>I-s|D^un9S;P%+2fXvVMy`_f!-d ziEU$3yQNgQl)G~;M(MXfa3FaUuy0lO}}2@P_S4&%EO_LMWCxe*g3EJ(2f-!OS1#!J6L zv(xw$e;D-+A2w;EPVZ2ZC(Hv|Z$!mSzLKF8prmso*rs!ekkxmO2_0VXy%)CY!-aZ9 zK+w2PDH^KY%1Sjb?Bm1cNU@4awM?~NxbT?3^mV8RgiAUEm{|y>-5{w0pWwaqrI>-I zNN+=4V=4mARjYD;#vkX^i8rMLI*#;^_x!NPnwxLsHH10MQ!03YT4x|lq$Q!3N zo!7=Fu|$s^v}<;)BAV<~DzqxXgyIZG2D;SvRw+!Qw4{oXJZ%UKDGwe7OVATFETdym z6(PNbvoUIU$Dg@P^qbXNZYuG@a!VF4vL4FoD8l!*7Sb}WYy`47x`pOWsR4ZS@rojw zkDPNb?bk&!GR1|5oCEIsg>3yw+EQ;*w8vD{-%JtgUv|?OABviOLQ?XcieOSxO7o<= z6|#DMW}*MiU4Tu3r1i@|&STL{!h@{0oclKPY}S@~XtLYWG)3s=0047)Sq|1>d`_8% z{(3d~++=8+qZtJ0I?rLa$GL)efXi*q5Hcci(;2MV%>_DH^WH)u4B(*CB*Up^LWN(T zme8p2f_b<91o9OV5!Fau&}`!{L2hyEOdZ>C|27#bw2r_+@#R%=fl!W15NW``f{uRC zjm0FWax(jyp9)iif>2cck75)mLZCV$^p>hlkX)1noom7Jz*6vtSRRrS*nB&i3LM|Q z*`gY~{Dkf|dt~RI5Juj-x_xnZX6-1*tc8ttR#z8U)l4i8VqA*cD*@P`sc1b% z7u#z<0Vq1B`>FI^4X9_x-u#*rbCk0j6Pon5@LN; z6MTC15`M5s88PtPCHU0WQm&*6b zQ3Ps<2)#R1ytX-M-~5VGrx@YElb^o%V8cTIYmBi|iXhP+`xYT)^5A|zMZ$1Oo4>mG z6S_U!FkX7_!%vU@Bwnh3`#lEFmxoDy|ux37xm43A|Rpn;IH}bt|+_t20gcw z=fJx^c=GRfJK%x3Y$A{Ty_{KiQ@z1?3YALwQJV+f|MZkvV7XGoJ!;A@+*uTUsN%Ag zeS&E?2EKr4Br_v>H8d6E$yW1iEgQwi96NfnD7{nWEWX(J_iPDFot0TS1iG*{+j_)Q118U49oI7Qv(75au zyoKP5!R{K1!2S37gbu41t=s5}r-8XM>PNlfl*U~586ulVnHmu8+(Va?eI zWKWBd`raO=Q0lb#`}g3own(jXg3`)~?(yD%k!_fBKj_!%1 za=yFw)OO9PAc6a&8-PC&K-xf;$TBAyYwV+|Q`#U`)2|ha`G0JrxJ2U2&?Tlw*LQCg($Ryft#`R}lr= zR>^k`scOD&45snp3phL6G4yduTYa>M>o zmL*jB4xbq;t#ulePTl1W@sb233ovI@ug$JGz*u`q&gT&G9%cC=Sxjv`sBDLf*OJpg z1Wslt1qO-)_)%`ct7bJ%wW*@@n+!2bxS)Y8MujLnMsw*Fk+e@A ztsrS_MdZ?*z2zy$+d`MS9&0W_caEA%_vxd@E01^6)@{}@Q?da%R0Yv1n`_DS`(!40 zJT)NEpoF}v?BVdGOt0M8J`7?A_v%#kMwwRHYKeF!f^g)@wF~~_d$K`@Z*dq50DTl> zA2TtQ)-gcQ#VZHfl`SV`ZYG+hqRq$nii%%hJwVlm+s0mJ#9kpqUJTN5%IO{09dz{o zj%ga>v+aF@d!)