From ccf45f98f24a1aaa8d5b6b01c4ba5bad46ebee9b Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Tue, 27 Feb 2024 01:07:47 +0100 Subject: [PATCH] Add NIST CSF v2 This is the day of publication ;-) --- .../library/libraries/nist_csf-2.0-en.yaml | 2779 +++++++++++++++++ tools/convert_framework.py | 8 +- tools/csf2-tools/csf20.xlsx | Bin 0 -> 39202 bytes tools/csf2-tools/csfv2.py | 87 + tools/nist_csf-2.0-en.xlsx | Bin 0 -> 35603 bytes tools/nist_csf-2.0-en.yaml | 2779 +++++++++++++++++ 6 files changed, 5651 insertions(+), 2 deletions(-) create mode 100644 backend/library/libraries/nist_csf-2.0-en.yaml create mode 100644 tools/csf2-tools/csf20.xlsx create mode 100644 tools/csf2-tools/csfv2.py create mode 100644 tools/nist_csf-2.0-en.xlsx create mode 100644 tools/nist_csf-2.0-en.yaml diff --git a/backend/library/libraries/nist_csf-2.0-en.yaml b/backend/library/libraries/nist_csf-2.0-en.yaml new file mode 100644 index 000000000..6452a17c4 --- /dev/null +++ b/backend/library/libraries/nist_csf-2.0-en.yaml 
@@ -0,0 +1,2779 @@ +urn: urn:intuitem:risk:library:nist-csf-2.0 +locale: en +ref_id: NIST-CSF-2.0 +name: NIST CSF version 2.0 +description: National Institute of Standards and Technology - Cybersecurity Framework +copyright: With the exception of material marked as copyrighted, information presented + on NIST sites are considered public information and may be distributed or copied. +version: 1 +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-csf-2.0 + ref_id: NIST-CSF-2.0 + name: NIST CSF v2.0 + description: NIST Cybersecurity Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + assessable: false + depth: 1 + ref_id: GV + name: GOVERN + description: The organization's cybersecurity risk management strategy, expectations, + and policy are established, communicated, and monitored + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.OC + name: Organizational Context + description: The circumstances - mission, stakeholder expectations, dependencies, + and legal, regulatory, and contractual requirements - surrounding the organization's + cybersecurity risk management decisions are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-01 + description: The organizational mission is understood and informs cybersecurity + risk management + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Share the organization''s mission (e.g., through vision and mission statements, + marketing, and service strategies) to provide a basis for identifying risks + that may impede that mission' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-02 + description: Internal and external stakeholders are understood, and their needs + and expectations regarding cybersecurity risk management are understood and + considered + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify relevant internal stakeholders and their cybersecurity-related + expectations (e.g., performance and risk expectations of officers, directors, + and advisors; cultural expectations of employees) + + Ex2: Identify relevant external stakeholders and their cybersecurity-related + expectations (e.g., privacy expectations of customers, business expectations + of partnerships, compliance expectations of regulators, ethics expectations + of society)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-03 + description: Legal, regulatory, and contractual requirements regarding cybersecurity + - including privacy and civil liberties obligations - are understood and managed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Determine a process to track and manage legal and regulatory requirements + regarding protection of individuals'' information (e.g., Health Insurance + Portability and Accountability Act, California Consumer Privacy Act, General + Data Protection Regulation) + + Ex2: Determine a process to track and manage contractual requirements for + cybersecurity management of supplier, customer, and partner 
information + + Ex3: Align the organization''s cybersecurity strategy with legal, regulatory, + and contractual requirements' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-04 + description: Critical objectives, capabilities, and services that stakeholders + depend on or expect from the organization are understood and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node11 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Establish criteria for determining the criticality of capabilities and + services as viewed by internal and external stakeholders + + Ex2: Determine (e.g., from a business impact analysis) assets and business + operations that are vital to achieving mission objectives and the potential + impact of a loss (or partial loss) of such operations + + Ex3: Establish and communicate resilience objectives (e.g., recovery time + objectives) for delivering critical capabilities and services in various operating + states (e.g., under attack, during recovery, normal operation)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-05 + description: Outcomes, capabilities, and services that the organization depends + on are understood and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node13 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 + name: Examples + description: 'Ex1: Create an inventory of the organization''s dependencies on + external resources (e.g., facilities, cloud-based hosting providers) and their + relationships to organizational assets and business functions + + Ex2: Identify and document external dependencies that are 
potential points + of failure for the organization''s critical capabilities and services, and + share that information with appropriate personnel + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.RM + name: Risk Management Strategy + description: The organization's priorities, constraints, risk tolerance and + appetite statements, and assumptions are established, communicated, and used + to support operational risk decisions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-01 + description: Risk management objectives are established and agreed to by organizational + stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node16 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Update near-term and long-term cybersecurity risk management objectives + as part of annual strategic planning and when major changes occur + + Ex2: Establish measurable objectives for cybersecurity risk management (e.g., + manage the quality of user training, ensure adequate risk protection for industrial + control systems) + + Ex3: Senior leaders agree about cybersecurity objectives and use them for + measuring and managing risk and performance' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-02 + description: Risk appetite and risk tolerance statements are established, communicated, + and maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node18 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + 
+ Ex1: Determine and communicate risk appetite statements that convey expectations + about the appropriate level of risk for the organization + + Ex2: Translate risk appetite statements into specific, measurable, and broadly + understandable risk tolerance statements + + Ex3: Refine organizational objectives and risk appetite periodically based + on known risk exposure and residual risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-03 + description: Cybersecurity risk management activities and outcomes are included + in enterprise risk management processes + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node20 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks + (e.g., compliance, financial, operational, regulatory, reputational, safety) + + Ex2: Include cybersecurity risk managers in enterprise risk management planning + + Ex3: Establish criteria for escalating cybersecurity risks within enterprise + risk management' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-04 + description: Strategic direction that describes appropriate risk response options + is established and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node22 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various + classifications of data + + Ex2: Determine whether to purchase cybersecurity insurance + + Ex3: Document conditions under which shared responsibility models are acceptable + (e.g., outsourcing 
certain cybersecurity functions, having a third party perform + financial transactions on behalf of the organization, using public cloud-based + services)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-05 + description: Lines of communication across the organization are established + for cybersecurity risks, including risks from suppliers and other third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node24 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Determine how to update senior executives, directors, and management + on the organization''s cybersecurity posture at agreed-upon intervals + + Ex2: Identify how all departments across the organization - such as management, + operations, internal auditors, legal, acquisition, physical security, and + HR - will communicate with each other about cybersecurity risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-06 + description: A standardized method for calculating, documenting, categorizing, + and prioritizing cybersecurity risks is established and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node26 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish criteria for using a quantitative approach to cybersecurity + risk analysis, and specify probability and exposure formulas + + Ex2: Create and use templates (e.g., a risk register) to document cybersecurity + risk information (e.g., risk description, exposure, treatment, and ownership) + + Ex3: Establish criteria for risk prioritization at the appropriate levels + 
within the enterprise + + Ex4: Use a consistent list of risk categories to support integrating, aggregating, + and comparing cybersecurity risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-07 + description: Strategic opportunities (i.e., positive risks) are characterized + and are included in organizational cybersecurity risk discussions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node28 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Define and communicate guidance and methods for identifying opportunities + and including them in risk discussions (e.g., strengths, weaknesses, opportunities, + and threats [SWOT] analysis) + + Ex2: Identify stretch goals and document them + + Ex3: Calculate, document, and prioritize positive risks alongside negative + risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.RR + name: Roles, Responsibilities, and Authorities + description: Cybersecurity roles, responsibilities, and authorities to foster + accountability, performance assessment, and continuous improvement are established + and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-01 + description: Organizational leadership is responsible and accountable for cybersecurity + risk and fosters a culture that is risk-aware, ethical, and continually improving + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node31 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Leaders (e.g., directors) agree on their roles and 
responsibilities in + developing, implementing, and assessing the organization''s cybersecurity + strategy + + Ex2: Share leaders'' expectations regarding a secure and ethical culture, + especially when current events present the opportunity to highlight positive + or negative examples of cybersecurity risk management + + Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk + strategy and review and update it at least annually and after major events + + Ex4: Conduct reviews to ensure adequate authority and coordination among those + responsible for managing cybersecurity risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-02 + description: Roles, responsibilities, and authorities related to cybersecurity + risk management are established, communicated, understood, and enforced + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node33 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Document risk management roles and responsibilities in policy + + Ex2: Document who is responsible and accountable for cybersecurity risk management + activities and how those teams and individuals are to be consulted and informed + + Ex3: Include cybersecurity responsibilities and performance requirements in + personnel descriptions + + Ex4: Document performance goals for personnel with cybersecurity risk management + responsibilities, and periodically measure performance to identify areas for + improvement + + Ex5: Clearly articulate cybersecurity responsibilities within operations, + risk functions, and internal audit functions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-03 + description: Adequate resources are allocated 
commensurate with the cybersecurity + risk strategy, roles, responsibilities, and policies + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node35 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Conduct periodic management reviews to ensure that those given cybersecurity + risk management responsibilities have the necessary authority + + Ex2: Identify resource allocation and investment in line with risk tolerance + and response + + Ex3: Provide adequate and sufficient people, process, and technical resources + to support the cybersecurity strategy' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-04 + description: Cybersecurity is included in human resources practices + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node37 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Integrate cybersecurity risk management considerations into human resources + processes (e.g., personnel screening, onboarding, change notification, offboarding) + + Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, + and retention decisions + + Ex3: Conduct background checks prior to onboarding new personnel for sensitive + roles, and periodically repeat background checks for personnel with such roles + + Ex4: Define and enforce obligations for personnel to be aware of, adhere to, + and uphold security policies as they relate to their roles' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.PO + name: Policy + description: Organizational cybersecurity policy is established, communicated, + and enforced + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + ref_id: GV.PO-01 + description: Policy for managing cybersecurity risks is established based on + organizational context, cybersecurity strategy, and priorities and is communicated + and enforced + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node40 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Create, disseminate, and maintain an understandable, usable risk management + policy with statements of management intent, expectations, and direction + + Ex2: Periodically review policy and supporting processes and procedures to + ensure that they align with risk management strategy objectives and priorities, + as well as the high-level direction of the cybersecurity policy + + Ex3: Require approval from senior management on policy + + Ex4: Communicate cybersecurity risk management policy and supporting processes + and procedures across the organization + + Ex5: Require personnel to acknowledge receipt of policy when first hired, + annually, and whenever policy is updated' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + ref_id: GV.PO-02 + description: Policy for managing cybersecurity risks is reviewed, updated, communicated, + and enforced to reflect changes in requirements, threats, technology, and + organizational mission + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node42 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Update policy based on periodic reviews of cybersecurity risk management + results to ensure that policy and supporting processes and procedures adequately + maintain risk at an acceptable level + 
+ Ex2: Provide a timeline for reviewing changes to the organization''s risk + environment (e.g., changes in risk or in the organization''s mission objectives), + and communicate recommended policy updates + + Ex3: Update policy to reflect changes in legal and regulatory requirements + + Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial + intelligence) and changes to the business (e.g., acquisition of a new business, + new contract requirements)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.OV + name: Oversight + description: Results of organization-wide cybersecurity risk management activities + and performance are used to inform, improve, and adjust the risk management + strategy + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-01 + description: Cybersecurity risk management strategy outcomes are reviewed to + inform and adjust strategy and direction + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node45 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Measure how well the risk management strategy and risk results have helped + leaders make decisions and achieve organizational objectives + + Ex2: Examine whether cybersecurity risk strategies that impede operations + or innovation should be adjusted' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-02 + description: The cybersecurity risk management strategy is reviewed and adjusted + to ensure coverage of organizational requirements and risks + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node47 + assessable: false + depth: 4 + parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review audit findings to confirm whether the existing cybersecurity strategy + has ensured compliance with internal and external requirements + + Ex2: Review the performance oversight of those in cybersecurity-related roles + to determine whether policy changes are necessary + + Ex3: Review strategy in light of cybersecurity incidents' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-03 + description: Organizational cybersecurity risk management performance is evaluated + and reviewed for adjustments needed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node49 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review key performance indicators (KPIs) to ensure that organization-wide + policies and procedures achieve objectives + + Ex2: Review key risk indicators (KRIs) to identify risks the organization + faces, including likelihood and potential impact + + Ex3: Collect and communicate metrics on cybersecurity risk management with + senior leadership' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.SC + name: Cybersecurity Supply Chain Risk Management + description: Cyber supply chain risk management processes are identified, established, + managed, monitored, and improved by organizational stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-01 + description: A cybersecurity supply chain risk management program, strategy, + objectives, policies, and processes are established and agreed to by organizational + 
stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node52 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 + name: Examples + description: 'Ex1: Establish a strategy that expresses the objectives of the + cybersecurity supply chain risk management program + + Ex2: Develop the cybersecurity supply chain risk management program, including + a plan (with milestones), policies, and procedures that guide implementation + and improvement of the program, and share the policies and procedures with + the organizational stakeholders + + Ex3: Develop and implement program processes based on the strategy, objectives, + policies, and procedures that are agreed upon and performed by the organizational + stakeholders + + Ex4: Establish a cross-organizational mechanism that ensures alignment between + functions that contribute to cybersecurity supply chain risk management, such + as cybersecurity, IT, operations, legal, human resources, and engineering + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-02 + description: Cybersecurity roles and responsibilities for suppliers, customers, + and partners are established, communicated, and coordinated internally and + externally + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node54 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 + name: Examples + description: 'Ex1: Identify one or more specific roles or positions that will + be responsible and accountable for planning, resourcing, and executing cybersecurity + supply chain risk management activities + + Ex2: Document cybersecurity supply chain risk management roles and responsibilities + in policy + + Ex3: Create responsibility matrixes to document who will be responsible and + accountable for cybersecurity supply chain risk management activities 
and + how those teams and individuals will be consulted and informed + + Ex4: Include cybersecurity supply chain risk management responsibilities and + performance requirements in personnel descriptions to ensure clarity and improve + accountability + + Ex5: Document performance goals for personnel with cybersecurity risk management-specific + responsibilities, and periodically measure them to demonstrate and improve + performance + + Ex6: Develop roles and responsibilities for suppliers, customers, and business + partners to address shared responsibilities for applicable cybersecurity risks, + and integrate them into organizational policies and applicable third-party + agreements + + Ex7: Internally communicate cybersecurity supply chain risk management roles + and responsibilities for third parties + + Ex8: Establish rules and protocols for information sharing and reporting processes + between the organization and its suppliers + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-03 + description: Cybersecurity supply chain risk management is integrated into cybersecurity + and enterprise risk management, risk assessment, and improvement processes + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node56 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 + name: Examples + description: 'Ex1: Identify areas of alignment and overlap with cybersecurity + and enterprise risk management + + Ex2: Establish integrated control sets for cybersecurity risk management and + cybersecurity supply chain risk management + + Ex3: Integrate cybersecurity supply chain risk management into improvement + processes + + Ex4: Escalate material cybersecurity risks in supply chains to senior management, + and address them at the enterprise risk management level + + 3rd: 3rd Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-04 + description: Suppliers are known and prioritized by criticality + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node58 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 + name: Examples + description: 'Ex1: Develop criteria for supplier criticality based on, for example, + the sensitivity of data processed or possessed by suppliers, the degree of + access to the organization''s systems, and the importance of the products + or services to the organization''s mission + + Ex2: Keep a record of all suppliers, and prioritize suppliers based on the + criticality criteria + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-05 + description: Requirements to address cybersecurity risks in supply chains are + established, prioritized, and integrated into contracts and other types of + agreements with suppliers and other relevant third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node60 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 + name: Examples + description: 'Ex1: Establish security requirements for suppliers, products, + and services commensurate with their criticality level and potential impact + if compromised + + Ex2: Include all cybersecurity and supply chain requirements that third parties + must follow and how compliance with the requirements may be verified in default + contractual language + + Ex3: Define the rules and protocols for information sharing between the organization + and its suppliers and sub-tier suppliers in agreements + + Ex4: Manage risk by including security requirements in agreements based on + their criticality and potential impact if compromised + 
+ Ex5: Define security requirements in service-level agreements (SLAs) for monitoring + suppliers for acceptable security performance throughout the supplier relationship + lifecycle + + Ex6: Contractually require suppliers to disclose cybersecurity features, functions, + and vulnerabilities of their products and services for the life of the product + or the term of service + + Ex7: Contractually require suppliers to provide and maintain a current component + inventory (e.g., software or hardware bill of materials) for critical products + + Ex8: Contractually require suppliers to vet their employees and guard against + insider threats + + Ex9: Contractually require suppliers to provide evidence of performing acceptable + security practices through, for example, self-attestation, conformance to + known standards, certifications, or inspections + + Ex10: Specify in contracts and other agreements the rights and responsibilities + of the organization, its suppliers, and their supply chains, with respect + to potential cybersecurity risks + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-06 + description: Planning and due diligence are performed to reduce risks before + entering into formal supplier or other third-party relationships + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node62 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 + name: Examples + description: 'Ex1: Perform thorough due diligence on prospective suppliers that + is consistent with procurement planning and commensurate with the level of + risk, criticality, and complexity of each supplier relationship + + Ex2: Assess the suitability of the technology and cybersecurity capabilities + and the risk management practices of prospective suppliers + + Ex3: Conduct supplier risk assessments against business and applicable 
cybersecurity + requirements + + Ex4: Assess the authenticity, integrity, and security of critical products + prior to acquisition and use + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-07 + description: The risks posed by a supplier, their products and services, and + other third parties are understood, recorded, prioritized, assessed, responded + to, and monitored over the course of the relationship + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node64 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 + name: Examples + description: 'Ex1: Adjust assessment formats and frequencies based on the third + party''s reputation and the criticality of the products or services they provide + + Ex2: Evaluate third parties'' evidence of compliance with contractual cybersecurity + requirements, such as self-attestations, warranties, certifications, and other + artifacts + + Ex3: Monitor critical suppliers to ensure that they are fulfilling their security + obligations throughout the supplier relationship lifecycle using a variety + of methods and techniques, such as inspections, audits, tests, or other forms + of evaluation + + Ex4: Monitor critical suppliers, services, and products for changes to their + risk profiles, and reevaluate supplier criticality and risk impact accordingly + + Ex5: Plan for unexpected supplier and supply chain-related interruptions to + ensure business continuity + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-08 + description: Relevant suppliers and other third parties are included in incident + planning, response, and recovery activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node66 + assessable: false + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 + name: Examples + description: 'Ex1: Define and use rules and protocols for reporting incident + response and recovery activities and the status between the organization and + its suppliers + + Ex2: Identify and document the roles and responsibilities of the organization + and its suppliers for incident response + + Ex3: Include critical suppliers in incident response exercises and simulations + + Ex4: Define and coordinate crisis communication methods and protocols between + the organization and its critical suppliers + + Ex5: Conduct collaborative lessons learned sessions with critical suppliers + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-09 + description: Supply chain security practices are integrated into cybersecurity + and enterprise risk management programs, and their performance is monitored + throughout the technology product and service life cycle + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node68 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 + name: Examples + description: 'Ex1: Policies and procedures require provenance records for all + acquired technology products and services + + Ex2: Periodically provide risk reporting to leaders about how acquired components + are proven to be untampered and authentic + + Ex3: Communicate regularly among cybersecurity risk managers and operations + personnel about the need to acquire software patches, updates, and upgrades + only from authenticated and trustworthy software providers + + Ex4: Review policies to ensure that they require approved supplier personnel + to perform maintenance on supplier products + + Ex5: Policies and procedure require checking upgrades to critical hardware + for unauthorized changes + + 3rd: 3rd Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-10 + description: Cybersecurity supply chain risk management plans include provisions + for activities that occur after the conclusion of a partnership or service + agreement + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node70 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 + name: Examples + description: 'Ex1: Establish processes for terminating critical relationships + under both normal and adverse circumstances + + Ex2: Define and implement plans for component end-of-life maintenance support + and obsolescence + + Ex3: Verify that supplier access to organization resources is deactivated + promptly when it is no longer needed + + Ex4: Verify that assets containing the organization''s data are returned or + properly disposed of in a timely, controlled, and safe manner + + Ex5: Develop and execute a plan for terminating or transitioning supplier + relationships that takes supply chain security risk and resiliency into account + + Ex6: Mitigate risks to data and systems created by supplier termination + + Ex7: Manage data leakage risks associated with supplier termination + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + assessable: false + depth: 1 + ref_id: ID + name: IDENTIFY + description: The organization's current cybersecurity risks are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.AM + name: Asset Management + description: Assets (e.g., data, hardware, software, systems, facilities, services, + people) that enable the organization to achieve business purposes are identified + and managed consistent with their relative importance to organizational objectives + and the organization's risk strategy + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-01 + description: Inventories of hardware managed by the organization are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node74 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, + and mobile devices + + Ex2: Constantly monitor networks to detect new hardware and automatically + update inventories' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-02 + description: Inventories of software, services, and systems managed by the organization + are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node76 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain inventories for all types of software and services, including + commercial-off-the-shelf, open-source, custom applications, API services, + and cloud-based applications and services + + Ex2: Constantly monitor all platforms, including containers and virtual machines, + for software and service inventory changes + + Ex3: Maintain an inventory of the organization''s systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-03 + description: Representations of the organization's authorized network communication + and internal and external network data flows are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node78 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 + name: Examples + 
description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Maintain baselines of communication and data flows within the organization''s + wired and wireless networks + + Ex2: Maintain baselines of communication and data flows between the organization + and third parties + + Ex3: Maintain baselines of communication and data flows for the organization''s + infrastructure-as-a-service (IaaS) usage + + Ex4: Maintain documentation of expected network ports, protocols, and services + that are typically used among authorized systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-04 + description: Inventories of services provided by suppliers are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node80 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 + name: Examples + description: 'Ex1: Inventory all external services used by the organization, + including third-party infrastructure-as-a-service (IaaS), platform-as-a-service + (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally + hosted application services + + Ex2: Update the inventory when a new external service is going to be utilized + to ensure adequate cybersecurity risk management monitoring of the organization''s + use of that service + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-05 + description: Assets are prioritized based on classification, criticality, resources, + and impact on the mission + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node82 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Define criteria for prioritizing each class of assets + + Ex2: 
Apply the prioritization criteria to assets + + Ex3: Track the asset priorities and update them periodically or when significant + changes to the organization occur' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-07 + description: Inventories of data and corresponding metadata for designated data + types are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node84 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain a list of the designated data types of interest (e.g., personally + identifiable information, protected health information, financial account + numbers, organization intellectual property, operational technology data) + + Ex2: Continuously discover and analyze ad hoc data to identify new instances + of designated data types + + Ex3: Assign data classifications to designated data types through tags or + labels + + Ex4: Track the provenance, data owner, and geolocation of each instance of + designated data types' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-08 + description: Systems, hardware, software, services, and data are managed throughout + their life cycles + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node86 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Integrate cybersecurity considerations throughout the life cycles of + systems, hardware, software, and services + + Ex2: Integrate cybersecurity considerations into product life cycles + + Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., + shadow IT) + + Ex4: Periodically identify 
redundant systems, hardware, software, and services + that unnecessarily increase the organization''s attack surface + + Ex5: Properly configure and secure systems, hardware, software, and services + prior to their deployment in production + + Ex6: Update inventories when systems, hardware, software, and services are + moved or transferred within the organization + + Ex7: Securely destroy stored data based on the organization''s data retention + policy using the prescribed destruction method, and keep and manage a record + of the destructions + + Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, + reassigned, or sent for repairs or replacement + + Ex9: Offer methods for destroying paper, storage media, and other physical + forms of data storage' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.RA + name: Risk Assessment + description: The cybersecurity risk to the organization, assets, and individuals + is understood by the organization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-01 + description: Vulnerabilities in assets are identified, validated, and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node89 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use vulnerability management technologies to identify unpatched and misconfigured + software + + Ex2: Assess network and system architectures for design and implementation + weaknesses that affect cybersecurity + + Ex3: Review, analyze, or test organization-developed software to identify + design, coding, and default configuration vulnerabilities + + Ex4: Assess facilities that house critical computing assets for physical vulnerabilities + and 
resilience issues + + Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities + in products and services + + Ex6: Review processes and procedures for weaknesses that could be exploited + to affect cybersecurity' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-02 + description: Cyber threat intelligence is received from information sharing + forums and sources + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node91 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Configure cybersecurity tools and technologies with detection or response + capabilities to securely ingest cyber threat intelligence feeds + + Ex2: Receive and review advisories from reputable third parties on current + threat actors and their tactics, techniques, and procedures (TTPs) + + Ex3: Monitor sources of cyber threat intelligence for information on the types + of vulnerabilities that emerging technologies may have' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-03 + description: Internal and external threats to the organization are identified + and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node93 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Use cyber threat intelligence to maintain awareness of the types of threat + actors likely to target the organization and the TTPs they are likely to use + + Ex2: Perform threat hunting to look for signs of threat actors within the + environment + + Ex3: Implement processes for identifying internal threat actors' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-04 + description: Potential impacts and likelihoods of threats exploiting vulnerabilities + are identified and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node95 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Business leaders and cybersecurity risk management practitioners work + together to estimate the likelihood and impact of risk scenarios and record + them in risk registers + + Ex2: Enumerate the potential business impacts of unauthorized access to the + organization''s communications, systems, and data processed in or by those + systems + + Ex3: Account for the potential impacts of cascading failures for systems of + systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-05 + description: Threats, vulnerabilities, likelihoods, and impacts are used to + understand inherent risk and inform risk response prioritization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node97 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Develop threat models to better understand risks to the data and identify + appropriate risk responses + + Ex2: Prioritize cybersecurity resource allocations and investments based on + estimated likelihoods and impacts' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-06 + description: Risk responses are chosen, prioritized, planned, tracked, and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node99 + assessable: false + 
depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Apply the vulnerability management plan''s criteria for deciding whether + to accept, transfer, mitigate, or avoid risk + + Ex2: Apply the vulnerability management plan''s criteria for selecting compensating + controls to mitigate risk + + Ex3: Track the progress of risk response implementation (e.g., plan of action + and milestones [POA&M], risk register, risk detail report) + + Ex4: Use risk assessment findings to inform risk response decisions and actions + + Ex5: Communicate planned risk responses to affected stakeholders in priority + order' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-07 + description: Changes and exceptions are managed, assessed for risk impact, recorded, + and tracked + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node101 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 + name: Examples + description: 'Ex1: Implement and follow procedures for the formal documentation, + review, testing, and approval of proposed changes and requested exceptions + + Ex2: Document the possible risks of making or not making each proposed change, + and provide guidance on rolling back changes + + Ex3: Document the risks related to each requested exception and the plan for + responding to those risks + + Ex4: Periodically review risks that were accepted based upon planned future + actions or milestones' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-08 + description: Processes for receiving, analyzing, and responding to vulnerability + disclosures are established + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node103 + assessable: false + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Conduct vulnerability information sharing between the organization and + its suppliers following the rules and protocols defined in contracts + + Ex2: Assign responsibilities and verify the execution of procedures for processing, + analyzing the impact of, and responding to cybersecurity threat, vulnerability, + or incident disclosures by suppliers, customers, partners, and government + cybersecurity organizations' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-09 + description: The authenticity and integrity of hardware and software are assessed + prior to acquisition and use + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node105 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 + name: Examples + description: 'Ex1: Assess the authenticity and cybersecurity of critical technology + products and services prior to acquisition and use + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-10 + description: Critical suppliers are assessed prior to acquisition + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node107 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 + name: Examples + description: 'Ex1: Conduct supplier risk assessments against business and applicable + cybersecurity requirements, including the supply chain' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.IM + name: Improvement + description: Improvements to organizational cybersecurity risk management processes, + 
procedures and activities are identified across all CSF Functions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-01 + description: Improvements are identified from evaluations + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node110 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Perform self-assessments of critical services that take current threats + and TTPs into consideration + + Ex2: Invest in third-party assessments or independent audits of the effectiveness + of the organization''s cybersecurity program to identify areas that need improvement + + Ex3: Constantly evaluate compliance with selected cybersecurity requirements + through automated means' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-02 + description: Improvements are identified from security tests and exercises, + including those done in coordination with suppliers and relevant third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node112 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify improvements for future incident response activities based on + findings from incident response assessments (e.g., tabletop exercises and + simulations, tests, internal reviews, independent audits) + + Ex2: Identify improvements for future business continuity, disaster recovery, + and incident response activities based on exercises performed in coordination + with critical service providers and product suppliers + + Ex3: Involve internal stakeholders (e.g., senior executives, legal department, + HR) in security tests and exercises 
as appropriate + + Ex4: Perform penetration testing to identify opportunities to improve the + security posture of selected high-risk systems as approved by leadership + + Ex5: Exercise contingency plans for responding to and recovering from the + discovery that products or services did not originate with the contracted + supplier or partner or were altered before receipt + + Ex6: Collect and analyze performance metrics using security tools and services + to inform improvements to the cybersecurity program' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-03 + description: Improvements are identified from execution of operational processes, + procedures, and activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node114 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Conduct collaborative lessons learned sessions with suppliers + + Ex2: Annually review cybersecurity policies, processes, and procedures to + take lessons learned into account + + Ex3: Use metrics to assess operational cybersecurity performance over time' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-04 + description: Incident response plans and other cybersecurity plans that affect + operations are established, communicated, maintained, and improved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node116 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish contingency plans (e.g., incident response, business continuity, + disaster recovery) for responding to and recovering from adverse events that + can interfere with operations, expose confidential 
information, or otherwise + endanger the organization''s mission and viability + + Ex2: Include contact and communication information, processes for handling + common scenarios, and criteria for prioritization, escalation, and elevation + in all contingency plans + + Ex3: Create a vulnerability management plan to identify and assess all types + of vulnerabilities and to prioritize, test, and implement risk responses + + Ex4: Communicate cybersecurity plans (including updates) to those responsible + for carrying them out and to affected parties + + Ex5: Review and update all cybersecurity plans annually or when a need for + significant improvements is identified' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + assessable: false + depth: 1 + ref_id: PR + name: PROTECT + description: Safeguards to manage the organization's cybersecurity risks are + used + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.AA + name: Identity Management, Authentication, and Access Control + description: Access to physical and logical assets is limited to authorized + users, services, and hardware and managed commensurate with the assessed + risk of unauthorized access + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-01 + description: Identities and credentials for authorized users, services, and + hardware are managed by the organization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node120 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Initiate requests for new access or additional access for employees, + contractors, and others, and track, review, and fulfill the requests, with + permission from system or data owners when needed + + Ex2: Issue, manage, 
and revoke cryptographic certificates and identity tokens, + cryptographic keys (i.e., key management), and other credentials + + Ex3: Select a unique identifier for each device from immutable hardware characteristics + or an identifier securely provisioned to the device + + Ex4: Physically label authorized hardware with an identifier for inventory + and servicing purposes' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-02 + description: Identities are proofed and bound to credentials based on the context + of interactions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node122 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Verify a person''s claimed identity at enrollment time using government-issued + identity credentials (e.g., passport, visa, driver''s license) + + Ex2: Issue a different credential for each person (i.e., no credential sharing)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-03 + description: Users, services, and hardware are authenticated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node124 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Require multifactor authentication + + Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar + authenticators + + Ex3: Periodically reauthenticate users, services, and hardware based on risk + (e.g., in zero trust architectures) + + Ex4: Ensure that authorized personnel can access accounts essential for protecting + safety under emergency conditions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 + 
assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-04 + description: Identity assertions are protected, conveyed, and verified + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node126 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Protect identity assertions that are used to convey authentication and + user information through single sign-on systems + + Ex2: Protect identity assertions that are used to convey authentication and + user information between federated systems + + Ex3: Implement standards-based approaches for identity assertions in all contexts, + and follow all guidance for the generation (e.g., data models, metadata), + protection (e.g., digital signing, encryption), and verification (e.g., signature + validation) of identity assertions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-05 + description: Access permissions, entitlements, and authorizations are defined + in a policy, managed, enforced, and reviewed, and incorporate the principles + of least privilege and separation of duties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node128 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review logical and physical access privileges periodically and whenever + someone changes roles or leaves the organization, and promptly rescind privileges + that are no longer needed + + Ex2: Take attributes of the requester and the requested resource into account + for authorization decisions (e.g., geolocation, day/time, requester endpoint''s + cyber health) + + Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust + architecture) + + Ex4: Periodically 
review the privileges associated with critical business + functions to confirm proper separation of duties' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-06 + description: Physical access to assets is managed, monitored, and enforced commensurate + with risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node130 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Use security guards, security cameras, locked entrances, alarm systems, + and other physical controls to monitor facilities and restrict access + + Ex2: Employ additional physical security controls for areas that contain high-risk + assets + + Ex3: Escort guests, vendors, and other third parties within areas that contain + business-critical assets' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.AT + name: Awareness and Training + description: The organization's personnel are provided with cybersecurity awareness + and training so that they can perform their cybersecurity-related tasks + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + ref_id: PR.AT-01 + description: Personnel are provided with awareness and training so that they + possess the knowledge and skills to perform general tasks with cybersecurity + risks in mind + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node133 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Provide basic cybersecurity awareness and training to employees, contractors, + partners, suppliers, and all other users of the 
organization''s non-public + resources + + Ex2: Train personnel to recognize social engineering attempts and other common + attacks, report attacks and suspicious activity, comply with acceptable use + policies, and perform basic cyber hygiene tasks (e.g., patching software, + choosing passwords, protecting credentials) + + Ex3: Explain the consequences of cybersecurity policy violations, both to + individual users and the organization as a whole + + Ex4: Periodically assess or test users on their understanding of basic cybersecurity + practices + + Ex5: Require annual refreshers to reinforce existing practices and introduce + new practices' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + ref_id: PR.AT-02 + description: Individuals in specialized roles are provided with awareness and + training so that they possess the knowledge and skills to perform relevant + tasks with cybersecurity risks in mind + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node135 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify the specialized roles within the organization that require additional + cybersecurity training, such as physical and cybersecurity personnel, finance + personnel, senior leadership, and anyone with access to business-critical + data + + Ex2: Provide role-based cybersecurity awareness and training to all those + in specialized roles, including contractors, partners, suppliers, and other + third parties + + Ex3: Periodically assess or test users on their understanding of cybersecurity + practices for their specialized roles + + Ex4: Require annual refreshers to reinforce existing practices and introduce + new practices' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + assessable: false + depth: 2 + parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.DS + name: Data Security + description: Data are managed consistent with the organization's risk strategy + to protect the confidentiality, integrity, and availability of information + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-01 + description: The confidentiality, integrity, and availability of data-at-rest + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node138 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use encryption, digital signatures, and cryptographic hashes to protect + the confidentiality and integrity of stored data in files, databases, virtual + machine disk images, container images, and other resources + + Ex2: Use full disk encryption to protect data stored on user endpoints + + Ex3: Confirm the integrity of software by validating signatures + + Ex4: Restrict the use of removable media to prevent data exfiltration + + Ex5: Physically secure removable media containing unencrypted sensitive information, + such as within locked offices or file cabinets' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-02 + description: The confidentiality, integrity, and availability of data-in-transit + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node140 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use encryption, digital signatures, and cryptographic hashes to protect + the confidentiality and integrity of network communications + + Ex2: Automatically encrypt or block outbound emails and other communications + that contain 
sensitive data, depending on the data classification + + Ex3: Block access to personal email, file sharing, file storage services, + and other personal communications applications and services from organizational + systems and networks + + Ex4: Prevent reuse of sensitive data from production environments (e.g., customer + records) in development, testing, and other non-production environments' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-10 + description: The confidentiality, integrity, and availability of data-in-use + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node142 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Remove data that must remain confidential (e.g., from processors and + memory) as soon as it is no longer needed + + Ex2: Protect data in use from access by other users and processes of the same + platform' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-11 + description: Backups of data are created, protected, maintained, and tested + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node144 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Continuously back up critical data in near-real-time, and back up other + data frequently at agreed-upon schedules + + Ex2: Test backups and restores for all types of data sources at least annually + + Ex3: Securely store some backups offline and offsite so that an incident or + disaster will not damage them + + Ex4: Enforce geographic separation and geolocation restrictions for data backup + storage' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + 
assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.PS + name: Platform Security + description: The hardware, software (e.g., firmware, operating systems, applications), + and services of physical and virtual platforms are managed consistent with + the organization's risk strategy to protect their confidentiality, integrity, + and availability + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-01 + description: Configuration management practices are established and applied + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node147 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish, test, deploy, and maintain hardened baselines that enforce + the organization''s cybersecurity policies and provide only essential capabilities + (i.e., principle of least functionality) + + Ex2: Review all default configuration settings that may potentially impact + cybersecurity when installing or upgrading software + + Ex3: Monitor implemented software for deviations from approved baselines' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-02 + description: Software is maintained, replaced, and removed commensurate with + risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node149 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Perform routine and emergency patching within the timeframes specified + in the vulnerability management plan + + Ex2: Update container images, and deploy new container instances to replace + rather than update existing instances + + Ex3: Replace end-of-life software and 
service versions with supported, maintained + versions + + Ex4: Uninstall and remove unauthorized software and services that pose undue + risks + + Ex5: Uninstall and remove any unnecessary software components (e.g., operating + system utilities) that attackers might misuse + + Ex6: Define and implement plans for software and service end-of-life maintenance + support and obsolescence' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-03 + description: Hardware is maintained, replaced, and removed commensurate with + risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node151 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Replace hardware when it lacks needed security capabilities or when it + cannot support software with needed security capabilities + + Ex2: Define and implement plans for hardware end-of-life maintenance support + and obsolescence + + Ex3: Perform hardware disposal in a secure, responsible, and auditable manner' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-04 + description: Log records are generated and made available for continuous monitoring + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node153 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Configure all operating systems, applications, and services (including + cloud-based services) to generate log records + + Ex2: Configure log generators to securely share their logs with the organization''s + logging infrastructure systems and services + + Ex3: Configure log generators to record the data needed by zero-trust architectures' 
+ - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-05 + description: Installation and execution of unauthorized software are prevented + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node155 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: When risk warrants it, restrict software execution to permitted products + only or deny the execution of prohibited and unauthorized software + + Ex2: Verify the source of new software and the software''s integrity before + installing it + + Ex3: Configure platforms to use only approved DNS services that block access + to known malicious domains + + Ex4: Configure platforms to allow the installation of organization-approved + software only' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-06 + description: Secure software development practices are integrated, and their + performance is monitored throughout the software development life cycle + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node157 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Protect all components of organization-developed software from tampering + and unauthorized access + + Ex2: Secure all software produced by the organization, with minimal vulnerabilities + in their releases + + Ex3: Maintain the software used in production environments, and securely dispose + of software once it is no longer needed' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.IR + name: Technology Infrastructure Resilience + description: 
Security architectures are managed with the organization's risk + strategy to protect asset confidentiality, integrity, and availability, and + organizational resilience + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-01 + description: Networks and environments are protected from unauthorized logical + access and usage + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node160 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Logically segment organization networks and cloud-based platforms according + to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), + and permit required communications only between segments + + Ex2: Logically segment organization networks from external networks, and permit + only necessary communications to enter the organization''s networks from the + external networks + + Ex3: Implement zero trust architectures to restrict network access to each + resource to the minimum necessary + + Ex4: Check the cyber health of endpoints before allowing them to access and + use production resources' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-02 + description: The organization's technology assets are protected from environmental + threats + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node162 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Protect organizational equipment from known environmental threats, such + as flooding, fire, wind, and excessive heat and humidity + + Ex2: Include protection from environmental threats and provisions for 
adequate + operating infrastructure in requirements for service providers that operate + systems on the organization''s behalf' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-03 + description: Mechanisms are implemented to achieve resilience requirements in + normal and adverse situations + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node164 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Avoid single points of failure in systems and infrastructure + + Ex2: Use load balancing to increase capacity and improve reliability + + Ex3: Use high-availability components like redundant storage and power supplies + to improve system reliability' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-04 + description: Adequate resource capacity to ensure availability is maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node166 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 + name: Examples + description: 'Ex1: Monitor usage of storage, power, compute, network bandwidth, + and other resources + + Ex2: Forecast future needs, and scale resources accordingly' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + assessable: false + depth: 1 + ref_id: DE + name: DETECT + description: Possible cybersecurity attacks and compromises are found and analyzed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + ref_id: DE.CM + name: Continuous Monitoring + description: Assets are monitored to find anomalies, indicators of compromise, + and other potentially adverse events + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-01 + description: Networks and network services are monitored to find potentially + adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node170 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 + name: Examples + description: 'Ex1: Monitor DNS, BGP, and other network services for adverse + events + + Ex2: Monitor wired and wireless networks for connections from unauthorized + endpoints + + Ex3: Monitor facilities for unauthorized or rogue wireless networks + + Ex4: Compare actual network flows against baselines to detect deviations + + Ex5: Monitor network communications to identify changes in security postures + for zero trust purposes + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-02 + description: The physical environment is monitored to find potentially adverse + events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node172 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 + name: Examples + description: 'Ex1: Monitor logs from physical access control systems (e.g., + badge readers) to find unusual access patterns (e.g., deviations from the + norm) and failed access attempts + + Ex2: Review and monitor physical access records (e.g., from visitor registration, + sign-in sheets) + + Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) + for signs of tampering + + Ex4: Monitor the physical environment using alarm systems, cameras, and security + guards + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-03 + 
description: Personnel activity and technology usage are monitored to find potentially + adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node174 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 + name: Examples + description: 'Ex1: Use behavior analytics software to detect anomalous user + activity to mitigate insider threats + + Ex2: Monitor logs from logical access control systems to find unusual access + patterns and failed access attempts + + Ex3: Continuously monitor deception technology, including user accounts, for + any usage + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-06 + description: External service provider activities and services are monitored + to find potentially adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node176 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 + name: Examples + description: 'Ex1: Monitor remote and onsite administration and maintenance + activities that external providers perform on organizational systems + + Ex2: Monitor activity from cloud-based services, internet service providers, + and other service providers for deviations from expected behavior + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-09 + description: Computing hardware and software, runtime environments, and their + data are monitored to find potentially adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node178 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 + name: Examples + description: 'Ex1: Monitor email, web, file sharing, collaboration services, + and other common attack vectors to detect 
malware, phishing, data leaks and + exfiltration, and other adverse events + + Ex2: Monitor authentication attempts to identify attacks against credentials + and unauthorized credential reuse + + Ex3: Monitor software configurations for deviations from security baselines + + Ex4: Monitor hardware and software for signs of tampering + + Ex5: Use technologies with a presence on endpoints to detect cyber health + issues (e.g., missing patches, malware infections, unauthorized software), + and redirect the endpoints to a remediation environment before access is authorized + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + ref_id: DE.AE + name: Adverse Event Analysis + description: Anomalies, indicators of compromise, and other potentially adverse + events are analyzed to characterize the events and detect cybersecurity incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-02 + description: Potentially adverse events are analyzed to better understand associated + activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node181 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 + name: Examples + description: 'Ex1: Use security information and event management (SIEM) or other + tools to continuously monitor log events for known malicious and suspicious + activity + + Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to + improve detection accuracy and characterize threat actors, their methods, + and indicators of compromise + + Ex3: Regularly conduct manual reviews of log events for technologies that + cannot be sufficiently monitored through automation + + Ex4: Use log analysis tools to generate reports on their findings + + 1st: 1st Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-03 + description: Information is correlated from multiple sources + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node183 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 + name: Examples + description: 'Ex1: Constantly transfer log data generated by other sources to + a relatively small number of log servers + + Ex2: Use event correlation technology (e.g., SIEM) to collect information + captured by multiple sources + + Ex3: Utilize cyber threat intelligence to help correlate events among log + sources + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-04 + description: The estimated impact and scope of adverse events are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node185 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 + name: Examples + description: 'Ex1: Use SIEMs or other tools to estimate impact and scope, and + review and refine the estimates + + Ex2: A person creates their own estimates of impact and scope + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-06 + description: Information on adverse events is provided to authorized staff and + tools + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node187 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 + name: Examples + description: 'Ex1: Use cybersecurity software to generate alerts and provide + them to the security operations center (SOC), incident responders, and incident + response tools + + Ex2: Incident responders and other 
authorized personnel can access log analysis + findings at all times + + Ex3: Automatically create and assign tickets in the organization''s ticketing + system when certain types of alerts occur + + Ex4: Manually create and assign tickets in the organization''s ticketing system + when technical staff discover indicators of compromise + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-07 + description: Cyber threat intelligence and other contextual information are + integrated into the analysis + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node189 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 + name: Examples + description: 'Ex1: Securely provide cyber threat intelligence feeds to detection + technologies, processes, and personnel + + Ex2: Securely provide information from asset inventories to detection technologies, + processes, and personnel + + Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization''s + technologies from suppliers, vendors, and third-party security advisories + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-08 + description: Incidents are declared when adverse events meet the defined incident + criteria + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node191 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 + name: Examples + description: 'Ex1: Apply incident criteria to known and assumed characteristics + of activity in order to determine whether an incident should be declared + + Ex2: Take known false positives into account when applying incident criteria + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + assessable: false + 
depth: 1 + ref_id: RS + name: RESPOND + description: Actions regarding a detected cybersecurity incident are taken + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.MA + name: Incident Management + description: Responses to detected cybersecurity incidents are managed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-01 + description: The incident response plan is executed in coordination with relevant + third parties once an incident is declared + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node195 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 + name: Examples + description: 'Ex1: Detection technologies automatically report confirmed incidents + + Ex2: Request incident response assistance from the organization''s incident + response outsourcer + + Ex3: Designate an incident lead for each incident + + Ex4: Initiate execution of additional cybersecurity plans as needed to support + incident response (for example, business continuity and disaster recovery) + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-02 + description: Incident reports are triaged and validated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node197 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related + and necessitate incident response activities + + Ex2: Apply criteria to estimate the severity of an incident' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 + assessable: true + depth: 3 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-03 + description: Incidents are categorized and prioritized + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node199 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Further review and categorize incidents based on the type of incident + (e.g., data breach, ransomware, DDoS, account compromise) + + Ex2: Prioritize incidents based on their scope, likely impact, and time-critical + nature + + Ex3: Select incident response strategies for active incidents by balancing + the need to quickly recover from an incident with the need to observe the + attacker or conduct a more thorough investigation' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-04 + description: Incidents are escalated or elevated as needed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node201 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Track and validate the status of all ongoing incidents + + Ex2: Coordinate incident escalation or elevation with designated internal + and external stakeholders' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-05 + description: The criteria for initiating incident recovery are applied + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node203 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Apply incident recovery criteria to known and assumed characteristics + of the incident to determine whether incident recovery processes should be + initiated + + 
Ex2: Take the possible operational disruption of incident recovery activities + into account' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.AN + name: Incident Analysis + description: Investigations are conducted to ensure effective response and support + forensics and recovery activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-03 + description: Analysis is performed to establish what has taken place during + an incident and the root cause of the incident + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node206 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Determine the sequence of events that occurred during the incident and + which assets and resources were involved in each event + + Ex2: Attempt to determine what vulnerabilities, threats, and threat actors + were directly or indirectly involved in the incident + + Ex3: Analyze the incident to find the underlying, systemic root causes + + Ex4: Check any cyber deception technology for additional information on attacker + behavior' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-06 + description: Actions performed during an investigation are recorded, and the + records' integrity and provenance are preserved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node208 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Require each incident responder and others (e.g., system administrators, + cybersecurity engineers) who perform incident response tasks to record 
their + actions and make the record immutable + + Ex2: Require the incident lead to document the incident in detail and be responsible + for preserving the integrity of the documentation and the sources of all information + being reported' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-07 + description: Incident data and metadata are collected, and their integrity and + provenance are preserved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node210 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident + data and metadata (e.g., data source, date/time of collection) based on evidence + preservation and chain-of-custody procedures' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-08 + description: An incident's magnitude is estimated and validated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node212 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review other potential targets of the incident to search for indicators + of compromise and evidence of persistence + + Ex2: Automatically run tools on targets to look for indicators of compromise + and evidence of persistence' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.CO + name: Incident Response Reporting and Communication + description: Response activities are coordinated with internal and external + stakeholders as required by laws, regulations, or policies + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + ref_id: RS.CO-02 + description: Internal and external stakeholders are notified of incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node215 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Follow the organization''s breach notification procedures after discovering + a data breach incident, including notifying affected customers + + Ex2: Notify business partners and customers of incidents in accordance with + contractual requirements + + Ex3: Notify law enforcement agencies and regulatory bodies of incidents based + on criteria in the incident response plan and management approval' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + ref_id: RS.CO-03 + description: Information is shared with designated internal and external stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node217 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Securely share information consistent with response plans and information + sharing agreements + + Ex2: Voluntarily share information about an attacker''s observed TTPs, with + all sensitive data removed, with an Information Sharing and Analysis Center + (ISAC) + + Ex3: Notify HR when malicious insider activity occurs + + Ex4: Regularly update senior leadership on the status of major incidents + + Ex5: Follow the rules and protocols defined in contracts for incident information + sharing between the organization and its suppliers + + Ex6: Coordinate crisis communication methods between the organization and + its critical 
suppliers' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.MI + name: Incident Mitigation + description: Activities are performed to prevent expansion of an event and mitigate + its effects + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + ref_id: RS.MI-01 + description: Incidents are contained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node220 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity + features of other technologies (e.g., operating systems, network infrastructure + devices) automatically perform containment actions + + Ex2: Allow incident responders to manually select and perform containment + actions + + Ex3: Allow a third party (e.g., internet service provider, managed security + service provider) to perform containment actions on behalf of the organization + + Ex4: Automatically transfer compromised endpoints to a remediation virtual + local area network (VLAN)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + ref_id: RS.MI-02 + description: Incidents are eradicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node222 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Cybersecurity technologies and cybersecurity features of other technologies + (e.g., operating systems, network infrastructure devices) automatically perform + eradication actions + + Ex2: Allow incident responders to manually select and perform 
eradication + actions + + Ex3: Allow a third party (e.g., managed security service provider) to perform + eradication actions on behalf of the organization' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + assessable: false + depth: 1 + ref_id: RC + name: RECOVER + description: Assets and operations affected by a cybersecurity incident are + restored + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + ref_id: RC.RP + name: Incident Recovery Plan Execution + description: Restoration activities are performed to ensure operational availability + of systems and services affected by cybersecurity incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-01 + description: The recovery portion of the incident response plan is executed + once initiated from the incident response process + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node226 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Begin recovery procedures during or after incident response processes + + Ex2: Make all individuals with recovery responsibilities aware of the plans + for recovery and the authorizations required to implement each aspect of the + plans' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-02 + description: Recovery actions are selected, scoped, prioritized, and performed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node228 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Select recovery actions based on the criteria defined in the incident + response 
plan and available resources + + Ex2: Change planned recovery actions based on a reassessment of organizational + needs and resources' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-03 + description: The integrity of backups and other restoration assets is verified + before using them for restoration + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node230 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Check restoration assets for indicators of compromise, file corruption, + and other integrity issues before use' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-04 + description: Critical mission functions and cybersecurity risk management are + considered to establish post-incident operational norms + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node232 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use business impact and system categorization records (including service + delivery objectives) to validate that essential services are restored in the + appropriate order + + Ex2: Work with system owners to confirm the successful restoration of systems + and the return to normal operations + + Ex3: Monitor the performance of restored systems to verify the adequacy of + the restoration' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-05 + description: The integrity of restored assets is verified, systems and services + are restored, and normal operating status is confirmed + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:node234 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Check restored assets for indicators of compromise and remediation of + root causes of the incident before production use + + Ex2: Verify the correctness and adequacy of the restoration actions taken + before putting a restored system online' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-06 + description: The end of incident recovery is declared based on criteria, and + incident-related documentation is completed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node236 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Prepare an after-action report that documents the incident itself, the + response and recovery actions taken, and lessons learned + + Ex2: Declare the end of incident recovery once the criteria are met' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + ref_id: RC.CO + name: Incident Recovery Communication + description: Restoration activities are coordinated with internal and external + parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + ref_id: RC.CO-03 + description: Recovery activities and progress in restoring operational capabilities + are communicated to designated internal and external stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node239 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + 
Ex1: Securely share recovery information, including restoration progress, + consistent with response plans and information sharing agreements + + Ex2: Regularly update senior leadership on recovery status and restoration + progress for major incidents + + Ex3: Follow the rules and protocols defined in contracts for incident information + sharing between the organization and its suppliers + + Ex4: Coordinate crisis communication between the organization and its critical + suppliers' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + ref_id: RC.CO-04 + description: Public updates on incident recovery are shared using approved methods + and messaging + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node241 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Follow the organization''s breach notification procedures for recovering + from a data breach incident + + Ex2: Explain the steps being taken to recover from the incident and to prevent + a recurrence' diff --git a/tools/convert_framework.py b/tools/convert_framework.py index 027d4ad17..ca8354caa 100644 --- a/tools/convert_framework.py +++ b/tools/convert_framework.py @@ -75,6 +75,7 @@ library_vars_dict = defaultdict(dict) library_vars_dict_reverse = defaultdict(dict) library_vars_dict_arg = defaultdict(dict) +urn_unicity_checker = set() if len(sys.argv) <= 1: print("missing input file parameter") 
@@ -155,9 +156,12 @@ def read_header(row): annotation = row[header['annotation']].value if 'annotation' in header else None level = row[header['level']].value if 'level' in header else None maturity = row[header['maturity']].value if 'maturity' in header else None - ref_id_urn = ref_id.lower().replace(' ', '-') if ref_id else \ - name.lower().replace(' ', '-') if name else f"node{counter}" + ref_id_urn = ref_id.lower().replace(' ', '-') if ref_id else f"node{counter}" urn = f"{root_nodes_urn}:{ref_id_urn}" + if urn in urn_unicity_checker: + print("URN duplicate:", urn) + exit(1) + urn_unicity_checker.add(urn) if depth == current_depth + 1: parent_for_depth[depth]=current_node_urn parent_urn = parent_for_depth[depth] 
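Review bot: With the `name` fallback removed on the `ref_id_urn` line, every node without a `ref_id` now gets `f"node{counter}"`, so its URN depends on where the row sits in the spreadsheet. The generated YAML in this same patch shows the result: `node206`, `node208` and `node210` for the Examples nodes under rs.an-03, rs.an-06 and rs.an-07. If `counter` is a running row count, as those values suggest, adding or removing one row in a later revision of the sheet renumbers every following nodeN URN, and anything that recorded an old URN would then resolve to a different node. Consider building the fallback from the parent instead, for example the parent's ref_id plus a slug of `name`, which stays unique for the repeated "Examples" rows and stable across regenerations; that requires resolving `parent_urn` before `urn`, so the `parent_for_depth` lookup would move above this line. Two smaller points on the new duplicate check: the bare `exit(1)` relies on the site-provided builtin, and since the script already uses `sys.argv`, `sys.exit(1)` is the safer call; and the "URN duplicate:" message goes to stdout, where stderr plus the offending row's ref_id or name would make a failed conversion easier to trace.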
diff --git a/tools/csf2-tools/csf20.xlsx b/tools/csf2-tools/csf20.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..f0d9dda839db2e75272961dbe82bafdfc5029baa GIT binary patch literal 39202
z6k=>jsz%dE!jZNuLmmn2Fs34xY0m~}Z5x3}9e;|#1vwA8f@w`z)Of~axrR^?j@fJk!=jWXk91q2Rz1=wJS|3nEFIjFY4W_7|qBWp+HkVduQ%+mx~1Iww&K8XG$0f z@~0RvHg#tStr2<5DD?2F~;>x}$ilND|5w_c&DeQ;>)LGC14a&~PKF&wF zOoa0Om*6f_*&{n+50_GgBIah^L|92UgV+Y_##o*j=&pjw4&k!(9%-#d?OlgcQ%m~} zy*FurP$Y!jYY4sf-lUgMMIexX2+{(ANE1OodRIV7C<03FBHcpoND~l2MG%B9-g|#@ zum0|T@O|gZ>^VEL&-3oP@4LG*J3I4)%C|6?;roYxGxw1ApEu~#l~$q=6Xxl@aWmai zb{r++8e~W zax}#FCs!KrjSV@&^$aO{V4!M(fvb1Co+X$SU({JG$#sxNbp5ESE^3$j;sxEcBwnSE z7&-Oe!%>nw;(s(S=~&zXy``-|yL{rjqH}fv)y&b+bOusB$)HGf)nkkfNCMpLP?o#A z>$i%3jZw}dBy;L~eMQ|->AT%kd*aBpj@UqHw7o*#jd@48_6L(Z&N)5&Yhv5`&2p~0 z+maUPi|DzisN86Hu(@Hfra`;#;MzyASCi!$ z<79P5G#bv~3veVR%f{7guRdE$7y8g?>Gi{DpJFwX%GV18$CJkX5N_chzAU=Uv<~E{ zVprl*K8_{|$Ri)8JP&$N8T;nsAZGZE_*~fXiNy9DqH0E^Z+H5?CiVvg-lqU&r1Gd& zma+0v`a5Jm$CY|s_PFtIu-WO3#0rZKw9JYk1nnbvxkh;kN_4a3&swzO$nwv29>-|8Di+UqO7 zC${dbW7mVf>~{^^yA~L9Yd7Ybm|c2!x3THczG=9??s5leIF{kAA`>3r>>V5Pt&!^k zpjlba%mM06d<)MwsBSYQo8zXW=#vbc(5rX@;Qsc|6WejRL8Geas}JP@#rF9zK=bp7 z0@Wwk>r-?wT2c%NfaltLy6%Ec9#@c@Xv7Iva}UB41GtDGnp;YyXF%S7)eit1wC`G( zHJ<U3eHO*Hy-I8ix~)JG@lEZA-&4ym<&y@D4ks*|*?C zXHcTNuXcL$AiSbYK@ZFO#=%;_WOk>UCcx-83Bg%>7`lv2K;?>=LjO``AKQ zO7AIEl>$&h#o!(!Kvx#i;GGdGJ~01oIgp!MsF zpK!l6^02n<8REv#B(B`FTVSBiCAFJa1F5jJ_Dzv|;Yt<4T|y6Z9(-@muiJ515RDV^ z7fF9dF?c}gkZFOJn-xzd3R&5U?W}CDZmtwm%qo}ZX_PeeE|&SC@1IgO84DH734LwG zAWU9kxegjef{RnfNSmWv@HOKJWHTCG;btD)MTd>OidVKI-HAKtvx~d-HRCSt$ATq= zh|igAt0obvwC}65V8bj@%KcTV-hN%|o^&RrP-j|DtD6E2`1SY3?n+mfL$@2D5Wkul z;D&0a{uX5}NViS!WRvSWWd_HiL$dQ?pS?(3A)k}(#ca7l3xE7wq$%;uiadk;z047t zd~S&9w0uiSVdHRd2W*8I7&CVib2CF|$lcY0C=_nUK0T=L_~DYY zliY9{?($-=rOGPe>(JKnnD7JTuL~9%Z-hJ7r^Nemq>6@+>dKGu+#N~xdgfRs8z#?0 zMflnp-zIev^cIalnBw1o?jI~}Xb3jRv7z@ZZKwpY*MeB%-nQ{I_Pz4ukg=ep2Hw^m z;Z>a_lb#J6hX)1N1ORi!rQvjsnlW%fw91*I)5{nd=PPF$6f1M`W%~fGgy)9&hB|V` zc1BMMR@vIUlcsS)nzFo{+)av)OKP19-E`bz+GS2cOJR6B8q}n?3hdFc_Hz7LSvnzP z0MvD6tT0wkS5~Z!$;WA%J?BVgXIwDlu&-?k5iYl~EGDc#K*uUnpgu%{5!s79B}p88 z{|?SJl-ZqM6*SbfZZ4mFM_BCT;H7=AL>TJP;Wy99u?ktGX4#y>h(X4*WTE`Hagmv{ 
zL%gHWYucw%Bi&!=0@Zw!UiUm*j+q`3v^AV`FZsr!^5Kw^E5#7i_aY+<0xiVhBE{Z^ zV3JOx{bqKz#80xe-x?;0Vd}Z)u-?I&Sj14?lzz9J7}t?aV*(ao-3-WLHEx20%aG9+ z5Owldd@!#lu&sF4ix|u~;kqBw9Ib<9mgg5hKX?bi}j)b!Z+V((G2gV^F4fTlBnF@A?P#!4x3pQtD}2O4d0UC*uXv zTP|`}l@+qk;7N{14Vywv&qHV^fO0cnPT#~HuJ8Pq3wQgo8s%cLIP4+~Uy|nh(LI-7 z9`PMRHa__NqxqIQMnmUI(E|%v28fT; zQOu8j7=NqgSu|^?QP0D;b|Jvi5cX$VX*YV<^6NHab;I95gxA0e43;j$>3&a<5`~35>zG;UG=FByss_A(7t9^W34C7q{6(&JrAbK zjf6=Gobm0Olse; zXTDb9VPaI=j`8{0Q3mOtE8{bI_j9`VPqSeVFKYWM0_t;N zLyrg8JBlna0=5y35joUO+QQO_WY!UJrJe@D(r58slN;2JH}@f0KCLsMmmj54@G*-? zM~%YFcPQ>xW#BZBBV*>#neVlvBrMpHLY@~_1STuPZKF43@Ct5a19I_Kg95BP7G=M)dD#-*cPIKNWfP>WE>n*C+z9ZaMpJ3FGV^Q%1_X8H7Dx5DvJ5~VJE_#N zhJ4S%5xBYgP?c7dz{EqNwK#4PgV#8R_`GuqTLmR2gg?cKe^;5pNzG{yp=m%nT6oqU7yVGZ7O3I~5Po==-T(^2Y~gQ0+2EUJqiC$x4oyOXa9n zsdrSGb)XGmy$QUzKG?gyUQ#M@(?F;RI7Cn|yaP$YZKsI&oMX3CTWh4GtwP=rDSK;V zgH6ZbQ8VI;cq{{_9OMD7{6;<8cT4v{H3lcUw8ypK?(%)dm{S~lTYx1!Xx^=SQ` z-D>hAqg8Gbkt$4dtogjQR0ETz7-DrW51H8>ZmP~BFtp9K^>8UPu5TgOl_#p~8_ess zc`ByQlPAzYLjHvUT?e(P7>vMd&h>A>^osm1A;_2b<#E;F^P5(`n=d~V4kjY%wavCnJ!y^;o7iSnQWwa#Z@?xWT zIPTM{s-?@)9VmT4Zba$XP1c&o!_yRzgb)jrKJem&-?o~{aw%xw1*f%nUQEBlW?;$f zNUB~Di8r5hjurKG6TNI$FVjv*{x8RIaD}j{X@me`YzR33@Q-<(4%jSD!3O|n{|@S3 zf3|7}-vBq?07vs+KR1;9&$Ktz`<39Cg(&A2Y;%3=YEAYFK_+(MI3nG=Q6j=W%in=$ z#fO=nv49s?AoDN4Htc-FYP$W24Z>>C!x4xZKW+ajPk>YP84=bLBM|^V^$X7d)iVk4iJ@w4_H DOR5ph literal 0 HcmV?d00001 diff --git a/tools/csf2-tools/csfv2.py b/tools/csf2-tools/csfv2.py new file mode 100644 index 000000000..715f7950f --- /dev/null +++ b/tools/csf2-tools/csfv2.py 
@@ -0,0 +1,87 @@ +import openpyxl +import sys +import re +import yaml +from pprint import pprint +from collections import defaultdict + +if len(sys.argv) <= 1: + print("missing input file parameter") + exit() +input_file_name = sys.argv[1] +ref_name = re.sub(r"\.\w+$", "", input_file_name).lower() +output_file_name = ref_name + ".yaml" + +print("parsing", input_file_name) + +# Define variable to load the dataframe +dataframe = openpyxl.load_workbook(input_file_name) +wb_output = openpyxl.Workbook() +ws = wb_output.active + +def error(message): + print("Error:", message) + exit(1) + + +def read_header(row): + i = 0 + header = {} + for v in row: + v = str(v.value).lower() + header[v] = i + i += 1 + return header + +ws.cell(row=1, column=1, value='assessable') +ws.cell(row=1, column=2, value='depth') +ws.cell(row=1, column=3, value='ref_id') +ws.cell(row=1, column=4, value='name') +ws.cell(row=1, column=5, value='description') +line = 2 +for tab in dataframe: + print("parsing tab", tab.title) + title = tab.title + print("...processing content") + for row in tab: + if any([r.value for r in row]): + (v1, v2, v3, v4) = (r.value for r in row[0:4]) + if v1: + if ':' in v1: + print(v1) + q = re.match("(\w+) \((\w+)\): (.*)", v1) + function_name = q.group(1) + function_id = q.group(2) + function_description = q.group(3) + ws.cell(row=line, column=2, value=1) + ws.cell(row=line, column=3, value=function_id) + ws.cell(row=line, column=4, value=function_name) + ws.cell(row=line, column=5, value=function_description) + line += 1 + elif v2: + q = re.match("([\w\s,]+) \((\w+.\w+)\): (.*)", v2) + category_name = q.group(1) + category_id = q.group(2) + category_description = q.group(3) + ws.cell(row=line, column=2, value=2) + ws.cell(row=line, column=3, value=category_id) + ws.cell(row=line, column=4, value=category_name) + ws.cell(row=line, column=5, value=category_description) + line += 1 + elif v3: + q = re.match("(\w+.\w+-\d+): (.*)", v3) + subcategory_id = q.group(1) + 
subcategory_description = q.group(2) + ws.cell(row=line, column=1, value='x') + ws.cell(row=line, column=2, value=3) + ws.cell(row=line, column=3, value=subcategory_id) + ws.cell(row=line, column=5, value=subcategory_description) + line += 1 + ws.cell(row=line, column=2, value=4) + ws.cell(row=line, column=4, value='Examples') + ws.cell(row=line, column=5, value=v4) + line += 1 + + + +wb_output.save('nist_csf-2.0-en.xlsx') 
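Review bot: in tools/csf2-tools/csfv2.py, all three `re.match(...)` results are dereferenced with `q.group(...)` without a `None` check, so any function, category or subcategory cell that deviates from the expected "Name (ID): text" shape aborts the conversion with an AttributeError that does not name the tab or the offending cell. Test `q` after each match and call the `error()` helper, which is defined but never used, with `tab.title` and the cell value. The three patterns are also plain strings containing `\w`, `\(` and `\d`; make them raw strings, as the earlier `re.sub(r"\.\w+$", ...)` already is, and escape the dot in `\w+.\w+`, which currently matches any character between the two identifier parts. The output path is hard-coded in `wb_output.save('nist_csf-2.0-en.xlsx')` while `output_file_name` is computed and never used; `yaml`, `pprint`, `defaultdict` and `read_header` are unused as well, and the missing-argument branch calls `exit()` with no status, so a caller sees success.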
diff --git a/tools/nist_csf-2.0-en.xlsx b/tools/nist_csf-2.0-en.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..850428a2efcf78dc1f93edfd0fb8f397b0ef5de2 GIT binary patch literal 35603
diff --git a/tools/nist_csf-2.0-en.yaml b/tools/nist_csf-2.0-en.yaml new file mode 100644 index 000000000..6452a17c4 
--- /dev/null +++ b/tools/nist_csf-2.0-en.yaml 
@@ -0,0 +1,2779 @@ +urn: urn:intuitem:risk:library:nist-csf-2.0 +locale: en +ref_id: NIST-CSF-2.0 +name: NIST CSF version 2.0 +description: National Institute of Standards and Technology - Cybersecurity Framework +copyright: With the exception of material marked as copyrighted, information presented + on NIST sites are considered public information and may be distributed or copied. +version: 1 +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-csf-2.0 + ref_id: NIST-CSF-2.0 + name: NIST CSF v2.0 + description: NIST Cybersecurity Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + assessable: false + depth: 1 + ref_id: GV + name: GOVERN + description: The organization's cybersecurity risk management strategy, expectations, + and policy are established, communicated, and monitored + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.OC + name: Organizational Context + description: The circumstances - mission, stakeholder expectations, dependencies, + and legal, regulatory, and contractual requirements - surrounding the organization's + cybersecurity risk management decisions are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-01 + description: The organizational mission is understood and informs cybersecurity + risk management + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Share the organization''s mission (e.g., through vision and mission statements, + marketing, and service strategies) to provide a basis for identifying risks + that may impede that mission' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-02 + description: Internal and external stakeholders are understood, and their needs + and expectations regarding cybersecurity risk management are understood and + considered + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify relevant internal stakeholders and their cybersecurity-related + expectations (e.g., performance and risk expectations of officers, directors, + and advisors; cultural expectations of employees) + + Ex2: Identify relevant external stakeholders and their cybersecurity-related + expectations (e.g., privacy expectations of customers, business expectations + of partnerships, compliance expectations of regulators, ethics expectations + of society)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-03 + description: Legal, regulatory, and contractual requirements regarding cybersecurity + - including privacy and civil liberties obligations - are understood and managed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Determine a process to track and manage legal and regulatory requirements + regarding protection of individuals'' information (e.g., Health Insurance + Portability and Accountability Act, California Consumer Privacy Act, General + Data Protection Regulation) + + Ex2: Determine a process to track and manage contractual requirements for + cybersecurity management of supplier, customer, and partner 
information + + Ex3: Align the organization''s cybersecurity strategy with legal, regulatory, + and contractual requirements' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-04 + description: Critical objectives, capabilities, and services that stakeholders + depend on or expect from the organization are understood and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node11 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Establish criteria for determining the criticality of capabilities and + services as viewed by internal and external stakeholders + + Ex2: Determine (e.g., from a business impact analysis) assets and business + operations that are vital to achieving mission objectives and the potential + impact of a loss (or partial loss) of such operations + + Ex3: Establish and communicate resilience objectives (e.g., recovery time + objectives) for delivering critical capabilities and services in various operating + states (e.g., under attack, during recovery, normal operation)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-05 + description: Outcomes, capabilities, and services that the organization depends + on are understood and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node13 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 + name: Examples + description: 'Ex1: Create an inventory of the organization''s dependencies on + external resources (e.g., facilities, cloud-based hosting providers) and their + relationships to organizational assets and business functions + + Ex2: Identify and document external dependencies that are 
potential points + of failure for the organization''s critical capabilities and services, and + share that information with appropriate personnel + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.RM + name: Risk Management Strategy + description: The organization's priorities, constraints, risk tolerance and + appetite statements, and assumptions are established, communicated, and used + to support operational risk decisions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-01 + description: Risk management objectives are established and agreed to by organizational + stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node16 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Update near-term and long-term cybersecurity risk management objectives + as part of annual strategic planning and when major changes occur + + Ex2: Establish measurable objectives for cybersecurity risk management (e.g., + manage the quality of user training, ensure adequate risk protection for industrial + control systems) + + Ex3: Senior leaders agree about cybersecurity objectives and use them for + measuring and managing risk and performance' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-02 + description: Risk appetite and risk tolerance statements are established, communicated, + and maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node18 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + 
+ Ex1: Determine and communicate risk appetite statements that convey expectations + about the appropriate level of risk for the organization + + Ex2: Translate risk appetite statements into specific, measurable, and broadly + understandable risk tolerance statements + + Ex3: Refine organizational objectives and risk appetite periodically based + on known risk exposure and residual risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-03 + description: Cybersecurity risk management activities and outcomes are included + in enterprise risk management processes + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node20 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks + (e.g., compliance, financial, operational, regulatory, reputational, safety) + + Ex2: Include cybersecurity risk managers in enterprise risk management planning + + Ex3: Establish criteria for escalating cybersecurity risks within enterprise + risk management' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-04 + description: Strategic direction that describes appropriate risk response options + is established and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node22 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various + classifications of data + + Ex2: Determine whether to purchase cybersecurity insurance + + Ex3: Document conditions under which shared responsibility models are acceptable + (e.g., outsourcing 
certain cybersecurity functions, having a third party perform + financial transactions on behalf of the organization, using public cloud-based + services)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-05 + description: Lines of communication across the organization are established + for cybersecurity risks, including risks from suppliers and other third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node24 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Determine how to update senior executives, directors, and management + on the organization''s cybersecurity posture at agreed-upon intervals + + Ex2: Identify how all departments across the organization - such as management, + operations, internal auditors, legal, acquisition, physical security, and + HR - will communicate with each other about cybersecurity risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-06 + description: A standardized method for calculating, documenting, categorizing, + and prioritizing cybersecurity risks is established and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node26 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish criteria for using a quantitative approach to cybersecurity + risk analysis, and specify probability and exposure formulas + + Ex2: Create and use templates (e.g., a risk register) to document cybersecurity + risk information (e.g., risk description, exposure, treatment, and ownership) + + Ex3: Establish criteria for risk prioritization at the appropriate levels + 
within the enterprise + + Ex4: Use a consistent list of risk categories to support integrating, aggregating, + and comparing cybersecurity risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-07 + description: Strategic opportunities (i.e., positive risks) are characterized + and are included in organizational cybersecurity risk discussions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node28 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Define and communicate guidance and methods for identifying opportunities + and including them in risk discussions (e.g., strengths, weaknesses, opportunities, + and threats [SWOT] analysis) + + Ex2: Identify stretch goals and document them + + Ex3: Calculate, document, and prioritize positive risks alongside negative + risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.RR + name: Roles, Responsibilities, and Authorities + description: Cybersecurity roles, responsibilities, and authorities to foster + accountability, performance assessment, and continuous improvement are established + and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-01 + description: Organizational leadership is responsible and accountable for cybersecurity + risk and fosters a culture that is risk-aware, ethical, and continually improving + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node31 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Leaders (e.g., directors) agree on their roles and 
responsibilities in + developing, implementing, and assessing the organization''s cybersecurity + strategy + + Ex2: Share leaders'' expectations regarding a secure and ethical culture, + especially when current events present the opportunity to highlight positive + or negative examples of cybersecurity risk management + + Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk + strategy and review and update it at least annually and after major events + + Ex4: Conduct reviews to ensure adequate authority and coordination among those + responsible for managing cybersecurity risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-02 + description: Roles, responsibilities, and authorities related to cybersecurity + risk management are established, communicated, understood, and enforced + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node33 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Document risk management roles and responsibilities in policy + + Ex2: Document who is responsible and accountable for cybersecurity risk management + activities and how those teams and individuals are to be consulted and informed + + Ex3: Include cybersecurity responsibilities and performance requirements in + personnel descriptions + + Ex4: Document performance goals for personnel with cybersecurity risk management + responsibilities, and periodically measure performance to identify areas for + improvement + + Ex5: Clearly articulate cybersecurity responsibilities within operations, + risk functions, and internal audit functions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-03 + description: Adequate resources are allocated 
commensurate with the cybersecurity + risk strategy, roles, responsibilities, and policies + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node35 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Conduct periodic management reviews to ensure that those given cybersecurity + risk management responsibilities have the necessary authority + + Ex2: Identify resource allocation and investment in line with risk tolerance + and response + + Ex3: Provide adequate and sufficient people, process, and technical resources + to support the cybersecurity strategy' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-04 + description: Cybersecurity is included in human resources practices + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node37 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Integrate cybersecurity risk management considerations into human resources + processes (e.g., personnel screening, onboarding, change notification, offboarding) + + Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, + and retention decisions + + Ex3: Conduct background checks prior to onboarding new personnel for sensitive + roles, and periodically repeat background checks for personnel with such roles + + Ex4: Define and enforce obligations for personnel to be aware of, adhere to, + and uphold security policies as they relate to their roles' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.PO + name: Policy + description: Organizational cybersecurity policy is established, communicated, + and enforced + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + ref_id: GV.PO-01 + description: Policy for managing cybersecurity risks is established based on + organizational context, cybersecurity strategy, and priorities and is communicated + and enforced + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node40 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Create, disseminate, and maintain an understandable, usable risk management + policy with statements of management intent, expectations, and direction + + Ex2: Periodically review policy and supporting processes and procedures to + ensure that they align with risk management strategy objectives and priorities, + as well as the high-level direction of the cybersecurity policy + + Ex3: Require approval from senior management on policy + + Ex4: Communicate cybersecurity risk management policy and supporting processes + and procedures across the organization + + Ex5: Require personnel to acknowledge receipt of policy when first hired, + annually, and whenever policy is updated' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + ref_id: GV.PO-02 + description: Policy for managing cybersecurity risks is reviewed, updated, communicated, + and enforced to reflect changes in requirements, threats, technology, and + organizational mission + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node42 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Update policy based on periodic reviews of cybersecurity risk management + results to ensure that policy and supporting processes and procedures adequately + maintain risk at an acceptable level + 
+ Ex2: Provide a timeline for reviewing changes to the organization''s risk + environment (e.g., changes in risk or in the organization''s mission objectives), + and communicate recommended policy updates + + Ex3: Update policy to reflect changes in legal and regulatory requirements + + Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial + intelligence) and changes to the business (e.g., acquisition of a new business, + new contract requirements)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.OV + name: Oversight + description: Results of organization-wide cybersecurity risk management activities + and performance are used to inform, improve, and adjust the risk management + strategy + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-01 + description: Cybersecurity risk management strategy outcomes are reviewed to + inform and adjust strategy and direction + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node45 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Measure how well the risk management strategy and risk results have helped + leaders make decisions and achieve organizational objectives + + Ex2: Examine whether cybersecurity risk strategies that impede operations + or innovation should be adjusted' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-02 + description: The cybersecurity risk management strategy is reviewed and adjusted + to ensure coverage of organizational requirements and risks + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node47 + assessable: false + depth: 4 + parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review audit findings to confirm whether the existing cybersecurity strategy + has ensured compliance with internal and external requirements + + Ex2: Review the performance oversight of those in cybersecurity-related roles + to determine whether policy changes are necessary + + Ex3: Review strategy in light of cybersecurity incidents' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-03 + description: Organizational cybersecurity risk management performance is evaluated + and reviewed for adjustments needed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node49 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review key performance indicators (KPIs) to ensure that organization-wide + policies and procedures achieve objectives + + Ex2: Review key risk indicators (KRIs) to identify risks the organization + faces, including likelihood and potential impact + + Ex3: Collect and communicate metrics on cybersecurity risk management with + senior leadership' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.SC + name: Cybersecurity Supply Chain Risk Management + description: Cyber supply chain risk management processes are identified, established, + managed, monitored, and improved by organizational stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-01 + description: A cybersecurity supply chain risk management program, strategy, + objectives, policies, and processes are established and agreed to by organizational + 
stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node52 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 + name: Examples + description: 'Ex1: Establish a strategy that expresses the objectives of the + cybersecurity supply chain risk management program + + Ex2: Develop the cybersecurity supply chain risk management program, including + a plan (with milestones), policies, and procedures that guide implementation + and improvement of the program, and share the policies and procedures with + the organizational stakeholders + + Ex3: Develop and implement program processes based on the strategy, objectives, + policies, and procedures that are agreed upon and performed by the organizational + stakeholders + + Ex4: Establish a cross-organizational mechanism that ensures alignment between + functions that contribute to cybersecurity supply chain risk management, such + as cybersecurity, IT, operations, legal, human resources, and engineering + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-02 + description: Cybersecurity roles and responsibilities for suppliers, customers, + and partners are established, communicated, and coordinated internally and + externally + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node54 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 + name: Examples + description: 'Ex1: Identify one or more specific roles or positions that will + be responsible and accountable for planning, resourcing, and executing cybersecurity + supply chain risk management activities + + Ex2: Document cybersecurity supply chain risk management roles and responsibilities + in policy + + Ex3: Create responsibility matrixes to document who will be responsible and + accountable for cybersecurity supply chain risk management activities 
and + how those teams and individuals will be consulted and informed + + Ex4: Include cybersecurity supply chain risk management responsibilities and + performance requirements in personnel descriptions to ensure clarity and improve + accountability + + Ex5: Document performance goals for personnel with cybersecurity risk management-specific + responsibilities, and periodically measure them to demonstrate and improve + performance + + Ex6: Develop roles and responsibilities for suppliers, customers, and business + partners to address shared responsibilities for applicable cybersecurity risks, + and integrate them into organizational policies and applicable third-party + agreements + + Ex7: Internally communicate cybersecurity supply chain risk management roles + and responsibilities for third parties + + Ex8: Establish rules and protocols for information sharing and reporting processes + between the organization and its suppliers + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-03 + description: Cybersecurity supply chain risk management is integrated into cybersecurity + and enterprise risk management, risk assessment, and improvement processes + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node56 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 + name: Examples + description: 'Ex1: Identify areas of alignment and overlap with cybersecurity + and enterprise risk management + + Ex2: Establish integrated control sets for cybersecurity risk management and + cybersecurity supply chain risk management + + Ex3: Integrate cybersecurity supply chain risk management into improvement + processes + + Ex4: Escalate material cybersecurity risks in supply chains to senior management, + and address them at the enterprise risk management level + + 3rd: 3rd Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-04 + description: Suppliers are known and prioritized by criticality + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node58 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 + name: Examples + description: 'Ex1: Develop criteria for supplier criticality based on, for example, + the sensitivity of data processed or possessed by suppliers, the degree of + access to the organization''s systems, and the importance of the products + or services to the organization''s mission + + Ex2: Keep a record of all suppliers, and prioritize suppliers based on the + criticality criteria + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-05 + description: Requirements to address cybersecurity risks in supply chains are + established, prioritized, and integrated into contracts and other types of + agreements with suppliers and other relevant third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node60 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 + name: Examples + description: 'Ex1: Establish security requirements for suppliers, products, + and services commensurate with their criticality level and potential impact + if compromised + + Ex2: Include all cybersecurity and supply chain requirements that third parties + must follow and how compliance with the requirements may be verified in default + contractual language + + Ex3: Define the rules and protocols for information sharing between the organization + and its suppliers and sub-tier suppliers in agreements + + Ex4: Manage risk by including security requirements in agreements based on + their criticality and potential impact if compromised + 
+ Ex5: Define security requirements in service-level agreements (SLAs) for monitoring + suppliers for acceptable security performance throughout the supplier relationship + lifecycle + + Ex6: Contractually require suppliers to disclose cybersecurity features, functions, + and vulnerabilities of their products and services for the life of the product + or the term of service + + Ex7: Contractually require suppliers to provide and maintain a current component + inventory (e.g., software or hardware bill of materials) for critical products + + Ex8: Contractually require suppliers to vet their employees and guard against + insider threats + + Ex9: Contractually require suppliers to provide evidence of performing acceptable + security practices through, for example, self-attestation, conformance to + known standards, certifications, or inspections + + Ex10: Specify in contracts and other agreements the rights and responsibilities + of the organization, its suppliers, and their supply chains, with respect + to potential cybersecurity risks + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-06 + description: Planning and due diligence are performed to reduce risks before + entering into formal supplier or other third-party relationships + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node62 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 + name: Examples + description: 'Ex1: Perform thorough due diligence on prospective suppliers that + is consistent with procurement planning and commensurate with the level of + risk, criticality, and complexity of each supplier relationship + + Ex2: Assess the suitability of the technology and cybersecurity capabilities + and the risk management practices of prospective suppliers + + Ex3: Conduct supplier risk assessments against business and applicable 
cybersecurity + requirements + + Ex4: Assess the authenticity, integrity, and security of critical products + prior to acquisition and use + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-07 + description: The risks posed by a supplier, their products and services, and + other third parties are understood, recorded, prioritized, assessed, responded + to, and monitored over the course of the relationship + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node64 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 + name: Examples + description: 'Ex1: Adjust assessment formats and frequencies based on the third + party''s reputation and the criticality of the products or services they provide + + Ex2: Evaluate third parties'' evidence of compliance with contractual cybersecurity + requirements, such as self-attestations, warranties, certifications, and other + artifacts + + Ex3: Monitor critical suppliers to ensure that they are fulfilling their security + obligations throughout the supplier relationship lifecycle using a variety + of methods and techniques, such as inspections, audits, tests, or other forms + of evaluation + + Ex4: Monitor critical suppliers, services, and products for changes to their + risk profiles, and reevaluate supplier criticality and risk impact accordingly + + Ex5: Plan for unexpected supplier and supply chain-related interruptions to + ensure business continuity + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-08 + description: Relevant suppliers and other third parties are included in incident + planning, response, and recovery activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node66 + assessable: false + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 + name: Examples + description: 'Ex1: Define and use rules and protocols for reporting incident + response and recovery activities and the status between the organization and + its suppliers + + Ex2: Identify and document the roles and responsibilities of the organization + and its suppliers for incident response + + Ex3: Include critical suppliers in incident response exercises and simulations + + Ex4: Define and coordinate crisis communication methods and protocols between + the organization and its critical suppliers + + Ex5: Conduct collaborative lessons learned sessions with critical suppliers + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-09 + description: Supply chain security practices are integrated into cybersecurity + and enterprise risk management programs, and their performance is monitored + throughout the technology product and service life cycle + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node68 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 + name: Examples + description: 'Ex1: Policies and procedures require provenance records for all + acquired technology products and services + + Ex2: Periodically provide risk reporting to leaders about how acquired components + are proven to be untampered and authentic + + Ex3: Communicate regularly among cybersecurity risk managers and operations + personnel about the need to acquire software patches, updates, and upgrades + only from authenticated and trustworthy software providers + + Ex4: Review policies to ensure that they require approved supplier personnel + to perform maintenance on supplier products + + Ex5: Policies and procedure require checking upgrades to critical hardware + for unauthorized changes + + 3rd: 3rd Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-10 + description: Cybersecurity supply chain risk management plans include provisions + for activities that occur after the conclusion of a partnership or service + agreement + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node70 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 + name: Examples + description: 'Ex1: Establish processes for terminating critical relationships + under both normal and adverse circumstances + + Ex2: Define and implement plans for component end-of-life maintenance support + and obsolescence + + Ex3: Verify that supplier access to organization resources is deactivated + promptly when it is no longer needed + + Ex4: Verify that assets containing the organization''s data are returned or + properly disposed of in a timely, controlled, and safe manner + + Ex5: Develop and execute a plan for terminating or transitioning supplier + relationships that takes supply chain security risk and resiliency into account + + Ex6: Mitigate risks to data and systems created by supplier termination + + Ex7: Manage data leakage risks associated with supplier termination + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + assessable: false + depth: 1 + ref_id: ID + name: IDENTIFY + description: The organization's current cybersecurity risks are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.AM + name: Asset Management + description: Assets (e.g., data, hardware, software, systems, facilities, services, + people) that enable the organization to achieve business purposes are identified + and managed consistent with their relative importance to organizational objectives + and the organization's risk strategy + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-01 + description: Inventories of hardware managed by the organization are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node74 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, + and mobile devices + + Ex2: Constantly monitor networks to detect new hardware and automatically + update inventories' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-02 + description: Inventories of software, services, and systems managed by the organization + are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node76 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain inventories for all types of software and services, including + commercial-off-the-shelf, open-source, custom applications, API services, + and cloud-based applications and services + + Ex2: Constantly monitor all platforms, including containers and virtual machines, + for software and service inventory changes + + Ex3: Maintain an inventory of the organization''s systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-03 + description: Representations of the organization's authorized network communication + and internal and external network data flows are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node78 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 + name: Examples + 
description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Maintain baselines of communication and data flows within the organization''s + wired and wireless networks + + Ex2: Maintain baselines of communication and data flows between the organization + and third parties + + Ex3: Maintain baselines of communication and data flows for the organization''s + infrastructure-as-a-service (IaaS) usage + + Ex4: Maintain documentation of expected network ports, protocols, and services + that are typically used among authorized systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-04 + description: Inventories of services provided by suppliers are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node80 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 + name: Examples + description: 'Ex1: Inventory all external services used by the organization, + including third-party infrastructure-as-a-service (IaaS), platform-as-a-service + (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally + hosted application services + + Ex2: Update the inventory when a new external service is going to be utilized + to ensure adequate cybersecurity risk management monitoring of the organization''s + use of that service + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-05 + description: Assets are prioritized based on classification, criticality, resources, + and impact on the mission + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node82 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Define criteria for prioritizing each class of assets + + Ex2: 
Apply the prioritization criteria to assets + + Ex3: Track the asset priorities and update them periodically or when significant + changes to the organization occur' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-07 + description: Inventories of data and corresponding metadata for designated data + types are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node84 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain a list of the designated data types of interest (e.g., personally + identifiable information, protected health information, financial account + numbers, organization intellectual property, operational technology data) + + Ex2: Continuously discover and analyze ad hoc data to identify new instances + of designated data types + + Ex3: Assign data classifications to designated data types through tags or + labels + + Ex4: Track the provenance, data owner, and geolocation of each instance of + designated data types' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-08 + description: Systems, hardware, software, services, and data are managed throughout + their life cycles + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node86 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Integrate cybersecurity considerations throughout the life cycles of + systems, hardware, software, and services + + Ex2: Integrate cybersecurity considerations into product life cycles + + Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., + shadow IT) + + Ex4: Periodically identify 
redundant systems, hardware, software, and services + that unnecessarily increase the organization''s attack surface + + Ex5: Properly configure and secure systems, hardware, software, and services + prior to their deployment in production + + Ex6: Update inventories when systems, hardware, software, and services are + moved or transferred within the organization + + Ex7: Securely destroy stored data based on the organization''s data retention + policy using the prescribed destruction method, and keep and manage a record + of the destructions + + Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, + reassigned, or sent for repairs or replacement + + Ex9: Offer methods for destroying paper, storage media, and other physical + forms of data storage' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.RA + name: Risk Assessment + description: The cybersecurity risk to the organization, assets, and individuals + is understood by the organization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-01 + description: Vulnerabilities in assets are identified, validated, and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node89 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use vulnerability management technologies to identify unpatched and misconfigured + software + + Ex2: Assess network and system architectures for design and implementation + weaknesses that affect cybersecurity + + Ex3: Review, analyze, or test organization-developed software to identify + design, coding, and default configuration vulnerabilities + + Ex4: Assess facilities that house critical computing assets for physical vulnerabilities + and 
resilience issues + + Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities + in products and services + + Ex6: Review processes and procedures for weaknesses that could be exploited + to affect cybersecurity' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-02 + description: Cyber threat intelligence is received from information sharing + forums and sources + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node91 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Configure cybersecurity tools and technologies with detection or response + capabilities to securely ingest cyber threat intelligence feeds + + Ex2: Receive and review advisories from reputable third parties on current + threat actors and their tactics, techniques, and procedures (TTPs) + + Ex3: Monitor sources of cyber threat intelligence for information on the types + of vulnerabilities that emerging technologies may have' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-03 + description: Internal and external threats to the organization are identified + and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node93 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Use cyber threat intelligence to maintain awareness of the types of threat + actors likely to target the organization and the TTPs they are likely to use + + Ex2: Perform threat hunting to look for signs of threat actors within the + environment + + Ex3: Implement processes for identifying internal threat actors' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-04 + description: Potential impacts and likelihoods of threats exploiting vulnerabilities + are identified and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node95 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Business leaders and cybersecurity risk management practitioners work + together to estimate the likelihood and impact of risk scenarios and record + them in risk registers + + Ex2: Enumerate the potential business impacts of unauthorized access to the + organization''s communications, systems, and data processed in or by those + systems + + Ex3: Account for the potential impacts of cascading failures for systems of + systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-05 + description: Threats, vulnerabilities, likelihoods, and impacts are used to + understand inherent risk and inform risk response prioritization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node97 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Develop threat models to better understand risks to the data and identify + appropriate risk responses + + Ex2: Prioritize cybersecurity resource allocations and investments based on + estimated likelihoods and impacts' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-06 + description: Risk responses are chosen, prioritized, planned, tracked, and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node99 + assessable: false + 
depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Apply the vulnerability management plan''s criteria for deciding whether + to accept, transfer, mitigate, or avoid risk + + Ex2: Apply the vulnerability management plan''s criteria for selecting compensating + controls to mitigate risk + + Ex3: Track the progress of risk response implementation (e.g., plan of action + and milestones [POA&M], risk register, risk detail report) + + Ex4: Use risk assessment findings to inform risk response decisions and actions + + Ex5: Communicate planned risk responses to affected stakeholders in priority + order' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-07 + description: Changes and exceptions are managed, assessed for risk impact, recorded, + and tracked + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node101 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 + name: Examples + description: 'Ex1: Implement and follow procedures for the formal documentation, + review, testing, and approval of proposed changes and requested exceptions + + Ex2: Document the possible risks of making or not making each proposed change, + and provide guidance on rolling back changes + + Ex3: Document the risks related to each requested exception and the plan for + responding to those risks + + Ex4: Periodically review risks that were accepted based upon planned future + actions or milestones' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-08 + description: Processes for receiving, analyzing, and responding to vulnerability + disclosures are established + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node103 + assessable: false + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Conduct vulnerability information sharing between the organization and + its suppliers following the rules and protocols defined in contracts + + Ex2: Assign responsibilities and verify the execution of procedures for processing, + analyzing the impact of, and responding to cybersecurity threat, vulnerability, + or incident disclosures by suppliers, customers, partners, and government + cybersecurity organizations' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-09 + description: The authenticity and integrity of hardware and software are assessed + prior to acquisition and use + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node105 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 + name: Examples + description: 'Ex1: Assess the authenticity and cybersecurity of critical technology + products and services prior to acquisition and use + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-10 + description: Critical suppliers are assessed prior to acquisition + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node107 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 + name: Examples + description: 'Ex1: Conduct supplier risk assessments against business and applicable + cybersecurity requirements, including the supply chain' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.IM + name: Improvement + description: Improvements to organizational cybersecurity risk management processes, + 
procedures and activities are identified across all CSF Functions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-01 + description: Improvements are identified from evaluations + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node110 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Perform self-assessments of critical services that take current threats + and TTPs into consideration + + Ex2: Invest in third-party assessments or independent audits of the effectiveness + of the organization''s cybersecurity program to identify areas that need improvement + + Ex3: Constantly evaluate compliance with selected cybersecurity requirements + through automated means' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-02 + description: Improvements are identified from security tests and exercises, + including those done in coordination with suppliers and relevant third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node112 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify improvements for future incident response activities based on + findings from incident response assessments (e.g., tabletop exercises and + simulations, tests, internal reviews, independent audits) + + Ex2: Identify improvements for future business continuity, disaster recovery, + and incident response activities based on exercises performed in coordination + with critical service providers and product suppliers + + Ex3: Involve internal stakeholders (e.g., senior executives, legal department, + HR) in security tests and exercises 
as appropriate + + Ex4: Perform penetration testing to identify opportunities to improve the + security posture of selected high-risk systems as approved by leadership + + Ex5: Exercise contingency plans for responding to and recovering from the + discovery that products or services did not originate with the contracted + supplier or partner or were altered before receipt + + Ex6: Collect and analyze performance metrics using security tools and services + to inform improvements to the cybersecurity program' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-03 + description: Improvements are identified from execution of operational processes, + procedures, and activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node114 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Conduct collaborative lessons learned sessions with suppliers + + Ex2: Annually review cybersecurity policies, processes, and procedures to + take lessons learned into account + + Ex3: Use metrics to assess operational cybersecurity performance over time' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-04 + description: Incident response plans and other cybersecurity plans that affect + operations are established, communicated, maintained, and improved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node116 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish contingency plans (e.g., incident response, business continuity, + disaster recovery) for responding to and recovering from adverse events that + can interfere with operations, expose confidential 
information, or otherwise + endanger the organization''s mission and viability + + Ex2: Include contact and communication information, processes for handling + common scenarios, and criteria for prioritization, escalation, and elevation + in all contingency plans + + Ex3: Create a vulnerability management plan to identify and assess all types + of vulnerabilities and to prioritize, test, and implement risk responses + + Ex4: Communicate cybersecurity plans (including updates) to those responsible + for carrying them out and to affected parties + + Ex5: Review and update all cybersecurity plans annually or when a need for + significant improvements is identified' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + assessable: false + depth: 1 + ref_id: PR + name: PROTECT + description: Safeguards to manage the organization's cybersecurity risks are + used + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.AA + name: Identity Management, Authentication, and Access Control + description: Access to physical and logical assets is limited to authorized + users, services, and hardware and managed commensurate with the assessed + risk of unauthorized access + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-01 + description: Identities and credentials for authorized users, services, and + hardware are managed by the organization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node120 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Initiate requests for new access or additional access for employees, + contractors, and others, and track, review, and fulfill the requests, with + permission from system or data owners when needed + + Ex2: Issue, manage, 
and revoke cryptographic certificates and identity tokens, + cryptographic keys (i.e., key management), and other credentials + + Ex3: Select a unique identifier for each device from immutable hardware characteristics + or an identifier securely provisioned to the device + + Ex4: Physically label authorized hardware with an identifier for inventory + and servicing purposes' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-02 + description: Identities are proofed and bound to credentials based on the context + of interactions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node122 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Verify a person''s claimed identity at enrollment time using government-issued + identity credentials (e.g., passport, visa, driver''s license) + + Ex2: Issue a different credential for each person (i.e., no credential sharing)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-03 + description: Users, services, and hardware are authenticated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node124 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Require multifactor authentication + + Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar + authenticators + + Ex3: Periodically reauthenticate users, services, and hardware based on risk + (e.g., in zero trust architectures) + + Ex4: Ensure that authorized personnel can access accounts essential for protecting + safety under emergency conditions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 + 
assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-04 + description: Identity assertions are protected, conveyed, and verified + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node126 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Protect identity assertions that are used to convey authentication and + user information through single sign-on systems + + Ex2: Protect identity assertions that are used to convey authentication and + user information between federated systems + + Ex3: Implement standards-based approaches for identity assertions in all contexts, + and follow all guidance for the generation (e.g., data models, metadata), + protection (e.g., digital signing, encryption), and verification (e.g., signature + validation) of identity assertions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-05 + description: Access permissions, entitlements, and authorizations are defined + in a policy, managed, enforced, and reviewed, and incorporate the principles + of least privilege and separation of duties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node128 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review logical and physical access privileges periodically and whenever + someone changes roles or leaves the organization, and promptly rescind privileges + that are no longer needed + + Ex2: Take attributes of the requester and the requested resource into account + for authorization decisions (e.g., geolocation, day/time, requester endpoint''s + cyber health) + + Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust + architecture) + + Ex4: Periodically 
review the privileges associated with critical business + functions to confirm proper separation of duties' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-06 + description: Physical access to assets is managed, monitored, and enforced commensurate + with risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node130 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Use security guards, security cameras, locked entrances, alarm systems, + and other physical controls to monitor facilities and restrict access + + Ex2: Employ additional physical security controls for areas that contain high-risk + assets + + Ex3: Escort guests, vendors, and other third parties within areas that contain + business-critical assets' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.AT + name: Awareness and Training + description: The organization's personnel are provided with cybersecurity awareness + and training so that they can perform their cybersecurity-related tasks + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + ref_id: PR.AT-01 + description: Personnel are provided with awareness and training so that they + possess the knowledge and skills to perform general tasks with cybersecurity + risks in mind + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node133 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Provide basic cybersecurity awareness and training to employees, contractors, + partners, suppliers, and all other users of the 
organization''s non-public + resources + + Ex2: Train personnel to recognize social engineering attempts and other common + attacks, report attacks and suspicious activity, comply with acceptable use + policies, and perform basic cyber hygiene tasks (e.g., patching software, + choosing passwords, protecting credentials) + + Ex3: Explain the consequences of cybersecurity policy violations, both to + individual users and the organization as a whole + + Ex4: Periodically assess or test users on their understanding of basic cybersecurity + practices + + Ex5: Require annual refreshers to reinforce existing practices and introduce + new practices' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + ref_id: PR.AT-02 + description: Individuals in specialized roles are provided with awareness and + training so that they possess the knowledge and skills to perform relevant + tasks with cybersecurity risks in mind + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node135 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify the specialized roles within the organization that require additional + cybersecurity training, such as physical and cybersecurity personnel, finance + personnel, senior leadership, and anyone with access to business-critical + data + + Ex2: Provide role-based cybersecurity awareness and training to all those + in specialized roles, including contractors, partners, suppliers, and other + third parties + + Ex3: Periodically assess or test users on their understanding of cybersecurity + practices for their specialized roles + + Ex4: Require annual refreshers to reinforce existing practices and introduce + new practices' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + assessable: false + depth: 2 + parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.DS + name: Data Security + description: Data are managed consistent with the organization's risk strategy + to protect the confidentiality, integrity, and availability of information + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-01 + description: The confidentiality, integrity, and availability of data-at-rest + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node138 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use encryption, digital signatures, and cryptographic hashes to protect + the confidentiality and integrity of stored data in files, databases, virtual + machine disk images, container images, and other resources + + Ex2: Use full disk encryption to protect data stored on user endpoints + + Ex3: Confirm the integrity of software by validating signatures + + Ex4: Restrict the use of removable media to prevent data exfiltration + + Ex5: Physically secure removable media containing unencrypted sensitive information, + such as within locked offices or file cabinets' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-02 + description: The confidentiality, integrity, and availability of data-in-transit + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node140 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use encryption, digital signatures, and cryptographic hashes to protect + the confidentiality and integrity of network communications + + Ex2: Automatically encrypt or block outbound emails and other communications + that contain 
sensitive data, depending on the data classification + + Ex3: Block access to personal email, file sharing, file storage services, + and other personal communications applications and services from organizational + systems and networks + + Ex4: Prevent reuse of sensitive data from production environments (e.g., customer + records) in development, testing, and other non-production environments' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-10 + description: The confidentiality, integrity, and availability of data-in-use + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node142 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Remove data that must remain confidential (e.g., from processors and + memory) as soon as it is no longer needed + + Ex2: Protect data in use from access by other users and processes of the same + platform' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-11 + description: Backups of data are created, protected, maintained, and tested + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node144 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Continuously back up critical data in near-real-time, and back up other + data frequently at agreed-upon schedules + + Ex2: Test backups and restores for all types of data sources at least annually + + Ex3: Securely store some backups offline and offsite so that an incident or + disaster will not damage them + + Ex4: Enforce geographic separation and geolocation restrictions for data backup + storage' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + 
assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.PS + name: Platform Security + description: The hardware, software (e.g., firmware, operating systems, applications), + and services of physical and virtual platforms are managed consistent with + the organization's risk strategy to protect their confidentiality, integrity, + and availability + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-01 + description: Configuration management practices are established and applied + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node147 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish, test, deploy, and maintain hardened baselines that enforce + the organization''s cybersecurity policies and provide only essential capabilities + (i.e., principle of least functionality) + + Ex2: Review all default configuration settings that may potentially impact + cybersecurity when installing or upgrading software + + Ex3: Monitor implemented software for deviations from approved baselines' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-02 + description: Software is maintained, replaced, and removed commensurate with + risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node149 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Perform routine and emergency patching within the timeframes specified + in the vulnerability management plan + + Ex2: Update container images, and deploy new container instances to replace + rather than update existing instances + + Ex3: Replace end-of-life software and 
service versions with supported, maintained + versions + + Ex4: Uninstall and remove unauthorized software and services that pose undue + risks + + Ex5: Uninstall and remove any unnecessary software components (e.g., operating + system utilities) that attackers might misuse + + Ex6: Define and implement plans for software and service end-of-life maintenance + support and obsolescence' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-03 + description: Hardware is maintained, replaced, and removed commensurate with + risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node151 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Replace hardware when it lacks needed security capabilities or when it + cannot support software with needed security capabilities + + Ex2: Define and implement plans for hardware end-of-life maintenance support + and obsolescence + + Ex3: Perform hardware disposal in a secure, responsible, and auditable manner' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-04 + description: Log records are generated and made available for continuous monitoring + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node153 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Configure all operating systems, applications, and services (including + cloud-based services) to generate log records + + Ex2: Configure log generators to securely share their logs with the organization''s + logging infrastructure systems and services + + Ex3: Configure log generators to record the data needed by zero-trust architectures' 
+ - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-05 + description: Installation and execution of unauthorized software are prevented + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node155 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: When risk warrants it, restrict software execution to permitted products + only or deny the execution of prohibited and unauthorized software + + Ex2: Verify the source of new software and the software''s integrity before + installing it + + Ex3: Configure platforms to use only approved DNS services that block access + to known malicious domains + + Ex4: Configure platforms to allow the installation of organization-approved + software only' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-06 + description: Secure software development practices are integrated, and their + performance is monitored throughout the software development life cycle + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node157 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Protect all components of organization-developed software from tampering + and unauthorized access + + Ex2: Secure all software produced by the organization, with minimal vulnerabilities + in their releases + + Ex3: Maintain the software used in production environments, and securely dispose + of software once it is no longer needed' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.IR + name: Technology Infrastructure Resilience + description: 
Security architectures are managed with the organization's risk + strategy to protect asset confidentiality, integrity, and availability, and + organizational resilience + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-01 + description: Networks and environments are protected from unauthorized logical + access and usage + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node160 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Logically segment organization networks and cloud-based platforms according + to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), + and permit required communications only between segments + + Ex2: Logically segment organization networks from external networks, and permit + only necessary communications to enter the organization''s networks from the + external networks + + Ex3: Implement zero trust architectures to restrict network access to each + resource to the minimum necessary + + Ex4: Check the cyber health of endpoints before allowing them to access and + use production resources' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-02 + description: The organization's technology assets are protected from environmental + threats + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node162 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Protect organizational equipment from known environmental threats, such + as flooding, fire, wind, and excessive heat and humidity + + Ex2: Include protection from environmental threats and provisions for 
adequate + operating infrastructure in requirements for service providers that operate + systems on the organization''s behalf' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-03 + description: Mechanisms are implemented to achieve resilience requirements in + normal and adverse situations + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node164 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Avoid single points of failure in systems and infrastructure + + Ex2: Use load balancing to increase capacity and improve reliability + + Ex3: Use high-availability components like redundant storage and power supplies + to improve system reliability' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-04 + description: Adequate resource capacity to ensure availability is maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node166 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 + name: Examples + description: 'Ex1: Monitor usage of storage, power, compute, network bandwidth, + and other resources + + Ex2: Forecast future needs, and scale resources accordingly' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + assessable: false + depth: 1 + ref_id: DE + name: DETECT + description: Possible cybersecurity attacks and compromises are found and analyzed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + ref_id: DE.CM + name: Continuous Monitoring + description: Assets are monitored to find anomalies, indicators of compromise, + and other potentially adverse events + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-01 + description: Networks and network services are monitored to find potentially + adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node170 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 + name: Examples + description: 'Ex1: Monitor DNS, BGP, and other network services for adverse + events + + Ex2: Monitor wired and wireless networks for connections from unauthorized + endpoints + + Ex3: Monitor facilities for unauthorized or rogue wireless networks + + Ex4: Compare actual network flows against baselines to detect deviations + + Ex5: Monitor network communications to identify changes in security postures + for zero trust purposes + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-02 + description: The physical environment is monitored to find potentially adverse + events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node172 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 + name: Examples + description: 'Ex1: Monitor logs from physical access control systems (e.g., + badge readers) to find unusual access patterns (e.g., deviations from the + norm) and failed access attempts + + Ex2: Review and monitor physical access records (e.g., from visitor registration, + sign-in sheets) + + Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) + for signs of tampering + + Ex4: Monitor the physical environment using alarm systems, cameras, and security + guards + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-03 + 
description: Personnel activity and technology usage are monitored to find potentially + adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node174 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 + name: Examples + description: 'Ex1: Use behavior analytics software to detect anomalous user + activity to mitigate insider threats + + Ex2: Monitor logs from logical access control systems to find unusual access + patterns and failed access attempts + + Ex3: Continuously monitor deception technology, including user accounts, for + any usage + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-06 + description: External service provider activities and services are monitored + to find potentially adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node176 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 + name: Examples + description: 'Ex1: Monitor remote and onsite administration and maintenance + activities that external providers perform on organizational systems + + Ex2: Monitor activity from cloud-based services, internet service providers, + and other service providers for deviations from expected behavior + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-09 + description: Computing hardware and software, runtime environments, and their + data are monitored to find potentially adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node178 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 + name: Examples + description: 'Ex1: Monitor email, web, file sharing, collaboration services, + and other common attack vectors to detect 
malware, phishing, data leaks and + exfiltration, and other adverse events + + Ex2: Monitor authentication attempts to identify attacks against credentials + and unauthorized credential reuse + + Ex3: Monitor software configurations for deviations from security baselines + + Ex4: Monitor hardware and software for signs of tampering + + Ex5: Use technologies with a presence on endpoints to detect cyber health + issues (e.g., missing patches, malware infections, unauthorized software), + and redirect the endpoints to a remediation environment before access is authorized + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + ref_id: DE.AE + name: Adverse Event Analysis + description: Anomalies, indicators of compromise, and other potentially adverse + events are analyzed to characterize the events and detect cybersecurity incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-02 + description: Potentially adverse events are analyzed to better understand associated + activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node181 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 + name: Examples + description: 'Ex1: Use security information and event management (SIEM) or other + tools to continuously monitor log events for known malicious and suspicious + activity + + Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to + improve detection accuracy and characterize threat actors, their methods, + and indicators of compromise + + Ex3: Regularly conduct manual reviews of log events for technologies that + cannot be sufficiently monitored through automation + + Ex4: Use log analysis tools to generate reports on their findings + + 1st: 1st Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-03 + description: Information is correlated from multiple sources + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node183 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 + name: Examples + description: 'Ex1: Constantly transfer log data generated by other sources to + a relatively small number of log servers + + Ex2: Use event correlation technology (e.g., SIEM) to collect information + captured by multiple sources + + Ex3: Utilize cyber threat intelligence to help correlate events among log + sources + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-04 + description: The estimated impact and scope of adverse events are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node185 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 + name: Examples + description: 'Ex1: Use SIEMs or other tools to estimate impact and scope, and + review and refine the estimates + + Ex2: A person creates their own estimates of impact and scope + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-06 + description: Information on adverse events is provided to authorized staff and + tools + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node187 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 + name: Examples + description: 'Ex1: Use cybersecurity software to generate alerts and provide + them to the security operations center (SOC), incident responders, and incident + response tools + + Ex2: Incident responders and other 
authorized personnel can access log analysis + findings at all times + + Ex3: Automatically create and assign tickets in the organization''s ticketing + system when certain types of alerts occur + + Ex4: Manually create and assign tickets in the organization''s ticketing system + when technical staff discover indicators of compromise + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-07 + description: Cyber threat intelligence and other contextual information are + integrated into the analysis + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node189 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 + name: Examples + description: 'Ex1: Securely provide cyber threat intelligence feeds to detection + technologies, processes, and personnel + + Ex2: Securely provide information from asset inventories to detection technologies, + processes, and personnel + + Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization''s + technologies from suppliers, vendors, and third-party security advisories + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-08 + description: Incidents are declared when adverse events meet the defined incident + criteria + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node191 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 + name: Examples + description: 'Ex1: Apply incident criteria to known and assumed characteristics + of activity in order to determine whether an incident should be declared + + Ex2: Take known false positives into account when applying incident criteria + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + assessable: false + 
depth: 1 + ref_id: RS + name: RESPOND + description: Actions regarding a detected cybersecurity incident are taken + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.MA + name: Incident Management + description: Responses to detected cybersecurity incidents are managed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-01 + description: The incident response plan is executed in coordination with relevant + third parties once an incident is declared + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node195 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 + name: Examples + description: 'Ex1: Detection technologies automatically report confirmed incidents + + Ex2: Request incident response assistance from the organization''s incident + response outsourcer + + Ex3: Designate an incident lead for each incident + + Ex4: Initiate execution of additional cybersecurity plans as needed to support + incident response (for example, business continuity and disaster recovery) + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-02 + description: Incident reports are triaged and validated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node197 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related + and necessitate incident response activities + + Ex2: Apply criteria to estimate the severity of an incident' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 + assessable: true + depth: 3 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-03 + description: Incidents are categorized and prioritized + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node199 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Further review and categorize incidents based on the type of incident + (e.g., data breach, ransomware, DDoS, account compromise) + + Ex2: Prioritize incidents based on their scope, likely impact, and time-critical + nature + + Ex3: Select incident response strategies for active incidents by balancing + the need to quickly recover from an incident with the need to observe the + attacker or conduct a more thorough investigation' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-04 + description: Incidents are escalated or elevated as needed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node201 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Track and validate the status of all ongoing incidents + + Ex2: Coordinate incident escalation or elevation with designated internal + and external stakeholders' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-05 + description: The criteria for initiating incident recovery are applied + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node203 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Apply incident recovery criteria to known and assumed characteristics + of the incident to determine whether incident recovery processes should be + initiated + + 
Ex2: Take the possible operational disruption of incident recovery activities + into account' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.AN + name: Incident Analysis + description: Investigations are conducted to ensure effective response and support + forensics and recovery activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-03 + description: Analysis is performed to establish what has taken place during + an incident and the root cause of the incident + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node206 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Determine the sequence of events that occurred during the incident and + which assets and resources were involved in each event + + Ex2: Attempt to determine what vulnerabilities, threats, and threat actors + were directly or indirectly involved in the incident + + Ex3: Analyze the incident to find the underlying, systemic root causes + + Ex4: Check any cyber deception technology for additional information on attacker + behavior' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-06 + description: Actions performed during an investigation are recorded, and the + records' integrity and provenance are preserved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node208 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Require each incident responder and others (e.g., system administrators, + cybersecurity engineers) who perform incident response tasks to record 
their + actions and make the record immutable + + Ex2: Require the incident lead to document the incident in detail and be responsible + for preserving the integrity of the documentation and the sources of all information + being reported' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-07 + description: Incident data and metadata are collected, and their integrity and + provenance are preserved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node210 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident + data and metadata (e.g., data source, date/time of collection) based on evidence + preservation and chain-of-custody procedures' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-08 + description: An incident's magnitude is estimated and validated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node212 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review other potential targets of the incident to search for indicators + of compromise and evidence of persistence + + Ex2: Automatically run tools on targets to look for indicators of compromise + and evidence of persistence' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.CO + name: Incident Response Reporting and Communication + description: Response activities are coordinated with internal and external + stakeholders as required by laws, regulations, or policies + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + ref_id: RS.CO-02 + description: Internal and external stakeholders are notified of incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node215 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Follow the organization''s breach notification procedures after discovering + a data breach incident, including notifying affected customers + + Ex2: Notify business partners and customers of incidents in accordance with + contractual requirements + + Ex3: Notify law enforcement agencies and regulatory bodies of incidents based + on criteria in the incident response plan and management approval' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + ref_id: RS.CO-03 + description: Information is shared with designated internal and external stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node217 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Securely share information consistent with response plans and information + sharing agreements + + Ex2: Voluntarily share information about an attacker''s observed TTPs, with + all sensitive data removed, with an Information Sharing and Analysis Center + (ISAC) + + Ex3: Notify HR when malicious insider activity occurs + + Ex4: Regularly update senior leadership on the status of major incidents + + Ex5: Follow the rules and protocols defined in contracts for incident information + sharing between the organization and its suppliers + + Ex6: Coordinate crisis communication methods between the organization and + its critical 
suppliers' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.MI + name: Incident Mitigation + description: Activities are performed to prevent expansion of an event and mitigate + its effects + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + ref_id: RS.MI-01 + description: Incidents are contained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node220 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity + features of other technologies (e.g., operating systems, network infrastructure + devices) automatically perform containment actions + + Ex2: Allow incident responders to manually select and perform containment + actions + + Ex3: Allow a third party (e.g., internet service provider, managed security + service provider) to perform containment actions on behalf of the organization + + Ex4: Automatically transfer compromised endpoints to a remediation virtual + local area network (VLAN)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + ref_id: RS.MI-02 + description: Incidents are eradicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node222 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Cybersecurity technologies and cybersecurity features of other technologies + (e.g., operating systems, network infrastructure devices) automatically perform + eradication actions + + Ex2: Allow incident responders to manually select and perform 
eradication + actions + + Ex3: Allow a third party (e.g., managed security service provider) to perform + eradication actions on behalf of the organization' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + assessable: false + depth: 1 + ref_id: RC + name: RECOVER + description: Assets and operations affected by a cybersecurity incident are + restored + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + ref_id: RC.RP + name: Incident Recovery Plan Execution + description: Restoration activities are performed to ensure operational availability + of systems and services affected by cybersecurity incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-01 + description: The recovery portion of the incident response plan is executed + once initiated from the incident response process + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node226 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Begin recovery procedures during or after incident response processes + + Ex2: Make all individuals with recovery responsibilities aware of the plans + for recovery and the authorizations required to implement each aspect of the + plans' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-02 + description: Recovery actions are selected, scoped, prioritized, and performed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node228 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Select recovery actions based on the criteria defined in the incident + response 
plan and available resources + + Ex2: Change planned recovery actions based on a reassessment of organizational + needs and resources' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-03 + description: The integrity of backups and other restoration assets is verified + before using them for restoration + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node230 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Check restoration assets for indicators of compromise, file corruption, + and other integrity issues before use' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-04 + description: Critical mission functions and cybersecurity risk management are + considered to establish post-incident operational norms + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node232 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use business impact and system categorization records (including service + delivery objectives) to validate that essential services are restored in the + appropriate order + + Ex2: Work with system owners to confirm the successful restoration of systems + and the return to normal operations + + Ex3: Monitor the performance of restored systems to verify the adequacy of + the restoration' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-05 + description: The integrity of restored assets is verified, systems and services + are restored, and normal operating status is confirmed + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:node234 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Check restored assets for indicators of compromise and remediation of + root causes of the incident before production use + + Ex2: Verify the correctness and adequacy of the restoration actions taken + before putting a restored system online' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-06 + description: The end of incident recovery is declared based on criteria, and + incident-related documentation is completed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node236 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Prepare an after-action report that documents the incident itself, the + response and recovery actions taken, and lessons learned + + Ex2: Declare the end of incident recovery once the criteria are met' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + ref_id: RC.CO + name: Incident Recovery Communication + description: Restoration activities are coordinated with internal and external + parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + ref_id: RC.CO-03 + description: Recovery activities and progress in restoring operational capabilities + are communicated to designated internal and external stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node239 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + 
Ex1: Securely share recovery information, including restoration progress, + consistent with response plans and information sharing agreements + + Ex2: Regularly update senior leadership on recovery status and restoration + progress for major incidents + + Ex3: Follow the rules and protocols defined in contracts for incident information + sharing between the organization and its suppliers + + Ex4: Coordinate crisis communication between the organization and its critical + suppliers' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + ref_id: RC.CO-04 + description: Public updates on incident recovery are shared using approved methods + and messaging + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node241 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Follow the organization''s breach notification procedures for recovering + from a data breach incident + + Ex2: Explain the steps being taken to recover from the incident and to prevent + a recurrence'
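Review bot: The Examples nodes in this file get counter-based URNs (node199, node201, ... node241 across the RS and RC sections) while every other node derives its URN from its ref_id, which makes these identifiers unstable. The numbers look like a running index over all nodes (rs.an-03 is followed by node206, rs.an-06 by node208), so adding or removing one row in the source spreadsheet would renumber every later Examples node, and anything that stored the old URN would then point at a different requirement's examples. Consider deriving the URN from the parent instead, for example urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03:examples. Separately, each Examples description opens with the legend lines '1st: 1st Party Risk' and, on some nodes, '3rd: 3rd Party Risk' as free text inside the description string; if the importer or UI ever needs to filter by first-party versus third-party applicability, a dedicated field on the node would be easier to consume than parsing the description.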