*tTunp1ptfo_)?e|G~Xq zo~JwAwbrV)R=tI;RbPFtP-^qyeAdHVeH*DI0K#wV>(^YiF8kkXG%zG?XTV22&0<(E zIkcxyHi(ho`@!3BkSM^AX_ak%8hds?;v!bcbHWhJ>WB+#Z=>T4jKfQ9$flVa3oEqm z_p50jh<-i_f{8iSvPKYLp!1iob{jskzk=gT(eF068TPi6_s@;CuV-tj*|gJ3@|5Mt zE!`;fu59(!!tp014vNha;Xk!0Rmx8Xd53e^B-_~EAjK%kFw^NtIoOfY{cS>%EEX7K z`FS`3z2y_;P|M_vs5$M`2K4rXcKB8QAn}F3>uY|=v0F((cwSc`l-XkasD%$%40nxn zclSPq3iR<_>;|N85U87#v!%iNQYOA_;T~{$`O0??2CKE@QZY)uzx118dVKTglR+wp zw$DqdSKqjk)@ZcT4pWW??_!$mv^adn$fE;^AKjUSrBsem`K zPVy4TJA6$#q@ul9b-LdEWFN7F1BwJVw@)~7hJ%KI^{{dSHcZomy7qaRy92{Uxvixa z>vAj-X5k5SB+u$`0Q;1e1FbIBug}Gs5edn@cO#Aoj!Li-A{_I-m>mpMq}=tI=S3Ak z5AMm12YbFa7?*&F(1$jgw15j0^`2*jyr7>a{eEw-ka0yweHIgAB0TLb==(uPUNUf| zTtc5DVA9a))TiK}bUyGalZ!@BY}ROr=@-(?GO1NW@~^V%k#>BFlfsjhgOr76iO$I;d43&i&cvGV>3{Z^7n^XcPL-M4`x?_d2fv>IhNU z=SZYXN?$NfcLuJ%ueZ93Y4=0N(|i)#gG^LxrcH?;qfDRD{e=(QNT86yEd51G#(b@< zc{(N^rUNrfn-cYt4s_rylS)L5XYJ@@YzsE;ngN6)9iq(UbO`%%-JAYpX$?5(ECT>V z@(JrlPTPIvinb|0glS4)@;(cLGxaCwiHf%k@{5#kjCFQ0n&W-L>^(tc2+yr~qzkN= zbag$;mq1rvU$5>67(!q33<4 ze)8I)TnCu#&o*ua#qRB52MAE4>FAF%F(_-kQ#9a=-%g-ChODfETGf6G6`Pbk-cQ?01mlOhxkA&ceaZ;;_yjYh38c!&3Kjz4Z<@rdATUN3F&K&VP`D^-6P_u@ zqjD(1onbPSB2;ofP=n5RD~WW?<>~j=9$(KeGH9dtOPzj-fYxZ@>^kGTx!=N9%M`VQ zF2p(-9M|vzQNKiGUd7+Xo%m3BWif{k_qd-|7&FKe*H;?T>NhE#wd!QP?d7ppgMp-w z-Ar%9-&p3OfJJaV42iz1L;w%My=B{}dW&sA>JTKXyU$y7*}Qc0J=up+_@uPK?Db4Y z7I}$0-1@z%Krvb$%5}I#rg1kXRbjZ6Di{a3s57ud_*uLgHNqU5&vn1cXU`mY9V-c4 zV5=%D5k;HjcYFm%2TbevcAFmC_Suiweob-j zi<`HerT*lA@>KR^OB#+W&JGqIw4F7~aQe*y`b-E_)t;Jms=27F&a6ms)FlyN_TC>7 zmOMdVfXIX@hX+=stviGt&xtIN*3yp*~c9tQ|d)ufN;}e_NXEif`zt=pE*WP-|&1-vaOc58EE^J_1Y#~-e#W`X` zi3N{}@9+Z0`}gjL--#Cc5-?Y%X}0ftgkWAYS^kzrp)CxdiZo77uQrIXL z+R}1`^kkll(@tQImN*%Lp|YL%D4x}H<6ceAobJwJ&1B_3ltj{A9})i=M|-Hi#*b3) z^}9w{Xc$Bl;%#wkgg+YTKsCtD0*_QuS)8W(ZkL{gj*)ju2d!kg+YH0Ui9dZcsC``O1^R>PGS zh787a8g2aC3`Iu(Q8#N0K}ImWmNhu4;wd!zM_WyI0LcpmO=AQTgQ4xQuda&d=qFq_ zE%he{Me7hN=34eJjP#*FE~dNkPkB70>&H%HW51x zw_fc2^rjBQ?V1cT8qMVS=VItGaa{wK;R413lS69CObVNXqPmU-yxM(Lv#yf zEQN$6Bva7xjSg%s1T9oplYX6I9We?#iJSjC*wE<^>w-1{UlfAw5q-*zLj41mCk}hX z%6*6ASI{-z9O&j4{kfy$GRu;#rEXc;go7(x9aWr~gUxwbkrhAB$*+`77gh>QjQ(Y2 ze80qRi9-<&;yR0+PdP`89NIVrBX^B>ayguFw?@tJ>EnI_gwLp!D{IX zz6xfB8OQg7OEnyLs$V%mL&tp+V1kM|^m}{#Rnu_BG!|5$qZXaq2x?87O0^Ce?Rc!p z1iH0;jI;&h>V2k3N5-p@>qXYLFZ2loeAfhS;5mm|W?N#Qh$aav(5;-l~J})iqcYUr^jwelBty^iac)m(aQHT9*0e zMZPh3uz)RtpE4PUtZfA3NHwPVNkyap&-S{-pn#uobSecFVI2Hq*wa`}-e2A4WGN#X#xSF&k$Hw9pWy6EBtpaH5=(#x4V#Ba zoTrnjSvFr_8yj!DEZreo&y>ap6Z=I7g7%myLgg3}Q@x4@y%&4bnb4Z)ks^-_Cn6tm zG#<-OpX$1O5fcG&Lkjz;fvu3dH_7$tQSm{&&rU^-J^_^F#pgfS0?I ziArV~hGqXvXDc?Z*(bFgHRt%0bh*c=!g$9wS;QzXC%+h^3m4Z!2 zs;>g0s=)hOzYBUD;Vj#0&BYGk?GPNBQXFHZZJd^}^G~81c>dmaab@y5M3`WyXO%8w z;c4syI}tCto4I&Tx+MR|Z8<$Eo<+#3@c9%e{~%;agCStHBFNPE$>JwI3KH5XB0Gi- z2;%{tCxdW8`u|yq7nWQ6qkQcd>XX0_00}oiUoc1Xdd@@fLyN_lIshqvb6SgL} zCMZ93I(K~W6LjpY4YN!(4 zaSywJbG*rI6E5nwgo%rn6T05UtgMHQH;vHit%=r<^W?%LTiFzDGOiTy*PB9Sq(0+Re)Ge&G&2_`IgaDtq*EP3L^y04OtsdY_peh^xVE5VV&AL^p)Im>n zuV}fNPEGXvi$J*!9P+*|CoOAHbBuW#Cnc-Ew?4F=cp+03)p$_Z&wH_h{?~p1DxLz2 zKRp^iS+xbGSigKiQH>~+#+bSGl4cbCar%s@=W$_7!>LX}%Sd%&HylaP2&gFY)dOg9 zAxUPM<>#f7f;hRs2hbOUkTVDQ@21WK=ysSs^ZP=FqbF-7SZJuYP|UJ{MkG4TqvEkP z2e8!rpi5kkW@-rcS5cgon*W%1i+s(}&zJy&gIN_8$!>fjv4hJd-z}_yB6BS$)134m z+xCBD+V)hM%o}xc7yA}QAO^p|-CLQ8KtPS69P%XGhDG9AEqy_?H5_npoy@9&=EdUa zcr%vCv+(0a5PTt0bEB-pO^paK&YF$RVe9PvR8In1;=T&O%?APh^bp&oz6XRwi`$|al{@tked z;8UYXS5Q-q@m>r)xrmmQcu*Q9Z)tuJyrt!M5G&Uc?_MGra0vxALnoXE-Q6?2;i@6k z;BCXj?G=WdUl<){bzUZSykQfmo)Js!iQ(prB;rF+B@On22Q@_GzfrqZ9a#=E58t#q$(}9K$=^t5He0N9NV}iC2PzV38YGfih8zfUXAiK9&3(k(u`dT_E6N_=MbPPv7f9LG zA7~=WN?2I9zy;f38eDS89dy`#qnV@b`WVuKD)#t+zG$K6>ZTiWpEc~9X|)+cn8s}^ zv61CUT8x8U1TV>BC7<)YWAiWS34`w`6z>Dz3W)sp?H?QhgRRRPrj%^h^s;2!;U_)j zh+6WYtU|yqN=Vi`<|q+=?uOS(nlR6Q!C0WALK^f(f=3EwOl+{JxebB)WyL9DsKP|R z!tMUNlVX6_GZ^Z&SO#Zdh zrq0%kgB$Qe*9}|oVJ^@v3|?@CnaP2vN?SZqmOS}G1Sbu+aWm5x9YY;@*I-sU2glE| z)0y+k{F))Fgz?Zs#Of?7b^o^FcSKrXo{#9Vqj8r76X*l!GFI!);n&Q$K~BNi;$PM8 zz6pB!2^95B1yM`^yX!VVh5n2rKjr8BD{9W+#Bib5Zv!elCUVF?R^iQM>c>fxAO}kc zlrvQ*)g0kW(myL)6-mk1kxbr#0ZOo|oUod&K>R!Dgz#UiEQErGR_)H0DLpqOxwkfm z1=s5WK4U)Huc?Zz{VbTjxl)7{!e8i)nA_Nb9-Z3hRhDvU;XLZ1Z2|cL!7wyNt<|j( zbp~G}8t+|yOHY^@x#Go4y09iSx6HGS2{I5$D|2cf>KeFzu#hPL<0fkOju6^Kk?8e% zVNiVSJ0j|55WYGxq5Y-r?haSH^|yI6B;3LB;TV1R#jNr>J?&%q`u_EEb(H;CZ`u80ga>qEvlb!|JLYN- zvkK8(o!fz{bq5=Se`g)=GzF*q{P&9?8NcSO5Am=4Y`oWTb8Y)y{hE1%1-PZNU$?qv z9E4VV;Nf538o^ci0Xk!-Z?_G;i7&kkhK}dfj=XV6Ftd2kQFEuWZkZ5NG1N`|?TAXV zjJdXz7|(4KRfzWnA*eF;uTPA8x+;L5`-@{`CoPk<4`gL{yeP~5VEY(gAy;}nlxcEX zgbdMcwatv_N;omkI5C00J&a_?>JvMWBQdrhQ7H=Qx`flUdpcN}*if+&u!Z)o62YznUjq^Gf+ZXc0#Vw8~ zoV{uOh{=wfu>lBkhT{}$werS}d}u;p@UW`_}P5W7dcm$1(M{oMm( zcZt=u<;25wq%UG}$yD^yTcI~`dw}0>gW!va*q?@55xc#FCf#x|la#|Yj+Nq@zrMoM z-F8R}c_|$EwGNV5OYY?)jq7m5*2h3qjALE5)c9J--^l^;mnrP#EEb$YEgYn{!=H7Y z&zz9V#aErhg!K6e-1Gb<19%<9$NJ3y+&|Gx0;rKu;yzhQxhX5&g%4G!kn7tiZgS5A znAX+3>IKv!)nN&df8Gwq*-mM%cg-|@CvDNnRtj#6Wf93CmN3VNNdAnjVgzYXsGcxnxB}Gq7E?r8 zEWTm(a`^MNE#oVN!&AB>Xkyg7#>qF*;HXRQdWMP|=h36x!O4r}FF@3n_fpEfp;m)N+o^J&~mr;6>N`95|vj7N6S zyWCOrBpV>|wO(_Q{8w}GL~fJnS>KE$J5cX5F{*0&GHuO2ufbYB5G_VK2=CLdkKz-Gl(!PD$bp5ppBNXdy0j|IL3ebkf_~|ClX>(6u0fe zCd}NN@y#8-6W>>vam12Go`XL@+kq2t!5UEL-~`)Bku0L<+K|Ul$bOm*#~n^^e~NiE z=%6@Q)m-zsmCM>R3fE{XE-7jKRc^mF$aB!sptgs<=myh#v8mQiLKuzR%w^YLbpFEw zM2h#B6@FfG)@u1C$~(};;FQ>===@xyJ}_sZumCAz)*DPQps^Dq2lp&o|K$gx6=5nx_rOPRYnVMxA zbX5ho$Zs*EKj~cv8aZN)ypVs#qsH;b$a*x9nde*Q&{X@|r=`-}C#$#%7d3ldVO5}Z z38$45i>WPD9g_pX@OLaW96yZ?E-$Q%ML2(<_IRkfG}*m|FXm<_JapN_(XU_GJa#^w zR0J3e?w*WCmX+q|!Cao!8Eigemk%3K8%|7`H=_HHcP+*{TLRu(@SuX90#?0>losTJ z@P+uY)A+-+<(=$i*?uCtyXUC9o92I-DJ^6YvymJVe}erj zl`&4iAzox%1ldlGEzZGaASdqPZ9vPCiB{ zX?+MkO?qdKk<*StkwLRMiuwMf)!;31A$EQ6a(7H>m48ytqtiGI*=RCBKM5^!^q$6@ znwOK1u-(V)@wtDL+FOz)Z)dd2*YQIP!TPEtkUUMod?Kdben-_e&E6Fb7^2<{yn=e=Np&nf+KZnnK-V(22XL7JwgdXNhLxGWAi2S|b2Xma>_nL_@y zOFynEQ(f!&%I1MoLM!_Q5;p5m&>~gq+cjOC(IGRVQzyyz)jYo42TU%s7v5ObkAwSz zi?6o#NG%W}Og26#ttKx`4@fk|ul|05LhU?{1Lb`<_pv2`xG2+GEJ+b|aQe$8v-FJe z$9d7Sduq-|3oggK(Gq%|;1HeY+DDtTRtYkZL)KndO1s;EKLe zCg}}jl4Sch!Z3Wnp`xcf#qnT_RT9UC;p@@q)@^ zGi+(ZM~^Yh1D!};1P~9Fp=OqCm#s+c?kwr9E92;Z$$Tcn?Db9EQ1CVHbT1^}Gw{(L z-jnh=X?W>fOqIwKC8wejrQfc(k2DDv-f`ylf{t77F7!}x(&PPkJ$i@48yzDy?OP`G zDRPQiJ+XS*${{~FVBV!AehkJtVz`L|tUUAf8A;(7B#5(YImNouUmf+V>@w$Z4jhS) zz{d*k#$z8n_2VhqPH$?lXRsM74~lFpJ>+qEdpVzJMLnfWx7*X;V7fnkc3Ev(4xI%L zJAe7uIGNWL48E`#r5{5nR-9SBMDZlQZkkP;TA-F?tLpFqkF^5=-?jc1GWJC4802=1kYyFmy{2sQNSCqxA1 zN~0m=pg9-Gez|(iCh*F14J8GPoM=QKTWJVOW_p%?ilUSb4Ud(y3@<5l(Z<77QWiUL z>!Q&O3jV}rs8E*7#5Rk8D(7FJIz-u=3R|`dEkG|~`3;=#0Q@8IvUFu=duvxSDO7dB z5vqHW#AS(MO~l2l%uU<4$dT;3gSQ)JZR5I2k{V|A3}wS;m@}elEv4?1YOpUqg3wqC zMx})_w56%6bYJSy);ComMUvJsRVsc+qXzao0GSXkDact%C|M}={S1tAv-z(>Idzer zqONQabd@a#N2}~jyCLWRtzsEkd5goA=)$a_Vn?shryLyMqlv&C5cR3*(05o%b(mzu z#JFJ!yUk_7KO4#lMd~z{GawIp?>Hk6iJ6woN$jTuBP6+DZ#2khC@m{=kek*jjb{QI9*14kO3S(2QVW={IqACoh zKhK}%;fInMd{&08RZEA)vaU$ZgwnQ!LY&$G6}iv3%9U}&-Nx*;$*$}jtsGU>GIdfK-fFIkC=>)n( zqE!wBLjh{IX)Z!!GZ;^F29i6k7cz;qRD9aBVovYRCB_uI=Bwf7$r;2+Xh*GA{PxbG z5bX+v7yG%?B0oTW;CyXE)*nGG%XvksKq|Q}Eo%w>L{VW&oTH|3cn3E3kM0+#rgb#9rI}zjB|($zlYXq>P$=F zBGkHm))=99N&XU>YVP-znf%tP>SD3URqTq*>KuWpYnU~sv?IRizN+P$i6H^XiO;uf zBi&bdqgPYaqf?CFlKq|SMQu(^gB4#)URc)eI^rC2F++X5=U!&>^cS`LOMPu&1Ai;F zT2pd6k4g#7RoUVTW_urDMzDLjz-m#TM#*udA)Jt)BS8psLpX#zfCFV z5=G2~oI5XRci*_TN=ibbyFK61LDE;7Dr-%?<^q{2fiF$ylR;S1zEzK;P)lw_z!d&n zWGg@^jTT{zJ@Cq694V2WOBmszH0afi-pe~*niG<`4EWp<+?iTvF-qR83DC#{)BaHf zE75YKV?j!nk;&n%?4Bh39*8%63fi0OBMi4!oNM0tGu;^TdOPS$Jyo|$zCUJ| z^H62FrR5n05}&nt>_XR0dtD$hq0rpx4zI1-;S60ssn1?B{d!@vUg+8F-CStP51Uv^ z9<@v_a!URFH1{Y<-04(fL)h%kS>IXu`}Znqnq)X$ksx4(kOG=MvFAgRS>YCA*D1WI zr*wPXE(F@R4{6@&%di;*LdRtICcN|Q_(l;2Di|URN<2A*Y@sPj9Ck-zMEnyBD36HX z2N!rjh?sC}G<&WAGVH-K@*hqBtNr66Szk96e;BoGL9U-Xk%9q z+~DhNanHVltBwmfu#v}BzKC8C?d2+VGZXjK@8kXE;ipii-}~)B=ljiQZl`ZGa_8&g z!-A0CqhV)`;On&^pWoa4iO~DQ%LDO7$H&!86LMH*19GmAZ`5qlkiPEY9kJit&);E+ z#2?SEM>|c7JA&po=C8hEmT6ZnX*EUz-&l4Y#~u$q7H)EFetx(-JaT|)I$HZ!5DcJkvuT7U+*L<9h3tX4WnACsd%0uNMB0F*E-A$NwT5Yn`IkSJA@FzdZY zU}Yhhehds!28C2alE4`nd|7lNF|$Cc^kNn7@s4c8kz#GCX$NQ) zyrU6+oYtIi1R2qsT3+08`zJirBs{Z)kdmhdDZ5bATM?=mGXMI3h6xo()?h0#R47g2 zWe;KalR86LZ{?kBPfq@@c#kK-j4@E3!TRP57Bp8VlEG;rkDO|jxKiJ)#l=h_L&c?< zHj^YfF|^uJ?WHy}V}5$njTXIXex$)`m^Tt!%Imh zSf`mTj8=h&Q_M^$REzJ8Aff78?&@GAhGQ=)7{~=$=#mb1zMOEW#95f(;sTxIg$rwE z{|1Zrm%!iEF6shI{p0%}Wpo;#HZ?m+1NahJPEpvw?hy~apip(B8qF<#A&_+;i7Siw zLf-=bXTs*~bs_~hda+2JiGD`nWz~mY1`3E6u7>PRCv#_nzqym3Z-{RxD^^_sn}o>< z(suw8T!I8EBQ~;zr!YR>tt5wj+L$kPh>So>AGvB7UA66gLmj}d}kapCj4m0%q#+*h?UsoY?6H?HMxr}F_e3Zkx(7`1)%tr;M~Ssyq% zh9ieYFVJ7|Jvf^)iS1|L5O69gmF z_T`s;O0p705HTb`_Ym}PP8JakKi?LgE&}-`I8(vWGA_SVD+vU>UMq@^f6J+#R-x!H zlCzd1%kPh#zP(?3y7ULr#ZrC@Vqzw+yd_*_zt8^^DMHTGMfLtPVeE9=PWf1fAtrB&){*cDL!$KfYCMbO zEc&s;kgk4ZTk#NYpMq6cd(ku=#{Rh5)n+O; zZxXq5Xg9te6*wNn&I=u&32ldbZ;h=}Kk~l8DLWkw&rGlSn6}O5rCY}X$YiwYg7lH* z9P+8wY^^O&&yw{JYO9RGLXdJdW2-d%#QM8x0&LssvjWv4%W!DDxnc)IPu3DrkWiTaLS|Ur@NgxiJb0(DU@XkY4 zZcW-RTtA5)SZsKVv+2rp%PARpjn68qj|&Qb=X$w@1wsq-a!RI#_9?2XK^8eo+dGx~?AS8DXbges;oaw3d#%?V@~GPV*n? zF}!_tx2|K3X*LzKm!_I+R}}eTX?7@eZ1|&oDJ>L}zTP@)i;)D!LWJyVRl#O$OFEQZ zSM_XK>JV`yO_HJM%~dT=hJ>DTIp<--y!YZ0WxGPj3mm4nzfeWlFhZMbj8)`mX*k&Y zDJ-CY0YtaqljiK;(s1JT*I$_y-zbndiwEk(-^V2Jm{ix-d=z#(hbx!!m~<{kW3U_7 z5%FhEUTeSP5AcrA&r2Atqa&3pU?->wC8LU}=_%e^=CK{`*d`rIP(yyxp)>l6{gnwq zwxX8H?k0lq?L6&Qk6nFTw!2T7%AMmiKhc zPV|TA&H5NH7jD983Q}HGBoI`c1blIPd*gP~uMgbnhJP2{ZH`qgKV}dgHn1QjO3#-K z0i*@Jmgoc8PX~KYDG?@)>KH%g=?Iapja(u?>uJYWCA=Evi3X7=oqchO#}4vv7>nPyV0`m}yMB*sid|RGnMn+?i#b3FP`gd8Pco z${xYf4b8DFl7_C+K;i1O2{tyoD_#6pPJmte88TB%mh3wcwpBk~BVEVmH6OJdPf!DS z2OO`>Kqt-_It}{4kP5ACmbpZnvR-kWn$T|RKzJTne+|ZV+rt3(OF$C6wr7rkVU2yq zkD6Gc{tPi`Lcnw+N3;g8El7jbTT6r7bwO&>tJPtwQ-l7=5L#XK2SuNFjZ*tl?=CJN zv)8(m+;VQ3KAeb2WUQU@hqem8mdA>ZMz1F*HBc0YO&YWMOIheJ6N2`OoGhinRr^(&f@c*eTa?IRlVMCxE9;b

^8j4&4+%5ZIa@T141X0#Z*Ia?@g$VitW8d{BJ;_*57P6Fe;##U$;pws%7D6VJdnc=hnYHs zJ496GvD#ywAPVdL`LsyvJ=)+2tyrP_uzXeFQ#q$h)-P^)ongDZ?LaR+NWb!db;Vt0 zP}pxrxaAM(J78_RGFe@&bASp<%7qlv6?HvD3PnnV#H*2h=(_azLJmMRnLJo&%vjz+ zs+u(Slk_?L!l(Evu(2=3qb9@tW~$H{Vm5lfBL0n@s7(gIupo`1=g(8tC(ZJCP2W{n z$OxiIy%4SBQlz~D4D?{O8f@uQqc<9?a+${I7)Xa+raRtYhvIT$3D5e?-IF2i}x$SQ^nycbj?uR@m^S>S zx%AiN(GK#Cg!Fkct{$Iy^O>EDaE%>E-3Hx{&tZZJu|fLvSg#D29Dt-%%wZe;kMRlZ1NTnsUEX|)+x;xS^I|XT+{-N z-Q3=aZM!SZ?Wo<9H|ISD@w?6xu-}%XKi#VDB8GR;_XU_-)(6+GEqq%cMIhhX5xqKDzKPxGb6qw9Wp#KMXG<3@HJV zKruz2STKA#ufBFsH1_t2j<+=NK%~aCT|=1zeE|osGwD@~HvS0&-7*9mL@xo4jj7*d zdUzB4lt#o2lkV(+RPfgf%f;_Cz%JIdjyyRbT5=-;yFU4G6l1 z84{iBn6{rpvRSpEtj8Ekk53k)czQhZsm8ocs_Ff1n(pkXh^xD+y0=k1Jt)3>C{Cn< zJ&^(;8E=}))f>Ef&8usW=EUnTRtuFD+u+)NJ6Y=U6RMpSf4Q(^WAM zGc^>GR8i{z9ZlO&*~F2#FtvY-cMPMaKboiAV}Sh(Zw_?Ixz|93;pRgzR!+Cy zr=*X3wsP@Bd8@8lU|evi>>3`xt=*Qm2jvT>=a z(2U6a_IHuFhPO>YNWnfE_JaIPeOKsf`BYTf`Fidz<`=Mm?$|rIJz*IxVgAG*!@}MA}N3XrO5*U3jM!* z)hEkFtuSMRJcPVM7q$;1GK{85v&s>HgJ-kG*GJh0GUzKJ)R;0*+R?mSs6WHey6zRU9H^Lr zPK;p~A1P$Cgv47>p6TS<*FTlK>g%mETdhu(p$u+uxXI60Yw`LXc7-ORlBxJ!cDpry zkcasls}C}3Omq7d-w<<^2yRbMb@nMr&xFj&O)Z#pXaQUjO&Sy7YrU zq9mWHpFDvv-wym{4 z)`KEGh(#MNgkG4(dK~?wz0#?Hzm7h>j}53)kus?J)5}QU3G-JkrxHEz*-7o-TFpPq%^^2Y?}IARzhAR1$D|3^c`~7gXUDlV45i}$SCU_ z_81|FY+my_Cz#3X<8BpnL>%=mk`uXxyWKC~@|$P_)B+$mAa3Niw9r80AZ?;)X=niU z&JwnhPLQ>ZoP9Z2Oy?PFMgE)PbaS0xkig{u}choX!3} z@Bh`-qZ5^7dx5;)fcy|0_Rg$dQIlB-_|@GNSRL8hl(uTuPlYJ$deX^d*R-6EEV!SO z#B`vSI2KoM-65P=n@S4@9>^bGv0t=WbXcVI>@mcaDx*-YBNBUh~y|XgotHCTavnsbyyw{ zt{^o5_5FEP9eNW%6cX$^2RDMq>rO*n$kUBTNpx00eT;Lqg43YwgqM>eu{;kBa+s)N znk$RmJBq_~iJRselUXZ06pbu*R63NkO?JbZx=RHbKVBnzMQKgT%3ULb--hXlPs-28 z5XlW5OZkUDnMx{qs@9L|^d##zpCE`PpnB7de2bDF5W5v7_Vvr{ce; zn3dFRzru_VdI5fq6nGwyWqTMYtie)G@1<1(BJEA6l^z>Hn@GwcQCmW6S6Eg@1a&Hr z(D~Jm%*@wi)qBc#1Q4nM*bl+Lv8~WsOu4r57HUl;Ll1`YLC_jOH~(TH=r?(Sp)0q` z4BrUTl8mU_szSE{^$>rchoo0#vJ8I3a;8>cV{rvo?j-^*GgH>1eOt< zINUdrHr<<_`{GLvCY-$`a`aG74R`R2LvhWEZEBEzkgTx-GnmsBn%hZu=3D7P{Gs74 zc<+$Fw&z14Nw(iIj%PkQqyV`gcE9bF+0{8(uMf@vlm7+abwu%ua~*W+B#$Y{Yeu*y z(!<4|k0+nlb71&^stGZeP~&F?aO4Z%kNX;+tv4Q}2whZBlocC40~I8JVtD_ixD54IH1BWSKQX<}4h}Yd^8T-O z9s`$yGl7`{fLg$y&_6B=*#8q1{NEP-6U1_o$wm|q01X@n2;x6fL4aF||5A2w{bFn8 z^4|)6R7}}y4$M;(|IeiCpI0If1~3}wYH4O?_V+8xe=`tD5?pu>%v%=W?*Qh%OweNe zAK?ECXZ}|!)&4hzsWBiRfjywWYW?S>4)iJzhKr@Kvze)?tFx88#eXfxe+E+jWrMKv zzvB2Stoomx{P#KPzifbjz_fyZ{FfQ)e;WArq5hu+z&ieE;C}}G|5X3?-ua*Ev0eXA b|DV2ENfr`Vbs!)Jz&~hU9T@li`Sia41Q(Mj literal 0 HcmV?d00001