From 8ab02f1d89c80c2d63bd9d538a7dbe8cbc795f64 Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Sun, 28 Apr 2024 14:16:01 +0200 Subject: [PATCH 1/2] Add CJIS Security Policy Framework --- README.md | 4 +- .../library/libraries/cjis-policy-5.9.4.yaml | 10098 ++++++++++++++++ tools/cjis/cjis-policy-5.9.4.xlsx | Bin 0 -> 97083 bytes 3 files changed, 10100 insertions(+), 2 deletions(-) create mode 100644 backend/library/libraries/cjis-policy-5.9.4.yaml create mode 100644 tools/cjis/cjis-policy-5.9.4.xlsx diff --git a/README.md b/README.md index d0e286c3b..e9f445c04 100644 --- a/README.md +++ b/README.md @@ -101,6 +101,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant 29. CSA CCM (Cloud Controls Matrix)\* 30. FADP (Federal Act on Data Protection) πŸ‡¨πŸ‡­ 31. NIST SP 800-171 rev2 πŸ‡ΊπŸ‡Έ +32. CJIS Security Policy 5.9.4 πŸ•΅
@@ -120,10 +121,9 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the - SOX - MASVS - FedRAMP -- FBI CJIS - NCSC Cyber Assessment Framework (CAF) - UK Cyber Essentials -- and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, _free of charge_ πŸ˜‰ +- and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open and license-free standard, we'll do it for you, _free of charge_ πŸ˜‰ ### Add your own framework diff --git a/backend/library/libraries/cjis-policy-5.9.4.yaml b/backend/library/libraries/cjis-policy-5.9.4.yaml new file mode 100644 index 000000000..ee48910d1 --- /dev/null +++ b/backend/library/libraries/cjis-policy-5.9.4.yaml 
@@ -0,0 +1,10098 @@ +urn: urn:intuitem:risk:library:cjis-policy-5.9.4 +locale: en +ref_id: CJIS-POLICY-5.9.4 +name: Criminal Justice Information Services (CJIS) Security Policy +description: The Criminal Justice Information Services (CJIS) Security Policy is a + set of standards and guidelines developed by the FBI to help secure criminal justice + information (CJI), such as fingerprints, criminal histories, and other data. The + policy aims to provide appropriate controls to protect the full lifecycle of CJI, + ensuring that it is securely handled, stored, and transmitted. +copyright: US CJIS +version: 1 +provider: US CJIS +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:cjis-policy-5.9.4 + ref_id: CJIS-POLICY-5.9.4 + name: Criminal Justice Information Services (CJIS) Security Policy + description: The Criminal Justice Information Services (CJIS) Security Policy + is a set of standards and guidelines developed by the FBI to help secure criminal + justice information (CJI), such as fingerprints, criminal histories, and other + data. The policy aims to provide appropriate controls to protect the full lifecycle + of CJI, ensuring that it is securely handled, stored, and transmitted. 
+ requirement_nodes: + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + assessable: false + depth: 1 + name: CJIS Security Policy Sections 1 - 4 (Introduction, Approach, Roles & Responsibilities, + and CJI/PII) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Relationship to Local Security Policy and Other Policies + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + description: "The local agency may complement the CJIS Security Policy with\ + \ a local policy, or the agency may develop their own stand-alone security\ + \ policy; however, the CJIS Security Policy shall always be the minimum standard\ + \ and local policy may augment, or increase the standards,\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + description: '...and local policy may augment, or increase the standards, but + shall not detract from the CJIS Security Policy standards.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + description: The agency shall develop, disseminate, and maintain formal, documented + procedures to facilitate the implementation of the CJIS Security Policy and, + where applicable, the local security policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + description: The policies and procedures shall be consistent with applicable + laws, Executive Orders, directives, policies, regulations, standards, and + guidance. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node8 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: CJIS Systems Agencies (CSA) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node8 + description: The head of each CSA shall appoint a CJIS Systems Officer (CSO). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node8 + description: Such decisions shall be documented and kept current. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: CJIS Systems Officer (CSO) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: Pursuant to The Bylaws for the CJIS Advisory Policy Board and Working + Groups, the role of CSO shall not be outsourced. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node13 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: 'The CSO shall set, maintain, and enforce the following:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node14 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: 1. Standards for the selection, supervision, and separation of + personnel who have access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node15 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: 2. 
Policy governing the operation of computers, access devices, + circuits, hubs, routers, firewalls, and other components that comprise and + support a telecommunications network and related CJIS systems used to process, + store, or transmit CJI, guaranteeing the priority, confidentiality, integrity, + and availability of service needed by the criminal justice community. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node16 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: a. Ensure appropriate use, enforce system discipline, and ensure + CJIS Division operating procedures are followed by all users of the respective + services and information. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node17 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: b. Ensure state/federal agency compliance with policies approved + by the APB and adopted by the FBI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node18 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: c. Ensure the appointment of the CSA ISO and determine the extent + of authority to the CSA ISO. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node19 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: d. Ensure the designation of a Terminal Agency Coordinator (TAC) + within each agency with device access to CJIS systems. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node20 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: e. Ensure each agency having access to CJI has someone designated + as the Local Agency Security Officer (LASO). 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node21 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: f. Ensure the LASO receives enhanced security awareness training + (ref. Section 5.2). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node22 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: g. Approve access to FBI CJIS systems. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node23 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: h. Assume ultimate responsibility for managing the security of + CJIS systems within their state and/or agency. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node24 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: i. Perform other related duties outlined by the user agreements + with the FBI CJIS Division. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node25 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: 3. Outsourcing of Criminal Justice Functions + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node26 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: a. Responsibility for the management of the approved security + requirements shall remain with the CJA. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node27 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: b. Responsibility for the management control of network security + shall remain with the CJA. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node28 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Contracting Government Agency (CGA) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node29 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node28 + description: A CGA is a government agency, whether a CJA or a NCJA, that enters + into an agreement with a private contractor subject to the CJIS Security Addendum. + The CGA entering into an agreement with a contractor shall appoint an Agency + Coordinator. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Agency Coordinator (AC) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node31 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: The AC shall be responsible for the supervision and integrity of + the system, training and continuing education of employees and operators, + scheduling of initial training and testing, and certification testing and + all required reports by NCIC. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 'The AC shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node33 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 1. Understand the communications, records capabilities, and needs + of the Contractor which is accessing federal and state records through or + because of its relationship with the CGA. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node34 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 2. 
Participate in related meetings and provide input and comments + for system improvement. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node35 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 3. Receive information from the CGA (e.g., system updates) and + disseminate it to appropriate Contractor employees. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node36 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 4. Maintain and update manuals applicable to the effectuation + of the agreement, and provide them to the Contractor. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node37 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: "5. Maintain up-to-date records of Contractor\u2019s employees\ + \ who access the system, including name, date of birth, social security number,\ + \ date fingerprint card(s) submitted, date security clearance issued, and\ + \ date initially trained, tested, certified or recertified (if applicable)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node38 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 6. Train or ensure the training of Contractor personnel. If Contractor + personnel access NCIC, schedule the operators for testing or a certification + exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule + new operators for the certification exam within six (6) months of assignment. Schedule + certified operators for biennial re-certification testing within thirty (30) + days prior to the expiration of certification. Schedule operators for other + mandated class. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node39 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 7. 
The AC will not permit an untrained/untested or non-certified + Contractor employee to access CJI or systems supporting CJI where access to + CJI can be gained. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node40 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 8. Where appropriate, ensure compliance by the Contractor with + NCIC validation requirements. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node41 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 9. Provide completed applicant fingerprint cards on each Contractor + employee who accesses the system to the CJA (or, where appropriate, CSA) for + criminal background investigation prior to such employee accessing the system. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node42 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 10. Any other responsibility for the AC promulgated by the FBI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: CJIS System Agency Information Secrurity Officer (CSA ISO) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node44 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: 'The CSA ISO shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node45 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: 1. Serve as the security point of contact (POC) to the FBI CJIS + Division ISO. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node46 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: "2. 
Document technical compliance with the CJIS Security Policy\ + \ with the goal to assure the confidentiality, integrity, and availability\ + \ of criminal justice information to the user community throughout the CSA\u2019\ + s user community, to include the local level." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node47 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: 3. Document and provide assistance for implementing the security-related + controls for the Interface Agency and its users. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node48 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: 4. Establish a security incident response and reporting procedure + to discover, investigate, document, and report to the CSA, the affected criminal + justice agency, and the FBI CJIS Division ISO major incidents that significantly + endanger the security or integrity of CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Local Agency Security Officer (LASO) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node50 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 'Each LASO shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node51 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 1. Identify who is using the CSA approved hardware, software, + and firmware and ensure no unauthorized individuals or processes have access + to the same. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node52 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 2. Identify and document how the equipment is connected to the + state system. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node53 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 3. Ensure that personnel security screening procedures are being + followed as stated in this policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node54 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 4. Ensure the approved and appropriate security measures are in + place and working as expected. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node55 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 5. Support policy compliance and ensure CSA ISO is promptly informed + of security incidents. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: FBI CJIS Division Information Security Officer (FBI CJIS ISO) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 'The FBI CJIS ISO shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node58 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 1. Maintain the CJIS Security Policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node59 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 2. Disseminate the FBI Director approved CJIS Security Policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node60 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: "3. 
Serve as a liaison with the CSA\u2019s ISO and with other\ + \ personnel across the CJIS community and in this regard provide technical\ + \ guidance as to the intent and implementation of operational and technical\ + \ policy issues." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node61 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 4. Serve as a point-of-contact (POC) for computer incident notification + and distribution of security alerts to the CSOs and ISOs. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node62 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 5. Assist with developing audit compliance guidelines as well + as identifying and reconciling security-related issues. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node63 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 6. Develop and participate in information security training programs + for the CSOs and ISOs, and provide a means by which to acquire feedback to + measure the effectiveness and success of such training. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node64 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 7. Maintain a security policy resource center (SPRC) on FBI.gov + and keep the CSOs and ISOs updated on pertinent information. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node65 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Compact Officer + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node66 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node65 + description: "Pursuant to the National Crime Prevention and Privacy Compact,\ + \ each party state shall appoint a Compact Officer\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node67 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node65 + description: '...Compact Officer who shall ensure that Compact provisions and + rules, procedures, and standards established by the Compact Council are complied + with in their respective state.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node68 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Proper Access, Use, and Dissemination of CHRI + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node69 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node68 + description: The III shall be accessed only for an authorized purpose. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node70 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node68 + description: Further, CHRI shall only be used for an authorized purpose consistent + with the purpose for which III was accessed. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Proper Access, Use, and Dissemination of NCIC Restricted Files Information + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node72 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: Proper access to, use, and dissemination of data from restricted + files shall be consistent with the access, use, and dissemination policies + concerning the III described in Title 28, Part 20, CFR, and the NCIC Operating + Manual. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node73 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 'The restricted files, which shall be protected as CHRI, are as + follows:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node74 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 1. Gang File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node75 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 2. Threat Screening Center File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node76 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 3. Supervised Release File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node77 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 4. National Sex Offender Registry File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node78 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 5. 
Historical Protection Order File of the NCIC + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node79 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 6. Identity Theft File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node80 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 7. Protective Interest File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node81 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 8. Person With Information [PWI] data in the Missing Person Files + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node82 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 9. Violent Person File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node83 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 10. NICS Denied Transaction File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node84 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: For Other Authorized Purposes + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node85 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node84 + description: 'Non-restricted files information shall not be disseminated commercially. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node86 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node84 + description: 'Agencies shall not disseminate restricted files information for + purposes other than law enforcement. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node87 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Storage + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node88 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node87 + description: 'When CHRI is stored, agencies shall establish appropriate administrative, + technical and physical safeguards to ensure the security and confidentiality + of the information. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node89 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node87 + description: These records shall be stored for extended periods only when they + are key elements for the integrity and/or utility of case files and/or criminal + record files. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node90 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Justification + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node91 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node90 + description: In addition to the use of purpose codes and logging information, + all users shall provide a reason for all III inquiries whenever requested + by NCIC System Managers, CSAs, local agency administrators, or their representatives. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node92 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Personally Identifiable Information (PII) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node93 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node92 + description: 'PII shall be extracted from CJI for the purpose of official business + only. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node94 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node92 + description: Agencies shall develop policies, based on state and local privacy + rules, to ensure appropriate controls are applied when handling PII extracted + from CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-1: Information Exchange Agreements' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node96 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: 'Policy Area 1: Information Exchange Agreements' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node97 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node96 + description: The information shared through communication mediums shall be protected + with appropriate security safeguards. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Information Exchange + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node99 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + description: Before exchanging CJI, agencies shall put formal agreements in + place that specify security controls. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node100 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + description: Information exchange agreements for agencies sharing CJI data that + is sent to and/or received from the FBI CJIS shall specify the security controls + and conditions described in this document. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node101 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + description: 'Information exchange agreements shall be supported by documentation + committing both parties to the terms of information exchange. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node102 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + description: Law Enforcement and civil agencies shall have a local policy to + validate a requestor of CJI as an authorized recipient before disseminating + CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node103 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Information Handling + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node104 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node103 + description: Procedures for handling and storage of information shall be established + to protect that information from unauthorized disclosure, alteration or misuse. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node105 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node103 + description: Using the requirements in this policy as a starting point, the + procedures shall apply to the handling, processing, storing, and communication + of CJI. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: State and Federal Agency User Agreements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node107 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + description: Each CSA head or SIB Chief shall execute a signed written user + agreement with the FBI CJIS Division stating their willingness to demonstrate + conformity with this policy before accessing and participating in CJIS records + information programs. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node108 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + description: 'This agreement shall include the standards and sanctions governing + utilization of CJIS systems. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node109 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + description: "As coordinated through the particular CSA or SIB Chief, each Interface\ + \ Agency shall also allow the FBI to periodically test the ability to penetrate\ + \ the FBI\u2019s network through the external network connection or system\ + \ per authorization of Department of Justice (DOJ) Order 2640.2F." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node110 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + description: All user agreements with the FBI CJIS Division shall be coordinated + with the CSA head. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Criminal Justice Agency User Agreements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node112 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: Any CJA receiving access to FBI CJI shall enter into a signed written + agreement with the appropriate signatory authority of the CSA providing the + access. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node113 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: The written agreement shall specify the FBI CJIS systems and services + to which the agency will have access, and the FBI CJIS Division policies to + which the agency must adhere. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: 'These agreements shall include:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node115 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "1.\_Audit." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node116 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "2.\_Dissemination." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node117 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "3.\_Hit confirmation." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node118 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "4.\_Logging." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node119 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "5.\_Quality Assurance (QA)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node120 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "6.\_Screening (Pre-Employment)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node121 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "7.\_Security." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node122 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "8.\_Timeliness." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node123 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "9.\_Training." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node124 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: 10. Use of the system. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node125 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: 11. Validation. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Inter-Agency and Management Control Agreements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node127 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 + description: 'A NCJA (government) designated to perform criminal justice functions + for a CJA shall be eligible for access to the CJI. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node128 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 + description: 'Access shall be permitted when such designation is authorized + pursuant to Executive Order, statute, regulation, or inter-agency agreement. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node129 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 + description: The NCJA shall sign and execute a management control agreement + (MCA) with the CJA, which stipulates management control of the criminal justice + function remains solely with the CJA. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Private Contractor User Agreements and CJIS Security Addendum + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node131 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: "Private contractors who perform criminal justice functions shall\ + \ meet the same training and certification criteria required by governmental\ + \ agencies performing a similar function, and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node132 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: '...and shall be subject to the same extent of audit review as + are local user agencies.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node133 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: All private contractors who perform criminal justice functions + shall acknowledge, via signing of the Security Addendum Certification page, + and abide by all aspects of the CJIS Security Addendum. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node134 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: Modifications to the CJIS Security Addendum shall be enacted only + by the FBI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node135 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: '1. Private contractors designated to perform criminal justice + functions for a CJA shall be eligible for access to CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node136 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: "Access shall be permitted pursuant to an agreement which specifically\ + \ identifies the agency\u2019s purpose and scope of providing services for\ + \ the administration of criminal justice." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node137 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: The agreement between the CJA and the private contractor shall + incorporate the CJIS Security Addendum approved by the Director of the FBI, + acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 + (a)(7). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node138 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: '2. Private contractors designated to perform criminal justice + functions on behalf of a NCJA (government) shall be eligible for access to + CJI. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node139 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: "Access shall be permitted pursuant to an agreement which specifically\ + \ identifies the agency\u2019s purpose and scope of providing services for\ + \ the administration of criminal justice. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node140 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: The agreement between the NCJA and the private contractor shall + incorporate the CJIS Security Addendum approved by the Director of the FBI, + acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 + (a)(7). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Agency User Agreements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node142 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: A NCJA (public) designated to request civil fingerprint-based background + checks, with the full consent of the individual to whom a background check + is taking place, for noncriminal justice functions, shall be eligible for + access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node143 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: 'Access shall be permitted when such designation is authorized + pursuant to federal law or state statute approved by the U.S. Attorney General. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node144 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: 'A NCJA (public) receiving access to FBI CJI shall enter into a + signed written agreement with the appropriate signatory authority of the CSA/SIB + providing the access. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node145 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: A NCJA (private) designated to request civil fingerprint-based + background checks, with the full consent of the individual to whom a background + check is taking place, for noncriminal justice functions, shall be eligible + for access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node146 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: 'Access shall be permitted when such designation is authorized + pursuant to federal law or state statute approved by the U.S. Attorney General. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node147 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: A NCJA (private) receiving access to FBI CJI shall enter into a + signed written agreement with the appropriate signatory authority of the CSA, + SIB, or authorized agency providing the access. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node148 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: All NCJAs accessing CJI shall be subject to all pertinent areas + of the CJIS Security Policy (see appendix J for supplemental guidance). 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node149 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: "Each NCJA that directly accesses FBI CJI shall also allow the\ + \ FBI to periodically test the ability to penetrate the FBI\u2019s network\ + \ through the external network connection or system per authorization of Department\ + \ of Justice (DOJ) Order 2640.2F." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Outsourcing Standards for Channelers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node151 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: Channelers designated to request civil fingerprint-based background + checks or noncriminal justice ancillary functions on behalf of a NCJA (public) + or NCJA (private) for noncriminal justice functions shall be eligible for + access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node152 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: Access shall be permitted when such designation is authorized pursuant + to federal law or state statute approved by the U.S. Attorney General. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node153 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: All Channelers accessing CJI shall be subject to the terms and + conditions described in the Compact Council Security and Management Control + Outsourcing Standard. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node154 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: Each Channeler that directly accesses CJI shall also allow the + FBI to conduct periodic penetration testing. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node155 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: "Channelers leveraging CJI to perform civil functions on behalf\ + \ of an Authorized Recipient shall meet the same training and certification\ + \ criteria required by governmental agencies performing a similar function\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node156 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: '...and shall be subject to the same extent of audit review as + are local user agencies.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Outsourcing Standards for Non-Channelers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node158 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: Contractors designated to perform noncriminal justice ancillary + functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice + functions shall be eligible for access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node159 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: Access shall be permitted when such designation is authorized pursuant + to federal law or state statute approved by the U.S. Attorney General. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node160 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: All contractors accessing CJI shall be subject to the terms and + conditions described in the Compact Council Outsourcing Standard for Non-Channelers. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node161 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: "Contractors leveraging CJI to perform civil functions on behalf\ + \ of an Authorized Recipient shall meet the same training and certification\ + \ criteria required by governmental agencies performing a similar function,\ + \ and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node162 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: '...and shall be subject to the same extent of audit review as + are local user agencies.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node163 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Monitoring, Review, and Delivery of Services + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node164 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node163 + description: 'As specified in the inter-agency agreements, MCAs, and contractual + agreements with private contractors, the services, reports and records provided + by the service provider shall be regularly monitored and reviewed. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node165 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node163 + description: 'The CJA, authorized agency, or FBI shall maintain sufficient overall + control and visibility into all security aspects to include, but not limited + to, identification of vulnerabilities and information security incident reporting/response. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node166 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node163 + description: The incident reporting/response process used by the service provider + shall conform to the incident reporting/response specifications provided in + this policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node167 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Managing Changes to Service Providers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node168 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node167 + description: Any changes to services provided by a service provider shall be + managed by the CJA, authorized agency, or FBI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node169 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node167 + description: Evaluation of the risks to the agency shall be undertaken based + on the criticality of the data, system, and the impact of the change. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node170 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Secondary Dissemination + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node171 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node170 + description: "If CHRI is released to another authorized agency, and that agency\ + \ was not part of the releasing agency\u2019s primary information exchange\ + \ agreement(s), the releasing agency shall log such dissemination." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node172 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Secondary Dissemination of Non-CHRI CJI + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node173 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node172 + description: Dissemination shall conform to the local policy validating the + requestor of the CJI as an employee or contractor of a law enforcement agency + or civil agency requiring the CJI to perform their mission or a member of + the public receiving CJI via authorized dissemination. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-2: Awareness and Training (AT)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: Policy and Procedures + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node176 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to all personnel\ + \ when their unescorted logical or physical access to any information system\ + \ results in the ability, right, or privilege to view, modify, or make use\ + \ of unencrypted CJI:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node177 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "1.\_\_\_\_\_ Organization-level awareness and training policy\ + \ that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node178 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node179 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node180 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ awareness and training policy and the associated awareness and training\ + \ 
controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node181 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security awareness and training responsibilities to manage the development,\ + \ documentation, and dissemination of the awareness and training policy nd\ + \ procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node182 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "c.\_\_\_\_\_\_ Review and update the current awareness and training:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node183 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "1.\_\_\_\_\_ Policy annually and following changes in the information\ + \ system operating environment, when security incidents occur, or when changes\ + \ to the CJIS Security Policy are made; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node184 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "2.\_\_\_\_\_ Procedures annually and following changes in the\ + \ information system operating environment, when security incidents occur,\ + \ or when changes to the CJIS Security Policy are made." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: Literacy Training and Awareness + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node186 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "a.\_\_\_\_\_ Provide security and privacy literacy training to\ + \ system users (including managers, senior executives, and contractors):" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node187 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "1.\_\_\_\_\_ As part of initial training for new users prior to\ + \ accessing CJI and annually thereafter; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node188 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "2.\_\_\_\_\_ When required by system changes or within 30 days\ + \ of any security event for individuals involved in the event;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node189 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "b.\_\_\_\_\_ Employ one or more of the following techniques to\ + \ increase the security and privacy awareness of system users:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node190 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "1.\_\_\_\_\_ Displaying posters " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node191 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "2.\_\_\_\_\_ Offering supplies inscribed with security and privacy\ + \ reminders" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node192 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "3.\_\_\_\_\_ Displaying logon screen messages " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node193 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "4.\_\_\_\_\_ Generating email advisories or notices from organizational\ + \ officials" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node194 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "5.\_\_\_\_\_ Conducting awareness events " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node195 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "c.\_\_\_\_\_\_ Update literacy training and awareness content\ + \ annually and following changes in the information system operating environment,\ + \ when security incidents occur, or when changes are made in the CJIS Security\ + \ Policy; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node196 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "d.\_\_\_\_\_ Incorporate lessons learned from internal or external\ + \ security incidents or breaches into literacy training and awareness techniques." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node197 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: LITERACY TRAINING AND AWARENESS | INSIDER THREAT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node198 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node197 + description: Provide literacy training on recognizing and reporting potential + indicators of insider threat. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node199 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: LITERACY TRAINING AND AWARENESS | SOCIAL ENGINEERING AND MINING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node200 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node199 + description: Provide literacy training on recognizing and reporting potential + and actual instances of social engineering and social mining. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: ROLE-BASED TRAINING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node202 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_\_ Provide role-based security and privacy training\ + \ to personnel with the following roles and responsibilities: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node203 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "\xB7\_\_\_\_\_\_\_ All individuals with unescorted access to a\ + \ physically secure location; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node204 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "\xB7\_\_\_\_\_\_\_ General User: A user, but not a process, who\ + \ is authorized to use an information system; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node205 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "\xB7\_\_\_\_\_\_\_ Privileged User: A user that is authorized\ + \ (and, therefore, trusted) to perform security-relevant functions that general\ + \ users are not authorized to perform:" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node206 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "1.\_\_\_\_\_ Before authorizing access to the system, information,\ + \ or performing assigned duties, and annually thereafter; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node207 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "2.\_\_\_\_\_ When required by system changes;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node208 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_\_ Update role-based training content annually and following\ + \ audits of the CSA and local agencies\_; changes in the information system\ + \ operating environment; security incidents; or when changes are made to the\ + \ CJIS Security Policy;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node209 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "c.\_\_\_\_\_\_ Incorporate lessons learned from internal or external\ + \ security incidents or breaches into role-based training;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node210 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "d.\_\_\_\_\_ Incorporate the minimum following topics into the\ + \ appropriate role-based training content:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node211 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "1.\_\_\_\_ All individuals with unescorted access to a physically\ + \ secure location:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node212 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_ 
Access, Use and Dissemination of Criminal History Record\ + \ Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted\ + \ Files Information Penalties" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node213 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_ Reporting Security Events" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node214 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: c. Training + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node215 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "d.\_\_\_\_ System Use Notification" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node216 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "e.\_\_\_\_\_ Physical Access Authorizations " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node217 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "f.\_\_\_\_\_ Physical Access Control " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node218 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "g.\_\_\_\_ Monitoring Physical Access " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node219 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "h.\_\_\_\_ Visitor Control" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node220 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "i.\_\_\_\_\_\_ Personnel Sanctions" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node221 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "2.\_\_\_\_ General User: A user, but not a process, who is authorized\ + \ to use an information system. In addition to AT-3 (d) (1) above, include\ + \ the following topics:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node222 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_ Criminal Justice Information" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node223 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_ Proper Access, Use, and Dissemination of NCIC Non-Restricted\ + \ Files Information" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node224 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "c.\_\_\_\_\_ Personally Identifiable Information" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node225 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "d.\_\_\_\_ Information Handling" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node226 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: e. Media Storage + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node227 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: f. 
Media Access + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node228 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "g.\_\_\_\_ Audit Monitoring, Analysis, and Reporting" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node229 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "h.\_\_\_\_ Access Enforcement" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node230 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "i.\_\_\_\_\_\_ Least Privilege" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node231 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "j.\_\_\_\_\_\_ System Access Control" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node232 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "k.\_\_\_\_ Access Control Criteria" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node233 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "l.\_\_\_\_\_\_ System Use Notification" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node234 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "m.\_\_ Session Lock" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node235 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "n.\_\_\_\_ Personally Owned Information Systems" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node236 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "o.\_\_\_\_ Password" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node237 + assessable: true + depth: 
3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "p.\_\_\_\_ Access Control for Display Medium" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node238 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "q.\_\_\_\_ Encryption" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node239 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "r.\_\_\_\_\_ Malicious Code Protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node240 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "s.\_\_\_\_\_ Spam and Spyware Protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node241 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "t.\_\_\_\_\_\_ Cellular Devices" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node242 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "u.\_\_\_\_ Mobile Device Management" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node243 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "v.\_\_\_\_\_ Wireless Device Risk Mitigations" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node244 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "w.\_\_\_ Wireless Device Malicious Code Protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node245 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "x.\_\_\_\_ Literacy Training and Awareness/Social Engineering\ + \ and Mining" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node246 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "y.\_\_\_\_\_ Identification and Authentication (Organizational\ + \ Users)" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node247 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "z.\_\_\_\_\_ Media Protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node248 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "3.\_\_\_\_ Privileged User: A user that is authorized (and, therefore,\ + \ trusted) to perform security-relevant functions that general users are not\ + \ authorized to perform. In addition to AT-3 (d) (1) and (2) above, include\ + \ the following topics:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node249 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_ Access Control" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node250 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_ System and Communications Protection and Information\ + \ Integrity" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node251 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: c. Patch Management + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node252 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "d. 
Data backup and storage\u2014centralized or decentralized approach" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node253 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "e.\_\_\_\_\_ Most recent changes to the CJIS Security Policy" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node254 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "4.\_\_\_\_ Organizational Personnel with Security Responsibilities:\ + \ Personnel with the responsibility to ensure the confidentiality, integrity,\ + \ and availability of CJI and the implementation of technology in a manner\ + \ compliant with the CJISSECPOL. In addition to AT-3 (d) (1), (2), and (3)\ + \ above, include the following topics:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node255 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_ Local Agency Security Officer Role" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node256 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_ Authorized Recipient Security Officer Role" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node257 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: c. Additional state/local/tribal/federal agency LASO roles + and responsibilities + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node258 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: d. Summary of audit findings from previous state audits of + local agencies + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node259 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: e. 
Findings from the last FBI CJIS Division audit + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node260 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: ROLE-BASED TRAINING | PROCESSING PERSONALLY IDENTIFIABLE INFORMATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node261 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node260 + description: Provide all personnel when their unescorted logical or physical + access to any information system results in the ability, right, or privilege + to view, modify, or make use of unencrypted CJI with initial and annual training + in the employment and operation of personally identifiable information processing + and transparency controls. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node262 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: TRAINING RECORDS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node263 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node262 + description: "a.\_\_\_\_\_ Document and monitor information security and privacy\ + \ training activities, including security and privacy awareness training and\ + \ specific role-based security and privacy training; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node264 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node262 + description: "b.\_\_\_\_\_ Retain individual training records for a minimum\ + \ of three years." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-3: Incident Response (IR)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node267 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "a.\_\_\_\_\_\_\_\_ Develop, document, and disseminate to all personnel\ + \ when their unescorted logical or physical access to any information system\ + \ results in the ability, right, or privilege to view, modify, or make use\ + \ of unencrypted CJI:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node268 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "1.\_\_\_\_\_ Agency-level incident response policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node269 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node270 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node271 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ incident response policy and the associated incident response controls;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node272 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "b.\_\_\_\_\_ Designate an individual with security responsibilities\ + \ to manage the development, documentation, and dissemination of the incident\ + \ response policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node273 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "c.\_\_\_\_\_\_ Review and update the current incident response:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node274 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node275 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT RESPONSE TRAINING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node277 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "a.\_\_\_\_\_ Provide incident response training to system users\ + \ consistent with assigned roles and responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node278 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "1.\_\_\_\_\_ Prior to assuming an incident response role or responsibility\ + \ or acquiring system access;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node279 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "2.\_\_\_\_\_ When required by system changes; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node280 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "3.\_\_\_\_\_ Annually thereafter; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node281 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "b.\_\_\_\_\_ Review and update incident response training content\ + \ annually and following any security incidents involving unauthorized access\ + \ to CJI or systems used to process, store, or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node282 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (3) INCIDENT RESPONSE TRAINING | BREACH + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node283 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node282 + description: "Provide incident response training on how to identify and respond\ + \ to a breach, including the organization\u2019s process for reporting a breach." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node284 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT RESPONSE TESTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node285 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node284 + description: 'Test the effectiveness of the incident response capability for + the system annually using the following tests: tabletop or walk-through exercises; + simulations; or other agency-appropriate tests.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node286 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node287 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node286 + description: Coordinate incident response testing with organizational elements + responsible for related plans. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT HANDLING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node289 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + description: "a.\_\_\_\_\_ Implement an incident handling capability for incidents\ + \ that is consistent with the incident response plan and includes preparation,\ + \ detection and analysis, containment, eradication, and recovery;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node290 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + description: "b.\_\_\_\_\_ Coordinate incident handling activities with contingency\ + \ planning activities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node291 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + description: "c.\_\_\_\_\_\_ Incorporate lessons learned from ongoing incident\ + \ handling activities into incident response procedures, training, and testing,\ + \ and implement the resulting changes accordingly; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node292 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + description: "d.\_\_\_\_\_ Ensure the rigor, intensity, scope, and results of\ + \ incident handling activities are comparable and predictable across the organization." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node293 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node294 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node293 + description: Support the incident handling process using automated mechanisms + (e.g., online incident management systems and tools that support the collection + of live response data, full network packet capture, and forensic analysis. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node295 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT MONITORING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node296 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node295 + description: Track and document incidents. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node297 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT REPORTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node298 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node297 + description: "a.\_\_\_\_\_ Require personnel to report suspected incidents to\ + \ the organizational incident response capability immediately but not to exceed\ + \ one (1) hour after discovery; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node299 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node297 + description: "b.\_\_\_\_ Report incident information to organizational personnel\ + \ with incident handling responsibilities, and if confirmed, notify the CSO,\ + \ SIB Chief, or Interface Agency Official." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node300 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (1) INCIDENT REPORTING | AUTOMATED REPORTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node301 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node300 + description: Report incidents using automated mechanisms. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node302 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (3) INCIDENT REPORTING | SUPPLY CHAIN COORDINATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node303 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node302 + description: Provide incident information to the provider of the product or + service and other organizations involved in the supply chain or supply chain + governance for systems or system components related to the incident. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node304 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT RESPONSE ASSISTANCE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node305 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node304 + description: Provide an incident response support resource, integral to the + organizational incident response capability, that offers advice and assistance + to users of the system for the handling and reporting of incidents. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node306 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY + OF INFORMATION AND SUPPORT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node307 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node306 + description: Increase the availability of incident response information and + support using automated mechanisms described in the discussion. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT RESPONSE PLAN + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node309 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "a.\_\_\_\_\_ Develop an incident response plan that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node310 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "1.\_\_\_\_\_ Provides the organization with a roadmap for implementing\ + \ its incident response capability;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node311 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "2.\_\_\_\_\_ Describes the structure and organization of the incident\ + \ response capability;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node312 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "3.\_\_\_\_\_ Provides a high-level approach for how the incident\ + \ response capability fits into the overall organization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node313 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "4.\_\_\_\_\_ Meets the unique requirements of the organization,\ + \ which relate to mission, size, structure, and functions;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node314 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "5.\_\_\_\_\_ Defines reportable incidents;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node315 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "6.\_\_\_\_\_ Provides metrics for measuring the incident response\ + \ capability within the organization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node316 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "7.\_\_\_\_\_ Defines the resources and management support needed\ + \ to effectively maintain and mature an incident response capability;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node317 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "8.\_\_\_\_\_ Addresses the sharing of incident information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node318 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "9.\_\_\_\_\_ Is reviewed and approved by the organization\u2019\ + s/agency\u2019s executive leadership annually; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node319 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "10.\_\_ Explicitly designates responsibility for incident response\ + \ to organizational personnel with incident reporting responsibilities and\ + \ CSO or CJIS WAN Official." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node320 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "b.\_\_\_\_\_ Distribute copies of the incident response plan to\ + \ organizational personnel with incident handling responsibilities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node321 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "c.\_\_\_\_\_\_ Update the incident response plan to address system\ + \ and organizational changes or problems encountered during plan implementation,\ + \ execution, or testing;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node322 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "d.\_\_\_\_\_ Communicate incident response plan changes to organizational\ + \ personnel with incident handling responsibilities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node323 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "e.\_\_\_\_\_ Protect the incident response plan from unauthorized\ + \ disclosure and modification." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (1) INCIDENT RESPONSE PLAN | BREACHES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node325 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + description: 'Include the following in the Incident Response Plan for breaches + involving personally identifiable information:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node326 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + description: "(a)\_\_\_ A process to determine if notice to individuals or other\ + \ organizations, including oversight organizations, is needed;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node327 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + description: "(b)\_\_\_ An assessment process to determine the extent of the\ + \ harm, embarrassment, inconvenience, or unfairness to affected individuals\ + \ and any mechanisms to mitigate such harms; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node328 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + description: "(c)\_\_\_\_ Identification of applicable privacy requirements." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-4: Audit and Accountability' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node331 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with audit and accountability responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node332 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "1.\_\_\_\_\_ Agency and system-level audit and accountability\ + \ policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node333 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node334 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node335 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ audit and accountability policy and the associated audit and accountability\ + \ controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node336 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security responsibilities to manage the development, documentation, and\ + \ dissemination of the audit and accountability policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node337 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "c.\_\_\_\_\_\_ Review and update the current audit and accountability:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node338 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node339 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: EVENT LOGGING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node341 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "a.\_\_\_\_\_ Identify the types of events that the system is capable\ + \ of logging in support of the audit function: authentication, file use, user/group\ + \ management, events sufficient to establish what occurred, the sources of\ + \ events, outcomes of events, and operational transactions (e.g., NCIC, III);" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node342 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "b.\_\_\_\_\_ Coordinate the event logging function with other\ + \ organizational entities requiring audit- related information to guide and\ + \ inform the selection criteria for events to be logged;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node343 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "c.\_\_\_\_\_\_ Specify the following event types for logging within\ + \ the system: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node344 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: 'All successful and unsuccessful:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node345 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "1.\_\_\_\_ System log-on attempts" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node346 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "2.\_\_\_\_ Attempts to use:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node347 + 
assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "a.\_\_\_\_ Access permission on a user account, file, directory,\ + \ or other system resource;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node348 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "b.\_\_\_\_ Create permission on a user account, file, directory,\ + \ or other system resource;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node349 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "c.\_\_\_\_\_ Write permission on a user account, file, directory,\ + \ or other system resource;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node350 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "d.\_\_\_\_ Delete permission on a user account, file, directory,\ + \ or other system resource;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node351 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "e.\_\_\_\_\_ Change permission on a user account, file, directory,\ + \ or other system resource." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node352 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "3.\_\_\_\_ Attempts to change account passwords" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node353 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "4.\_\_\_\_ Actions by privileged accounts (i.e., root, Oracle,\ + \ DBA, admin, etc.)" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node354 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "5.\_\_\_\_ Attempts for users to:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node355 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "a.\_\_\_\_ Access the audit log file;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node356 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "b.\_\_\_\_ Modify the audit log file;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node357 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "c.\_\_\_\_\_ Destroy the audit log file;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node358 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "d.\_\_\_\_\_ Provide a rationale for why the event types selected\ + \ for logging are deemed to be adequate to support after-the-fact investigations\ + \ of incidents; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node359 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "e.\_\_\_\_\_ Review and update the event types selected for logging\ + \ annually." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: CONTENT OF AUDIT RECORDS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node361 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: 'Ensure that audit records contain information that establishes + the following:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node362 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "a.\_\_\_\_\_ What type of event occurred;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node363 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "b.\_\_\_\_\_ When the event occurred;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node364 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "c.\_\_\_\_\_\_ Where the event occurred;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node365 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "d.\_\_\_\_\_ Source of the event;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node366 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "e.\_\_\_\_\_ Outcome of the event; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node367 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "f.\_\_\_\_\_\_ Identity of any individuals, subjects, or objects/entities\ + \ associated with the event." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(1)\_\_\_ CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node369 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: 'Generate audit records containing the following additional information: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node370 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "a.\_\_\_\_ Session, connection, transaction, and activity duration;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node371 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "b.\_\_\_\_ Source and destination addresses;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node372 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "c.\_\_\_\_\_ Object or filename involved; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node373 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "d.\_\_\_\_ Number of bytes received and bytes sent (for client-server\ + \ transactions) in the audit records for audit events identified by type,\ + \ location, or subject." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node374 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "e.\_\_\_\_\_ The III portion of the log shall clearly identify:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node375 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "1.\_\_\_\_ The operator" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node376 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "2.\_\_\_\_ The authorized receiving agency" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node377 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "3.\_\_\_\_ The requestor" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node378 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "4.\_\_\_\_ The secondary recipient" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node379 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(3)\_\_\_ CONTENT OF AUDIT RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION\ + \ ELEMENTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node380 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node379 + description: 'Limit personally identifiable information contained in audit records + to the following elements identified in the privacy risk assessment: minimum + PII necessary to achieve the purpose for which it is collected (see Section + 4.3).' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node381 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT LOG STORAGE CAPACITY + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node382 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node381 + description: Allocate audit log storage capacity to accommodate the collection + of audit logs to meet retention requirements (AU-11). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node383 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: RESPONSE TO AUDIT LOGGING PROCESS FAILURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node384 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node383 + description: "a.\_\_\_\_\_ Alert organizational personnel with audit and accountability\ + \ responsibilities and system/network administrators within one (1) hour in\ + \ the event of an audit logging process failure; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node385 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node383 + description: "b.\_\_\_\_\_ Take the following additional actions: restart all\ + \ audit logging processes and verify system(s) are logging properly." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node386 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node387 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node386 + description: "a.\_\_\_\_\_ Review and analyze system audit records weekly for\ + \ indications of inappropriate or unusual activity and the potential impact\ + \ of the inappropriate or unusual activity;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node388 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node386 + description: "b.\_\_\_\_\_ Report findings to organizational personnel with\ + \ audit review, analysis, and reporting responsibilities and organizational\ + \ personnel with information security and privacy responsibilities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node389 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node386 + description: "c.\_\_\_\_\_\_ Adjust the level of audit record review, analysis,\ + \ and reporting within the system when there is a change in risk based on\ + \ law enforcement information, intelligence information, or other credible\ + \ sources of information." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node390 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(1)\_\_\_ AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | AUTOMATED PROCESS\ + \ INTEGRATION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node391 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node390 + description: Integrate audit record review, analysis, and reporting processes + using automated mechanisms. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node392 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(3)\_\_\_ AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT\ + \ RECORD REPOSITORIES" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node393 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node392 + description: Analyze and correlate audit records across different repositories + to gain organization-wide situational awareness. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node394 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT RECORD REDUCTION AND REPORT GENERATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node395 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node394 + description: "a.\_\_\_\_\_ Supports on-demand audit record review, analysis,\ + \ and reporting requirements and after- the-fact investigations of incidents;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node396 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node394 + description: "b.\_\_\_\_\_ Does not alter the original content or time ordering\ + \ of audit records." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node397 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(1)\_\_\_ AUDIT RECORD REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node398 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node397 + description: 'Provide and implement the capability to process, sort, and search + audit records for events of interest based on the following content: information + included in AU-3.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node399 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: TIME STAMPS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node400 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node399 + description: "a.\_\_\_\_\_ Use internal system clocks to generate time stamps\ + \ for audit records;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node401 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node399 + description: "b.\_\_\_\_\_ Record time stamps for audit records that meet hundredths\ + \ of a second (i.e., hh:mm:ss:00) interval and that use Coordinated Universal\ + \ Time, have a fixed local time offset from Coordinated Universal Time, or\ + \ that include the local time offset as part of the time stamp." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node402 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: PROTECTION OF AUDIT INFORMATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node403 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node402 + description: "a.\_\_\_\_\_ Protect audit information and audit logging tools\ + \ from unauthorized access, modification, and deletion; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node404 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node402 + description: "b.\_\_\_\_\_ Alert organizational personnel with audit and accountability\ + \ responsibilities, organizational personnel with information security and\ + \ privacy responsibilities, and system/network administrators upon detection\ + \ of unauthorized access, modification, or deletion of audit information." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node405 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(4)\_\_\_ PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED\ + \ USERS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node406 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node405 + description: Authorize access to management of audit logging functionality to + only organizational personnel with audit and accountability responsibilities, + organizational personnel with information security and privacy responsibilities, + and system/network administrators. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node407 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT RECORD RETENTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node408 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node407 + description: Retain audit records for a minimum of one (1) year or until it + is determined they are no longer needed for administrative, legal, audit, + or other operational purposes to provide support for after-the-fact investigations + of incidents and to meet regulatory and organizational information retention + requirements. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node409 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT RECORD GENERATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node410 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node409 + description: "a.\_\_\_\_\_ Provide audit record generation capability for the\ + \ event types the system is capable of auditing as defined in AU-2a on all\ + \ systems generating required audit logs;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node411 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node409 + description: "b.\_\_\_\_\_ Allow organizational personnel with audit record\ + \ generation responsibilities, organizational personnel with information security\ + \ and privacy responsibilities, and system/network administrators to select\ + \ the event types that are to be logged by specific components of the system;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node412 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node409 + description: "c.\_\_\_\_\_\_ Generate audit records for the event types defined\ + \ in AU-2c that include the audit record content defined in AU-3." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-5: Access Control (AC)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node415 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to: organizational\ + \ personnel with access control responsibilities" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node416 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "1.\_\_\_\_\_ Agency-level access control policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node417 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node418 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node419 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ access control policy and the associated access controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node420 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: 
"b.\_\_\_\_\_ Designate an individual with security responsibilities\ + \ to manage the development, documentation, and dissemination of the access\ + \ control policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node421 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "c.\_\_\_\_\_\_ Review and update the current access control:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node422 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node423 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: ACCOUNT MANAGEMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node425 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "a.\_\_\_\_\_ Define and document the types of accounts allowed\ + \ and specifically prohibited for use within the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node426 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "b.\_\_\_\_\_ Assign account managers;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node427 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "c.\_\_\_\_\_\_ Require conditions for group and role membership;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node428 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "d.\_\_\_\_\_ Specify:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node429 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "1.\_\_\_\_\_ Authorized users of the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node430 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "2.\_\_\_\_\_ Group and role membership; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node431 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "3.\_\_\_\_\_ Access authorizations (i.e., privileges) and attributes\ + \ listed for each account;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node432 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Attribute Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node433 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Email Address Text + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node434 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Employer Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node435 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Federation Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node436 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Given Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node437 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Identity Provider Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node438 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Sur Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node439 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Telephone Number + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node440 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Identity Provider Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node441 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Unique Subject Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node442 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Counter Terrorism Data Self 
Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node443 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Criminal History Data Self Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node444 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Criminal Intelligence Data Self Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node445 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Criminal Investigative Data Self Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node446 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Display Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node447 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Government Data Self Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node448 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Local Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node449 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: NCIC Certification Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node450 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: NDEx Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node451 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: PCII Certification Indicator + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node452 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: 28 CFR Certification Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node453 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Employer ORI + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node454 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Employer Organization General Category Code + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node455 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Employer State Code + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node456 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Public Safety Officer Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node457 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Sworn Law Enforcement Officer Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node458 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Authenticator Assurance Level + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node459 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Federation Assurance Level + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node460 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Identity Assurance Level + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node461 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: 
Intelligence Analyst Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node462 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "e.\_\_\_\_\_ Require approvals by organizational personnel with\ + \ account management responsibilities for requests to create accounts;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node463 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "f.\_\_\_\_\_\_ Create, enable, modify, disable, and remove accounts\ + \ in accordance with agency policy;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node464 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "g.\_\_\_\_\_ Monitor the use of accounts;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node465 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "h.\_\_\_\_\_ Notify account managers and system/network administrators\ + \ within:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node466 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "1.\_\_\_\_\_ One day when accounts are no longer required;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node467 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "2.\_\_\_\_\_ One day when users are terminated or transferred;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node468 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "3.\_\_\_\_\_ One day when system usage or need-to-know changes\ + \ for an individual;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node469 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "i.\_\_\_\_\_\_\_ Authorize access to the system based on:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node470 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "1.\_\_\_\_\_ A valid access authorization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node471 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "2.\_\_\_\_\_ Intended system usage; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node472 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "3.\_\_\_\_\_ Attributes as listed in AC-2(d)(3);" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node473 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "j.\_\_\_\_\_\_\_ Review accounts for compliance with account management\ + \ requirements at least annually;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node474 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "k.\_\_\_\_\_ Establish and implement a process for changing shared\ + \ or group account authenticators (if deployed) when individuals are removed\ + \ from the group; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node475 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "l.\_\_\_\_\_\_\_ Align account management processes with personnel\ + \ termination and transfer processes." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node476 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node477 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node476 + description: Support the management of system accounts using automated mechanisms + including email, phone, and text notifications. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node478 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(2)\_\_\_ ACCOUNT MANAGEMENT | AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT\ + \ MANAGEMENT" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node479 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node478 + description: Automatically remove temporary and emergency accounts within 72 + hours. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(3)\_\_\_ ACCOUNT MANAGEMENT | DISABLE ACCOUNTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node481 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: 'Disable accounts within one (1) week when the accounts:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node482 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: "(a)\_\_\_ Have expired;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node483 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: "(b)\_\_\_ Are no longer associated with a user or individual;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node484 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: "(c)\_\_\_\_ Are in violation of organizational policy; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node485 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: "(d)\_\_\_ Have been inactive for 90 calendar days. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node486 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(4)\_\_\_ ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node487 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node486 + description: Automatically audit account creation, modification, enabling, disabling, + and removal actions. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node488 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(5)\_\_\_ ACCOUNT MANAGEMENT | INACTIVITY LOGOUT" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node489 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node488 + description: 'Require that users log out when a work period has been completed. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node490 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: (13) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node491 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node490 + description: Disable accounts of individuals within 30 minutes of discovery + of direct threats to the confidentiality, integrity, or availability of CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node492 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: ACCESS ENFORCEMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node493 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node492 + description: Enforce approved authorizations for logical access to information + and system resources in accordance with applicable access control policies. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node494 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: (14) ACCESS ENFORCEMENT | INDIVIDUAL ACCESS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node495 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node494 + description: Provide automated or manual processes to enable individuals to + have access to elements of their personally identifiable information. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node496 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: INFORMATION FLOW ENFORCEMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node497 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node496 + description: Enforce approved authorizations for controlling the flow of information + within the system and between connected systems by preventing CJI from being + transmitted unencrypted across the public network, blocking outside traffic + that claims to be from within the agency, and not passing any web requests + to the public network that are not from agency controlled or internal boundary + protection devices (e.g., proxies, gateways, firewalls, or routers). 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node498 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: SEPARATION OF DUTIES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node499 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node498 + description: "a.\_\_\_\_\_ Identify and document separation of duties based\ + \ on specific duties, operations, or information systems, as necessary, to\ + \ mitigate risk to CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node500 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node498 + description: "b.\_\_\_\_\_ Define system access authorizations to support separation\ + \ of duties." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node501 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: LEAST PRIVILEGE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node502 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node501 + description: Employ the principle of least privilege, allowing only authorized + accesses for users (or processes acting on behalf of users) that are necessary + to accomplish assigned organizational tasks. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node503 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node504 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node503 + description: 'Authorize access for personnel including, security administrators, + system and network administrators, and other privileged users with access + to system control, monitoring, or administration functions (e.g., system administrators, + information security personnel, maintainers, system programmers, etc.) to:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node505 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node503 + description: "(a)\_\_\_ Established system accounts, configured access authorizations\ + \ (i.e., permissions, privileges), set events to be audited, set intrusion\ + \ detection parameters, and other security functions; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node506 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node503 + description: "(b)\_\_\_ Security-relevant information in hardware, software,\ + \ and firmware." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node507 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(2)\_\_\_ LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node508 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node507 + description: Require that users of system accounts (or roles) with access to + privileged security functions or security-relevant information (e.g., audit + logs), use non-privileged accounts or roles, when accessing nonsecurity functions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node509 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(5)\_\_\_ LEAST PRIVILEGE | PRIVILEGED ACCOUNTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node510 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node509 + description: Restrict privileged accounts on the system to privileged users. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node511 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(7)\_\_\_ LEAST PRIVILEGE | REVIEW OF USER PRIVILEGES" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node512 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node511 + description: "a.\_\_\_\_\_ Reviews annually the privileges assigned to non-privileged\ + \ and privileged users to validate the need for such privileges; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node513 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node511 + description: "b.\_\_\_\_ Reassign or remove privileges, if necessary, to correctly\ + \ reflect organizational mission and business needs." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node514 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(9)\_\_\_ LEAST PRIVILEGE | LOG USE OF PRIVILEGED FUNCTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node515 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node514 + description: Log the execution of privileged functions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node516 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED + FUNCTIONS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node517 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node516 + description: Prevent non-privileged users from executing privileged functions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node518 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: UNSUCCESSFUL LOGON ATTEMPTS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node519 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node518 + description: "a.\_\_\_\_\_ Enforce a limit of five (5) consecutive invalid logon\ + \ attempts by a user during a 15-minute time period; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node520 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node518 + description: "b.\_\_\_\_\_ Automatically lock the account or node until released\ + \ by an administrator when the maximum number of unsuccessful attempts is\ + \ exceeded." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: SYSTEM USE NOTIFICATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node522 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "a.\_\_\_\_\_ Display a system use notification message to users\ + \ before granting access to the system that provides privacy and security\ + \ notices consistent with applicable laws, executive orders, directives, regulations,\ + \ policies, standards, and guidelines and state that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node523 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "1.\_\_\_\_\_ Users are accessing a restricted information system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node524 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "2.\_\_\_\_\_ System usage may be monitored, recorded, and subject\ + \ to audit;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node525 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "3.\_\_\_\_\_ Unauthorized use of the system is prohibited and\ + \ subject to criminal and civil penalties; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node526 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "4.\_\_\_\_\_ Use of the system indicates consent to monitoring\ + \ and recording;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node527 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "b.\_\_\_\_\_ Retain the notification message or banner on the\ + \ screen until users acknowledge the usage conditions and 
take explicit actions\ + \ to log on to or further access the system; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node528 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "c.\_\_\_\_\_\_ For publicly accessible systems:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node529 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "1.\_\_\_\_\_ Display system use information consistent with applicable\ + \ laws, executive orders, directives, regulations, policies, standards, and\ + \ guidelines, before granting further access to the publicly accessible system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node530 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "2.\_\_\_\_\_ Display references, if any, to monitoring, recording,\ + \ or auditing that are consistent with privacy accommodations for such systems\ + \ that generally prohibit those activities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node531 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "3.\_\_\_\_\_ Include a description of the authorized uses of the\ + \ system." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node532 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: DEVICE LOCK + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node533 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node532 + description: "a.\_\_\_\_\_ Prevent further access to the system by initiating\ + \ a device lock after a maximum of 30 minutes of inactivity and requiring\ + \ the user to initiate a device lock before leaving the system unattended." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node534 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node532 + description: 'NOTE: In the interest of safety, devices that are: (1) part of + a criminal justice conveyance; or (2) used to perform dispatch functions and + located within a physically secure location; or (3) terminals designated solely + for the purpose of receiving alert notifications (i.e., receive only terminals + or ROT) used within physically secure location facilities that remain staffed + when in operation, are exempt from this requirement.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node535 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node532 + description: "b.\_\_\_\_\_ Retain the device lock until the user reestablishes\ + \ access using established identification and authentication procedures." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node536 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: (1) DEVICE LOCK | PATTERN-HIDING DISPLAYS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node537 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node536 + description: Conceal, via the device lock, information previously visible on + the display with a publicly viewable image. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node538 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: SESSION TERMINATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node539 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node538 + description: Automatically terminate a user session after a user has been logged + out. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node540 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node541 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node540 + description: "a.\_\_\_\_\_\_ Identify any specific user actions that can be\ + \ performed on the system without identification or authentication consistent\ + \ with organizational mission and business functions; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node542 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node540 + description: "b.\_\_\_\_\_ Document and provide supporting rationale in the\ + \ security plan for the system, user actions not requiring identification\ + \ or authentication." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node543 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: REMOTE ACCESS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node544 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node543 + description: "a.\_\_\_\_\_ Establish and document usage restrictions, configuration/connection\ + \ requirements, and implementation guidance for each type of remote access\ + \ allowed; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node545 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node543 + description: "b.\_\_\_\_\_ Authorize each type of remote access to the system\ + \ prior to allowing such connections." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node546 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ REMOTE ACCESS | MONITORING AND CONTROL" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node547 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node546 + description: Employ automated mechanisms to monitor and control remote access + methods. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node548 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(2)\_\_\_ REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY AND INTEGRITY\ + \ USING ENCRYPTION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node549 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node548 + description: Implement cryptographic mechanisms to protect the confidentiality + and integrity of remote access sessions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node550 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(3)\_\_\_ REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node551 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node550 + description: Route remote accesses through authorized and managed network access + control points. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node552 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(4)\_\_\_ REMOTE ACCESS | PRIVILEGED COMMANDS AND ACCESS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node553 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node552 + description: "(a)\_\_\_ Authorize the execution of privileged commands and access\ + \ to security-relevant information via remote access only in a format that\ + \ provides assessable evidence and for the following needs: compelling operational\ + \ needs; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node554 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node552 + description: "(b)\_\_\_ Document the rationale for remote access in the security\ + \ plan for the system." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node555 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: WIRELESS ACCESS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node556 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node555 + description: "a.\_\_\_\_\_ Establish configuration requirements, connection\ + \ requirements, and implementation guidance for each type of wireless access;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node557 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node555 + description: "b.\_\_\_\_\_ Authorize each type of wireless access to the system\ + \ prior to allowing such connections." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node558 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node559 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node558 + description: Protect wireless access to the system using authentication of authorized + users and agency-controlled devices, and encryption. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node560 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(3)\_\_\_ WIRELESS ACCESS | DISABLE WIRELESS NETWORKING" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node561 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node560 + description: Disable, when not intended for use, wireless networking capabilities + embedded within system components prior to issuance and deployment. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node562 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: ACCESS CONTROL FOR MOBILE DEVICES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node563 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node562 + description: "a.\_\_\_\_\_ Establish configuration requirements, connection\ + \ requirements, and implementation guidance for organization-controlled mobile\ + \ devices, to include when such devices are outside of controlled areas; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node564 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node562 + description: "b.\_\_\_\_\_ Authorize the connection of mobile devices to organizational\ + \ systems." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node565 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(5)\_\_\_ ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE OR CONTAINER-BASED\ + \ ENCRYPTION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node566 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node565 + description: Employ full-device encryption to protect the confidentiality and + integrity of information on full- and limited-feature operating system mobile + devices authorized to process, store, or transmit CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: USE OF EXTERNAL SYSTEMS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node568 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + description: "a.\_\_\_\_\_ Establish agency-level policies governing the use\ + \ of external systems consistent with the trust relationships established\ + \ with other organizations owning, operating, and/or maintaining external\ + \ systems, allowing authorized individuals to:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node569 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + description: "1.\_\_\_\_\_ Access the system from external systems; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node570 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + description: "2.\_\_\_\_\_ Process, store, or transmit organization-controlled\ + \ information using external systems; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node571 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + description: "b.\_\_\_\_\_ Prohibit the use 
of personally-owned information\ + \ systems including mobile devices (i.e., bring your own device [BYOD]) and\ + \ publicly accessible systems for accessing, processing, storing, or transmitting\ + \ CJI." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node572 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ USE OF EXTERNAL SYSTEMS | LIMITS ON AUTHORIZED USE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node573 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node572 + description: 'Permit authorized individuals to use an external system to access + the system or to process, store, or transmit organization-controlled information + only after:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node574 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node572 + description: "(a)\_\_\_ Verification of the implementation of controls on the\ + \ external system as specified in the organization\u2019s security and privacy\ + \ policies and security and privacy plans; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node575 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node572 + description: "(b)\_\_\_ Retention of approved system connection or processing\ + \ agreements with the organizational entity hosting the external system." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node576 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(2)\_\_\_ USE OF EXTERNAL SYSTEMS | PORTABLE STORAGE DEVICES \u2014 RESTRICTED\ + \ USE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node577 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node576 + description: Restrict the use of organization-controlled portable storage devices + by authorized individuals on external systems. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node578 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: INFORMATION SHARING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node579 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node578 + description: "a.\_\_\_\_\_ Enable authorized users to determine whether access\ + \ authorizations assigned to a sharing partner match the information\u2019\ + s access and use restrictions as defined in an executed information exchange\ + \ agreement; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node580 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node578 + description: "b.\_\_\_\_\_ Employ attribute-based access control (see AC-2(d)(3))\ + \ or manual processes as defined in information exchange agreements to assist\ + \ users in making information sharing and collaboration decisions." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: PUBLICLY ACCESSIBLE CONTENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node582 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + description: "a.\_\_\_\_\_ Designate individuals authorized to make information\ + \ publicly accessible;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node583 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + description: "b.\_\_\_\_\_ Train authorized individuals to ensure that publicly\ + \ accessible information does not contain nonpublic information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node584 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + description: "c.\_\_\_\_\_\_ Review the proposed content of information prior\ + \ to posting onto the publicly accessible system to ensure that nonpublic\ + \ information is not included; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node585 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + description: "d.\_\_\_\_\_ Review the content on the publicly accessible system\ + \ for nonpublic information quarterly and remove such information, if discovered." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-6: Identification and Authentication (IA)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Use of Originating Agency Identifiers in Transactions and Information + Exchanges + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node588 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + description: 'An FBI authorized originating agency identifier (ORI) shall be + used in each transaction on CJIS systems in order to identify the sending + agency and to ensure the proper level of access for each transaction. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node589 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + description: The original identifier between the requesting agency and the CSA/SIB/Channeler + shall be the ORI, and other agency identifiers, such as user identification + or personal identifier, an access device mnemonic, or the Internet Protocol + (IP) address. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node590 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + description: Because the agency performing the transaction may not necessarily + be the same as the agency requesting the transaction, the CSA/SIB/Channeler + shall ensure that the ORI for each transaction can be traced, via audit trail, + to the specific agency which is requesting the transaction. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node591 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + description: Agencies assigned a limited access ORI shall not use the full access + ORI of another agency to conduct an inquiry transaction. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Policy and Procedures + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node593 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: 'a. Develop, document, and disseminate to authorized personnel: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node594 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '1. Agency/Entity identification and authentication policy that: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node595 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '(a) Addresses purpose, scope, roles, responsibilities, management + commitment, coordination among organizational entities, and compliance; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node596 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '(b) Is consistent with applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node597 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '2. 
Procedures to facilitate the implementation of the identification + and authentication policy and the associated identification and authentication + controls; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node598 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: 'b. Designate an individual with security responsibilities to manage + the development, documentation, and dissemination of the identification and + authentication policy and procedures; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node599 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: 'c. Review and update the current identification and authentication: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node600 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '1. Policy annually and following any security incidents involving + unauthorized access to CJI or systems used to process, store, or transmit + CJI; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node601 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '2. Procedures annually and following any security incidents involving + unauthorized access to CJI or systems used to process, store, or transmit + CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node602 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node603 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node602 + description: Uniquely identify and authenticate organizational users and associate + that unique identification with processes acting on behalf of those users. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node604 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) | Multi-Factor + Authentication to Privileged Accounts + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node605 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node604 + description: 'Implement multi-factor authentication for access to privileged + accounts. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node606 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) | Multi-Factor + Authentication to Non-Privileged Accounts + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node607 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node606 + description: 'Implement multi-factor authentication for access to non-privileged + accounts. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node608 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) |Access to Accounts + - Replay Resistant + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node609 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node608 + description: 'Implement replay-resistant authentication mechanisms for access + to privileged and non-privileged accounts. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node610 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) | Acceptance + of PIV Credentials + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node611 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node610 + description: 'Accept and electronically verify Personal Identity Verification-compliant + credentials. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node612 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Device Identification and Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node613 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node612 + description: Uniquely identify and authenticate agency devices before establishing + all remote and network connections. In the instance of local connection, the + device must be approved by the agency and the device must be identified and + authenticated prior to connection to an agency asset. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identifier Management + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node615 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'Manage system identifiers by: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node616 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'a. 
Receiving authorization from organizational personnel with + identifier management responsibilities to assign an individual, group, role, + service, or device identifier; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node617 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'b. Selecting an identifier that identifies an individual, group, + role, service, or device; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node618 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'c. Assigning the identifier to the intended individual, group, + role, service, or device; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node619 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'd. Preventing reuse of identifiers for one (1) year. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node620 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identifier Management | Identify User Status + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node621 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node620 + description: 'Manage individual identifiers by uniquely identifying each individual + as agency or non-agency. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authenticator Management + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node623 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'Manage system authenticators by:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node624 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: a. Verifying, as part of the initial authenticator distribution, + the identity of the individual, group, role, service, or device receiving + the authenticator; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node625 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: b. Establishing initial authenticator content for any authenticators + issued by the organization; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node626 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: c. Ensuring that authenticators have sufficient strength of mechanism + for their intended use; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node627 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: d. Establishing and implementing administrative procedures for + initial authenticator distribution, for lost or compromised or damaged authenticators, + and for revoking authenticators; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node628 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: e. 
Changing default authenticators prior to first use; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node629 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: f. Changing or refreshing authenticators annually or when there + is evidence of authenticator compromise; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node630 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: g. Protecting authenticator content from unauthorized disclosure + and modification; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node631 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'h. Requiring individuals to take, and having devices implement, + specific controls to protect authenticators; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node632 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'i. Changing authenticators for group or role accounts when membership + to those accounts changes. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node633 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'j. All credential service providers (CSPs) authenticating claimants + at Authenticator Assurance Level 2 (AAL2) SHALL be assessed on the following + criteria:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node634 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Authentication SHALL occur by the\ + \ use of either a multi-factor authenticator or a combination of two single-factor\ + \ authenticators. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node635 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ If the multi-factor authentication\ + \ process uses a combination of two single-factor authenticators, then it\ + \ SHALL include a Memorized Secret authenticator and a possession-based authenticator.\ + \ (NIST 800-63B, Section 4.2.1)" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node636 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ Cryptographic authenticators used\ + \ at AAL2 SHALL use approved cryptography. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node637 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ At least one authenticator used at\ + \ AAL2 SHALL be replay resistant. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node638 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ Communication between the claimant\ + \ and verifier SHALL be via an authenticated protected channel. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node639 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ Verifiers operated by government agencies\ + \ at AAL2 SHALL be validated to meet the requirements of FIPS 140 Level 1. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node640 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ Authenticators procured by government\ + \ agencies SHALL be validated to meet the requirements of FIPS 140 Level 1. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node641 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If a device such as a smartphone is\ + \ used in the authentication process, then the unlocking of that device (typically\ + \ done using a PIN or biometric) SHALL NOT be considered one of the authentication\ + \ factors. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node642 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If a biometric factor is used in authentication\ + \ at AAL2, then the performance requirements stated in IA-5 m Biometric Requirements\ + \ SHALL be met. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node643 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(10)\_\_\_\_\_\_\_\_ Reauthentication of the subscriber SHALL\ + \ be repeated at least once per 12 hours during an extended usage session. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node644 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(11)\_\_\_\_\_\_\_\_ Reauthentication of the subscriber SHALL\ + \ be repeated following any period of inactivity lasting 30 minutes or longer. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node645 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(12)\_\_\_\_\_\_\_\_ The CSP SHALL employ appropriately tailored\ + \ security controls from the moderate baseline of security controls defined\ + \ in the CJIS Security Policy." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node646 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'The CSP SHALL ensure that the minimum assurance-related controls + for moderate-impact systems are satisfied. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node647 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(13)\_\_\_\_\_\_\_\_ The CSP SHALL comply with records retention\ + \ policies in accordance with applicable laws and regulations. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node648 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(14)\_\_\_\_\_\_\_\_ If the CSP opts to retain records in the\ + \ absence of any mandatory requirements, then the CSP SHALL conduct a risk\ + \ management process, including assessments of privacy and security risks\ + \ to determine how long records should be retained and SHALL inform subscribers\ + \ of that retention policy. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node649 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: k. Privacy requirements that apply to all CSPs, verifiers, and + RPs. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node650 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL employ appropriately\ + \ tailored privacy controls from the CJIS Security Policy. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node651 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP processes attributes for\ + \ purposes other than identity proofing, authentication, or attribute assertions\ + \ (collectively \u201Cidentity service\u201D), related fraud mitigation, or\ + \ to comply with law or legal process, then the CSP SHALL implement measures\ + \ to maintain predictability and manageability commensurate with the associated\ + \ privacy risk. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node652 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: l. General requirements applicable to AAL2 authentication process. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node653 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ CSPs SHALL provide subscriber instructions\ + \ on how to appropriately protect a physical authenticator against theft or\ + \ loss. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node654 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL provide a mechanism\ + \ to revoke or suspend the authenticator immediately upon notification from\ + \ subscriber that loss or theft of the authenticator is suspected. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node655 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ If required by the authenticator type\ + \ descriptions in IA-5(1), then the verifier SHALL implement controls to protect\ + \ against online guessing attacks. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node656 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ If required by the authenticator type\ + \ descriptions in IA-5(1) and the description of a given authenticator does\ + \ not specify otherwise, then the verifier SHALL limit consecutive failed\ + \ authentication attempts on a single account to no more than 100. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node657 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ If signed attestations are used, then\ + \ they SHALL be signed using a digital signature that provides at least the\ + \ minimum security strength specified in the latest revision of 112 bits as\ + \ of the date of this publication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node658 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If the verifier and CSP are separate\ + \ entities (as shown by the dotted line in Figure 8 Digital Identity Model),\ + \ then communications between the verifier and CSP SHALL occur through a mutually-authenticated\ + \ secure channel (such as a client-authenticated TLS connection). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node659 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP provides the subscriber\ + \ with a means to report loss, theft, or damage to an authenticator using\ + \ a backup or alternate authenticator, then that authenticator SHALL be either\ + \ a memorized secret or a physical authenticator. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node660 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP chooses to verify an address\ + \ of record (i.e., email, telephone, postal) and suspend authenticator(s)\ + \ reported to have been compromised, then...The suspension SHALL be reversible\ + \ if the subscriber successfully authenticates to the CSP using a valid (i.e.,\ + \ not suspended) authenticator and requests reactivation of an authenticator\ + \ suspended in this manner. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node661 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If and when an authenticator expires,\ + \ it SHALL NOT be usable for authentication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node662 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(10)\_\_\_\_\_\_\_\_ The CSP SHALL have a documented process to\ + \ require subscribers to surrender or report the loss of any physical authenticator\ + \ containing attribute certificates signed by the CSP as soon as practical\ + \ after expiration or receipt of a renewed authenticator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node663 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(11)\_\_\_\_\_\_\_\_ CSPs SHALL revoke the binding of authenticators\ + \ immediately upon notification when an online identity ceases to exist (e.g.,\ + \ subscriber\u2019s death, discovery of a fraudulent subscriber), when requested\ + \ by the subscriber, or when the CSP determines that the subscriber no longer\ + \ meets its eligibility requirements. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node664 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(12)\_\_\_\_\_\_\_\_ The CSP SHALL have a documented process to\ + \ require subscribers to surrender or report the loss of any physical authenticator\ + \ containing certified attributes signed by the CSP within five (5) days after\ + \ revocation or termination takes place. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node665 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'm. Biometric Requirements ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node666 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Biometrics SHALL be used only as part\ + \ of multi-factor authentication with a physical authenticator (something\ + \ you have). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node667 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ An authenticated protected channel\ + \ between sensor (or an endpoint containing a sensor that resists sensor replacement)\ + \ and verifier SHALL be established. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node668 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ The sensor or endpoint SHALL be authenticated\ + \ prior to capturing the biometric sample from the claimant. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node669 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ The biometric system SHALL operate\ + \ with an FMR [ISO/IEC 2382-37] of 1 in 1000 or better. 
This FMR SHALL be\ + \ achieved under conditions of a conformant attack (i.e., zero-effort impostor\ + \ attempt) as defined in [ISO/IEC 30107-1]. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node670 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ The biometric system SHALL allow no\ + \ more than 5 consecutive failed authentication attempts or 10 consecutive\ + \ failed attempts if PAD demonstrating at least 90% resistance to presentation\ + \ attacks is implemented. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node671 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ Once the limit on authentication failures\ + \ has been reached, the biometric authenticator SHALL either: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node672 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "\_\_\_\_\_\_ i.\_\_\_\_\_\_\_\_\_ Impose a delay of at least 30\ + \ seconds before the next attempt, increasing exponentially with each successive\ + \ attempt, or " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node673 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "\_\_\_\_ ii.\_\_\_\_\_\_\_\_\_ disable the biometric user authentication\ + \ and offer another factor (e.g., a different biometric modality or a PIN/Passcode\ + \ if it is not already a required factor) if such an alternative method is\ + \ already available. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node674 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ The verifier SHALL make a determination\ + \ of sensor and endpoint performance, integrity, and authenticity. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node675 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If biometric comparison is performed\ + \ centrally, then use of the biometric as an authentication factor SHALL be\ + \ limited to one or more specific devices that are identified using approved\ + \ cryptography. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node676 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If biometric comparison is performed\ + \ centrally, then a separate key SHALL be used for identifying the device. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node677 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(10)\_\_\_\_\_\_\_\_ If biometric comparison is performed centrally,\ + \ then biometric revocation, referred to as biometric template protection\ + \ in ISO/IEC 24745, SHALL be implemented. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node678 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(11)\_\_\_\_\_\_\_\_ If biometric comparison is performed centrally,\ + \ all transmission of biometrics SHALL be over the authenticated protected\ + \ channel. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node679 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(12)\_\_\_\_\_\_\_\_ Biometric samples and any biometric data\ + \ derived from the biometric sample such as a probe produced through signal\ + \ processing SHALL be zeroized immediately after any training or research\ + \ data has been derived " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node680 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "n. Authenticator binding refers to the establishment of an association\ + \ between a specific authenticator and a subscriber\u2019s account, enabling\ + \ the authenticator to be used \u2014 possibly in conjunction with other authenticators\ + \ \u2014 to authenticate for that account." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node681 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Authenticators SHALL be bound to subscriber\ + \ accounts by either issuance by the CSP as part of enrollment or associating\ + \ a subscriber-provided authenticator that is acceptable to the CSP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node682 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ Throughout the digital identity lifecycle,\ + \ CSPs SHALL maintain a record of all authenticators that are or have been\ + \ associated with each identity. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node683 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP or verifier SHALL maintain\ + \ the information required for throttling authentication attempts. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node684 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL also verify the type\ + \ of user-provided authenticator so verifiers can determine compliance with\ + \ requirements at each AAL. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node685 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ The record created by the CSP SHALL\ + \ contain the date and time the authenticator was bound to the account. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node686 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ When any new authenticator is bound\ + \ to a subscriber account, the CSP SHALL ensure that the binding protocol\ + \ and the protocol for provisioning the associated key(s) are done at AAL2. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node687 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ Protocols for key provisioning SHALL\ + \ use authenticated protected channels or be performed in person to protect\ + \ against man-in-the- middle attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node688 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ Binding of multi-factor authenticators\ + \ SHALL require multi-factor authentication (or equivalent) at identity proofing. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node689 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ At enrollment, the CSP SHALL bind\ + \ at least one, and SHOULD \_\_\_\_bind at least two, physical (something\ + \ you have) authenticators to the subscriber\u2019s online identity, in addition\ + \ to a memorized secret or one or more biometrics. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node690 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(10)\_\_\_\_\_\_\_\_ At enrollment, authenticators at AAL2 and\ + \ IAL2 SHALL be bound to the account. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node691 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(11)\_\_\_\_\_\_\_\_ If the subscriber is authenticated at AAL1,\ + \ then the CSP SHALL NOT expose personal information, even if self-asserted,\ + \ to the subscriber. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node692 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(12)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ remotely and cannot be completed in a single electronic transaction, then\ + \ the applicant SHALL identify themselves in each new binding transaction\ + \ by presenting a temporary secret which was either established during a prior\ + \ transaction, or sent to the applicant\u2019s phone number, email address,\ + \ or postal address of record. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node693 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(13)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ remotely and cannot be completed in a single electronic transaction, then\ + \ long-term authenticator secrets are delivered to the applicant within a\ + \ protected session. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node694 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(14)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ in person and cannot be completed in a single physical encounter, the applicant\ + \ SHALL identify themselves in person by either using a secret as described\ + \ in IA-5 n (12) above, or through use of a biometric that was recorded during\ + \ a prior encounter. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node695 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(15)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ in person and cannot be completed in a single physical encounter, temporary\ + \ secrets SHALL NOT be reused. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node696 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(16)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ in person and cannot be completed in a single physical encounter and the\ + \ CSP issues long-term authenticator secrets during a physical transaction,\ + \ they SHALL be loaded locally onto a physical device that is issued in person\ + \ to the applicant or delivered in a manner that confirms the address of record. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node697 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(17)\_\_\_\_\_\_\_\_ Before adding a new authenticator to a subscriber\u2019\ + s account, the CSP SHALL first require the subscriber to authenticate at AAL2\ + \ (or a higher AAL) at which the new authenticator will be used. \_\_\_\_" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node698 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(18)\_\_\_\_\_\_\_\_ If the subscriber\u2019s account has only\ + \ one authentication factor bound to it, the CSP SHALL require the subscriber\ + \ to authenticate at AAL1 in order to bind an additional authenticator of\ + \ a different authentication factor. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node699 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(19)\_\_\_\_\_\_\_\_ If a subscriber loses all authenticators\ + \ of a factor necessary to complete multi-factor authentication and has been\ + \ identity proofed at IAL2, that subscriber SHALL repeat the identity proofing\ + \ process described in IA-12. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node700 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(20)\_\_\_\_\_\_\_\_ If a subscriber loses all authenticators\ + \ of a factor necessary to complete multi-factor authentication and has been\ + \ identity proofed at IAL2 or IAL3, the CSP SHALL require the claimant to\ + \ authenticate using an authenticator of the remaining factor, if any, to\ + \ confirm binding to the existing identity. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node701 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(21)\_\_\_\_\_\_\_\_ If the CSP opts to allow binding of a new\ + \ memorized secret with the use of two physical authenticators, then it requires\ + \ entry of a confirmation code sent to an address of record. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node702 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(22)\_\_\_\_\_\_\_\_ If the CSP opts to allow binding of a new\ + \ memorized secret with the use of two physical authenticators, then the confirmation\ + \ code SHALL consist of at least 6 random alphanumeric characters generated\ + \ by an approved random bit generator [SP 800-90Ar1]. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node703 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(23)\_\_\_\_\_\_\_\_ If the CSP opts to allow binding of a new\ + \ memorized secret with the use of two physical authenticators, then the confirmation\ + \ code SHALL be valid for a maximum of 7 days but MAY be made valid up to\ + \ 21 days via an exception process to accommodate addresses outside the direct\ + \ reach of the U.S. Postal Service. Confirmation codes sent by means other\ + \ than physical mail SHALL be valid for a maximum of 5 minutes. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node704 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'o. Session Management: The following requirements apply to applications + where a session is maintained between the subscriber and relying party to + allow multiple interactions without repeating the authentication event each + time.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node705 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1) Session Binding Requirements: A session occurs between\ + \ the software that a subscriber is running \u2014 such as a browser, application,\ + \ or operating system (i.e., the session subject) \u2014 and the RP or CSP\ + \ that the subscriber is accessing (i.e., the session host)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node706 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "a. A session is maintained by a session secret which SHALL\ + \ be shared between the subscriber\u2019s software and the service being accessed. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node707 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "b. The secret SHALL be presented directly by the subscriber\u2019\ + s software or possession of the secret SHALL be proven using a cryptographic\ + \ mechanism. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node708 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'c. The secret used for session binding SHALL be generated by + the session host in direct response to an authentication event. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node709 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'd. A session SHALL NOT be considered at a higher AAL than the + authentication event. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node710 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: e. 
Secrets used for session binding SHALL be generated by the + session host during an interaction, typically immediately following authentication. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node711 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'f. Secrets used for session binding SHALL be generated by an + approved random bit generator [SP 800-90Ar1]. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node712 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'g. Secrets used for session binding SHALL contain at least + 64 bits of entropy. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node713 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'h. Secrets used for session binding SHALL be erased or invalidated + by the session subject when the subscriber logs out. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node714 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'i. Secrets used for session binding SHALL be sent to and received + from the device using an authenticated protected channel. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node715 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'j. Secrets used for session binding SHALL time out and not + be accepted after the times specified in IA-5 j (13) as appropriate for the + AAL. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node716 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "k. Secrets used for session binding SHALL NOT be available\ + \ to insecure communications between the host and subscriber\u2019s endpoint. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node717 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'l. Authenticated sessions SHALL NOT fall back to an insecure + transport, such as from https to http, following authentication. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node718 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'm. URLs or POST content SHALL contain a session identifier + that SHALL be verified by the RP to ensure that actions taken outside the + session do not affect the protected session. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node719 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'n. Browser cookies SHALL be tagged to be accessible only on + secure (HTTPS) sessions. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node720 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'o. Browser cookies SHALL be accessible to the minimum practical + set of hostnames and paths. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node721 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'p. Expiration of browser cookies SHALL NOT be depended upon + to enforce session timeouts. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node722 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'q. The presence of an OAuth access token SHALL NOT be interpreted + by the RP as presence of the subscriber, in the absence of other signals. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node723 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: (2) Reauthentication Requirements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node724 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'a. Continuity of authenticated sessions SHALL be based upon + the possession of a session secret issued by the verifier at the time of authentication + and optionally refreshed during the session. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node725 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'b. Session secrets SHALL be non-persistent, i.e., they SHALL + NOT be retained across a restart of the associated application or a reboot + of the host device. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node726 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'c. Periodic reauthentication of sessions (at least every 12 + hours per session) SHALL be performed to confirm the continued presence of + the subscriber at an authenticated session. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node727 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "d. A session SHALL NOT be extended past the guidelines in IA-5\ + \ o (2) a \u2013 j based on presentation of the session secret alone. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node728 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'e. Prior to session expiration, the reauthentication time limit + SHALL be extended by prompting the subscriber for the authentication factor(s) + of a memorized secret or biometric. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node729 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'f. If federated authentication is being used, then since the + CSP and RP often employ separate session management technologies, there SHALL + NOT be any assumption of correlation between these sessions. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node730 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "g. An RP requiring reauthentication through a federation protocol\ + \ SHALL \u2014 if possible within the protocol \u2014 specify the maximum\ + \ (see IA-5 j (10)) acceptable authentication age to the CSP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node731 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'h. If federated authentication if being used and an RP has + specific authentication age (see IA-5 j (10)) requirements that it has communicated + to the CSP, then the CSP SHALL reauthenticate the subscriber if they have + not been authenticated within that time period. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node732 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'i. If federated authentication is being used, the CSP SHALL + communicate the authentication event time to the RP to allow the RP to decide + if the assertion is sufficient for reauthentication and to determine the time + for the next reauthentication event. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authenticator Management | Authenticator Types + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node734 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(a) Memorized Secret Authenticators and Verifiers:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node735 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Maintain a list of commonly-used,\ + \ expected, or compromised passwords and update the list quarterly and when\ + \ organizational passwords are suspected to have been compromised directly\ + \ or indirectly; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node736 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ Require immediate selection of a new\ + \ password upon account recovery; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node737 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ Allow user selection of long passwords\ + \ and passphrases, including spaces and all printable characters; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node738 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ Employ automated tools to assist the\ + \ user in selecting strong password authenticators; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node739 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ Enforce the following composition\ + \ and 
complexity rules: when agencies elect to follow basic password standards. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node740 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(a) Not be a proper name. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node741 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(b) Not be the same as the Userid. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node742 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(c) Expire within a maximum of 90 calendar days. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node743 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(d) Not be identical to the previous ten (10) passwords. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node744 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(e) Not be displayed when entered. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node745 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If chosen by the subscriber, memorized\ + \ secrets SHALL be at least 8 characters in length. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node746 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ If chosen by the CSP or verifier using\ + \ an approved random number generator, memorized secrets SHALL be at least\ + \ 6 characters in length. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node747 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ Truncation of the secret SHALL NOT\ + \ be performed. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node748 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ Memorized secret verifiers SHALL NOT\ + \ permit the subscriber to store a \u201Chint\u201D that is accessible to\ + \ an unauthenticated claimant. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node749 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ Verifiers SHALL NOT prompt subscribers to\ + \ use specific types of information (e.g., \u201CWhat was the name of your\ + \ first pet?\u201D) when choosing memorized secrets. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node750 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ When processing requests to establish and\ + \ change memorized secrets, verifiers SHALL compare the prospective secrets\ + \ against a list that contains values known to be commonly used, expected,\ + \ or compromised. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node751 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ If a chosen secret is found in the list,\ + \ the CSP or verifier SHALL advise the subscriber that they need to select\ + \ a different secret." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node752 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ If a chosen secret is found in the list,\ + \ the CSP or verifier SHALL provide the reason for rejection. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node753 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ If a chosen secret is found in the list,\ + \ the CSP or verifier SHALL require the subscriber to choose a different value. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node754 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(15)\_\_\_\_\_\_\_\_ Verifiers SHALL implement a rate-limiting\ + \ mechanism that effectively limits failed authentication attempts that can\ + \ be made on the subscriber\u2019s account to no more than five." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node755 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(16)\_\_\_\_\_\_\_\_ Verifiers SHALL force a change of memorized\ + \ secret if there is evidence of compromise of the authenticator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node756 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(17)\_\_\_\_\_\_\_\_ The verifier SHALL use approved encryption\ + \ when requesting memorized secrets in order to provide resistance to eavesdropping\ + \ and MitM attacks. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node757 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(18)\_\_\_\_\_\_\_\_ The verifier SHALL use an authenticated protected\ + \ channel when requesting memorized secrets in order to provide resistance\ + \ to eavesdropping and MitM attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node758 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(19)\_\_\_\_\_\_\_\_ Verifiers SHALL store memorized secrets in\ + \ a form that is resistant to offline attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node759 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(20)\_\_\_\_\_\_\_\_ Memorized secrets SHALL be salted and hashed\ + \ using a suitable one-way key derivation function. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node760 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(21)\_\_\_\_\_\_\_\_ The salt SHALL be at least 32 bits in length\ + \ and be chosen arbitrarily to minimize salt value collisions among stored\ + \ hashes. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node761 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(22)\_\_\_\_\_\_\_\_ Both the salt value and the resulting hash\ + \ SHALL be stored for each subscriber using a memorized secret authenticator " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node762 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(23)\_\_\_\_\_\_\_\_ If an additional iteration of a key derivation\ + \ function using a salt value known only to the verifier is performed, then\ + \ this secret salt value SHALL be generated with an approved random bit generator\ + \ and of sufficient length. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node763 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(24)\_\_\_\_\_\_\_\_ If an additional iteration of a key derivation\ + \ function using a salt value known only to the verifier is performed, then\ + \ this secret salt value SHALL provide at least the minimum-security strength. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node764 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(25)\_\_\_\_\_\_\_\_ If an additional iteration of a key derivation\ + \ function using a salt value known only to the verifier is performed, then\ + \ this secret salt value SHALL be stored separately from the memorized secrets. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node765 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: (b) Look-Up Secret Authenticators and Verifiers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node766 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ CSPs creating look-up secret authenticators\ + \ SHALL use an approved random bit generator to generate the list of secrets. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node767 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ Look-up secrets SHALL have at least\ + \ 20 bits of entropy. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node768 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ If look-up secrets are distributed\ + \ online, then they SHALL be distributed over a secure channel in accordance\ + \ with the post-enrollment binding requirements in IA-5 n 17 through 25. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node769 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ Verifiers of look-up secrets SHALL\ + \ prompt the claimant for the next secret from their authenticator or for\ + \ a specific (e.g., numbered) secret. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node770 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ A given secret from an authenticator\ + \ SHALL be used successfully only once. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node771 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If a look-up secret is derived from\ + \ a grid (bingo) card, then each cell of the grid SHALL be used only once. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node772 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ Verifiers SHALL store look-up secrets\ + \ in a form that is resistant to offline attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node773 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If look-up secrets have at least 112\ + \ bits of entropy, then they SHALL be hashed with an approved one-way function " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node774 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If look-up secrets have less than\ + \ 112 bits of entropy, then they SHALL be salted and hashed using a suitable\ + \ one-way key derivation function. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node775 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ If look-up secrets have less than 112 bits\ + \ of entropy, then the salt SHALL be at least 32 bits in length and be chosen\ + \ arbitrarily to minimize salt value collisions among stored hashes. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node776 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ If look-up secrets have less than 112 bits\ + \ of entropy, then both the salt value and the resulting hash SHALL be stored\ + \ for each look-up secret " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node777 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ If look-up secrets that have less than 64\ + \ bits of entropy, then the verifier SHALL implement a rate-limiting mechanism\ + \ that effectively limits the number of failed authentication attempts that\ + \ can be made on the subscriber\u2019s account. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node778 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ The verifier SHALL use approved encryption\ + \ when requesting look-up secrets in order to provide resistance to eavesdropping\ + \ and MitM attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node779 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ The verifier SHALL use an authenticated protected\ + \ channel when requesting look-up secrets in order to provide resistance to\ + \ eavesdropping and MitM attacks. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node780 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: (c) Out-of-Band Authenticators and Verifiers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node781 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ The out-of-band authenticator SHALL\ + \ establish a separate channel with the verifier in order to retrieve the\ + \ out-of-band secret or authentication request. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node782 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ Communication over the secondary channel\ + \ SHALL be encrypted unless sent via the public switched telephone network\ + \ (PSTN). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node783 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ Methods that do not prove possession\ + \ of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be\ + \ used for out-of-band authentication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node784 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ If PSTN is not being used for out-of-band\ + \ communication, then the out-of-band authenticator SHALL uniquely authenticate\ + \ itself by establishing an authenticated protected channel with the verifier. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node785 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ If PSTN is not being used for out-of-band\ + \ communication, then the out-of-band authenticator SHALL communicate with\ + \ the verifier using approved cryptography. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node786 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If PSTN is not being used for out-of-band\ + \ communication, then the key used to authenticate the out-of-band device\ + \ SHALL be stored in suitably secure storage available to the authenticator\ + \ application (e.g., keychain storage, TPM, TEE, secure element). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node787 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ If the PSTN is used for out-of-band\ + \ authentication and a secret is sent to the out-of-band device via the PSTN,\ + \ then the out-of-band authenticator SHALL uniquely authenticate itself to\ + \ a mobile telephone network using a SIM card or equivalent that uniquely\ + \ identifies the device. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node788 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If the out-of-band authenticator sends\ + \ an approval message over the secondary communication channel, it SHALL either\ + \ accept transfer of a secret from the primary channel to be sent to the verifier\ + \ via the secondary communications channel, or present a secret received via\ + \ the secondary channel from the verifier and prompt the claimant to verify\ + \ the consistency of that secret with the primary channel, prior to accepting\ + \ a yes/no response from the claimant which it sends to the verifier. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node789 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ The verifier SHALL NOT store the identifying\ + \ key itself, but SHALL use a verification method (e.g., an approved hash\ + \ function or proof of possession of the identifying key) to uniquely identify\ + \ the authenticator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node790 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ Depending on the type of out-of-band authenticator,\ + \ one of the following SHALL take place: transfer of a secret to the primary\ + \ channel, transfer of a secret to the secondary channel, or verification\ + \ of secrets by the claimant. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node791 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ If the out-of-band authenticator operates\ + \ by transferring the secret to the primary channel, then the verifier SHALL\ + \ transmit a random secret to the out-of-band authenticator and then wait\ + \ for the secret to be returned on the primary communication channel. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node792 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ If the out-of-band authenticator operates\ + \ by transferring the secret to the secondary channel, then the verifier SHALL\ + \ display a random authentication secret to the claimant via the primary channel\ + \ and then wait for the secret to be returned on the secondary channel from\ + \ the claimant\u2019s out-of- band authenticator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node793 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ If the out-of-band authenticator operates\ + \ by verification of secrets by the claimant, then the verifier SHALL display\ + \ a random authentication secret to the claimant via the primary channel,\ + \ send the same secret to the out-of-band authenticator via the secondary\ + \ channel for presentation to the claimant, and then wait for an approval\ + \ (or disapproval) message via the secondary channel. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node794 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ The authentication SHALL be considered invalid\ + \ if not completed within 10 minutes. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node795 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(15)\_\_\_\_\_\_\_\_ Verifiers SHALL accept a given authentication\ + \ secret only once during the validity period. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node796 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(16)\_\_\_\_\_\_\_\_ The verifier SHALL generate random authentication\ + \ secrets with at least 20 bits of entropy. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node797 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(17)\_\_\_\_\_\_\_\_ The verifier SHALL generate random authentication\ + \ secrets using an approved random bit generator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node798 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(18)\_\_\_\_\_\_\_\_ If the authentication secret has less than\ + \ 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism\ + \ that effectively limits the number of failed authentication attempts that\ + \ can be made on the subscriber\u2019s account as described in IA-5 l (3)\ + \ through (4). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node799 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(19)\_\_\_\_\_\_\_\_ If out-of-band verification is to be made\ + \ using the PSTN, then the verifier SHALL verify that the pre-registered telephone\ + \ number being used is associated with a specific physical device. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node800 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(20)\_\_\_\_\_\_\_\_ If out-of-band verification is to be made\ + \ using the PSTN, then changing the pre-registered telephone number is considered\ + \ to be the binding of a new authenticator and SHALL only occur as described\ + \ in IA-5 n (17) through (25). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node801 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(21)\_\_\_\_\_\_\_\_ If PSTN is used for out-of-band authentication,\ + \ then the CSP SHALL offer subscribers at least one alternate authenticator\ + \ that is not RESTRICTED and can be used to authenticate at the required AAL. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node802 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(22)\_\_\_\_\_\_\_\_ If PSTN is used for out-of-band authentication,\ + \ then the CSP SHALL Provide meaningful notice to subscribers regarding the\ + \ security risks of the RESTRICTED authenticator and availability of alternative(s)\ + \ that are not RESTRICTED. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node803 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(23)\_\_\_\_\_\_\_\_ If PSTN is used for out-of-band authentication,\ + \ then the CSP SHALL address any additional risk to subscribers in its risk\ + \ assessment. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node804 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(24)\_\_\_\_\_\_\_\_ If PSTN is used for out-of-band authentication,\ + \ then the CSP SHALL develop a migration plan for the possibility that the\ + \ RESTRICTED authenticator is no longer acceptable at some point in the future\ + \ and include this migration plan in its digital identity acceptance statement. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node805 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: (d) OTP Authenticators and Verifiers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node806 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ The secret key and its algorithm SHALL\ + \ provide at least the minimum security strength of 112 bits as of the date\ + \ of this publication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node807 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ The nonce SHALL be of sufficient length\ + \ to ensure that it is unique for each operation of the device over its lifetime. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node808 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ OTP authenticators \u2014 particularly\ + \ software-based OTP generators \u2014SHALL NOT facilitate the cloning of\ + \ the secret key onto multiple devices. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node809 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ The authenticator output SHALL have\ + \ at least 6 decimal digits (approximately 20 bits) of entropy. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node810 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ If the nonce used to generate the\ + \ authenticator output is based on a real-time clock, then the nonce SHALL\ + \ be changed at least once every 2 minutes. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node811 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ The OTP value associated with a given\ + \ nonce SHALL be accepted only once. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node812 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ The symmetric keys used by authenticators\ + \ are also present in the verifier and SHALL be strongly protected against\ + \ compromise. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node813 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If a single-factor OTP authenticator\ + \ is being associated with a subscriber account, then the verifier or associated\ + \ CSP SHALL use approved cryptography to either generate and exchange or to\ + \ obtain the secrets required to duplicate the authenticator output. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node814 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ The verifier SHALL use approved encryption\ + \ when collecting the OTP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node815 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ The verifier SHALL use an authenticated protected\ + \ channel when collecting the OTP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node816 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ If a time-based OTP is used, it SHALL have\ + \ a defined lifetime (recommended 30 seconds) that is determined by the expected\ + \ clock drift \u2014 in either direction \u2014 of the authenticator over\ + \ its lifetime, plus allowance for network delay and user entry of the OTP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node817 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ Verifiers SHALL accept a given time-based\ + \ OTP only once during the validity period. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node818 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ If the authenticator output has less than\ + \ 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism\ + \ that effectively limits the number of failed authentication attempts that\ + \ can be made on the subscriber\u2019s account as described in IA-5 l (3)\ + \ through (4). 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node819 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ each use of the authenticator SHALL require the input of the additional\ + \ factor. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node820 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(15)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor and\ + \ a memorized secret is used by the authenticator for activation, then that\ + \ memorized secret SHALL be a randomly chosen numeric secret at least 6 decimal\ + \ digits in length or other memorized secret meeting the requirements of IA-5\ + \ (1)(a). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node821 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(16)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ use of a memorized secret for activation SHALL be rate limited as specified\ + \ in IA-5 l (3) through (4). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node822 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(17)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor and\ + \ is activated by a biometric factor, then that factor SHALL meet the requirements\ + \ of IA-5 m, including limits on the number of consecutive authentication\ + \ failures. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node823 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(18)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ the unencrypted key and activation secret or biometric sample \u2014 and\ + \ any biometric data derived from the biometric sample such as a probe produced\ + \ through signal processing \u2014 SHALL be zeroized immediately after an\ + \ OTP has been generated. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node824 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(19)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, the\ + \ verifier or CSP SHALL establish, via the authenticator source, that the\ + \ authenticator is a multi-factor device. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node825 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(20)\_\_\_\_\_\_\_\_ In the absence of a trusted statement \_\ + that it is a multi-factor device, the verifier SHALL treat the authenticator\ + \ as single-factor, in accordance with IA-5 (1) (d) (1) through (13). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node826 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: (e) Cryptographic Authenticators and Verifiers (including single- + and multi-factor cryptographic authenticators, both hardware- and software-based) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node827 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ If the cryptographic authenticator\ + \ is software based, the key SHALL be stored in suitably secure storage available\ + \ to the authenticator application. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node828 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ If the cryptographic authenticator\ + \ is software based, the key SHALL be strongly protected against unauthorized\ + \ disclosure by the use of access controls that limit access to the key to\ + \ only those software components on the device requiring access. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node829 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ If the cryptographic authenticator\ + \ is software based, it SHALL NOT facilitate the cloning of the secret key\ + \ onto multiple devices. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node830 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ If the authenticator is single-factor\ + \ and hardware-based, secret keys unique to the device SHALL NOT be exportable\ + \ (i.e., cannot be removed from the device). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node831 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ If the authenticator is hardware-based,\ + \ the secret key and its algorithm SHALL provide at least the minimum-security\ + \ length of 112 bits as of the date of this publication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node832 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If the authenticator is hardware-based,\ + \ the challenge nonce SHALL be at least 64 bits in length. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node833 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ If the authenticator is hardware-based,\ + \ approved cryptography SHALL be used. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node834 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ Cryptographic keys stored by the verifier\ + \ SHALL be protected against modification. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node835 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If symmetric keys are used, cryptographic\ + \ keys stored by the verifier SHALL be protected against disclosure. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node836 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ The challenge nonce SHALL be at least 64\ + \ bits in length. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node837 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ The challenge nonce SHALL either be unique\ + \ over the authenticator\u2019s lifetime or statistically unique (i.e., generated\ + \ using an approved random bit generator). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node838 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ The verification operation SHALL use approved\ + \ cryptography. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node839 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ If a multi-factor cryptographic software\ + \ authenticator is being used, then each authentication requires the presentation\ + \ of the activation factor. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node840 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ any memorized secret used by the authenticator for activation SHALL be a\ + \ randomly chosen numeric secret at least 6 decimal digits in length or other\ + \ memorized secret meeting the requirements of IA-5 (1) (a). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node841 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(15)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ use of a memorized secret for activation SHALL be rate limited as specified\ + \ in IA-5 l (3) through (4). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node842 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(16)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor and\ + \ is activated by a biometric factor, then that factor SHALL meet the requirements\ + \ of IA-5 m, including limits on the number of consecutive authentication\ + \ failures. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node843 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(17)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ the unencrypted key and activation secret or biometric sample \u2014 and\ + \ any biometric data derived from the biometric sample such as a probe produced\ + \ through signal processing \u2014 SHALL be zeroized immediately after an\ + \ authentication transaction has taken place. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authenticator Management | Public Key Based Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node845 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: '(a) For public key-based authentication:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node846 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: (1) Enforce authorized access to the corresponding private key; + and + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node847 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: (2) Map the authenticated identity to the account of the individual + or group; and + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node848 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: '(b) When public key infrastructure (PKI) is used:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node849 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: (1) Validate certificates by constructing and verifying a certification + path to an accepted trust anchor, including 
checking certificate status information; + and + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node850 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: (2) Implement a local cache of revocation data to support path + discovery and validation. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node851 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authenticator Management | Protection of Authenticators + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node852 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node851 + description: Protect authenticators commensurate with the security category + of the information to which use of the authenticator permits access. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node853 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authentication Feedback + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node854 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node853 + description: 'Obscure feedback of authentication information during the authentication + process to protect the information from possible exploitation and use by unauthorized + individuals. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node855 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Cryptographic Module Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node856 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node855 + description: 'Implement mechanisms for authentication to a cryptographic module + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node857 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Non-Organizational Users) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node858 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node857 + description: 'Control: Uniquely identify and authenticate non-organizational + users or processes acting on behalf of non-organizational users.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node859 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Non-Organizational Users) | Acceptance + of PIV Credentials From Other Agencies + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node860 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node859 + description: 'Accept and electronically verify Personal Identity Verification-compliant + credentials from other federal, state, local, tribal, or territorial (SLTT) + agencies. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node861 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Non-Organizational Users) | Acceptance + of External Authenticators + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node862 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node861 + description: '(a) Accept only external authenticators that are NIST-compliant; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node863 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node861 + description: '(b) Document and maintain a list of accepted external authenticators. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node864 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Non-Organizational Users) | Use of + Defined Profiles + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node865 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node864 + description: 'Conform to the following profiles for identity management: Security + Assertion Markup Language (SAML) or OpenID Connect. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node866 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Re-Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node867 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node866 + description: 'Require users to re-authenticate when: roles, authenticators, + or credentials change, security categories of systems change, the execution + of privileged functions occur, or every 12 hours.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node868 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identity Proofing + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node869 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node868 + description: 'a. Identity proof users that require accounts for logical access + to systems based on appropriate identity assurance level requirements as specified + in applicable standards and guidelines; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node870 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node868 + description: 'b. 
Resolve user identities to a unique individual; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node871 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node868 + description: 'c. Collect, validate, and verify identity evidence. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node872 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identity Proofing | Identity Evidence + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node873 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node872 + description: 'Require evidence of individual identification be presented to + the registration authority. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identity Proofing | Identity Evidence Validation and Verification + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node875 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "a.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Require that the presented identity\ + \ evidence be validated and verified through agency defined resolution, validation,\ + \ and verification methods. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node876 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "b.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Identity proofing SHALL NOT be\ + \ performed to determine suitability or entitlement to gain access to services\ + \ or benefits. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node877 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 'c. 1. Collection of PII SHALL be limited to the minimum necessary + to resolve to a unique identity in a given context. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node878 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '2. Collection of PII SHALL be limited to the minimum necessary + to validate the existence of the claimed identity and associate the claimed + identity with the applicant providing identity evidence for appropriate identity + resolution, validation, and verification. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node879 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "d.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL provide explicit\ + \ notice to the applicant at the time of collection regarding the purpose\ + \ for collecting and maintaining a record of the attributes necessary for\ + \ identity proofing, including whether such attributes are voluntary or mandatory\ + \ to complete the identity proofing process, and the consequences for not\ + \ providing the attributes. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node880 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "e.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ If CSPs process attributes for\ + \ purposes other than identity proofing, authentication, or attribute assertions\ + \ (collectively \u201Cidentity service\u201D), related fraud mitigation, or\ + \ to comply with law or legal process, then CSPs SHALL implement measures\ + \ to maintain predictability and manageability commensurate with the privacy\ + \ risk arising from the additional processing. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node881 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "f.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP employs consent as\ + \ part of its measures to maintain predictability and manageability, \u2026\ + then it SHALL NOT make consent for the additional processing a condition of\ + \ the identity service. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node882 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "g.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL provide mechanisms\ + \ for redress of applicant complaints or problems arising from the identity\ + \ proofing. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node883 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 'These [redress] mechanisms SHALL be easy for applicants to find + and use. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node884 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "h.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL assess the [redress]\ + \ mechanisms for their efficacy in achieving resolution of complaints or problems. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node885 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "i.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The identity proofing and enrollment\ + \ processes SHALL be performed according to an applicable written policy or\ + \ *practice statement* that specifies the particular steps taken to verify\ + \ identities. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node886 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "j.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The *practice statement* SHALL\ + \ include control information detailing how the CSP handles proofing errors\ + \ that result in an applicant not being successfully enrolled. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node887 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "k.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL maintain a record,\ + \ including audit logs, of all steps taken to verify the identity of the applicant\ + \ as long as the identity exists in the information system." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node888 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "l.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL record the types\ + \ of identity evidence presented in the proofing process. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node889 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "m.\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL conduct a risk management\ + \ process, including assessments of privacy and security risks to determine:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node890 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 1. Any steps that it will take to verify the identity of the + applicant beyond any mandatory requirements specified herein; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node891 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '2. 
The PII, including any biometrics, images, scans, or other + copies of the identity evidence that the CSP will maintain as a record of + identity proofing (Note: Specific federal requirements may apply); and' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node892 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '3. The schedule of retention for these records (Note: CSPs may + be subject to specific retention policies in accordance with applicable laws, + regulations, or policies, including any National Archives and Records Administration + (NARA) records retention schedules that may apply). ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node893 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "n.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ All PII collected as part of the\ + \ enrollment process SHALL be protected to ensure confidentiality, integrity,\ + \ and attribution of the information source. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node894 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "o.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ \"The entire proofing transaction,\ + \ including transactions that involve a third party, SHALL occur over authenticated\ + \ protected channels. \"" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node895 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "p.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ \"If the CSP uses fraud mitigation\ + \ measures, then the CSP SHALL conduct a privacy risk assessment for these\ + \ mitigation measures. 
\"" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node896 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "Such assessments SHALL include any privacy risk mitigations (e.g.,\ + \ risk acceptance or transfer, limited retention, use limitations, notice)\ + \ or other technological mitigations (e.g., cryptography), and be documented\ + \ per requirement IA-12(3) k \u2013 m above. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node897 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "q.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ In the event a CSP ceases to conduct\ + \ identity proofing and enrollment processes, then the CSP SHALL be responsible\ + \ for fully disposing of or destroying any sensitive data including PII, or\ + \ its protection from unauthorized access for the duration of retention. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node898 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "r.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Regardless of whether the CSP\ + \ is a federal agency or non- federal entity, the following requirements apply\ + \ to the federal agency offering or using the proofing service:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node899 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 1. The agency SHALL consult with their Senior Agency Official + for Privacy (SAOP) to conduct an analysis determining whether the collection + of PII to conduct identity proofing triggers Privacy Act requirements. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node900 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 2. The agency SHALL publish a System of Records Notice (SORN) + to cover such collection, as applicable. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node901 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 3. The agency SHALL consult with their SAOP to conduct an analysis + determining whether the collection of PII to conduct identity proofing triggers + E-Government Act of 2002 requirements. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node902 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '4. The agency SHALL publish a Privacy Impact Assessment (PIA) + to cover such collection, as applicable. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node903 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "s.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ An enrollment code SHALL be comprised\ + \ of one of the following:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node904 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 1. Minimally, a random six character alphanumeric or equivalent + entropy. For example, a code generated using an approved random number generator + or a serial number for a physical hardware authenticator; OR + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node905 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '2. A machine-readable optical label, such as a QR Code, that + contains data of similar or higher entropy as a random six character alphanumeric. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node906 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "t.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Training requirements for personnel\ + \ validating evidence SHALL be based on the policies, guidelines, or requirements\ + \ of the CSP or RP. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node907 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "u.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ This criterion applies to CSPs\ + \ that provide identity proofing and enrollment services to minors (under\ + \ the age of 18):" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node908 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "If the CSP provides identity proofing and enrollment services\ + \ to minors (under the age of 18), then\u2026the CSP SHALL give special consideration\ + \ to the legal restrictions of interacting with minors unable to meet the\ + \ evidence requirements of identity proofing [to ensure compliance with the\ + \ Children\u2019s Online Privacy Protection Act of 1998 (COPPA), and other\ + \ laws, as applicable]. \"" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node909 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: Requirements v and w apply to the collection of biometric characteristics + for in-person (physical or supervised remote) identity proofing and are mandatory + at IAL3. These criteria also apply to CSPs that optionally choose to collect + biometric characteristics through in-person identity-proofing identity proofing + and enrollment at IAL2. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node910 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "v.\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL have the operator view\ + \ the biometric source (e.g., fingers, face) for presence of non-natural materials\ + \ and perform such inspections as part of the proofing process. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node911 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "w.\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL collect biometrics in\ + \ such a way that ensures that the biometric is collected from the applicant,\ + \ and not another subject. All biometric performance requirements in IA-5\ + \ m (1) through (12) apply. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node912 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "x.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL support in-person\ + \ or remote identity proofing, or both. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node913 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "y.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL collect the following\ + \ from the applicant:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node914 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "1. One piece of SUPERIOR or STRONG evidence if the evidence\u2019\ + s issuing source, during its identity proofing event, confirmed the claimed\ + \ identity by collecting two or more forms of SUPERIOR or STRONG evidence\ + \ and the CSP validates the evidence directly with the issuing source; OR" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node915 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 2. Two pieces of STRONG evidence; OR + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node916 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '3. 
One piece of STRONG evidence plus two pieces of FAIR evidence ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node917 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "z.\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL validate each piece of\ + \ evidence with a process that can achieve the same strength as the evidence\ + \ presented (see \u2019z\u2019 above). For example, if two forms of STRONG\ + \ identity evidence are presented, each piece of evidence will be validated\ + \ at a strength of STRONG. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node918 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "aa.\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL verify identity evidence\ + \ as follows:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node919 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "At a minimum, the applicant\u2019s binding to identity evidence\ + \ must be verified by a process that is able to achieve a strength of STRONG. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node920 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "bb.\_\_\_\_\_\_\_\_\_\_\_\_ For IAL2 remote proofing: The collection\ + \ of biometric characteristics for physical or biometric comparison of the\ + \ applicant to the strongest piece of identity evidence provided to support\ + \ the claimed identity performed remotely SHALL adhere to all requirements\ + \ as specified in IA-5 m. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node921 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "cc.\_\_\_\_\_\_\_\_\_\_\_ Knowledge-based verification (KBV) SHALL\ + \ NOT be used for in-person (physical or supervised remote) identity verification. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node922 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "dd.\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL employ appropriately\ + \ tailored security controls, to include control enhancements, from the moderate\ + \ or high baseline of security controls defined in the CJIS Security Policy." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node923 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 'The CSP SHALL ensure that the minimum assurance-related controls + for moderate-impact systems are satisfied. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node924 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "ee.\_\_\_\_\_\_\_\_\_\_\_\_\_ Supervised Remote Identity Proofing:\ + \ Supervised remote identity proofing is intended to provide controls for\ + \ comparable levels of confidence and security to in-person IAL3 identity\ + \ proofing for identity proofing processes that are performed remotely. Supervised\ + \ remote identity proofing is optional for CSPs; that is, if a CSP chooses\ + \ to use supervised remote identity proofing, then the following requirements,\ + \ (1) through (8), would apply. It should be noted that the term \u201Csupervised\ + \ remote identity proofing\u201D has specialized meaning and is used only\ + \ to refer to the specialized equipment and the following control requirements,\ + \ (1) through (8). In addition to those requirements presented in this document,\ + \ as well as the applicable identity validation and verification requirements,\ + \ CSPs that provide supervised remote identity proofing services must demonstrate\ + \ conformance with the requirements contained in this section. 
The following\ + \ requirements for supervised remote proofing apply specifically to IAL3.\ + \ If the equipment/facilities used for supervised remote proofing are used\ + \ for IAL2 identity proofing, the following requirements, (1) through (8),\ + \ for supervised remote proofing do not apply. In this case, the requirements\ + \ for conventional remote identity proofing are applicable." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node925 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Supervised remote identity proofing\ + \ and enrollment transactions SHALL meet the following requirements, in addition\ + \ to the IAL3 validation and verification requirements specified in Section\ + \ 4.6\_. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node926 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL monitor the entire identity\ + \ proofing session, from which the applicant SHALL NOT depart \u2014 for example,\ + \ by a continuous high-resolution video transmission of the applicant. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node927 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL have a live operator\ + \ participate remotely with the applicant for the entirety of the identity\ + \ proofing session. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node928 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL require all actions\ + \ taken by the applicant during the identity proofing session to be clearly\ + \ visible to the remote operator. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node929 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL require that all digital\ + \ validation of evidence (e.g., via chip or wireless technologies) be performed\ + \ by integrated scanners and sensors. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node930 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL require operators to\ + \ have undergone a training program to detect potential fraud and to properly\ + \ perform a supervised remote proofing session. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node931 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL employ physical tamper\ + \ detection and resistance features appropriate for the environment in which\ + \ it is located. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node932 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL ensure that all communications\ + \ occur over a mutually authenticated protected channel. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node933 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "ff.\_\_\_\_\_\_\_\_\_\_\_ Trusted Referee: The use of trusted\ + \ referees is optional for CSPs; that is, if a CSP chooses to use trusted\ + \ referees for identity proofing and enrollment, then the following requirements,\ + \ (1) through (3) would apply. 
The use of trusted referees is intended to\ + \ assist in the identity proofing and enrollment for populations that are\ + \ unable to meet IAL2 identity proofing requirements, or otherwise would be\ + \ challenged to perform identity proofing and enrollment process requirements.\ + \ Such populations may include, but are not limited to:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node934 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ disabled individuals;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node935 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ elderly individuals;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node936 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ homeless individuals," + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node937 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ individuals with little or no access to online\ + \ services or computing devices;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node938 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ unbanked and individuals with little or no credit\ + \ history;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node939 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ victims of identity theft;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node940 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ children under 18; and" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node941 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ immigrants." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node942 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: In addition to those requirements presented in the General section + of this document, as well as the applicable IAL requirements, CSPs that use + trusted referees in their identity proofing services must demonstrate conformance + with the requirements contained in this section. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node943 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP uses trusted referees,\ + \ then\u2026The CSP SHALL establish written policy and procedures as to how\ + \ a trusted referee is determined and the lifecycle by which the trusted referee\ + \ retains their status as a valid referee, to include any restrictions, as\ + \ well as any revocation and suspension requirements. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node944 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP uses trusted referees,\ + \ then\u2026The CSP SHALL proof the trusted referee at the same IAL as the\ + \ applicant proofing. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node945 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP uses trusted referees,\ + \ then\u2026The CSP SHALL determine the minimum evidence required to bind\ + \ the relationship between the trusted referee and the applicant. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: (5) Identity Proofing | Address Confirmation + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node947 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "a.\_\_ Require that a registration code or notice of proofing\ + \ be delivered through an out-of-band channel to verify the users address\ + \ (physical or digital) of record. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node948 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "b.\_\_\_The CSP SHALL confirm address of record. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node949 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "c.\_\_\_Valid records to confirm address SHALL be issuing source(s)\ + \ or authoritative source(s). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node950 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'Self-asserted address data that has not been confirmed in records + SHALL NOT be used for confirmation. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node951 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "d.\_\_\_Note that IAL2-7 applies only to in-person proofing at\ + \ IAL2." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node952 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "If the CSP performs in-person proofing for IAL2 and provides an\ + \ enrollment code directly to the subscriber for binding to an authenticator\ + \ at a later time, then the enrollment code\u2026SHALL be valid for a maximum\ + \ of seven (7) days. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node953 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "e.\_\_ For remote identity proofing at IAL2: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node954 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'The CSP SHALL send an enrollment code to a confirmed address of + record for the applicant. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node955 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "f.\_\_\_\_For remote identity proofing at IAL2: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node956 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'The applicant SHALL present a valid enrollment code to complete + the identity proofing process. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node957 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "g.\_\_\_Note that the following enrollment code validity periods\ + \ apply to enrollment codes sent to confirmed addresses of record for IAL2\ + \ remote in-person proofing only." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node958 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'Enrollment codes shall have the following maximum validities: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node959 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: i. 10 days, when sent to a postal address of record within the + contiguous United States; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node960 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: ii. 30 days, when sent to a postal address of record outside + the contiguous United States; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node961 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: iii. 10 minutes, when sent to a telephone of record (SMS or voice); + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node962 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'iv. 24 hours, when sent to an email address of record. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node963 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "h.\_\_\_If the enrollment code sent to the confirmed address of\ + \ record as part of the remote identity proofing process at IAL2 is also intended\ + \ to be an authentication factor, then\u2026it SHALL be reset upon first use. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node964 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "i.\_\_\_ If the CSP performs remote proofing at IAL2 and optionally\ + \ sends notification of proofing in addition to sending the required enrollment\ + \ code, then\u2026The CSP SHALL ensure the enrollment code and notification\ + \ of proofing are sent to different addresses of record. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node965 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-7: Configuration Management' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node966 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node965 + name: Least Functionality + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node967 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node966 + description: "The agency shall configure the application, service, or information\ + \ system to provide only essential capabilities and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node968 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node966 + description: '...and shall specifically prohibit and/or restrict the use of + specified functions, ports, protocols, and/or services.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node965 + name: Network Diagram + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node970 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: The agency shall ensure that a complete topological drawing depicting + the interconnectivity of the agency network, to criminal justice information, + systems and services is maintained in a current status. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node971 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: 'The network topological drawing shall include the following:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node972 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: "1.\_All communications paths, circuits, and other components used\ + \ for the interconnection, beginning with the agency-owned system(s) and traversing\ + \ through all interconnected systems to the agency end-point." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node973 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: "2.\_The logical location of all components (e.g., firewalls, routers,\ + \ switches, hubs, servers, encryption devices, and computer workstations).\ + \ Individual workstations (clients) do not have to be shown; the number of\ + \ clients is sufficient." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node974 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: "3.\_\u201CFor Official Use Only\u201D (FOUO) markings." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node975 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: "4.\_The agency name and date (day, month, and year) drawing was\ + \ created or updated." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node976 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node965 + name: Security of Configuration Documentation + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node977 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node976 + description: Agencies shall protect the system documentation from unauthorized + access consistent with the provisions described in section 5.5 Access Control. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-8: Media Protection (MP)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Policy and Procedures + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node980 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: 'a. 
Develop, document, and disseminate to authorized individuals: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node981 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: "1.\_Agency-level media protection policy that: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node982 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: "(a)\_Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among agency entities, and compliance; and " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node983 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: "(b)\_Is consistent with applicable laws, executive orders, directives,\ + \ regulations, policies, standards, and guidelines; and " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node984 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: '2. Procedures to facilitate the implementation of the media protection + policy and the associated media protection controls; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node985 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: 'b. Designate an individual with security responsibilities to manage + the development, documentation, and dissemination of the media protection + policy and procedures; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node986 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: 'c. Review and update the current media protection: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node987 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: '1. 
Policy at least annually and following any security incidents + involving digital and/or non-digital media; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node988 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: 2. Procedures at least annually and following any security incidents + involving digital and/or non-digital media. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node989 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Access + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node990 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node989 + description: Restrict access to digital and non-digital media to authorized + individuals. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node991 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Marking + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node992 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node991 + description: 'a. Mark system media indicating the distribution limitations, + handling caveats, and applicable security markings (if any) of the information; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node993 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node991 + description: 'b. Exempt digital and non-digital media containing CJI from marking + if the media remain within physically secure locations and controlled areas. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node994 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Storage + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node995 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node994 + description: 'a. Physically control and securely store digital and non-digital + media within physically secure locations or controlled areas and encrypt CJI + on digital media when physical and personnel restrictions are not feasible; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node996 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node994 + description: 'b. Protect system media types defined in MP-4a until the media + are destroyed or sanitized using approved equipment, techniques, and procedures. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Transport + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node998 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + description: 'a. Protect and control digital and non-digital media to help prevent + compromise of the data during transport outside of the physically secure locations + or controlled areas using encryption, as defined in Section 5.10.1.2 of this + Policy. Physical media will be protected at the same level as the information + would be protected in electronic form. Restrict the activities associated + with transport of electronic and physical media to authorized personnel; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node999 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + description: 'b. 
Maintain accountability for system media during transport outside + of the physically secure location or controlled areas; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1000 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + description: 'c. Document activities associated with the transport of system + media; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1001 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + description: 'd. Restrict the activities associated with the transport of system + media to authorized personnel. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1002 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Sanitization + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1003 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1002 + description: 'a. Sanitize or destroy digital and non-digital media prior to + disposal, release out of agency control, or release for reuse using overwrite + technology at least three times or degauss digital media prior to disposal + or release for reuse by unauthorized individuals. Inoperable digital media + will be destroyed (cut up, shredded, etc.). Physical media will be securely + disposed of when no longer needed for investigative or security purposes, + whichever is later. Physical media will be destroyed by crosscut shredding + or incineration; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1004 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1002 + description: 'b. Employ sanitization mechanisms with the strength and integrity + commensurate with the security category or classification of the information. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1005 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Use + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1006 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1005 + description: 'a. Restrict the use of digital and non-digital media on agency-owned + systems that have been approved for use in the storage, processing, or transmission + of criminal justice information by using technical, physical, or administrative + controls (examples below); and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1007 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1005 + description: b. Prohibit the use of personally-owned digital media devices on + all agency-owned or controlled systems that store, process, or transmit criminal + justice information; and + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1008 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1005 + description: "c.\_Prohibit the use of digital media devices on all agency-owned\ + \ or controlled systems that store, process, or transmit criminal justice\ + \ information when such devices have no identifiable owner." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-9: Physical Protection' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1011 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with physical and environmental protection responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1012 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "1.\_\_\_\_\_ Agency-level physical and environmental protection\ + \ policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1013 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1014 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1015 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ physical and environmental protection policy and the associated physical\ + \ and environmental protection controls;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1016 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security responsibilities to manage the development, documentation, and\ + \ dissemination of the physical and environmental protection policy and procedures;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1017 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "c.\_\_\_\_\_\_ Review and update the current physical and environmental\ + \ protection:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1018 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "1.\_\_\_\_\_ Policy annually and following any physical, environmental,\ + \ or security related incidents involving CJI or systems used to process,\ + \ store, or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1019 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "2.\_\_\_\_\_ Procedures annually and following any physical, environmental,\ + \ or security related incidents involving CJI or systems used to process,\ + \ store, or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: PHYSICAL ACCESS AUTHORIZATIONS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1021 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + description: "a.\_\_\_\_\_ Develop, approve, and maintain a list of individuals\ + \ with authorized access to the facility where the system resides;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1022 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + description: "b.\_\_\_\_\_ Issue authorization credentials for facility access;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1023 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + description: "c.\_\_\_\_\_\_ Review the access list detailing authorized facility\ + \ access by individuals annually and when personnel changes occur; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1024 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + description: "d.\_\_\_\_\_ Remove individuals from the facility access list\ + \ when access is no longer required." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: PHYSICAL ACCESS CONTROL + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1026 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "a.\_\_\_\_\_ Enforce physical access authorizations by:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1027 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "1.\_\_\_\_\_ Verifying individual access authorizations before\ + \ granting access to the facility; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1028 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "2.\_\_\_\_\_ Controlling ingress and egress to the facility using\ + \ agency-implemented procedures and controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1029 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "b.\_\_\_\_\_ Maintain physical access audit logs for the physically\ + \ secure location and agency-defined sensitive areas;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1030 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "c.\_\_\_\_\_\_ Control access to areas within the facility designated\ + \ as non-publicly accessible by implementing physical access devices including,\ + \ but not limited to keys, locks, combinations, biometric readers, placards,\ + \ and/or card readers; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1031 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "d.\_\_\_\_\_ Escort visitors and control visitor activity in all\ + \ 
physically secure locations;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1032 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "e.\_\_\_\_\_ Secure keys, combinations, and other physical access\ + \ devices;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1033 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "f.\_\_\_\_\_\_ Inventory all agency-issued physical access devices\ + \ annually; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1034 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "g.\_\_\_\_\_ Change combinations and keys and/or when keys are\ + \ lost, combinations are compromised, or when individuals possessing the keys\ + \ or combinations are transferred or terminated." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1035 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "h.\_\_\_\_\_ If the above conditions cannot be met refer to the\ + \ requirements listed in PE-17." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1036 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: ACCESS CONTROL FOR TRANSMISSION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1037 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1036 + description: Control physical access to information system distribution and + transmission lines and devices within organizational facilities using agency-implemented + procedures and controls. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1038 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: ACCESS CONTROL FOR OUTPUT DEVICES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1039 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1038 + description: Control physical access to output from monitors, printers, scanners, + audio devices, facsimile machines, and copiers to prevent unauthorized individuals + from obtaining the output. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1040 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: MONITORING PHYSICAL ACCESS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1041 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1040 + description: "a.\_\_\_\_\_ Monitor physical access to the facility where the\ + \ system resides to detect and respond to physical security incidents;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1042 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1040 + description: "b.\_\_\_\_\_ Review physical access logs quarterly and upon occurrence\ + \ of any physical, environmental, or security-related incidents involving\ + \ CJI or systems used to process, store, or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1043 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1040 + description: "c.\_\_\_\_\_\_ Coordinate results of reviews and investigations\ + \ with the organizational incident response capability." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1044 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: "(1)\_\_\_ MONITORING PHYSICAL ACCESS | INTRUSION ALARMS AND SURVEILLANCE\ + \ EQUIPMENT" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1045 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1044 + description: Monitor physical access to the facility where the system resides + using physical intrusion alarms and surveillance equipment. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1046 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: VISITOR ACCESS RECORDS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1047 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1046 + description: "a.\_\_\_\_\_ Maintain visitor access records to the facility where\ + \ the system resides for one (1) year;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1048 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1046 + description: "b.\_\_\_\_\_ Review visitor access records quarterly; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1049 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1046 + description: "c.\_\_\_\_\_\_ Report anomalies in visitor access records to organizational\ + \ personnel with physical and environmental protection responsibilities and\ + \ organizational personnel with information security responsibilities." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1050 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: "(3)\_\_\_ VISITOR ACCESS RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION\ + \ ELEMENTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1051 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1050 + description: Limit personally identifiable information contained in visitor + access records to the minimum PII necessary to achieve the purpose for which + it is collected (see Section 4.3). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1052 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1050 + description: 'Note: Access to visitor access records is restricted to authorized + agency personnel.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1053 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: POWER EQUIPMENT AND CABLING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1054 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1053 + description: Protect power equipment and power cabling for the system from damage + and destruction. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1055 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: EMERGENCY SHUTOFF + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1056 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1055 + description: "a.\_\_\_\_\_ Provide the capability of shutting off power to all\ + \ information systems in emergency situations;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1057 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1055 + description: "b.\_\_\_\_\_ Place emergency shutoff switches or devices in easily\ + \ accessible locations to facilitate access for authorized personnel; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1058 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1055 + description: "c.\_\_\_\_\_\_ Protect emergency power shutoff capability from\ + \ unauthorized activation." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1059 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: EMERGENCY POWER + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1060 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1059 + description: Provide an uninterruptible power supply to facilitate an orderly + shutdown of the information system or transition of the information system + to an alternate power source in the event of a primary power source loss. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1061 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: EMERGENCY LIGHTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1062 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1061 + description: Employ and maintain automatic emergency lighting for the system + that activates in the event of a power outage or disruption and that covers + emergency exits and evacuation routes within the facility. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1063 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: FIRE PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1064 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1063 + description: Employ and maintain fire detection and suppression systems that + are supported by an independent energy source. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1065 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: "(1)\_\_\_ FIRE PROTECTION | DETECTION SYSTEMS \u2014 AUTOMATIC ACTIVATION\ + \ AND NOTIFICATION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1066 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1065 + description: Employ fire detection systems that activate automatically and notify + organizational personnel with physical and environmental protection responsibilities + and police, fire, or emergency medical personnel in the event of a fire. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1067 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: ENVIRONMENTAL CONTROLS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1068 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1067 + description: "a.\_\_\_\_\_ Maintain adequate HVAC levels within the facility\ + \ where the system resides at recommended system manufacturer levels; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1069 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1067 + description: "b.\_\_\_\_\_ Monitor environmental control levels continuously." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1070 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: WATER DAMAGE PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1071 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1070 + description: Protect the system from damage resulting from water leakage by + providing master shutoff or isolation valves that are accessible, working + properly, and known to key personnel. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1072 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: DELIVERY AND REMOVAL + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1073 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1072 + description: "a.\_\_\_\_\_ Authorize and control information system-related\ + \ components entering and exiting the facility; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1074 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1072 + description: "b.\_\_\_\_\_ Maintain records of the system components." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: ALTERNATE WORK SITE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1076 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "a.\_\_\_\_\_ Determine and document all alternate facilities or\ + \ locations allowed for use by employees;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1077 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "b.\_\_\_\_\_ Employ the following controls at alternate work sites:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1078 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "1.\_\_\_\_\_ Limit access to the area during CJI processing times\ + \ to only those personnel authorized by the agency to access or view CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1079 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "2.\_\_\_\_\_ Lock the area, room, or storage container when unattended." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1080 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "3.\_\_\_\_\_ Position information system devices and documents\ + \ containing CJI in such a way as to prevent unauthorized individuals from\ + \ access and view." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1081 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "4.\_\_\_\_\_ Follow the encryption requirements found in SC-13\ + \ and SC-28 for electronic storage (i.e., data at-rest) of CJI." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1082 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "c.\_\_\_\_\_\_ Assess the effectiveness of controls at alternate\ + \ work sites; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1083 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "d.\_\_\_\_\_ Provide a means for employees to communicate with\ + \ information security and privacy personnel in case of incidents." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-10: Systems and Communications Protection' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'POLICY AND PROCEDURES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1086 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: 'a. Develop, document, and disseminate to organizational personnel + with system and communications protection responsibilities: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1087 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '1. Agency-level system and communications protection policy that: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1088 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '(a) Addresses purpose, scope, roles, responsibilities, management + commitment, coordination among organizational entities, and compliance; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1089 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '(b) Is consistent with applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1090 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '2. 
Procedures to facilitate the implementation of the system and + communications protection policy and the associated system and communications + protection controls; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1091 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: 'b. Designate organizational personnel with information security + responsibilities to manage the development, documentation, and dissemination + of the system and communications protection policy and procedures; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1092 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: 'c. Review and update the current system and communications protection: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1093 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '1. Policy annually and following any changes and security incidents + involving unauthorized access to CJI or systems used to process, store, or + transmit CJI; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1094 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '2. Procedures annually and following any changes and security + incidents involving unauthorized access to CJI or systems used to process, + store, or transmit CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1095 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'SEPARATION OF SYSTEM AND USER FUNCTIONALITY ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1096 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1095 + description: 'Separate user functionality, including user interface services, + from system management functionality. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1097 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'INFORMATION IN SHARED SYSTEM RESOURCES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1098 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1097 + description: 'Prevent unauthorized and unintended information transfer via shared + system resources. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1099 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'DENIAL-OF-SERVICE PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1100 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1099 + description: 'a. Protect against or limit the effects of the following types + of denial-of-service events: distributed denial of service, DNS Denial of + Service, etc.; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1101 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1099 + description: 'b. Employ the following controls to achieve the denial-of-service + objective: boundary protection devices and intrusion detection or prevention + devices. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1102 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1103 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1102 + description: 'a. 
Monitor and control communications at the external managed + interfaces to the system and at key internal managed interfaces within the + system; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1104 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1102 + description: 'b. Implement subnetworks for publicly accessible system components + that are physically or logically separated from internal organizational networks; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1105 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1102 + description: 'c. Connect to external networks or systems only through managed + interfaces consisting of boundary protection devices arranged in accordance + with an organizational security and privacy architecture. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1106 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | ACCESS POINTS ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1107 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1106 + description: 'Limit the number of external network connections to the system. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1109 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(a) Implement a managed interface for each external telecommunication + service; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1110 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(b) Establish a traffic flow policy for each managed interface; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1111 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(c) Protect the confidentiality and integrity of the information + being transmitted across each interface; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1112 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(d) Document each exception to the traffic flow policy with a + supporting mission or business need and duration of that need; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1113 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(e) Review exceptions to the traffic flow policy annually, after + any incident, and after any major changes impacting the information system, + while remove exceptions that are no longer supported by an explicit mission + or business need; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1114 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(f) Prevent unauthorized exchange of control plane traffic with + 
external networks; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1115 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(g) Publish information to enable remote networks to detect unauthorized + control plane traffic from internal networks; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1116 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(h) Filter unauthorized control plane traffic from external networks. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1117 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: "BOUNDARY PROTECTION | DENY BY DEFAULT \u2014 ALLOW BY EXCEPTION " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1118 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1117 + description: 'Deny network communications traffic by default and allow network + communications traffic by exception at boundary devices for information systems + used to process, store, or transmit CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1119 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | SPLIT TUNNELING FOR REMOTE DEVICES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1120 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1119 + description: 'Prevent split tunneling for remote devices connecting to organizational + systems. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1121 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1122 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1121 + description: 'Route all internal communications traffic that may be proxied, + except traffic specifically exempted by organizational personnel with information + security responsibilities, to all untrusted networks through authenticated + proxy servers at managed interfaces. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | PERSONALLY IDENTIFIABLE INFORMATION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1124 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: 'For systems that process personally identifiable information: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1125 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: '(a) Apply the following processing rules to data elements of personally + identifiable information: all applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1126 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: '(b) Monitor for permitted processing at the external interfaces + to the system and at key internal boundaries within the system; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1127 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: '(c) Document each processing exception; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1128 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: '(d) Review and remove exceptions that are no longer supported. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1129 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'TRANSMISSION CONFIDENTIALITY AND INTEGRITY ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1130 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1129 + description: 'Protect the confidentiality and integrity of transmitted information. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1131 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1129 + description: Metadata derived from unencrypted CJI shall be protected in the + same manner as CJI and shall not be used for any advertising or other commercial + purposes by any cloud service provider or other associated entity. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1132 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1133 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1132 + description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure + and detect unauthorized changes or access to CJI during transmission. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1134 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'NETWORK DISCONNECT ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1135 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1134 + description: 'Terminate the network connection associated with a communications + session at the end of the session or after one (1) hour of inactivity. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1136 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1134 + description: 'NOTE: In the interest of safety, devices that are: (1) part of + a criminal justice conveyance; or (2) used to perform dispatch functions and + located within a physically secure location; or (3) terminals designated solely + for the purpose of receiving alert notifications (i.e., receive only terminals + or ROT) and used within physically secure location facilities that remain + staffed when in operation, are exempt from this requirement.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1137 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1138 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1137 + description: 'Establish and manage cryptographic keys when cryptography is employed + within the system in accordance with the following key management requirements: + encryption key generation, distribution, storage, access, and destruction + is controlled by the agency. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1139 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'CRYPTOGRAPHIC PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1140 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1139 + description: 'a. Determine the use of encryption for CJI in-transit when outside + a physically secure location; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1141 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1139 + description: 'b. Implement the following types of cryptography required for + each specified cryptographic use: cryptographic modules which are Federal + Information Processing Standard (FIPS) 140-3 certified, or FIPS validated + algorithm for symmetric key encryption and decryption (FIPS 197 [AES]), with + a symmetric cipher key of at least 128-bit strength for CJI in-transit.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1142 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1139 + description: 'NOTE: Subsequent versions of approved cryptographic modules that + are under current review for FIPS 140-3 compliancy can be used in the interim + until certification is complete. FIPS 140-2 certificates will not be acceptable + after September 21, 2026.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1143 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1144 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1143 + description: 'a. 
Prohibit remote activation of collaborative computing devices + and applications; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1145 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1143 + description: 'b. Provide an explicit indication of use to users physically present + at the devices. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1146 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'PUBLIC KEY INFRASTRUCTURE CERTIFICATES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1147 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1146 + description: 'a. Issue public key certificates under an agency-level certificate + authority or obtain public key certificates from an approved service provider; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1148 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1146 + description: 'b. Include only approved trust anchors in trust stores or certificate + stores managed by the organization. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1149 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'MOBILE CODE ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1150 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1149 + description: 'a. Define acceptable and unacceptable mobile code and mobile code + technologies; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1151 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1149 + description: 'b. Authorize, monitor, and control the use of mobile code within + the system. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1152 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1153 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1152 + description: 'a. Provide additional data origin authentication and integrity + verification artifacts along with the authoritative name resolution data the + system returns in response to external name/address resolution queries; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1154 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1152 + description: 'b. Provide the means to indicate the security status of child + zones and (if the child supports secure resolution services) to enable verification + of a chain of trust among parent and child domains, when operating as part + of a distributed, hierarchical namespace. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1155 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1156 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1155 + description: 'Request and perform data origin authentication and data integrity + verification on the name/address resolution responses the system receives + from authoritative sources. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1157 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1158 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1157 + description: 'Ensure the systems that collectively provide name/address resolution + service for an organization are fault-tolerant and implement internal and + external role separation. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1159 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'SESSION AUTHENTICITY ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1160 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1159 + description: 'Protect the authenticity of communications sessions. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'PROTECTION OF INFORMATION AT REST ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1162 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + description: 'Protect the confidentiality and integrity of the following information + at rest: CJI when outside physically secure locations using cryptographic + modules which are certified FIPS 140-3 with a symmetric cipher key of at least + 128-bit strength, or FIPS 197 with a symmetric cipher key of at least 256-bit + strength.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1163 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + description: Metadata derived from unencrypted CJI shall be protected in the + same manner as CJI and shall not be used for any advertising or other commercial + purposes by any cloud service provider or other associated entity. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1164 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + description: "The storage of CJI, regardless of encryption status, shall only\ + \ be permitted in cloud environments (e.g., government or third-party/commercial\ + \ datacenters, etc.) which reside within the physical boundaries of APB-member\ + \ country (i.e., United States, U.S. territories, Indian Tribes, and Canada)\ + \ and are under legal authority of an APB-member agency (i.e., United States\u2013\ + federal/state/territory, Indian Tribe, or the Royal Canadian Mounted Police)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1165 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + description: 'Note: This restriction does not apply to exchanges of CJI with + foreign government agencies under international exchange agreements (e.g., + the Preventing and Combating Serious Crime agreements, fugitive extracts, + and exchanges made for humanitarian and criminal investigatory purposes in + particular circumstances).' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1166 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1167 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1166 + description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure + and modification of the following information at rest on information systems + and digital media outside physically secure locations: CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1168 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'PROCESS ISOLATION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1169 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1168 + description: 'Maintain a separate execution domain for each executing system + process. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-11: Formal Audits' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1171 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + name: Triennial Compliance Audits by the FBI CJIS Division + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1172 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1171 + description: The CJIS Audit Unit (CAU) shall conduct a triennial audit of each + CSA in order to verify compliance with applicable statutes, regulations and + policies. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1173 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1171 + description: 'This audit shall include a sample of CJAs and, in coordination + with the SIB, the NCJAs. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1174 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1171 + description: The FBI CJIS Division shall also have the authority to conduct + unannounced security inspections and scheduled audits of Contractor facilities. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1175 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + name: Triennial Security Audits by the FBI CJIS Division + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1176 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1175 + description: 'This audit shall include a sample of CJAs and NCJAs. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + name: Audits by the CSA + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1178 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 'Each CSA shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1179 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 1. At a minimum, triennially audit all CJAs and NCJAs which have + direct access to the state system in order to ensure compliance with applicable + statutes, regulations and policies. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1180 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 2. 
In coordination with the SIB, establish a process to periodically + audit all NCJAs, with access to CJI, in order to ensure compliance with applicable + statutes, regulations and policies. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1181 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 3. Have the authority to conduct unannounced security inspections + and scheduled audits of Contractor facilities. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1182 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 4. Have the authority, on behalf of another CSA, to conduct a CSP + compliance audit of contractor facilities and provide the results to the requesting + CSA. If a subsequent CSA requests an audit of the same contractor facility, + the CSA may provide the results of the previous audit unless otherwise notified + by the requesting CSA that a new audit be performed. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + name: Special Security Inquiries and Audits + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1184 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + description: 'All agencies having access to CJI shall permit an inspection team + to conduct an appropriate inquiry and audit of any alleged security violations. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1185 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + description: "The inspection team shall be appointed by the APB and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1186 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + description: '...and shall include at least one representative of the CJIS Division. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1187 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + description: All results of the inquiry and audit shall be reported to the APB + with appropriate recommendations. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-12: Personnel Security' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + name: Personnel Screening Requirements for Individuals Requiring Unescorted + Access to Unencrypted CJI + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1190 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '1. To verify identification, state of residency and national + fingerprint-based record checks shall be conducted prior to granting access + to CJI for all personnel who have unescorted access to unencrypted CJI or + unescorted access to physically secure locations or controlled areas (during + times of CJI processing). 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1191 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: However, if the person resides in a different state than that of + the assigned agency, the agency shall conduct state (of the agency) and national + fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using + purpose code C, E, or J depending on the circumstances. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1192 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 'When appropriate, the screening shall be consistent with: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1193 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 'a. 5 CFR 731.106; and/or ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1194 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 'b. Office of Personnel Management policy, regulations, and guidance; + and/or ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1195 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: c. agency policy, regulations, and guidance. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1196 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '2. All requests for access shall be made as specified by the + CSO. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1197 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: All CSO designees shall be from an authorized criminal justice + agency. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1198 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: "3.\_\_If a record of any kind exists, access to CJI shall not\ + \ be granted until the CSO or his/her designee reviews the matter to determine\ + \ if access is appropriate." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1199 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: a. If a felony conviction of any kind exists, the Interface Agency + shall deny access to CJI. However, the Interface Agency may ask for a review + by the CSO in extenuating circumstances where the severity of the offense + and the time that has passed would support a possible variance. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1200 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 'c. If a record of any kind is found on a contractor, the CGA shall + be formally notified and system access shall be delayed pending review of + the criminal history record information. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1201 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: "c. (cont) The CGA shall in turn notify the contractor\u2019s security\ + \ officer." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1202 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 4. If the person appears to be a fugitive or has an arrest history + without conviction, the CSO or his/her designee shall review the matter to + determine if access to CJI is appropriate. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1203 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '5. 
If the person already has access to CJI and is subsequently + arrested and or convicted, continued access to CJI shall be determined by + the CSO. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1204 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: "6. If the CSO or his/her designee determines that access to CJI\ + \ by the person would not be in the public interest, access shall be denied\ + \ and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1205 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '...and the person''s appointing authority shall be notified in + writing of the access denial.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1206 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 7. The granting agency shall maintain a list of personnel who have + been authorized unescorted access to unencrypted CJI and... + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1207 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '...and shall, upon request, provide a current copy of the access + list to the CSO.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1208 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + name: Personnel Termination + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1209 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1208 + description: Upon termination of personnel by an interface agency, the agency + shall immediately terminate access to local agency systems with access to + CJI. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1210 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1208 + description: Furthermore, the interface agency shall provide notification or + other action to ensure access to state and other agency systems is terminated. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1211 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1208 + description: If the employee is an employee of a NCJA or a Contractor, the employer + shall notify all Interface Agencies that may be affected by the personnel + change. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1212 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + name: Personnel Transfer + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1213 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1212 + description: The agency shall review CJI access authorizations when personnel + are reassigned or transferred to other positions within the agency and initiate + appropriate actions such as closing and establishing accounts and changing + system access authorizations. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1214 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + name: Personnel Sanctions + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1215 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1214 + description: The agency shall employ a formal sanctions process for personnel + failing to comply with established information security policies and procedures. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-13: Mobile Devices' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: 'Mobile Devices ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1218 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + description: 'The agency shall: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1219 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + description: (i) establish usage restrictions and implementation guidance for + mobile devices; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1220 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + description: '(ii) authorize, monitor, control wireless access to the information + system. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: 802.11 Wireless Protocols + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1222 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: 'Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) + cryptographic algorithms, used by all pre-80.11i protocols, do not meet the + requirements for FIPS 140-2 and shall not be used. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1223 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: 'Agencies shall implement the following controls for all agency-managed + wireless access points with access to an agency''s network that processes + unencrypted CJI:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1224 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "1.\_Perform validation testing to ensure rogue APs (Access Points)\ + \ do not exist in the 802.11 Wireless Local Area Network (WLAN) and to fully\ + \ understand the wireless network security posture." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1225 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "2.\_Maintain a complete inventory of all Access Points (APs) and\ + \ 802.11 wireless devices." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1226 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "3.\_Place APs in secured areas to prevent unauthorized physical\ + \ access and user manipulation." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1227 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "4.\_Test AP range boundaries to determine the precise extent of\ + \ the wireless coverage and design the AP wireless coverage to limit the coverage\ + \ area to only what is needed for operational purposes." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1228 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "5.\_Enable user authentication and encryption mechanisms for the\ + \ management interface of the AP." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1229 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "6.\_Ensure that all APs have strong administrative passwords and\ + \ ensure that all passwords are changed in accordance with section 5.6.3.1." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1230 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "7.\_Ensure the reset function on APs is used only when needed\ + \ and is only invoked by authorized personnel. Restore the APs to the latest\ + \ security settings, when the reset functions are used, to ensure the factory\ + \ default settings are not utilized." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1231 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "8.\_Change the default service set identifier (SSID) in the APs." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1232 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: Disable the broadcast SSID feature so that the client SSID must + match that of the AP. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1233 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: Validate that the SSID character string does not contain any agency + identifiable information (division, department, street, etc.) or services. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1234 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "9.\_Enable all security features of the wireless product, including\ + \ the cryptographic authentication, firewall, and other privacy features." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1235 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "10.\_Ensure that encryption key sizes are at least 128-bits and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1236 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: '...and the default shared keys are replaced by unique keys.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1237 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "11.\_Ensure that the ad hoc mode has been disabled." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1238 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "12.\_Disable all nonessential management protocols on the APs.\ + \ Disable non-FIPS compliant secure access to the managment interface." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1239 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "13.\_Ensure all management access and authentication occurs via\ + \ FIPS compliant secure protocols (e.g. SFTP, HTTPS, SNMP over TLS, etc.).\ + \ Disable non-FIPS compliant secure access to the managment interface." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1240 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "14.\_Enable logging (if supported) and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1241 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: '...and review the logs on a recurring basis per local policy.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1242 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: At a minimum logs shall be reviewed monthly. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1243 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: 15. Insulate, virtually (e.g. virtual local area network (VLAN) + and ACLs) or physically (e.g. firewalls), the wireless network from the operational + wired infrastructure. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1244 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "16.\_When disposing of access points that will no longer be used\ + \ by the agency, clear access point configuration to prevent disclosure of\ + \ network configuration, keys, passwords, etc." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1245 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Cellular Service Abroad + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1246 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1245 + description: When devices are authorized to access CJI outside the U.S., agencies + shall perform an inspection to ensure that all controls are in place and functioning + properly in accordance with the agency's policies prior to and after deployment + outside of the U.S. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1247 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Bluetooth + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1248 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1247 + description: Organizational security policy shall be used to dictate the use + of Bluetooth and its associated devices based on the agency's operational + and business processes. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Mobile Hotspots + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1250 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 'When an agency allows mobile devices that are approved to access + or store CJI to function as a Wi-Fi hotspot connecting to the Internet, they + shall be configured:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1251 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 1. Enable encryption on the hotspot + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1252 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 2. Change the hotspot's default SSID + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1253 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: a. Ensure the hotspot SSID does not identify the device make/model + or agency ownership + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1254 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 3. 
Create a wireless network password (Pre-shared key) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1255 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: "4. Enable the hotspot\u2019s port filtering/blocking features\ + \ if present" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1256 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 5. Only allow connections from agency controlled devices + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1257 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: OR 1. Have a MDM solution to provide the same security as identified + in 1 - 5 above. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Mobile Device Management (MDM) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1259 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: Devices that have had any unauthorized changes made to them (including + but not limited to being rooted or jailbroken) shall not be used to process, + store, or transmit CJI at any time. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1260 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: 'User agencies shall implement the following controls when directly + accessing CJI from devices running limited feature operating system:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1261 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: 1. Ensure that CJI is only transferred between CJI authorized applications + and storage areas of the device. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1262 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: '2. MDM with centralized administration configured and implemented + to perform at least the following controls:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1263 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: a. Remote locking of the device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1264 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: b. Remote wiping of the device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1265 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: c. Setting and locking device configuration + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1266 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: d. Detection of "rooted" and "jailbroken" devices + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1267 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: e. Enforcement of folder or disk level encryption + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1268 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: f. Application of mandatory policy settings on the device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1269 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: g. 
Detection of unauthorized configurations + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1270 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: h. Detection of unauthorized software or applications + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1271 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: i. Ability to determine location of agency controlled devices + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1272 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: j. Prevention of unpatched devices from accessing CJI or CJI systems + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1273 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: k. Automatic device wiping after a specified number of failed access + attempts + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Wireless Device Risk Mitigations + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: 'Organizations shall, as a minimum, ensure that wireless devices:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1276 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "1.\_Apply available critical patches and upgrades to the operating\ + \ system as soon as they become available for the device and after necessary\ + \ testing as described in Section 5.10.4.1." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1277 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "2.\_Are configured for local device authentication (see Section\ + \ 5.13.8.1)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1278 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "3.\_Use advanced authentication or CSO approved compensating controls\ + \ as per Section 5.13.7.2.1." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1279 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "4.\_Encrypt all CJI resident on the device." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1280 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "5.\_Erase cached information, to include authenticators (see Section\ + \ 5.6.2.1) in applications, when session is terminated." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1281 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "6.\_Employ personal firewalls on full-featured operating system\ + \ devices or run a Mobile Device Management (MDM) system that facilitates\ + \ the ability to provide firewall services from the agency level." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1282 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: 7. Employ malicious code protection on full-featured operating + system devices or run a MDM system that facilitates the ability to provide + anti-malware services from the agency level. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1283 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Patching/Updates + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1284 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1283 + description: Agencies shall monitor mobile devices to ensure their patch and + update state is current. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1285 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Malicious Code Protection + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1286 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1285 + description: Agencies that allow smartphones and tablets to access CJI shall + have a process to approve the use of specific software or applications on + the devices. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Personal Firewall + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1288 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: A personal firewall shall be employed on all devices that have + a full-feature operating system (i.e. laptops or tablets with Windows or Linux/Unix + operating systems). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1289 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 'At a minimum, the personal firewall shall perform the following + activities:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1290 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 1. Manage program access to the Internet. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1291 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 2. Block unsolicited requests to connect to the PC. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1292 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 3. Filter Incoming traffic by IP address or protocol. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1293 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 4. Filter Incoming traffic by destination ports. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1294 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 5. Maintain an IP traffic log. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Incident Response + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1296 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: In addition to the requirements in Section 5.3 Incident Response, + agencies shall develop additional or enhanced incident reporting and handling + procedures to address mobile device operating scenarios. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1297 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: 'Special reporting procedures for mobile devices shall apply in + any of the following situations:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1298 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: '1. Loss of device control. 
For example:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1299 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: a. Device known to be locked, minimal duration of loss + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1300 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: b. Device lock state unknown, minimal duration of loss + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1301 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: c. Device lock state unknown, extended duration of loss + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1302 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: d. Device known to be unlocked, more than momentary duration of + loss + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1303 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: 2. Total loss of device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1304 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: 3. Device compromise + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1305 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: 4. 
Device loss or compromise outside the United States + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1306 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Access Control + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1307 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1306 + description: Access control (Section 5.5 Access Control) shall be accomplished + by the application that accesses CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1308 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Local Device Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1309 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1308 + description: When mobile devices are authorized for use in accessing CJI, local + device authentication shall be used to unlock the device for use. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1310 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1308 + description: The authenticator used shall meet the requirements in section 5.6.2.1 + Standard Authenticators. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1311 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Advanced Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1312 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1311 + description: When accessing CJI from an authorized mobile device, advanced authentication + shall be used by the authorized user unless the access to CJI is indirect + as described in Section 5.6.2.2.1. If access in indirect, then AA is not required. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Compensating Controls + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1314 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: Before CSOs consider approval of compensating controls, Mobile + Device Management (MDM) shall be implemented per Section 5.13.2. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 'The compensating controls shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1316 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 1. Meet the intent of the CJIS Security Policy AA requirement + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1317 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 2. Provide a similar level of protection or security as the original + AA requirement + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1318 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 3. Not rely upon the existing requirements for AA as compensating + controls + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1319 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 4. Expire upon the CSO approved date or when a compliant AA solution + is implemented. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1320 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: "The following minimum controls shall be implemented as a part\ + \ of the CSO approved compensating controls:\_" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1321 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: Possession and registration of an agency-issued smartphone or tablet + as an indication it is the authorized user + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1322 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: Use of device certificates as per Section 5.13.7.3 Device Certificates + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1323 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: Implemented CJIS Security Policy compliant standard authenticator + protection on the secure location where CJI is stored + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Device Certificates + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1325 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + description: 'When certificates or cryptographic keys used to authenticate a + mobile device are used in lieu of compensating controls for advanced authentication, + they shall be:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1326 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + description: 1. 
Protected against being extracted from the device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1327 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + description: 2. Configured for remote wipe on demand or self-deletion based + on a number of unsuccessful login or access attempts + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1328 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + description: 3. Configured to use a secure authenticator (i.e. password, PIN) + to unlock the key for use + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1329 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-14: System and Services Acquisition (SA)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1330 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1329 + name: UNSUPPORTED SYSTEM COMPONENTS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1331 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1330 + description: "a.\_\_\_\_ Replace system components when support for the components\ + \ is no longer available from the developer, vendor, or manufacturer; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1332 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1330 + description: "b.\_\_\_\_\_ Provide the following option for alternative sources\ + \ for continued support for unsupported components: original manufacturer\ + \ support, or original contracted vendor support." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-15: System and Information Integrity (SI)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1335 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to all organizational\ + \ personnel with system and information integrity responsibilities and information\ + \ system owners:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1336 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "1.\_\_\_\_\_ Agency-level system and information integrity policy\ + \ that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1337 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1338 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1339 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ system and information integrity policy and the associated system and information\ + \ integrity controls;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1340 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "b.\_\_\_\_\_ Designate organizational personnel with system and\ + \ information integrity responsibilities to manage the development, documentation,\ + \ and dissemination of the system and information integrity policy and procedures;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1341 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "c.\_\_\_\_\_\_ Review and update the current system and information\ + \ integrity:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1342 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1343 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: FLAW REMEDIATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1345 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "a.\_\_\_\_\_ Identify, report, and correct system flaws;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1346 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "b.\_\_\_\_\_ Test software and firmware updates related to flaw\ + \ remediation for effectiveness and potential side effects before installation;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1347 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "c.\_\_\_\_\_\_ Install security-relevant software and firmware\ + \ updates within the number of days listed after the release of the updates; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1348 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "\u2022\_\_\_\_\_\_\_ Critical \u2013 15 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1349 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "\u2022\_\_\_\_\_\_\_ High \u2013 30 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1350 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "\u2022\_\_\_\_\_\_\_ Medium \u2013 60 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1351 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "\u2022\_\_\_\_\_\_\_ Low \u2013 90 days; and" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1352 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "d.\_\_\_\_\_ Incorporate flaw remediation into the organizational\ + \ configuration management process." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1353 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(2)\_\_\_ FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1354 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1353 + description: Determine if system components have applicable security-relevant + software and firmware updates installed using vulnerability scanning tools + as least quarterly or following any security incidents involving CJI or systems + used to process, store, or transmit CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: MALICIOUS CODE PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1356 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "a.\_\_\_\_\_ Implement signature-based malicious code protection\ + \ mechanisms at system entry and exit points to detect and eradicate malicious\ + \ code;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1357 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "b.\_\_\_\_\_ Automatically update malicious code protection mechanisms\ + \ as new releases are available in accordance with organizational configuration\ + \ management policy and procedures;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1358 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "c.\_\_\_\_\_\_ Configure malicious code protection mechanisms\ + \ to:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1359 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "1.\_\_\_\_\_ Perform periodic scans of the system at least daily\ + \ and real-time scans of files from external sources at network entry and\ + \ exit points and on all servers and endpoint devices as the files are downloaded,\ + \ opened, or executed in accordance with organizational policy; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1360 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "2.\_\_\_\_\_ Block or quarantine malicious code, take mitigating\ + \ action(s), and when necessary, implement incident response procedures; and\ + \ send alert to system/network administrators and/or organizational personnel\ + \ with information security responsibilities in response to malicious code\ + \ detection; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1361 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "d.\_\_\_\_\_ Address the receipt of false positives during malicious\ + \ code detection and eradication and the resulting potential impact on the\ + \ availability of the system." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: SYSTEM MONITORING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1363 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "a.\_\_\_\_\_ Monitor the system to detect:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1364 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "1.\_\_\_\_\_ Attacks and indicators of potential attacks in accordance\ + \ with the following monitoring objectives: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1365 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "a.\_\_\_\_ Intrusion detection and prevention" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1366 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "b.\_\_\_\_ Malicious code protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1367 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "c.\_\_\_\_\_ Vulnerability scanning" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1368 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "d.\_\_\_\_ Audit record monitoring" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1369 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "e.\_\_\_\_\_ Network monitoring" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1370 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "f.\_\_\_\_\_ Firewall monitoring;" + - 
urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1371 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "2.\_\_\_\_\_ Unauthorized local, network, and remote connections;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1372 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "b.\_\_\_\_\_ Identify unauthorized use of the system through the\ + \ following techniques and methods: event logging (ref. 5.4 Audit and Accountability);" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1373 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "c.\_\_\_\_\_\_ Invoke internal monitoring capabilities or deploy\ + \ monitoring devices:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1374 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "1.\_\_\_\_\_ Strategically within the system to collect organization-determined\ + \ essential information; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1375 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "2.\_\_\_\_\_ At ad hoc locations within the system to track specific\ + \ types of transactions of interest to the organization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1376 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "d.\_\_\_\_\_ Analyze detected events and anomalies;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1377 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "e.\_\_\_\_\_ Adjust the level of system monitoring activity when\ + \ there is a change in risk to organizational operations and assets, individuals,\ + \ 
other organizations, or the Nation;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1378 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "f.\_\_\_\_\_\_ Obtain legal opinion regarding system monitoring\ + \ activities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1379 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "g.\_\_\_\_\_ Provide intrusion detection and prevention systems,\ + \ malicious code protection software, scanning tools, audit record monitoring\ + \ software, network monitoring, and firewall monitoring software logs to organizational\ + \ personnel with information security responsibilities weekly." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1380 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(2)\_\_\_ SYSTEM MONITORING | AUTOMATED TOOLS AND MECHANISMS FOR REAL-TIME\ + \ ANALYSIS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1381 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1380 + description: Employ automated tools and mechanisms to support near-real-time + analysis of events. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1382 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(4)\_\_\_ SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1383 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1382 + description: "a.\_\_\_\_ Determine criteria for unusual or unauthorized activities\ + \ or conditions for inbound and outbound communications traffic;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1384 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1382 + description: "b.\_\_\_\_ Monitor inbound and outbound communications traffic\ + \ continuously for unusual or unauthorized activities or conditions such as:\ + \ the presence of malicious code or unauthorized use of legitimate code or\ + \ credentials within organizational systems or propagating among system components,\ + \ signaling to external systems, and the unauthorized exporting of information." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1385 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(5)\_\_\_ SYSTEM MONITORING | SYSTEM-GENERATED ALERTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1386 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1385 + description: 'Alert organizational personnel with system monitoring responsibilities + when the following system-generated indications of compromise or potential + compromise occur: inappropriate or unusual activities with security or privacy + implications.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1388 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + description: "a.\_\_\_\_\_ Receive system security alerts, advisories, and directives\ + \ from external source(s) (e.g., CISA, Multi-State Information Sharing & Analysis\ + \ Center [MS-ISAC], U.S. Computer Emergency Readiness Team [USCERT], hardware/software\ + \ providers, federal/state advisories, etc.) on an ongoing basis;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1389 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + description: "b.\_\_\_\_\_ Generate internal security alerts, advisories, and\ + \ directives as deemed necessary;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1390 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + description: "c.\_\_\_\_\_Issue security alerts, advisories, and directives\ + \ to: organizational personnel implementing, operating, maintaining, and using\ + \ the system; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1391 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + description: "d.\_\_\_\_\_ Implement security directives in accordance with\ + \ established time frames, or notify the issuing organization of the degree\ + \ of noncompliance." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1392 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1393 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1392 + description: "a.\_\_\_\_\_ Employ integrity verification tools to detect unauthorized\ + \ changes to software, firmware, and information systems that contain or process\ + \ CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1394 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1392 + description: "b.\_\_\_\_\_ Take the following actions when unauthorized changes\ + \ to the software, firmware, and information are detected: notify organizational\ + \ personnel responsible for software, firmware, and/or information integrity\ + \ and implement incident response procedures as appropriate." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1395 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(1)\_\_\_ SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1396 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1395 + description: Perform an integrity check of software, firmware, and information + systems that contain or process CJI at agency-defined transitional states + or security relevant events at least weekly or in an automated fashion. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1397 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(7)\_\_\_ SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION\ + \ OF DETECTION AND RESPONSE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1398 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1397 + description: 'Incorporate the detection of the following unauthorized changes + into the organizational incident response capability: unauthorized changes + to established configuration setting or the unauthorized elevation of system + privileges.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1399 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: SPAM PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1400 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1399 + description: "a.\_\_\_\_\_ Employ spam protection mechanisms at system entry\ + \ points to detect and act on unsolicited messages; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1401 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1399 + description: "b.\_\_\_\_\_ Update spam protection mechanisms when new releases\ + \ are available in accordance with organizational configuration management\ + \ policy and procedures." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1402 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(2)\_\_\_ SPAM PROTECTION | AUTOMATIC UPDATES" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1403 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1402 + description: Automatically update spam protection mechanisms at least daily. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1404 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: INFORMATION INPUT VALIDATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1405 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1404 + description: 'Check the validity of the following information inputs: all inputs + to web/application servers, database servers, and any system or application + input that might receive or process CJI.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1406 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: ERROR HANDLING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1407 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1406 + description: "a.\_\_\_\_\_ Generate error messages that provide information\ + \ necessary for corrective actions without revealing information that could\ + \ be exploited; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1408 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1406 + description: "b.\_\_\_\_\_ Reveal error messages only to organizational personnel\ + \ with information security responsibilities." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1409 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: INFORMATION MANAGEMENT AND RETENTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1410 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1409 + description: Manage and retain information within the system and information + output from the system in accordance with applicable laws, executive orders, + directives, regulations, policies, standards, guidelines and operational requirements. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1411 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(1)\_\_\_ INFORMATION MANAGEMENT AND RETENTION | LIMIT PERSONALLY IDENTIFIABLE\ + \ INFORMATION ELEMENTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1412 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1411 + description: Limit personally identifiable information being processed in the + information life cycle to the minimum PII necessary to achieve the purpose + for which it is collected (see Section 4.3). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1413 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(2)\_\_\_ INFORMATION MANAGEMENT AND RETENTION | MINIMIZE PERSONALLY\ + \ IDENTIFIABLE INFORMATION IN TESTING, TRAINING, AND RESEARCH" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1414 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1413 + description: 'Use the following techniques to minimize the use of personally + identifiable information for research, testing, or training: data obfuscation, + randomization, anonymization, or use of synthetic data.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1415 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(3)\_\_\_ INFORMATION MANAGEMENT AND RETENTION | INFORMATION DISPOSAL" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1416 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1415 + description: 'Use the following techniques to dispose of, destroy, or erase + information following the retention period: as defined in MP-6.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1417 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: MEMORY PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1418 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1417 + description: 'Implement the following controls to protect the system memory + from unauthorized code execution: data execution prevention and address space + layout randomization.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-16: Maintenance (MA)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1421 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with system maintenance responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1422 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "1.\_\_\_\_\_ Agency-level maintenance policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1423 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1424 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1425 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ maintenance policy and the associated maintenance controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1426 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + 
description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security and privacy responsibilities to manage the development, documentation,\ + \ and dissemination of the maintenance policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1427 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "c.\_\_\_\_\_\_ Review and update the current maintenance:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1428 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1429 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: CONTROLLED MAINTENANCE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1431 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "a.\_\_\_\_\_ Schedule, document, and review records of maintenance,\ + \ repair, and replacement on system components in accordance with manufacturer\ + \ or vendor specifications and/or organizational requirements;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1432 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "b.\_\_\_\_\_ Approve and monitor all maintenance activities, whether\ + \ performed on site or remotely and whether the system or system components\ + \ are serviced on site or removed to another location;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1433 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "c.\_\_\_\_\_\_ Require that organizational personnel with information\ + \ security and privacy responsibilities explicitly approve the removal of\ + \ the system or system components from organizational facilities for off-site\ + \ maintenance, repair, or replacement;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1434 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "d.\_\_\_\_\_ Sanitize equipment to remove information from associated\ + \ media prior to removal from organizational facilities for off-site maintenance,\ + \ repair, replacement, or destruction;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1435 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "e.\_\_\_\_\_ Check all 
potentially impacted controls to verify\ + \ that the controls are still functioning properly following maintenance,\ + \ repair, or replacement actions; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1436 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "f.\_\_\_\_\_\_ Include the following information in organizational\ + \ maintenance records: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1437 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "1.\_\_\_\_\_ Component name" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1438 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "2.\_\_\_\_\_ Component serial number" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1439 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "3.\_\_\_\_\_ Date/time of maintenance" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1440 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "4.\_\_\_\_\_ Maintenance performed" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1441 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "5.\_\_\_\_\_ Name(s) of entity performing maintenance including\ + \ escort if required." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1442 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: MAINTENANCE TOOLS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1443 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1442 + description: "a.\_\_\_\_\_ Approve, control, and monitor the use of system maintenance\ + \ tools; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1444 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1442 + description: "b.\_\_\_\_\_ Review previously approved system maintenance tools\ + \ prior to each use." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1445 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: (1) MAINTENANCE TOOLS | INSPECT TOOLS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1446 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1445 + description: Inspect the maintenance tools used by maintenance personnel for + improper or unauthorized modifications. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1447 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: (2) MAINTENANCE TOOLS | INSPECT MEDIA + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1448 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1447 + description: Check media containing diagnostic and test programs for malicious + code before the media are used in the system. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1450 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: 'Prevent the removal of maintenance equipment containing organizational + information by:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1451 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: "(a)\_\_\_ Verifying that there is no organizational information\ + \ contained on the equipment;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1452 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: "(b)\_\_\_ Sanitizing or destroying the equipment;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1453 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: "(c)\_\_\_\_ Retaining the equipment within the facility; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1454 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: "(d)\_\_\_ Obtaining an exemption from organizational personnel\ + \ with system maintenance responsibilities explicitly authorizing removal\ + \ of the equipment from the facility." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: NONLOCAL MAINTENANCE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1456 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "a.\_\_\_\_\_ Approve and monitor nonlocal maintenance and diagnostic\ + \ activities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1457 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "b.\_\_\_\_\_ Allow the use of nonlocal maintenance and diagnostic\ + \ tools only as consistent with organizational policy and documented in the\ + \ security plan for the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1458 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "c.\_\_\_\_\_\_ Employ strong authentication in the establishment\ + \ of nonlocal maintenance and diagnostic sessions;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1459 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "d.\_\_\_\_\_ Maintain records for nonlocal maintenance and diagnostic\ + \ activities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1460 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "e.\_\_\_\_\_ Terminate session and network connections when nonlocal\ + \ maintenance is completed." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1461 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: MAINTENANCE PERSONNEL + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1462 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1461 + description: "a.\_\_\_\_\_ Establish a process for maintenance personnel authorization\ + \ and maintain a list of authorized maintenance organizations or personnel;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1463 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1461 + description: "b.\_\_\_\_\_ Verify that non-escorted personnel performing maintenance\ + \ on the system possess the required access authorizations; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1464 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1461 + description: "c.\_\_\_\_\_\_ Designate organizational personnel with required\ + \ access authorizations and technical competence to supervise the maintenance\ + \ activities of personnel who do not possess the required access authorizations." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1465 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: TIMELY MAINTENANCE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1466 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1465 + description: Obtain maintenance support and/or spare parts for critical system + components that process, store, and transmit CJI within agency-defined recovery + time and recovery point objectives of failure. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + assessable: false + depth: 1 + name: CJIS Security Policy Area 5-17 - Planning (PL) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1469 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with planning responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1470 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "1.\_\_\_\_\_ Agency-level planning policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1471 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1472 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1473 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ planning policy and the associated planning controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1474 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "b.\_\_\_\_\_ 
Designate organizational personnel with information\ + \ security and privacy responsibilities to manage the development, documentation,\ + \ and dissemination of the planning policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1475 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "c.\_\_\_\_\_\_ Review and update the current planning:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1476 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "1.\_\_\_\_\_ Policy annually and following; any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1477 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: SYSTEM SECURITY AND PRIVACY PLANS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1479 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "a.\_\_\_\_\_ Develop security and privacy plans for the system\ + \ that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1480 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "1.\_\_\_\_\_ Are consistent with the organization\u2019s enterprise\ + \ architecture;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1481 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "2.\_\_\_\_\_ Explicitly define the constituent system components;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1482 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "3.\_\_\_\_\_ Describe the operational context of the system in\ + \ terms of mission and business processes;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1483 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "4.\_\_\_\_\_ Identify the individuals that fulfill system roles\ + \ and responsibilities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1484 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "5.\_\_\_\_\_ Identify the information types processed, stored,\ + \ and transmitted by the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1485 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "6.\_\_\_\_\_ Provide the 
security categorization of the system,\ + \ including supporting rationale;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1486 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "7.\_\_\_\_\_ Describe any specific threats to the system that\ + \ are of concern to the organization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1487 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "8.\_\_\_\_\_ Provide the results of a privacy risk assessment\ + \ for systems processing personally identifiable information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1488 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "9.\_\_\_\_\_ Describe the operational environment for the system\ + \ and any dependencies on or connections to other systems or system components;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1489 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "10.\_\_ Provide an overview of the security and privacy requirements\ + \ for the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1490 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "11.\_\_ Identify any relevant control baselines or overlays, if\ + \ applicable;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1491 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "12.\_\_ Describe the controls in place or planned for meeting\ + \ the security and privacy requirements, including a rationale for any tailoring\ + \ decisions;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1492 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "13.\_\_ Include risk determinations for security and privacy architecture\ + \ and design decisions;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1493 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "14.\_\_ Include security- and privacy-related activities affecting\ + \ the system that require planning and coordination with organizational personnel\ + \ with system security and privacy planning and plan implementation responsibilities;\ + \ system developers; organizational personnel with information security and\ + \ privacy responsibilities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1494 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "15.\_\_ Are reviewed and approved by the authorizing official\ + \ or designated representative prior to plan implementation." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1495 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "b.\_\_\_\_\_ Distribute copies of the plans and communicate subsequent\ + \ changes to the plans to organizational personnel with system security and\ + \ privacy planning and plan implementation responsibilities; system developers;\ + \ organizational personnel with information security and privacy responsibilities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1496 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "c.\_\_\_\_\_ Review the system security and privacy plans at least\ + \ annually or when required due to system changes or modifications;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1497 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "d.\_\_\_\_\_ Update the plans to address changes to the system\ + \ and environment of operation or problems identified during plan implementation\ + \ or control assessments; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1498 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "e.\_\_\_\_\_ Protect the plans from unauthorized disclosure and\ + \ modification." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: RULES OF BEHAVIOR + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1500 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + description: "a.\_\_\_\_\_ Establish and provide to individuals requiring access\ + \ to the system, the rules that describe their responsibilities and expected\ + \ behavior for information and system usage, security, and privacy;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1501 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + description: "b.\_\_\_\_\_ Receive a documented acknowledgment from such individuals,\ + \ indicating that they have read, understand, and agree to abide by the rules\ + \ of behavior, before authorizing access to information and the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1502 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + description: "c.\_\_\_\_\_\_ Review and update the rules of behavior at least\ + \ annually; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1503 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + description: "d.\_\_\_\_\_ Require individuals who have acknowledged a previous\ + \ version of the rules of behavior to read and re-acknowledge annually, or\ + \ when the rules are revised or updated. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: "(1)\_\_\_ RULES OF BEHAVIOR | SOCIAL MEDIA AND EXTERNAL SITE/APPLICATION\ + \ USAGE RESTRICTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1505 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + description: 'Include in the rules of behavior, restrictions on:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1506 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + description: "(a)\_\_\_ Use of social media, social networking sites, and external\ + \ sites/applications;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1507 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + description: "(b)\_\_\_ Posting organizational information on public websites;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1508 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + description: "(c)\_\_\_\_ Use of organization-provided identifiers (e.g., email\ + \ addresses) and authentication secrets (e.g., passwords) for creating accounts\ + \ on external sites/applications." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: SECURITY AND PRIVACY ARCHITECTURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1510 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "a.\_\_\_\_\_ Develop security and privacy architectures for the\ + \ system that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1511 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "1.\_\_\_\_\_ Describe the requirements and approach to be taken\ + \ for protecting the confidentiality, integrity, and availability of organizational\ + \ information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1512 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "2.\_\_\_\_\_ Describe the requirements and approach to be taken\ + \ for processing personally identifiable information to minimize privacy risk\ + \ to individuals;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1513 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "3.\_\_\_\_\_ Describe how the architectures are integrated into\ + \ and support the enterprise architecture; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1514 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "4.\_\_\_\_\_ Describe any assumptions about, and dependencies\ + \ on, external systems and services;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1515 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "b.\_\_\_\_\_ Review and update the architectures at least annually\ + \ or when changes to the 
system or its environment occur to reflect changes\ + \ in the enterprise architecture; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1516 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "c.\_\_\_\_\_\_ Reflect planned architecture changes in security\ + \ and privacy plans, Concept of Operations (CONOPS), criticality analysis,\ + \ organizational procedures, and procurements and acquisitions." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1517 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: CENTRAL MANAGEMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1518 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1517 + description: The CJISSECPOL is centrally managed by the FBI CJIS ISO. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1519 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: BASELINE SELECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1520 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1519 + description: Select a control baseline for the system. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1521 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: BASELINE TAILORING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1522 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1521 + description: Tailor the selected control baseline by applying specified tailoring + actions. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + assessable: false + depth: 1 + name: CJIS Security Policy Area 5-18 - Contingency Planning + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1525 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with contingency planning responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1526 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "1.\_\_\_\_\_ Agency-level contingency planning policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1527 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1528 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1529 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ contingency planning policy and the associated contingency planning controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1530 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security responsibilities to manage the development, documentation, and\ + \ dissemination of the contingency planning policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1531 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "c.\_\_\_\_\_\_ Review and update the current contingency planning:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1532 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI, or training simulations or exercises; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1533 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI, or training simulations or exercises." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: CONTINGENCY PLAN + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1535 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "a.\_\_\_\_\_ Develop a contingency plan for the system that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1536 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "1.\_\_\_\_\_ Identifies essential mission and business functions\ + \ and associated contingency requirements;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1537 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "2.\_\_\_\_\_ Provides recovery objectives, restoration priorities,\ + \ and metrics;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1538 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "3.\_\_\_\_\_ Addresses contingency roles, responsibilities, assigned\ + \ individuals with contact information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1539 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "4.\_\_\_\_\_ Addresses maintaining essential mission and business\ + \ functions despite a system disruption, compromise, or failure;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1540 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "5.\_\_\_\_\_ Addresses eventual, full system restoration without\ + \ deterioration of the controls originally planned and implemented;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1541 + assessable: true + depth: 3 + 
parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "6.\_\_\_\_\_ Addresses the sharing of contingency information;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1542 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "7.\_\_\_\_\_ Is reviewed and approved by agency head or their\ + \ designee;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1543 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "b.\_\_\_\_\_ Distribute copies of the contingency plan to organizational\ + \ personnel with contingency planning or incident response duties;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1544 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "c.\_\_\_\_\_\_ Coordinate contingency planning activities with\ + \ incident handling activities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1545 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "d.\_\_\_\_\_ Review the contingency plan for the system annually;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1546 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "e.\_\_\_\_\_ Update the contingency plan to address changes to\ + \ the organization, system, or environment of operation and problems encountered\ + \ during contingency plan implementation, execution, or testing;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1547 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "f.\_\_\_\_\_\_ Communicate contingency plan changes to organizational\ + \ personnel with contingency planning or incident response duties;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1548 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "g.\_\_\_\_\_ Incorporate lessons learned from contingency plan\ + \ testing, training, or actual contingency activities into contingency testing\ + \ and training; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1549 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "h.\_\_\_\_\_ Protect the contingency plan from unauthorized disclosure\ + \ and modification." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1550 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1551 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1550 + description: Coordinate contingency plan development with organizational elements + responsible for related plans. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1552 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(3)\_\_\_ CONTINGENCY PLAN | RESUME MISSION AND BUSINESS FUNCTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1553 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1552 + description: Plan for the resumption of essential mission and business functions + within twenty-four (24) hours of contingency plan activation. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1554 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(8)\_\_\_ CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1555 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1554 + description: Identify critical system assets supporting essential mission and + business functions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: CONTINGENCY TRAINING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1557 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "a.\_\_\_\_\_ Provide contingency training to system users consistent\ + \ with assigned roles and responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1558 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "1.\_\_\_\_\_ Within thirty (30) days of assuming a contingency\ + \ role or responsibility;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1559 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "2.\_\_\_\_\_ When required by system changes; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1560 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "3.\_\_\_\_\_ Annually thereafter; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1561 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "b.\_\_\_\_\_ Review and update contingency training content annually\ + \ and following any security incidents involving unauthorized 
access to CJI\ + \ or systems used to process, store, or transmit CJI, or training simulations\ + \ or exercises." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1562 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: CONTINGENCY PLAN TESTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1563 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1562 + description: "a.\_\_\_\_\_ Test the contingency plan for the system annually\ + \ using the following tests to determine the effectiveness of the plan and\ + \ the readiness to execute the plan: checklists, walk-through and tabletop\ + \ exercises, simulations (parallel or full interrupt), or comprehensive exercises." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1564 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1562 + description: "b.\_\_\_\_\_ Review the contingency plan test results; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1565 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1562 + description: "c.\_\_\_\_\_\_ Initiate corrective actions, if needed." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1566 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1567 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1566 + description: Coordinate contingency plan testing with organizational elements + responsible for related plans. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1568 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: ALTERNATE STORAGE SITE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1569 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1568 + description: "a.\_\_\_\_\_ Establish an alternate storage site, including necessary\ + \ agreements to permit the storage and retrieval of system backup information;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1570 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1568 + description: "b.\_\_\_\_\_ Ensure that the alternate storage site provides controls\ + \ equivalent to that of the primary site." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1571 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1572 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1571 + description: Identify an alternate storage site that is sufficiently separated + from the primary storage site to reduce susceptibility to the same threats. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1573 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(3)\_\_\_ ALTERNATE STORAGE SITE | ACCESSIBILITY" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1574 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1573 + description: Identify potential accessibility problems to the alternate storage + site in the event of an area-wide disruption or disaster and outline explicit + mitigation actions. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1575 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: ALTERNATE PROCESSING SITE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1576 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1575 + description: "a.\_\_\_\_\_ Establish an alternate processing site, including\ + \ necessary agreements to permit the transfer and resumption of operations\ + \ for essential mission and business functions within the time period defined\ + \ in the system contingency plan(s) when the primary processing capabilities\ + \ are unavailable;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1577 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1575 + description: "b.\_\_\_\_\_ Make available at the alternate processing site,\ + \ the equipment and supplies required to transfer and resume operations or\ + \ put contracts in place to support delivery to the site within the organization-defined\ + \ time period for transfer and resumption; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1578 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1575 + description: "c.\_\_\_\_\_\_ Provide controls at the alternate processing site\ + \ that are equivalent to those at the primary site." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1579 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1580 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1579 + description: Identify an alternate processing site that is sufficiently separated + from the primary processing site to reduce susceptibility to the same threats. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1581 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(2)\_\_\_ ALTERNATE PROCESSING SITE | ACCESSIBILITY" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1582 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1581 + description: Identify potential accessibility problems to alternate processing + sites in the event of an area-wide disruption or disaster and outlines explicit + mitigation actions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1583 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(3)\_\_\_ ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1584 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1583 + description: Develop alternate processing site agreements that contain priority-of-service + provisions in accordance with availability requirements (including recovery + time objectives). 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1585 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: TELECOMMUNICATIONS SERVICES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1586 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1585 + description: Establish alternate telecommunications services, including necessary + agreements to permit the resumption of system operations for essential mission + and business functions within the time period as defined in the system contingency + plan(s) when the primary telecommunications capabilities are unavailable at + either the primary or alternate processing or storage sites. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1587 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1588 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1587 + description: "(a)\_\_\_ Develop primary and alternate telecommunications service\ + \ agreements that contain priority-of-service provisions in accordance with\ + \ availability requirements (including recovery time objectives); and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1589 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1587 + description: "(b)\_\_\_ Request Telecommunications Service Priority for all\ + \ telecommunications services used for national security emergency preparedness\ + \ if the primary and/or alternate telecommunications services are provided\ + \ by a common carrier." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1590 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(2)\_\_\_ TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1591 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1590 + description: Obtain alternate telecommunications services to reduce the likelihood + of sharing a single point of failure with primary telecommunications services. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: SYSTEM BACKUP + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1593 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + description: "a.\_\_\_\_\_ Conduct backups of user-level information contained\ + \ in operational systems for essential business functions as required by the\ + \ contingency plans;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1594 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + description: "b.\_\_\_\_\_ Conduct backups of system-level information contained\ + \ in the system as required by the contingency plans;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1595 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + description: "c.\_\_\_\_\_\_ Conduct backups of system documentation, including\ + \ security- and privacy-related documentation as required by the contingency\ + \ plans; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1596 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + description: "d.\_\_\_\_\_ Protect the confidentiality, integrity, and availability\ + \ of backup 
information." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1597 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ SYSTEM BACKUP | TESTING FOR RELIABILITY AND INTEGRITY" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1598 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1597 + description: Test backup information as required by the contingency plans to + verify media reliability and information integrity. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1599 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(8)\_\_\_ SYSTEM BACKUP | CRYPTOGRAPHIC PROTECTION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1600 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1599 + description: Implement cryptographic mechanisms to prevent unauthorized disclosure + and modification of CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1601 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: SYSTEM RECOVERY AND RECONSTITUTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1602 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1601 + description: Provide for the recovery and reconstitution of the system to a + known state within the timeframe as required by the contingency plans after + a disruption, compromise, or failure. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1603 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(2)\_\_\_ SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1604 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1603 + description: Implement transaction recovery for systems that are transaction-based. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + assessable: false + depth: 1 + name: CJIS Security Policy Area 5-19 - Risk Assessment + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1607 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with risk assessment responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1608 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "1.\_\_\_\_\_ Agency Level risk assessment policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1609 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1610 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and 
guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1611 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ risk assessment policy and the associated risk assessment controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1612 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "b.\_\_\_\_\_ Designate organizational personnel with security\ + \ and privacy responsibilities to manage the development, documentation, and\ + \ dissemination of the risk assessment policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1613 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "c.\_\_\_\_\_\_ Review and update the current risk assessment:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1614 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1615 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1616 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: SECURITY CATEGORIZATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1617 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1616 + description: "a.\_\_\_\_\_ Categorize the system and information it processes,\ + \ stores, and transmits;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1618 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1616 + description: "b.\_\_\_\_\_ Document the security categorization results, including\ + \ supporting rationale, in the security plan for the system; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1619 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1616 + description: "c.\_\_\_\_\_\_ Verify that the authorizing official or authorizing\ + \ official designated representative reviews and approves the security categorization\ + \ decision." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: RISK ASSESSMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1621 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "a.\_\_\_\_\_ Conduct a risk assessment, including:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1622 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "1.\_\_\_\_\_ Identifying threats to and vulnerabilities in the\ + \ system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1623 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "2.\_\_\_\_\_ Determining the likelihood and magnitude of harm\ + \ from unauthorized access, use, disclosure, disruption, modification, or\ + \ destruction of the system, the information it processes, stores, or transmits,\ + \ and any related information; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1624 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "3.\_\_\_\_\_ Determining the likelihood and impact of adverse\ + \ effects on individuals arising from the processing of personally identifiable\ + \ information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1625 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "b.\_\_\_\_\_ Integrate risk assessment results and risk management\ + \ decisions from the organization and mission or business process perspectives\ + \ with system-level risk assessments;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1626 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: 
"c.\_\_\_\_\_\_ Document risk assessment results in risk assessment\ + \ report;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1627 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "d.\_\_\_\_\_ Review risk assessment results at least quarterly;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1628 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "e.\_\_\_\_\_ Disseminate risk assessment results to organizational\ + \ personnel with risk assessment responsibilities and organizational personnel\ + \ with security and privacy responsibilities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1629 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "f.\_\_\_\_\_\_ Update the risk assessment at least quarterly or\ + \ when there are significant changes to the system, its environment of operation,\ + \ or other conditions that may impact the security or privacy state of the\ + \ system." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: VULNERABILITY MONITORING AND SCANNING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1631 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "a.\_\_\_\_\_ Monitor and scan for vulnerabilities in the system\ + \ and hosted applications at least monthly and when new vulnerabilities potentially\ + \ affecting the system are identified and reported;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1632 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "b.\_\_\_\_\_ Employ vulnerability monitoring tools and techniques\ + \ that facilitate interoperability among tools and automate parts of the vulnerability\ + \ management process by using standards for:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1633 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "1.\_\_\_\_\_ Enumerating platforms, software flaws, and improper\ + \ configurations;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1634 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "2.\_\_\_\_\_ Formatting checklists and test procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1635 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "3.\_\_\_\_\_ Measuring vulnerability impact;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1636 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "c.\_\_\_\_\_\_ Analyze vulnerability scan reports and results\ + \ from vulnerability monitoring;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1637 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "d.\_\_\_\_\_ Remediate legitimate vulnerabilities within the number\ + \ of days listed;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1638 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "\u2022\_\_\_ Critical\u201315 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1639 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "\u2022\_\_\_ High\u201330 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1640 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "\u2022\_\_\_ Medium\u201360 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1641 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "\u2022\_\_\_ Low\u201390 days; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1642 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "e.\_\_\_\_\_ Share information obtained from the vulnerability\ + \ monitoring process and control assessments with organizational personnel\ + \ with risk assessment, control assessment, and vulnerability scanning responsibilities\ + \ to help eliminate similar vulnerabilities in other systems; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1643 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "f.\_\_\_\_\_\_ Employ vulnerability monitoring tools that include\ + \ the capability to readily update the vulnerabilities to be scanned." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1644 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: "(2)\_\_\_ VULNERABILITY MONITORING AND SCANNING | UPDATE VULNERABILITIES\ + \ TO BE SCANNED" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1645 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1644 + description: Update the system vulnerabilities to be scanned within 24 hours + prior to running a new scan or when new vulnerabilities are identified and + reported. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1646 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: "(5)\_\_\_ VULNERABILITY MONITORING AND SCANNING | PRIVILEGED ACCESS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1647 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1646 + description: Implement privileged access authorization to information system + components containing or processing CJI for vulnerability scanning activities + requiring privileged access. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1648 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: (11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1649 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1648 + description: Establish a public reporting channel for receiving reports of vulnerabilities + in organizational systems and system components. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1650 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: RISK RESPONSE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1651 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1650 + description: Respond to findings from security and privacy assessments, monitoring, + and audits in accordance with organizational risk tolerance. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1652 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: CRITICALITY ANALYSIS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1653 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1652 + description: Identify critical system components and functions by performing + a criticality analysis for information system components containing or processing + CJI at the planning, design, development, testing, implementation, and maintenance + stages of the system development life cycle. 
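Review bot: In the VULNERABILITY MONITORING AND SCANNING block, node1638 through node1641 (the Critical 15 days, High 30 days, Medium 60 days and Low 90 days bullets) are each emitted as `assessable: true` depth-3 nodes parented to node1630, so the remediation deadlines become four standalone requirements beside item d. (node1637) instead of parameters of it. Fold them into node1637's description, or nest them under node1637 with `assessable: false`. The same flattening applies to list stems that end in a colon and carry no requirement of their own, such as node1535 ("a. Develop a contingency plan for the system that:"), node1608 and node1613: they are marked `assessable: true`, and their sub-items 1. to 7. sit at the same depth and parent as the stem, so the a./1./(a) hierarchy exists only in the description text. Control enhancements such as node1550 ("(1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS") are likewise depth-2 siblings of the base control rather than its children. None of these nodes has a `ref_id`; the item label is embedded in `description` with a run of `\_` escapes (YAML non-breaking spaces) whose count varies between five and six, for example "c.\_\_\_\_\_\_" against "a.\_\_\_\_\_". Consider moving the label into `ref_id` and stripping the padding in the conversion step so the text can be searched and displayed cleanly.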
diff --git a/tools/cjis/cjis-policy-5.9.4.xlsx b/tools/cjis/cjis-policy-5.9.4.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..c2a887c3570fd48992915deb49d66165ce413228 GIT binary patch literal 97083
zj-EP^?#nMMXPWlPgJBVOXZw47Rn7JYYPNOue7A@Wh${HX2q(4cpgbmbs*yQ^#dI7tQk|@5L~=C zi?YU}xmN>OqygnnQCqup*_NG=oH>sI-i7@E-|T_}u^+Z$@i;+Eb zE!9Le??^J}y67aRtj%+K;5@Bg8Hd1w00&B$n__g(KS&!aPG!1Uh8tCjj}T}2h&BX1 zKuv%(t9qDgh_BRZ18m(vJrGt`ln8J_mcJw)kLzp5ejK1?g-i{P(pL+bL?K5s@THCh z)=QEkeGXu~kFPd^$mg)5Hh)YiPXnQ*Qm$g4u3N@wJ zF_Wwkx^3<>n$5;6WccrKpl?5rq1zIV~cGhzYH~I@ol6>2pJy*?nsgIom!nY zVx+uAnmMtI46<9jcgxWgXCGO8y0;NHrAaUfm?KfkQdkc+B``q-jAO@wlk6&4DQVtm zGPF={Bif`M`xvJ}@B^Mme;}-WW{aZ6?rPaB7&>-JhVXt;z|fubZO|y(pRI4vp*s9L zJ*;LrJ6L(%-v+Woj%qNrnL*uc>YSeG$Q)6bM9Jf{;1CS5G9qNMkg?gc9R4mh*&<|@ z*jhzw4g|OHFw&?)LQ9)QxBNl%9s^c1(^BM>0+R$|X#CmfSQis=sSz2%3GuO3B|NYM z8ABAfQL0vuMWC5=VJXyabW)3D-2)L;FkW zJYd`!MO-&(s-%Jp;ruKaLv6%pM)m;+w-i$N{(TK`0b$lB^0>c1z6Pv=IhCn{b?OAOOJwhW?2QA~SS3!(8iU_gS-$wtJJ~%lp=%8&}KZk_a z#F4EcAeXThB|92}K`ydA=E;aMI69Z4oK3LF8vy4I4wOvez826emu_y8%NLT)0;t67 zO-Nq@`bC2_2+ARUwDGzJS%`2@122l_6O%n#%CLYZIQkEDBU^IXfmXL!6tZE#6yC@1~&f^gdSufYu)YdwZ6O-xS zLLgsOm5ZcIS^`*w;*h4<8zWtjvFu!YvHWbE)D(do?y^P3*BN{?OtlG^@r_o|F~B)` z)F4*Uxh_5+Nyv|&Z%UCf1Sd6-7Pam#lU_J$p3u>P#M9Y3$P6Wbh4Yv>6a}r9&LUh} z4zd*Q%UdWS!dFcvU=$`>m4&py=QI=Fou%TIWaten@e@vph!mmN(Qzr8W@5YASTw3Q z+n{JE%U=iv2~i%ayd-(7NTA@>bg_wahnBJn*8w%LHhU||F)gitA+u&)p(d81*ygKm zkcVu@X{3lE|C@o1+52Fqu?Jfe!FhN~lDicJ;0)oP@yMQ!>H01e6-&+_|Jj{wm zcutm{hk#1Cx#MGxpbFDvX`rHIta5eH_;G_1OsWgN1+U`)|0kb z!vdr^R>Toi^RN3D=oMxSNaM%7!2A+RZkHNU(;V=q2H!4QD;c_YXMq^To@;9 zMB_;V_wh>VMehpZHBFyY*YAka;=@!(7R`*B8!0{k4#g~{ZE&|Ih7U0ACAQ}oVh=y5 zxF^8v65uxGj;87b)nUUIT*5r1O<^oZwTZq9w|v(!3!&Q;ReqaF{ApR6PyJyK8ZGP+ z;PIx{9u(nwvCPBWRaYbP1#7e>Cd|QgxE8A&irq>z^h@uJJ^gt)N~kCFmbj(l)#oe3 zxk;W(7NCq0uEElR94*KYsmVvTWaL;ogcu#oFpncyPT-D375g35*LalmqG2X(0x% zy?_sVzR_wQ+SlCuFxP6J8lJ3pBVi<@4L+GJM#81TU?#<=yFS6=WZE)sT15DX#Qic? 
z!irQ9(1d&~BMwx}Z4E=tS~5xi0ymtgOt249qQezh05AAH0ykbMRh@Vz+(aci%|e}$ zJIL^MgFJ3f1e+Fibsr@7I9NVEIE>QqGMLlA0#=QgW*4*1IDt}|#J?O1t__vanfmz| z;~xh%ZS=iBhH5!<|I*@r2~<++6mm4ncb=fKt6ol6efGr~C$gFt#bi_KP8GY5`1=_@ z=EA?V3AGKu?{B>EA_%}XQW*<4aEJpn7dZlYmC>w)0I01Dh)!CqSe7uH0@Mqk<3E4U zS9&E(6z?eRXpD=HOICqPCKRlpMR=z`mtZ+ey*o6_drifPkP1-=W;#0C; z8QEDaH``NlIyrXml!pu>3M-1Vr6cv54T)uj%{^j^hPuKB?7L)r3J`ak*BxU`5P*J# z!Uzl@#}8omEW_bX%8fZztVZYDA+@sLq?YLVojbxZPlcYF*j+o?Rfkw zuTwZ)qO}Ta}B9so8`_^@C8OpR9tM8og zcQG9+JFz$(Ca-<9rqw!SIE?cl4`l(25Iq~s@&Vp7Gf+5$dr!-~@q`7sNqjfvYXz4Y za3+iMosy3sfg)lIt>%%ObPNv1Gc|0AB|IRc_{j>22l@r`jR_uv&EG>=r5yLl4O{Th zp!54Z&1FNCu8J^U-E(N{@72l=a{(yjW(A~~*`li;6BmdcTuEX?xcPF%yf97zoc>0# zO(u{JRMssNtST|85Q|#n2{ELP@>ye^XwfK<1ENK7iY)5wFf>HaxIRKW*RRbs*V{W? zjzT!%J`X3RWs;;uO-c+oiKb;SXk`JBR~f36GC~PPr~c!ocbf>s$(vnDb!#)5#gWM& z+>4T8P@Y()W9U3wP*1Pds9l!1@RzfzJHhgtR;;#ytEgl?_L`l$TWFw^X(+v2I6#M< zRV*wRm7Tq?J_jfZCn^EF5IAGAI+!9!Kkv6ExKVY+K54`0me^~o(N)z0&l%M0Sufu{pgi{PI^p+eUmK?4fH zW{2~?k}G-6(L$(b&K;{fH58Bzk3%z!p!Tbrk`jHKg%MZlBsF~Lwx$i?Rx`);=(D@G zBtFeVeWS{)Qh_K;?|3fuk2bBcJ9kW0b5Bovpqk;z$gXb9 zz=U}l)fLI1p`J(=wrk?zO`J{p=@u<0PCnW}rg4tDn99i^f62gW0>wtK*LUJvoFmtk zD6ER#Z#s_3vxYAIN=UCTz|vTu^hqPQIAZV%HEzf&bmS00bRs3jQQB_t@H2r2QKNuC z=z)dP?}$zgCU5`P-Tk}_5R}aOX<2{>7Lpl31@yQ!rGgb*xsTut0ko}W^_a}*D9qcY z15ZT$)aYwYumV^Q?Z?DGNO5hYM*5M%esaxL)Kv<>s07y!Ar=Uiz_5|9-W$=fc5xrEi>KNB`b2(Spg5lno=;o)AUd z0QgoB>TN`eS@$G>8YXv`c9;YxtS^i`p3-C3*k51BcT0Sh(}S1&{Dx*P zXk%)t<8{|CZS^_&(`=J0J;X(c#_WF?LWShJ>^noWxGuxg5!ICRGcdJN?{~#+M2=IB zsMztHe`xm=A*+IlJ(0>Tflq2~6F~q|WVLgC@7?CPm-p)?kNHJuq{wm;L-N5Ad0f~& z1MYOUZj3c4T3qz`jo!PBp>{-1kFXPI0cWmzlh4fM#-IobMOTeh#DlP_h|Y*P8)dw6 z^diB)Y1_SJnTTb#5!4J}3M8BET&_pg?@B+q_%dUjzZ2QSEp?x;iX9vr)6WTDS-jop ziLY!Z>_TKu;18RngF}t&ylefJR$f~$NC7`Q{1cm5wd9^eIp?K^Ew|K3zprq!XPHG;4u$z>ry>$txWkq}H z<;T;t+(;#9TiptYQtYNOYuuvxti!p(g( z5dLrj9_I6^@YgFF#-{0%lQr@$+b)TL~z&hI#vO-<=a+89# z^xSqa4Lx*i`&xWNr^BtcFMnUir^u)ZX+fuQru+D2u#a}s1WmOeVIulDQr35Hz` zE+ca@ZiarlMcn*xUca1MSUm(t 
zPGoTkKJ$}lifr`3_xDGr{??4=qEDmV=N9+3TlVc6{b_tHFE)(6?sW}#qRr&!U|X69 z-C9pufUbNW$w5C+!fJ@jT-7XAEIb$?Sm7<}ozIrPxrRv%+PI788<8D0FVYD_On zM@VOqtwi3@*~iAF=REV#1I@3(G4~tHIL)>R!ny7B5oNP%ii*0(K6|;379fPNtAwVi z2`5)guU<)?7Ez)q&hq2YD}31g90mZAY1B$<)G=g97iVTiK@k4?w)v}{C5fOX*@_RH~VuVUC7O&JNA=k{k{rFa4MJy`N0^8mM8SP z=&>nj#<4@LKpEZlcAY+TcILX#L&(ZYjws^V*yW?fUgo9?k0=3vYeAEn-nty6@K55| z8{+2HNz%);ou@?l7UtBm?J4QzAqgwYFSE8xh~uDiC`-FY4}u*FqrKPcqDm&CmGrUE zi)nT)RL7q$l|zj!5pAx3mw=l{#@z;C-ECiSa9{AZr>}!62!5)7@yDN$yQ^k5#|I@a z;pZpEJIi@5k45mokBh4Vn_EYF*A3s&pvP*CyKR>u~`M+L{gL<>vh_=e;szKhq~xL#LUpghF&JwBdBWc zxy%fvN5~-7Qu-gpk)-(fu&juV2)G^AW2^2#I9n$*37xM3FI`KCv5o?x1aIbJs*Z6k zhwr&cwgbRTND9J=m0jbCMLP4f+J)!VqGm9nN>`w_NPQ9(!)Il|#>E(53C&L5wnh97 zZ!jQ7vE+aG#K;zrq>B(s(nPHd5xy1KrZ?I+fw2$`7Uz8Fz(wud+)4te(EWmaVO6I_ z*L`F}r5+0P1WhfDUbmAV^O?%zP}j{}(Hv=?y!KE!vtr|!*N!W<>IBr@+i)E=!obQA zY8=2=oqS!nuIi?Gd(NbrOB5SZ{eS}OkoL4CjfG-sY*KTF1F+{&iIeYqm0J8jb~Rr| z&rDXV& zP(A?m7YT(^2mh=cqdbSD-Fa>{wL8-uKaC2z(FfIS+dT^g@MD71HxlVPt+ zeQ-*CEwox_%#bFe%JJf~|2Xe?71Xd&G>vzqw8Ka%K_uEU=XTF;!5?@dckP$>!ZU`% zZZEGJF~`mB>B7m5^vvzR)9vyvWIxd*9P{y==aA*b^bux`{J9>nM^C;WrJ^;gwK}_s z>tL;RWLE)X$aZNqa|wI{!&{XY3uSHI>EA9X)Ue0SyPaO&sMhz@#$IiOGLBv`Fk@7t zPDv03syn`STN@e}s@dM4*9n3OGkIJt+7j!i8ux~702wb6U3Iq9Fl*uD+iLkLxG#S_ zT>0LEcJL>e-@BO9kr-H)+j;7UP@k_`AWx2=-h{^04dkQBsx5g63PQSBZV5!Lfm!i$ z4OnQT$V{@?}m}D-4{rO4)!oA&f-Nn=t1yhla5)p zWtw(Kqv)!;uR;K^uEMcWr}wjxukJ`xy$A+yaQ&9S_4jD=uoc za@0ekE1<^0jtk=4E6X+^0%C{T+szkl`sxf8BNEoBb4AFqhD#1kmV)!BAly^G1M#tR{2XsH=#+ zQ%b4AY4RQ>n9)x{ps2;|j*a+pe&20Gb9>CzKp?OmNDUP;aCXAK*|Z1WD=2AaYG7jT zq3r5PCAtslO4wt_Y?GRcpGt*p6cKMxY`(gsR*kA{i8a_|e>In|4?4PzXg32bH8A)Xs^#*f+*S|{$hhrVNRh2TuwNmt`VYeaK_+7&r zl@*t#>xKU=p!q!nqC{huc~-}ItKC#5-~FnEluNIcUSP7#)6@ z^p!5)RdU9sOF8~Bx@A{HnOlyv|C*1Hk^BN9dxg)u;6&vqtYC?YU4Lp%V!gVuCq8Zaw zzx68fL^MeIU8E^+ZnI`e?8im@IjWA}>I<}MrM+T?dI+6QBQ?}qyma8~B$;vNt9%Hw z6!Z>W14^Kv69hq(bpK0a5-p{rmVclLaDGWszz8S|3&H;X06;*$zf*Mshhc5R9x(!b zsejukjZH47QjH{RU9*=`?zHA^4~bc%mfMIk+uUHohG}FyLYGE|@Dcp|;{lAaJSYCB 
zLAuX>opW<|ZlZb~htuzn`P@_z?t6ehmy_y zmJpF3fI=#vl3w&E~9qe_5 zE6#Cs9y;YpWV4!G=OwDBc!4kuj=Rk~E-_J@2%0^F;rJ-3-pdV@U~TSDH5S_P3_{*&7uOOE_jhpO;Q$t z$NJV%^d$Y&k$33Yp}hcLkFAfE`J)(@ei<5UwFJf)Pe|SK_>yv=wCEk79zZ0SeV1{dsS44gkF1ag?_a+H5^p7 znMC8Due5-P8xfJRWBE}ZoUI;dV9}XEs|ymsdqltcAs)Z%K}+#ETxh}N=rCb%1qgwc9jJKo2x=|rvf4q&1!fZ!%?@Ey#+&3- z?(0zWTkX%Hyg{|kD~NvkP`&q~q(IqTv8-HDbY@i0__&x+8^>g630)8)7}yW`SEAFAjD&e{RZhkL*RS8@#y!Z*ldr9VG%y}jZFR{p958EIFPZ2ZfkHS$0l z{uuHB6dsKkR8-b8p1ZBR^*6yG5q;1SAO|J}!|(2umc9&LxKb-0)$Cfe*FH09Gj&xY zaqjMBw}N$L000KVJ#Es4pdFOO6(G9Pj4*)gBdxC28yd6&>Ph>%4b60>_cUR9sQPBS zr^z+u*^-IRPFJo?;MF~^-txEQawz&MxiDjo3TcGvmuJfZxho!6P`Hi0eux)pXS~L$ z3oBTDW8Ry;=||gb;sENE*<2ryFB7&zcp74U3D=DmbxZNFUh~7FCEX#VeJl)5&d#xp z+O)|Bfu(AVJN-qu3B>Ts zHOkv?j7|n`p=NieBFOqD{kPD~3AyNm&1x;7zL`^Rx>=K*%~NMt%E--j%%eyUOmaLT z!uq>_06q7la$fX}yHb+u71Ed6 zNb%@$fR?mdcm_M;Jz7X6Sk5EIDT!|7V)Gu0sn`L`b0*^cVRC&GVio7mN!xh`1OmXD zAj`77XyKAAH=99Tr0Xq0eonlKH!bV+Z(VPMQlu^fq$!t}%goTH*6zEzaf5^NKDkfS zR_yM;>-llee~*%CSht^$jOS0s`0Z{C7td)G63$;;CzY0+!{uckp!hVw;#h6w|HTAF z`q#4+ZfHZm>I{{`x1x?qjb_8JN=$9ypi-bap0L?~q$5RSZLrEB1tY+5P01>VI`caBd-^J!3l4W8WR$ajMl zWTZI|DlYr4FFFg_w7@lJS#{;ME~6<59NYEui7rBs`KF&aBg8Sv(QQOFa;S$wgi8}Y z(oq5DmjVaIq~+k7hST_p=pQT>{jri3%?RaE0PTr*gT!+~Wgpz}9!q>go00QeyWV)) zw9@grBf8v?Hp*V3rCax|G_Y1XRsR9%>7RS;4nbXA8##l;Zxh>V+*oxhSf8#Pn6r-c4&~rT%3zR)ipr%fV z_|j0ECgcdt08*<)tl{#4bkdZg2sjlE0rS03QjOO0QFmMIq4+#&#MwxrF;OW!KH-Qw zOIGA^@U{<^srUALb7>@-Y52y4t^p|=Deac8Ey(C8aX(;`r*ox&G-kBT#7J+XjZaX9 zthigZ=*AD#x4adN$2$V(eLEQI_V)R7`n;~6KYq;c21|#A?;@pwJg~o8pn#*v!Hjov z)c6SR%HBsx60T{Ei0l)VPHT!)(yp&-5Nsvmyy^RtOrjLF{AyU>b%J*%0;`Wf|NXf4 zewcZ(OVGHNeLd(NhuKh0+^%3EkKTl9=YD=LZrwMhf7qYJCmPuF19TRGmK7Ab- z)y9ebs-7whV576ZPOY*xcnNk6H~PLS^eBj`5^yLxitO5p1W|Bn6ugRP7g8Pdjf)Yt z>^jxb5sS{Vmp_5{_;T16l{9EkfHj_%Yv!h1e3aL{ajrI`e=rUcQ=Pqu~wZMqQ)9Pj~(Wh7A zSlddEErynG)VR++ z4=Rsjuj!p2X4R6QP4H@S>&B1tlKeWM3kO8EJN(_e);oGC9)yqG6EiuCw>xUbVqBgU z*eq5vWh`4MiB8@FMn0jllTUMOq=c1@(CuCaLZ5HN?R94g@wGJH1WeLhPK>$9(cIFC 
zfZssz;m~W+AVR@4m!S8_5FU?GyS$OzuB;lx{CDH*>XPmfmaV~qDbE3p*MYS5Z(~2l*f(JPe7-8lrm+|a77hpC>>aXmZ-Gm_ z7BF}VdyHC6RJkwY;z{yU8=npaY+T`@Hbn%jD~UkKnA|O{P-C^5C3+nu81(FBN53ca z@IH6#?r7M?r*(B=bo0UJV`h{CP`VDqNb2A9>LgO0H}hPLNwS6E7Vf{)gmzPdt_xSHuF=9B6kE=$+fU%`vfoEb=z?Qgzj9eC&0lyC{?-HiRB z`IdaB*khQ;I>?I9&J zf5X(QZ*z$rH`dO+{Vw0z)V2JTK5f6~NyO4T2>3M~=h+1aa=-X_t~F)XhP)<;SPHbi z{Q27AEEOSX?s|lzM|tgfA+Ftw)8qc9T{i9f2;-Es~MT*;Tk&J$ECjzgHlX! zzyfuPEefT6UzT2&9Pak|3NnzkLI_QRVW_OBwRqHa%iY@1hOXB5;whVa%Wd+)L34I| z=Op50+j|CeK1S5CuS61m;Lh0HDzOIEePCT~0`T#}%*5>k-Mc!Goo;PoUCZ8gx1 zC;BUku;z^T8OI+itAh_S1bwbnMnZ6w=sE{A8FI4?IPcHsz-gjT*1^DAJeW)_x^z%a z!=>1~YP34I@D^Y5CD{ z;SF3uS*w7JI+>SiA2CrU^)4q-bk<+H>{=3QG_r!jpN5zHw}d3OL?m%*jYyTkw+`K@ zs8Key*HC1gdm%Sr?c)j=IDoG6$tUUY;5~%SZa%xs3R6OgzjvXX3K3yl0JLJ?!mZQ9 z`DIrS-d75|RQDM*cvIxQ$$_Dqfg-Z7A{r;_mPr2HQ)x%hF>ucyN=Jb0I35h8*Qot5 z0e|7OX^)lG`y6aZ3W85vdkeFn0PPJkCB>&X_%12?GAayf=^wX zR*zZr8Ln!rw4;+CudRfDnm(M-*1_+l9zr*nK*)@)cqto_jigtw)L@bQ;W2PV5cF^} zvs|)wm|WGi=YjjqtqE;tG)>);d`=fUABl}ocTByAGa+odxTMj%1)K#|18{%kNAD>Z zO#}gRnrryh-!0p9xY5oEgZz>G6F^Qnd)Mxj(7lu{PU7RrTHz^bFZa-lg%wo5AZh2N#3ke+EP07{fn)*E`vM5+uhO zDkZ~}iooI}yv7HxyxLug0;iQ1@SEu3`Afs4Q;U=_Ny5an+>qW#5Tm@+PyzsBijiwp zr_X-DN1dRK`RL}n5~eX{!LR}fth+1Oa4G<_NvjHfKeCl8bvcru?6C{*LZx*_lKmUm zEoP>oImjJzZaXY{wz^JnO&go(gLkm?k;A*{X<|2R??vi_R3RrG`(a)d>NZE%(J z4#l>~bfP?K_Uh#9eLSZmE+a*UZBfXzqFL|Q7sFb4NR{Fy$pPMp7m_I{ok%FX#S;3N zCq<~s-ZzubWsZIUbUpA?_V|<>?o}Z#p=%35D6ygV{_3c&mR&J!oIl)?#>~DjDppJ0 z)JI2w#cztLk0yDEDs+YXC+1sDGENiM@?5%67p4>J5U%+($2vhw1A)WI>T zQ;z1af8J9j4a*;n-(3ziw`yqGD_IDDqW-I(UndOEsTE-V{` z)nzfZ(P_b7kBXdyU4~yk2)6SqwdqH*D`;D0nf$Rn8eJ1f&dW)^Hw1mzWud#F3+4TS zv@kpfpci zl>U-gYemGqot=k=BIPm~Q|LBqiOk&B*bysMta$qN#m49VJs?O@%*>8)lG%YzZZFtF zNsByZi^0&vUzk~^#psiGz3^1@!J-t*mNKF%ud@%TkEOQ=NSunvMrVW1S&^y6dgsoB zE`JweX@*#x>6k~FCBDU_S=1fgKLh&<vOjAggW7vQZRQ++hcn2=B zD&RQR4QP9+i^P`}&^wp^qAqKdtHuIg{tfICS~)Vz$|{!BH-tov#?Q_1TFsb#*6Hct z580KDP7S#qWVxDn!V#Mukv>R*+3|(_8@~@m?}Yy~e6a6_7dSk{FJ8XbE*K?FIH9~2 
z{^siA-0=lFao!d|Gq#98ki581;=+$#aXiy`&xZ`Z7Ju4b4L^lBQI8fJ#JEnudF&NI z#yGs^yIn!r68ysO`$ydA;X>An$Pjtpl0q+p0!pad$Sp(@@`a;Rpg*D!raq&(xx>+X zyLnrU&dyhj9HDHj$4P)zTS!j5_i5Gx9)rc7hw;Sl+9h`Gm3Kys`cQ+XqQ-*InXI~$ zI`Vb9;vqvTL;Gf0BoDOnFT(?e8cOw8in)78nIkk_Wx;w2{6^Kaye?9ac^o;q&J*yb z&8y6E6s#|ox!C@Vw*MKTB=H(TwucW_aTe0S@3`EcIrh%n%O7?hqL`?;#o~p{p1ykd zeD>s@@gz~BbJ7U+%*kvw*LG9hnoAC`0ee2gn+N{(#p}0RgpVN=@5pI!^vjrQKV0(->d0S;3o#qZ0GB33-pYl zY0>G`9#oC;&~4Th`n44v%uZ{7vp@r5&#`?f?(_TEUop|VaBu|=a{EvAe-)eTG?n+2 zk_34YATybQDMIGf%W^P|hwsHpcA$CGrRmqq6mK>ME^R=*Y9*W#ZQiBc1q=|^AE<9J zFiZ4A(lVyltF%>Q!a66763>fY_R+D0S1XxRIQ!~c&#hw;J31^CqC2RQ;Ja^E13N9! zH~z$;aO^$)-Pvm72H>?O03^Sk9lH@D9N`c7trD)FDz6m>Sqq`7B@w}ZrtT$0;xtP; zHl$?JW{WzO132e6wcAqVC0sy4z&bV^(zMunbFb(|7#EEHrls=aHB0A6gBzge6@%dI zY2hz>Qm3ZD6*P|K<00IEW9e+^L%uQaKfRr7_dZl|hUAG?ED6QvthZx5A1)@gmf=cr zBQ-mlD^~O>inw~&a3(x4DFGbk61V8UI(5Zs3B(Kmv)w*V{Twnevz#9xTf+~s)?jC5;sW5}y)zv;eLM>*$`ALmgO^c#YYH<3c0E8V zCLsq?$D{THr7mbv%%2w;#M&6f79u>bdw_vJ0VsW^dex}6Ks{cVIadBr${0uEm-$C# z7}Xwv{T?uK>y9&D)3g)*JyU1K9D;DVR!@8sJUHYGy*V^aik>)@w_D#%`)Huqo{0nP z0LQ=>jCc(=DCF?5qEzMunZh@0aCrAYS`~@&HC?E0JI8wKHgfmEx zESBnGW@rfwtv_~ zYmfiN>>7k2|JrHhfm1_<{x4|e+)RWCfb16#rDfwn?D8*Y3r>UYPZiG=Tm5=MEIkb@ zpfxq#6Cj~OM~_VhQU8ZwKKJe;tu3fs)I@s-514X|$_M);*L6)<858Sb@@DYWP$+;< z0sAU=DobrokR?iO56$TW_lZ3ieqdR})oy4OU!*N5h~yeqh@JKDosbbtM3p zjiQOvC6|OKx!p8=(p57ZY~iaX&tXV6BxCA;t0G7wXxqG}aDvV8Rt5~%nsQNJda|O` zMKG_n>AXtMJW1(`!WuF^jOvX>C9KZK$&;cpM^i^W4bEKg=)fc3g2T-Y{8^4bp2ipo zT&*YUNA9Sh0$qxJpnd2DNIWOK8vRo9Z}hTy7DOmVUJsy(?^iu+A_05t!0OU6jO(ej zDt#cad`cTwaW}E*x9VyN*2Am6?)3_zaQI%R&3;hO!$6E*e80}7-U4R7G}pH-JA&? 
zM@{*P)jJ@Mg4toBb0D>tXOLogQ+&}Yh35@Vuy=+C)0L}~g`s_?Tt7L@%+kPo%TgfX z)Zcb*b%wtmM~_xcyB1}u$2`H94(#Dyb|DDBymf!|H(12V;FXRK;*{Gle;=YrihtBB1@NN_l*QNfjbkc1eyW-BFM7Ss7ui-HODq#{~BF z;FQu_;S+|AU?N!!XB7;q^fxb_y!p$^SAXtE+dA3GlL>sP)hCOjN>5$luVQCCRmUrl z>KU0QhA#H}h`-{VdrHWGNM>zi(u;*Q5SMyB>1Y`5kbcKtdW}(JGUxeA^htT*-tTx4 zAX6nj%egO|ukB**PF4rh=}lWGK8vZaD5*T$+7x0`EAA`Ty@5_JJC7YFX zEiN%WtsaSCK~*ifg9an%p(}R)*9VCBvj|79Lwv%}80pEY?S~Iu!{^?7m8|9f=+trv zVGp(G$!DFzz1CA)MlZ_n;#2it3wQ_B`55dcw$5-vj`QnBv{|R(9knr#zQArJE2b*x zb2(3i)P=#?c^c)(KQkVKz@P!#Q%|a!f~B;50vMiI@1_E#kf7wRh>!?>2K3WL2Q-*W z?$Yu0ev+s*!$nQ;som9XZ>iM>HV?#f?bYMI;!MEw=5r~uXKU&&>OL$(Y4#2Kw(07YN616=W`cx8T34sKk9Zzbb?A_-Fp*5=+QzbW z0eE)ip^f08HpkJ+=?(-_ePru5d`KV=e|z}XmyiE$1$HAKt;~4J29O}2W~$m@o@?9c ze6oX`)k7YfeY)YC!yZT$@b!#ZKM1D9ERn)PyKZ}=EKu$vJ&E-}Q34#1b92Z{lux~2 z3zxt`A)i!v^v2gMmeEM2SPtn4pAL) zGIhqY(o9GtvruKGEM~Wql{%~Tj%xN!Arj#tfEa6H0cH}7OODdq<--C`1@M+Nd=mV_ z4d}_Ue*`I<0;7>8uBJXbR4Mw~e5fd2C&GBBCK~?rdiL-C`ajtz`^~G}M?`q=3GF#c zYz4>YS`K#kc!Tq9y*zmA_0Uc5)S zcM80TGON?@f=Y@55~bebiLml1P)dYGsJk^tI)Q#Vavpo}I58hrA|^bug${wPCiB;g zMMJLFq{h=}xjGDRS0L30Z(G$+!{n8^W-idV!_zq+-PVIFP5N+P)}aNkA|6Te#}SO3 z?2A!aQNMioxGL1w+&{qSP(I{nj;_swlZL3{+lS9~AE8gA`B1wL;kLS%>Sz)q3k6gq zIQb|rE6KE91=kKUR^u7UH)~?$n{6*zvC>x(eA#D0@JEKipsN41C5%VKHM!2s;lc+ z_RorvlFsjXwgrFV4$U3b8SmpFGm$Qs~mTEfy)_*%+|9vmdk?O=q5q`(l8G!`fRWPwau zAXhF;5)*X!XiGo(?pnZ>uFen+;b|w-lHT@xW0hrcFt*&!0GB8hRlT=;&-fE``SABt zW%c#OC}Fmx^%uU?O^)1b^q?{G4H|Z?25i$#lw@>)B`#E{&(!$otf47 z@(H+HNaRmQrK-eEkJ-d8+1f{CkR4a7w`-QAp7EjpllW8%_>vBOiUm~;jez#z!g|CV zuGF*M<@Rw`fF}2w8rgj{lD}p6X>b~UVMAfy0lLZ?cj-4|rs;*8Ho*ILX%BEq;8@7< z@&ta6YKJkD{L`xw<+i)B%(Niq=c_}CM^8zzJKzSOZPFSa@O=NHbetxib5Gy;N?&7# z4)21YoFu?6b61wbOXv;254&;*)9>(J?3y#QIq0Hc1{3O0a1iY@qvJV^c}LKarj`|D zaIWH2PrMkzJ2ruMpL~cDzx*FL`k_~0sw4@c=(%^LlnXFKxOS*3YvU5rBPv>4$nz*j z34`drNNU72v>3vBMmGn@s{ULm6>RpF0ezhqj@0W4rTY!uxW0vDkhJng)(b z^Gi5KNkA#}yqxB)<`naZzJP6#hCB}X|2fCmDWbT&ExmfGFHmCgTTXXFNy}|c`9WfL zt>hTP7M0Ojl z-rnwy?4IYP-V?(vtRPr&v>a-bxTb$EeF$$+0r2*G#q2{;Kq_HTKx(Ffav|A&B8?C( 
z8g4P1MKT(%v{#>CnB1{V_?;1dQ|?3DQN)Omis#NC=3>2nPNHGNiMYu#W9w-$+xe#~ zkce1_`4)sDZ6EY9e9Q#G6aVQHlNoiRw6N+IVd!>|-6QP>VVG-jpp)@1c^ZofC;xeJ zOD7$A`|%`2>qeHb{lUkH4?F^aS0Z_8oy(ekV_sgN4V%8Q^r(BSXuX_DF-u4yd|}cw zY!OIhDmIeBAyaVbo0LP~>3$!S@z~Y}t_Qy?576Y(p4S9*p>oJPf7NO#5_Qw}s zsNO<2^UWfV0b=E4{KC>2bYNmA{Q-=&qpzlo3900IN=u_?d5m?LpT0wJE*TKfUtNb2 zzXoZIbWw1GJJPH5K=h=5F|SyPUWd8W!q|tMABcxzS(&uprj@!w z?KkxCllOeGq8y~jM6=AwwgIQjR@I6&(%HZ}69`{m3MGT3*)R=p(p$VJwz9cHJP{@; z%-z9TmxUI!3t3^OSNf!Uuu2cU0EVu(1PVM23x zdBIRTw9=m80g7yGIoZ3jtrxq{SNY?;d)wc9_3#Vm6GvCX`*(L*sA0oq2EDPfnU5+8 zcXKs_`|uRvkon}ewaF-Thb@AYiw5BE&ecZNj4G~hhs zC&o<%eGT3>X|cdw^ah?6mBsv@ZNPsVH5#dEF_L?rf1Dt#Y|7(!l_M$I_3(L47H-HchEdr)3#7#PYqQ+40vWmiNmn5f=y z#ZI=2_HdT`B}wR7m6VsUOdjj-$^Epk*6_c}E;7h8c}wQ{mQc#&pv$UWy3=e-)RSWz zKCiPkN}TVx0YotEw9oS%z8$I6!mhqfw+mHNBCt zNIzfjrTAMtYR0tGYBTJDo}ujJ-1&(Je_KGcXB7#Dy8A%bj@4|}yYAje(bcfZc9jU^mj+V1t6=p|h3 zsq+B%2GbqS0^^L-Qr|P`Yqh9vvS#G5!o>Vm?ff_@T|_}Gdz-(XvO z1PS(k84`!ja=i23|MlOXAr@BPcnwktgb*$k(3TWrgdvIa0sH4Slns7~O|XYs%%gj} zv+DQ>YE&YdA9VrvRW$lN1dW!}`9@^38xVg&YJ~VTG@pq_T;%Oz19|L+R(*MQX8pE^ z-j_=1SpgO^lk49+n7%pF3@*BcZw$?N&i!WLGYN7OR}1eIFsMsKJEDK{suHk2!_THS z#yxDtQ7*#J23hRBYrUS21r`C_nCuaa9M<|K#qiM^FkxjFtB@vj2{^w5umL;LIEy$a z3+&>NznJPc2})5W#_ORhToV}!PC*qk@8_J81-Ny<1lLSoNu{ExW_~10gtbp?@I1(` zzfXnRg~EvljCAO*|HbKV;--8Bx@eDY9m)yl7`y|0kFWqu!af?&-a^EAqiH4nU?c3Z zKYORPNA&_FcCP_k=siMk6SCT`? 
zG-7UC95SYX?rZDHuy(Mr{wQ)RvKp!9YsLE|t9lAwxfM^e)&g4sJN_2sjPEm~G{7_;9(vESevG z^Xzqz`n_`t;6dSOx|ua z%W`=pSdxv%tIryXIlWSZIy9EU}BU$O1l1@jIp)4 zd-pCMOZynz$P~&m6}mQA90+`I@WrO$ps_rStlKK_Wz&k8#>ScMqfdyeT_5%womgs1 z%GUyVEa zC?lkdVCCiB1Qe;g8E=OksxJm)TB#s?8f&Cg20=IgaA1)zB=uiOF5N%wk@+f8Z`~2Qa=3w%EyW+MDDg=&kz2@S>!w?#mGcc{vJWCz;NWm?@gJvi zb-An|_G$R$P6wbVJXrVjIA);fPI(u;v+~G;F2*jrRGS7cyja7(kr!Z6{ zXGegl-m4`@?pXl=4~8t4Xk@}05n(GH4Skni1A~z3>!+A0X_RuwQ_xKFD@~BP1fKqJN7WCgc|g&Ub9hi)#v!TIqQ@EB5NU7m#CW2C zVI=E#@!rs7VWJcVdx>I*iA!~IcN1O9?|JVIL*R!!!XB(9h`bTh0ka z$o@>3s6!#u_Gk_hM1@|!Ed*qGQSG}ilR`xjBngZz~|>BIL6cob}V!iR|Xp?40J^~Zm!NEfEiLP#`hyF0)8 z#q3|^>(%!B7=Hs2@wiZc_G zV)^NS!$_9%B_U(^52p8B-DH|bM#93(l5`Bz$t>xT>re19CoB%aMlog!5f2aJM|Z1g2)1HOw?e!zYTJW-``?h8}x z(?!koK2NgkG5*=2J9uw3s>ROtl$8Q4H=B<03ZkGikp{myFF)EYfKJE1rmvAd3CR+5 z#7_;w^}9MOeUok zg1me}xU|!sLLeCrsII>d0L%iD`FUQTRmyBL%5ripS*5xpHou!hTR=3fKhFFc*>7ZK z0vC=sRwCoDG3iAoB1j}GI4HE4ctq3d`iF1-@HN;(L0|a<>)nfot~)csnX&$ zr8yM-CL4^m*tvzJBslUUU5{V0(+Mmx@4&nv7g0pcGOsF7L*9R+@$j9=TN?OL86(3% zhr5h_q9~ZVGMPf<^k9CvJT>Z@VhOLiu84tBvEfB1oL{Fb6Roo%rkkg&szodgse04#A{HQ) zf2msbIWCxF`)W8NqNw>PNT^F&d%U!<@XUJ@AB=WJN|-e)XN%1FBC7I8ND&6)VA)ig zHJbL4N-A}h`JsW~C#Yh%IG!JVJY>a4fsLf3CLebpk33em`;~L%xPrv|)&-(iq%^hl z@`&OaZz+}%k6}H0@IiAYr-5@VrBhNe%p^~t&u}4i(*X_25;M0HMrCRQ%D`4OSj!oN zZZh4rO-Cbs1GGidx8t49EQnkwZ;9kOA&kanEcHMt_?BWFKLcuSo3W>g_>op!c^X=j ziv?6ExDT~M|ADU_n?i;}L|pTUe1wr0O(KWxtN>TIiOFk$rlF3w5oPN*p0#@H%oNi->x52PDIwBGOdWqhV)X2k($ZjHn zlbC9A3xs=&GESg~KseG4aICQpQPp42P;Mbb@Bnu&y$9`~;vp)TiC$ar`iGZqpFN&M z*jN7)xb^Iv{_$LZc@K9R*ksoXuEFL8qGpK0{F2}n`J#x&SV}s*c6O4|aVP3(9Iw@S4!owOs8}8D7c>u)au}Bi7BYxmT1}DLrha6$e*NSACLkTJp8! 
z15S1}bxp0^4$>uPA?!MEEq7#ay1w7q8KSAPhb9<7*FX{M(3RF4Hh~2mxcbXrMYiFd zHScX3_s83>l-}(9;vH)d5yQw=v**B|_|~`ou*jl^cas}6F^xL(L4zsZpCZCs()P5Q zRcK>54k53}S6Ki)saND$Yq7&;G|4lXUzokNLA|wdW*O0MLR-V;C)=1IYRh%0LMJdq z$oC$i0vd>?8d785M7xH=FK!kS^Cl4(eR2;>togBd~+nnU z6VSMsX^XMMS!p8f@9<+0fueu5W$DZGeA(Y`;yVPjt$Oq+qaLdqFKwDuW#`L-!(FEL zYO^IH2|O8UU7LVg=i*EpBqGb|OxRF{MfS`e7C{7WjAexyw^)~UXr4ew(N$#?fEUfv zl7HetEe@I)Z?2BoKDQ`ztj*mn!c9KEzdCdH-E57AiQ97 z#8zih88{F&y4DuLVR1dG#c3Aah+A44#H9CBnqaizMQDgdywidSNE}^jeA&}vIfOb% z7nBCa5_&%T4R{w&MVdZFCH$CZrY&`d+0xpK+r*%ziQtblO@JgM@e@EbG~OnqDOZe! zfY~*YnJAr|K4v!@`@ut_fkOEy^$h3|Z!FQ0ed9bE^Bu(AiDv*cy|iXk+QDs139B8e ztph5Z+0o}v}WD=^?`fHQ$%mTd=83u$ob0e^Ux!18f9Vud7*8MupZaQQc0 zReWur8Vno!@1eO!m=t8@a5mFmFZSP2m(FM|-bc(@f(!qN=J8uUym_A=DqRDf##1zbFb32a%1Wk=;Y?$A^6S~c8~c#Y)m;w1 zDQH{inkjhDZR_wbg8Lg!Bd<3%ZQ>31@5$*f7b%1%W-oawvRpLJLiN_`CB^SBedR_P zXG!HnI2lZ zM)~BH{3Ja{sxj9gPr_qX9M$-~wYFrgA+;M~#<`LsR3$Pg!U`@$U_Vuy57bJfB1 zbaBiFjv&Vz)?!Z5fo2WiIqe5_M1+1!FJSYOMhG#F!!@htNkl@4qZO`b4|BhRBC;{k z@_K%-f`Ra$SGM|EBvA8&q4m62LDGRCbnUQ;Laca`<-kE5XKm!itTRN>Az!*e@Gp}q zaH#_}b0mRBLyz^Q15B@|=KEgT;*I*xNf7A_dP6d-?D&pE;i;u`^-iy5ycGKg3IE6J zC&>Uwy|5}X@Re^)=sxn2Q<>i8fJ1);UN;$f?tkT4L4!C4TcdMsb@<7Qr)eqc48C=0 z(N|ysMhx2k>65u5RJ%u#NW_SVCeK`S0DQ;LnxvLe#R(Memtj9qhN3hdA)Z%QsGJh_ zmT@?|DrDMC%qh{LW3dVW9DQQzwQR3oQ4L)dp(LlAtQ4qvk z^PMyQAGKW=upv5}+HmKhpL?u}3$q#D$_7hl1H}bSG_^t`XZs~0mf#N&T`j;q+5c6q zrn=}QPxIa#oZ-y5Ys zQ+S=>o)372TsVW{jD=|F2=g^9X^?$SwlcKZ7JpVuYlwWHLSET)h}&agEXK^sjQA#n zEh-!u9Q6&LLrwP1uqb=ASA^|1AJ68kQuz1m-82v|ZK%(TSdt#)&6Q=JgKF!J|B`ji zFp)feOpk7x>4Lo$-(QGhDf^5U<{WJYP-ew36+L(KL3KYsRW-NL`T6%*%R;pt)fF)2 z;el5orbBS z7!mw|crnmxRe@DsFRiqCvH4$T?}>I$tswPZK8G}(M-U7*K~BNmGTO;`ovGs-(Tt6b zr{9Ke_x|U|NJ`_g9rszZ9HEN`v`hR@E_Bt*-YbTABTQwW)N3;_QJ?|;Ee$M zf=|gnZ|d)(H(LC@LZPBj;9DTwi^)74$eGR*C8jr*+!K3PaqIttl2sCGF*&8Krj8F< zA2B{l5mObyA6__=zbsalI2(9&wxA4})^YOk&GW~jYLbm?aNuN35POjOHg%jMq;ou9 z5N|=mIRy047_Z^f7J*O-8~#`(PI2h5jF9o4IAp9l+7g{A~~L{Ns-)ESvcdR z!kEfmNVp-9krSp7;&Tu6hxN>8UT5=*|4Q{myI>MDqMtvw0#moA$J$nfhiAbph)|DM 
z%_R|pD>pEH7U7s4tANHM9}X)Me&F6TRnYrKC`uW)_mR70 zwTy)d_S)jyW)7Ksh7ro-FJ z=rc{PYCUyadOP2t^tQJ+YcB!|gX^>{l*6tVPy6DWQXn{-5XRujNFh}}gYz;jLum9- z#G;_BoREz|XqQ>+x`rg&R-E%np^#cRQ_o0;@7qq)95L?8KJ=|6RMVEGSZs<*i@Q)Z zTgeedfPa;vIQgh_h_P>m@&c- zix}zo;^O&rE39@p^wv!ixmtVYcQmgKJ+(bX6osMYL|xUS(iEs{t-w|c;&pCrh?5P$ z3@JHYvzD#L3~jxL!uva?E`}*p1NtaSSW)Ja&-rwVan9UgmC_0+T6 zqf+t+a0G=CPtree;mzcT>NRDtkQwp)HMn~y)M5K^td>$zsD8JPlX=7AxWtoW@}g?` ztep_4_W(CQ$iMx3vhRMsSMiT*jTt5m-o7n}JJ>|ZS;6Drf)*mCJO=Esi~2t@;R?t% zmV5x}))lK0slgjwzlyNUmOfd!aMRZ2vyi809)^hL9v`JwzLX6~I3Lj~bCR{uwpJb9 zj_G_|#rxnQGwE@8jPAM=5xr)Va(~0y`}`oty*rv&cB}Rt4=&FS&-XgaRT4;s9^HOZLVU6$K`$Y27*0?r! zy-Z#Z7_AjyEv;HOCk=|4rqqFvKSq@ol0J+sj8 zF?;;3QZ!JH`xfgi?TXp`uct2e2=JKQ0~oS){&p}tMpib~o4VCNzMrbN4(O^_zZ7_5 zjPIRdY7d_cP@%M~M^qE*O-2CA2d-LPj;YQKV>HR&i^^FE^m+}`WWmaP+14wINQRuzgyh_T(}O=aXrh2b70P%Hr5Z;L%;TDM{u#equ3q^mDk<6n>elp z-HxF)21yh>Qz5%I)E&yf%N`D8c#sp%;JAKQcgR4-r455y9766_jQO|ohkJk-kkXsX z<9F{%ZxBHE z$uB$Lm(`AmJ*EXh4nG8-H{}MSPek(5a$H#yAH$7bQ>s_KaQQv%e!$mgxDhT@ehZHB zqpHPcQWnHFL#CCIAu)wa_%bYxsLH7k(J``TXMj3LFO+B&RL&%3u&JnX^{o%zW-&R*S>=HfO!PyEohV@#XFw zxM%<~Sb-OUkg3&xBOMz~!ZpzH5l1B$_S923;(vesRVb)jxm{SgowuOOI_}ZmaE}RFD(XNaU2P+; zV0i$%awT0}haX7)Fep@-K&;2$-=Iq)dyaoR zd4h{((JPDqH5_lT0ZuGnDx=$cD~$^nsD-dQU~CTbbrvg38NcGT?iKe5%E0LU04qN* ziGh{A-hHmvO(rPmshNRG*VYwySxdp~xt;*;)eUntn-AD|G0MD*4WJr|BF=ecde27n zuDGoz`nN<|AhASE3+vdtIzb*pwh}M~wiJ2|=cmY0!KDyYy121-#rsv)8Ksf11k}Xa z4P@arrpm9*$2k6y29>^&4nYsxz$o=IMwF%KylDA{s!lM04MXrUh*QrK(saSlHZrY= z#(bQge~AoXs`?zXDL{&B0W2Qu3EQy-(!K=-N5@g*BWXz?9?DWBnzqVbmoHS9U*LqE zOn3T;E0~9VdI2IT>5w98?HqbrG6Wb_@it$5hZnuQJGLdCmc8tVlss114tK{>yCFcj z@h*X}Y0Z7PSeX%LOT&IA*6!rH{>4ZfuIgIAR8gv}y+!`R1BXteQ9Hz${^I~_u&u7m zm)Wc=ve~S7<93Mx#|%bc1`e6FJ)4^NfAI}tv_K! 
zhtbEt$Vp(pR|ZVbHYmGEH1Fy#)0TbW4cZKc-0o`A<05ZfIcTuRrXKr|2QNRA-j2!m z{;}`SzOXMWu1qR*hmSzTF?Q7um4jXM!fDv}l{euW@nvd`Yw~^d1Oqn5&GjO5mbKvbxvlM7wFDO<`eCN-w(MOYhD>~1n^arHtM2|>%~{4lA)(Ak1=T?RsK zOl~#Qm?Qcc<(7hu4VZyQOy4hN*19nFuCyv!hE=3uOdD zjW58fC$HbU+I{rq$zvlp8(p&tvG_SlO%JZo37|*2Dxj_jSVnjLd)_Xdf?_x(=n>0T z4albW@`+|jmE3p8497_lHlu2r#re;v6?C~0Rb8BXER*tBEThOiH=tq_uPJ8%Osbc3 zGECiPdENAQM5kX>;buk<+CoY4qdYeNvDm3oe??vK^K-&hlgHmDV%>E7us`$V>Wl!= z;+-?xP;O&PZJ9i^hOtdas$m=V5e6c6CoQXVffu0l6+&v1Rggrh*c5HBS#AOAV8v`q zQcx+Q*pFfA=E*239&4@kFm+w~V#l`y*w|-+3 zHA6E?iW(t^&(KbNwB-zM7Z)`7wLR`&tNUV|enD!88&C+@VQP_g<5K8wI00O5TYnbQQc7UCtwL|C@!`+K1JoQtt0<^? zaNv}hZpZ!WhEpTi6D~YYhBK504x9y7&ES$$)@^c~IFj>^Xkv}@?IHQbE@p=$T65A_ z0;MiR0Xe&Qtw7`=NyB)5vx5pFzw*ZouE1Bx8u!-yo&JC2h;cC!2rNpQ5bJn5}KVN z?Gqi!=f{w}fq1{aFS9K+aKKGMtKy?sZWHS+rRa{craN81nawxjjp_(D$# z?v`hlOo)Ks3Uy1I0NES`TtWGKF%)E7mZ*!CkcBw5#DIglU@dJWs=$`8NxYh7_Bxx{ z0egQm?Y7i+sR4_cl}%>sHc+C?TF>40;r~M(|K(y63fPYTcs%N*qzhd%h%VbO4@47Pe z4EXjV*lX)D>!r*7znEsxhd7HJ3Ffv5d^&{JsnzuK$mn^t@QRH$wbN#_%f>y?<^Ze0 zKocA24v1|!w?uw@cRx-_Wfd>N^<12bD`4jcf<;^S2D*)I>9-3CMIMIvWqV+Cc%5?Ka+waN?Pt8PoG zp)sP;y)l>y!64B+cRaFzb5WrPo3@<0V{a`9o5GE7h$1%=WJ}DdC%k>YWEbjc zOlx4a+sW`5xgp$}E0Rq$>NA18<3!=^bJ&|Kun}Mj)bwbfugKU(kU>ZE zJ;~1?N^lE+R{c5&kaNrIcBy$iLFO7lY$uQHaabzZ=e^4VWQb;eM(puW`R3wh0m?M7r6i!A zk_>CVhS%CN9rf^9;b(LLzB3B}T>hvBO?3byJ$Sb95<3Tsa^RzLB1Qk1M|?08^ayyq zk9LMNu1v%)`m#D>K2+r#Bc?Xo~B%(2scTfO1>wf`sW=sw;O&0u*W5^l}ail6(ihj$bLd_CPGNCzrPN=ULhtJAe4$}`yq8{y57=@5g ztWqJCloC9_p8yL+=e>+Fpx*TGXMRZj2&0`Kol~f8Zd}n_$`6z81N=o@rBRE8&!pQA zwcM4zQQ~g4E*xQS5R>8i~3AP%ItT z1CD5gZ{%CkX<}2y9M4xrkghI)v7sgD=Z^B}J3%`MDNa&~bWr-OO2RsDK*Yi?6@a)A zIrqX%YK|}WKR}#({%gSF5*)yvc)AqYh)9C2U>nuX0;ECEbJP$N)deB4ZM6TQg9(Rf zjWNf&V12*q-K+dQHO2efhpiW@)9sh*cUXjf(HFy9y+ywDyv6&zXUiWTOW)1j3a^0Y z7Uf@-oGQ}b42!oLoqKFH@~u`+#zReocFWFV6bExe)G9LD^qYe_aFeOA4}rDJ@b*f3 zyFUVMMHdrvH3D~J_7oz+vzJO?J#b0%Nteq$RqG)IbzpiPAUSm!t$3jOiZ!<3qsqW? 
z(Y8U`Dvns}!z@AwER9Cj$P#MSX$9r-LbJax+sSIQ#lb%Q6w8a$JverF_*f6}`q`T| zXb<937{1uIx`=YLH^xf3f zY3bTyb1+O_3g%>kYv5j_y+`bG#7+X)fsKh})*z7$%!Y1A+GI9BLV*!DflCsa6W%GUaR!v=w{>>XJTIpv`l+7KVK~&3&NSjcvL>mqI^e*@*97Rdy7_PkBmfx ze4~52_At6>O_L8DO z+p^pm$;3RoEJM7s#f8T**jj4rm)F&L)64NWn4e<0lN(Cnz|Uqo{D+@=k5=|}cQcL_ zR1`l{(O44}nsN~cKV)X@O3Is!D;Tk>)B%mgt5&GLPOZSWe+wgvL!!U|-DucKG55Pv z)oXdaR238SR;Qxxg9TZH;wcbwqlP!$stmZh0}Ek3f6stUJ&+S23nW;depw3XZDIXjBDT2pNYn z-Aj)(Q~k3sj*vCQaj}<@RZw}S>)}t_r1|J3{onu178VlejmQ_u>ajpv7GGxEbu9o~ zRa7{&Q>h#q**J!s@j+y7n=R;;jbs|+wp{bg6P^(j;H*1WpoejAe6wL~Cq3lvKE={B zCAb`_3@!Q^CXPK-zQKqRoKHprZD5GNu{B@jiIRWn>G{{q)9}|Wq{e_%3 z?!^^n9af5u$zT%#&ktIdFB1Xy6bSdoJfE^rPV=^65!eimE%%_7y!IPWpyytIPr@ zTgCS8bj|!0z$Iq#2@B3fBAbyfginbAcy{|zQY!`sjw^peBm(UEsCOP{reMz#Ag^>3=dF?~j)2rVtMvNPBpJV`UiLyI}Ps>|!wQ(0dw z*Jk)q#1nBU1Pz#o{QGe>=TDR3-K=!wY&Vnw%~D5OZpG1zHN zM3~&}RJZh(uVa`Pl9k5|MigAChBuKc<4#hHtPbl|eqwbf4oCJ-(lguR?LL6x zJ5Vi_+O&R)Q=!$~pI?QuI9)qkgSSL=ZQ*@|N9iLulOK{PGyDQll%)QtQk430B;|0K z!`4wi+}*s?ke-3sj#rk5Gx%#%`%nbOo`S&Z*bBE%zbqqKe@-5t_i!x!v%07z?~w2A zdCvahfsmJ7h1ODhBA4h0R<*f!v5oz$$4+SwZ6EO!H#3@y)Qg}=fe%XhH8de6cO!Cr zpejQN$@Tn`ArnZBi(jzaA3E7JZFzx4Ge))Xq5_YTFufx_^u&%K|KvKZ_Q~uESdq6oqf&rmz?y;_| zsK%?Chfd=FCFj|ZJ({D-XR-uD*?=CgieYxqzILCHZJ0nH3^}K5kVs5tA9EXMcurSv z{g5;!`vi^!vmuCHGlY~lLNbZ7=J{$UTIHzQa_j;&E6x_ZzugY{k6^QW*~XY<5a6311T(qK6l>=hb%G!%w`%z%1la^x{%*R=|r(gkUvizIhdx{a?-$1>)3@X&q2PBg|>SH zcKj}|knQY}v5A#CFg?J|v5P>JH7}mD4nko8`pe+hw*v9v2Fa(d@7v5yurO(n>0sW; za?y}F-b;9)U)i3}vQRYwE2Mo9E{fx)Ew88(uN$zJknx5yg)u;j1HVnsthB|=J!{YH z-|)NSJ>V1rhl7hEWt29~X6J~DUaAse_fox8Lk;d_JfZ8|_3yubQLSw3?(GfS=reQC z@L;ve<=;E(bx*fi!v2Gd#(Q&E!$hcGt+`qmQBy7rWQoNYmK>Q~uENL!@TgizIs~!` zSS2$FRF|wGyMwrmN=qq;6yGwQv==WYfcw&mKt_k^-&}PM%$h!i-bLKNPC~;)elWh(ebwLh z4|+AWOp!mkB|za#qIWj!mjCS@EmtV7hv+i(4CSj}y-O!Wn9+PAMoTC7KfFdfTC!F# zJdmH`3!>v$JJ!*3@uE>-4G6d7vgbwf@iFn&z$Rxgg)rE0>dOA%LzY^%y^v22**!Gm z%Lt@xM%|;x`LtNnZi8nRRGo;xndFTR_lEnU-F@EQVCLN2`7vLN)}K86Te@!sa1rm= zsPA`(Fuk+(d6cL5l*;{NW>^YLqm|hgP(9N%-J?7i31YUrCIUlY(`BRNtrT}~U<#~b 
zM^gWWw~a)o!acQVbQn*s%(=i|v{W{V`ug-Xx#Ta@SG}>)VnRaKrs8FrgVBE8ie9GO zU-};A1ieu8S(1gcUe3@Pu{IrT1aT2NVOGnC0Ku9;&_C|PQ{2Ix9O#I@uiQ+h2xa`& zU+_N*W}xt@W-U|9F!j9Iwm3P_;Mgpr8&f$Pxvmxtp8BE&LSn2w4HYJY33~e&P9_Uh zuyFw_0-bRg%)`HF9=&e$JK)G1w_^cYneFAcV08v3YJ^te>zYJn-}EuV z6K)j6-t}6E?$N$m45`wN!Z4t_Nn;`fKwnza{4oYgX{8jV4WJCnH)jsboSt@jkpU%K zvsjfR((P4q`&LlAP~X%DEwz+WqBbR{5Azfz$4rcSpn&Xj5kuU(@Xf>M=BMf>BNv9w+dw#^b}x!na?Q}O_}8MM+4SOPgP_X zfirX}$c^8R#u@y)$Hd8}R)}Z13=dR|v+cZZ;ywyz3C@6W!;t&pTZ>ErmUYpe5gQ*C zAUwS^c5Wi$8ZhfsP(nbj?xIL>;1;jt619q9@Y7Q7xRxaui(ppD*u#{QvP~e!I09>Z zXBBq8OkKJIzYC3oGzgN>7JWXO1DYmxmE}M!m!!*vf&e&UGT;pJ`=-DDv~K;qfd6$r zzdJ`ti3z{8Y6SA-GyMUY6P70PMzmZhS4_U*s`@`Y#sT;h2y^_jBgsT|7H0*IQdu2B zBU&Na9YNgi-jreWA2F76mC6z72AxYmO~th4hgjVRH?won*(-?mtLddiI-EgUPeCZw zdC#`heuWpQ#-u!Rot-9EQ$OWdts= zY95dx4wQ0%sX+tKMZ&_+YF-d==NV`ZEqPJq$wrF;xvw}`=J|TCB<cy{z~5LnJ7?c|x|wwFcre1S=IL0WNX&9^R$gJU+#HTG6+bc$G$Nm=w! zv&*~r-Hk%Ihz$oY9|4ZzDM}ZZExmvXSR~Gq71nq1OQ_51UanKvo-DFbFFw%gwYN()SLMw{|nY_)A*K)`#yhBit21a?oiGdkeCR1hFdWY!_}X zH9M}Xqw}d4+!47`g4Io5KculteJ8Vo|EYU2R)UAyB03NhR|8f!`G1~qCpRE`#w%KC z_rOJ11D}*MpQ4pTt=0l7V^9sDnh6}bWJb^|oXZ=8dHc@n0bcVGPiD0(v2?OVBzlUR zpQ^D5CEs!j5F3#4!45UF7Sdl=kU>?BI&MPo2$^#5AjmClMigDpX2>k8E})B!@?lCM;d-y>1s6QB|d3O0H1aljrNS;Vty zpaM8F02W;p117x9JyC0<%E2=-o$IYyfz@CBUs-IXK78=kXp;sH$W04J+4#-$99}I8 z>-+!Y3~gkjQj6a_ZKA&#uPMIjbs+$C6V6D~N>RK9&jtD6Y?`|xiaI?+f4#fMLsPoD zM8nAU#Pg}GOe)*RSFb69efyBgumMT4pe_82X+Nc z{hbilCbJv~dGC%s!R{hmNw%&VXy&bs5nXJE>oWQJ$zQ0j0JcU9ieb1j8fm1QsL)!OVU#2$@~tPn0qs$M`iSTV^DA})1GXG`52qg4B{DjO=g1w|S5 z90-@rhzz3pTMcF4Zi4zP88W`-en+aIe#$+Q$Z%H_sXgkc5n)%wJXVG%dnttGgA*pG zp6_JuJ*-|->|<+)VG&#$AN8EtczS-aYPFuc8ht88cg0X7MWa1D(U} zE`)PqGP_zqL(b#Lr@n5eWf7DdTO3BS#YMuP*CDST2sNSZSTwAa;yIpoZ=IK1lNv#Y zp2C|wCFXE{%Sq+fjctX;tkVVB#C-}!M7*VUo@!e-Ztu7Ky{MDTXMt)g`%%qTHM&9@ zI9R3Yjc+pejJr)k3(SMBJ%n2oL#ka$!XFFRJ|8@e{g6w;Iv^HfpnC*0;+gt9uMlUS z4+7RNn?m<$CgzDRCFRJSFxwJyLUMTy!v?8>ruvmZ?+zjZ^0QM#5kVHl1k0Gs7ux>M zOs_%@Djul*uflyqsGzRnN4zWM??WJQdUfWoVJ|XV8E=oN??230_R;h$x+C1P 
zMQii@+1dpJgS?4Ggvp2l{&vZQ$GD1o>z0fIzI0(%=} zZn*WD{E)`pA1|psNV*5FU`7vq{A6wj*Mh8QMTO3;2|#{sMgH8!Mjq}*9_{^zJlX*j zRsN?$My;5h5pv7;jKM&!gk`tBu|y3D{vIKZG827kG!PYFuzt)ti!O^bW8KhTJ)pfe zWw7hsAb*-?;dI@>0rSZV6aBg`&%YFHRuGV_?_&5>bmQOET5#8CVC_%{WP}m|VS!LX z(LTa1@u~`CJvVf-ArpLz zqLL{qn_e`kE2o`cWXnzWaq>1Q`IzfgMPuQxRDx~Hg0?DQB7H2v!O>3k0asBSLJipX1;arzZK=LwqsFjJM} zFg;($eObhiP=BZV#hr_EJ@F_;0bKlW^;6isoR>_H z{~Bqg8z9#B7C&0XWe`JsD^W9J_3T@ZdvA6>@ef{?+IsF!70^7gdiS1*KhyhQsf93} zyxcKMg{XF-yK-d({hb>*3WCpP-YafhZypvj%#9DAGfy|rLuItBz&{EmDI^PMXS$}B zlm-}|r=DM4k>;Y?i!@MJm#c2%yGZ^=q3Snk2|o8nPeg6I;(gwSP?~Y9h9j$#gT!jQ zJPIS7;y;_&NBn1BN@cbMB9?NyeNR3qz4UBiHJ+c*1*CL>&765X|S%S&WF5(-C4}y+igb z8qFsCO-e(0?_&YqfVH@yqy!BOroAvEG=dGGV_hogCRQnI&z-Nt2-^;Tup^7SNTbimNJHO zV6sE)J3uLDm-l>K>1J?mwrFaM`!p4c+QV5V_18gyFG9Q?Umo=#3nKTU-9%o|6EqMvCr4Dbn!pPi98fz zTz`06q>HY&vOpDTT?5e%BkNJqEIKj?!GmwN}0w^_-vV z4;f&oGWFGJcGf;|=M~?hn~2o0teoRy3?{c)+Nry4nGe)8=*q>rPw^m#aN>nISH@-pg=rhK++N^Drhr=`Q1+}{Q-S4ras&rR;e7s0=|ECi9q8 zu+sc*UAzC0@b5)19h-zFg9V7vLLl`27<>p`1{B2$xE|u|67XLyzW5YW^#F64153g3 zkD<@OGQiO5?k-ndet(|(F9D+GOcV)VZVNiduM&KJ$uKzazYG6+LB9W#;sQ~Tz3~HV zpgTF(*1!Mw0pY$$&s! z`#>T8L0JDS;GdrU?*iKV|1RK9zyI&y|1`~iA8r!(x8Z*pYEwf>uyqg!9r&dJdvH1! IKp67>0Ih608UO$Q literal 0 HcmV?d00001 From e242b020142d37f449fda49bfb1c429ed670705c Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Sun, 28 Apr 2024 15:49:47 +0200 Subject: [PATCH 2/2] Improve CJIS depth management --- .../library/libraries/cjis-policy-5.9.4.yaml | 272 +++++++++--------- tools/cjis/cjis-policy-5.9.4.xlsx | Bin 97083 -> 97218 bytes 2 files changed, 136 insertions(+), 136 deletions(-) diff --git a/backend/library/libraries/cjis-policy-5.9.4.yaml b/backend/library/libraries/cjis-policy-5.9.4.yaml index ee48910d1..6685a4bf6 100644 --- a/backend/library/libraries/cjis-policy-5.9.4.yaml +++ b/backend/library/libraries/cjis-policy-5.9.4.yaml 
@@ -204,47 +204,47 @@ objects: scheduling of initial training and testing, and certification testing and all required reports by NCIC. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 description: 'The AC shall:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node33 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 1. Understand the communications, records capabilities, and needs of the Contractor which is accessing federal and state records through or because of its relationship with the CGA. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node34 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 2. Participate in related meetings and provide input and comments for system improvement. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node35 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 3. Receive information from the CGA (e.g., system updates) and disseminate it to appropriate Contractor employees. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node36 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 4. Maintain and update manuals applicable to the effectuation of the agreement, and provide them to the Contractor. 
- urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node37 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: "5. Maintain up-to-date records of Contractor\u2019s employees\ \ who access the system, including name, date of birth, social security number,\ \ date fingerprint card(s) submitted, date security clearance issued, and\ \ date initially trained, tested, certified or recertified (if applicable)." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node38 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 6. Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC, schedule the operators for testing or a certification exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule 
@@ -254,28 +254,28 @@ objects: mandated class. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node39 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 7. The AC will not permit an untrained/untested or non-certified Contractor employee to access CJI or systems supporting CJI where access to CJI can be gained. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node40 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 8. Where appropriate, ensure compliance by the Contractor with NCIC validation requirements. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node41 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 9. Provide completed applicant fingerprint cards on each Contractor employee who accesses the system to the CJA (or, where appropriate, CSA) for criminal background investigation prior to such employee accessing the system. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node42 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 description: 10. Any other responsibility for the AC promulgated by the FBI. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 assessable: false 
@@ -283,34 +283,34 @@ objects: parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 name: CJIS System Agency Information Secrurity Officer (CSA ISO) - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node44 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 description: 'The CSA ISO shall:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node45 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node44 description: 1. Serve as the security point of contact (POC) to the FBI CJIS Division ISO. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node46 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node44 description: "2. Document technical compliance with the CJIS Security Policy\ \ with the goal to assure the confidentiality, integrity, and availability\ \ of criminal justice information to the user community throughout the CSA\u2019\ s user community, to include the local level." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node47 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node44 description: 3. Document and provide assistance for implementing the security-related controls for the Interface Agency and its users. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node48 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node44 description: 4. 
Establish a security incident response and reporting procedure to discover, investigate, document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS Division ISO major incidents that significantly 
@@ -321,39 +321,39 @@ objects: parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 name: Local Agency Security Officer (LASO) - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node50 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 description: 'Each LASO shall:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node51 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node50 description: 1. Identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node52 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node50 description: 2. Identify and document how the equipment is connected to the state system. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node53 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node50 description: 3. Ensure that personnel security screening procedures are being followed as stated in this policy. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node54 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node50 description: 4. Ensure the approved and appropriate security measures are in place and working as expected. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node55 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node50 description: 5. 
Support policy compliance and ensure CSA ISO is promptly informed of security incidents. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 
@@ -362,51 +362,51 @@ objects: parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 name: FBI CJIS Division Information Security Officer (FBI CJIS ISO) - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 description: 'The FBI CJIS ISO shall:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node58 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 description: 1. Maintain the CJIS Security Policy. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node59 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 description: 2. Disseminate the FBI Director approved CJIS Security Policy. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node60 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 description: "3. Serve as a liaison with the CSA\u2019s ISO and with other\ \ personnel across the CJIS community and in this regard provide technical\ \ guidance as to the intent and implementation of operational and technical\ \ policy issues." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node61 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 description: 4. Serve as a point-of-contact (POC) for computer incident notification and distribution of security alerts to the CSOs and ISOs. 
- urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node62 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 description: 5. Assist with developing audit compliance guidelines as well as identifying and reconciling security-related issues. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node63 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 description: 6. Develop and participate in information security training programs for the CSOs and ISOs, and provide a means by which to acquire feedback to measure the effectiveness and success of such training. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node64 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 description: 7. Maintain a security policy resource center (SPRC) on FBI.gov and keep the CSOs and ISOs updated on pertinent information. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node65 
@@ -694,64 +694,64 @@ objects: to which the agency will have access, and the FBI CJIS Division policies to which the agency must adhere. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 description: 'These agreements shall include:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node115 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "1.\_Audit." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node116 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "2.\_Dissemination." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node117 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "3.\_Hit confirmation." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node118 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "4.\_Logging." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node119 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "5.\_Quality Assurance (QA)." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node120 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "6.\_Screening (Pre-Employment)." 
- urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node121 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "7.\_Security." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node122 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "8.\_Timeliness." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node123 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: "9.\_Training." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node124 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: 10. Use of the system. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node125 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 description: 11. Validation. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 assessable: false 
@@ -7269,34 +7269,34 @@ objects: parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 name: Audits by the CSA - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1178 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 description: 'Each CSA shall:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1179 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1178 description: 1. At a minimum, triennially audit all CJAs and NCJAs which have direct access to the state system in order to ensure compliance with applicable statutes, regulations and policies. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1180 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1178 description: 2. In coordination with the SIB, establish a process to periodically audit all NCJAs, with access to CJI, in order to ensure compliance with applicable statutes, regulations and policies. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1181 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1178 description: 3. Have the authority to conduct unannounced security inspections and scheduled audits of Contractor facilities. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1182 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1178 description: 4. Have the authority, on behalf of another CSA, to conduct a CSP compliance audit of contractor facilities and provide the results to the requesting CSA. 
If a subsequent CSA requests an audit of the same contractor facility, @@ -7515,20 +7515,20 @@ objects: parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 name: 'Mobile Devices ' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1218 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 description: 'The agency shall: ' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1219 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1218 description: (i) establish usage restrictions and implementation guidance for mobile devices; - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1220 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1218 description: '(ii) authorize, monitor, control wireless access to the information system. ' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 
@@ -7843,51 +7843,51 @@ objects: parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 name: Wireless Device Risk Mitigations - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 description: 'Organizations shall, as a minimum, ensure that wireless devices:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1276 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 description: "1.\_Apply available critical patches and upgrades to the operating\ \ system as soon as they become available for the device and after necessary\ \ testing as described in Section 5.10.4.1." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1277 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 description: "2.\_Are configured for local device authentication (see Section\ \ 5.13.8.1)." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1278 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 description: "3.\_Use advanced authentication or CSO approved compensating controls\ \ as per Section 5.13.7.2.1." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1279 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 description: "4.\_Encrypt all CJI resident on the device." 
- urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1280 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 description: "5.\_Erase cached information, to include authenticators (see Section\ \ 5.6.2.1) in applications, when session is terminated." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1281 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 description: "6.\_Employ personal firewalls on full-featured operating system\ \ devices or run a Mobile Device Management (MDM) system that facilitates\ \ the ability to provide firewall services from the agency level." - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1282 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 description: 7. Employ malicious code protection on full-featured operating system devices or run a MDM system that facilitates the ability to provide anti-malware services from the agency level. 
@@ -7927,35 +7927,35 @@ objects: a full-feature operating system (i.e. laptops or tablets with Windows or Linux/Unix operating systems). - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1289 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 description: 'At a minimum, the personal firewall shall perform the following activities:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1290 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1289 description: 1. Manage program access to the Internet. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1291 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1289 description: 2. Block unsolicited requests to connect to the PC. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1292 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1289 description: 3. Filter Incoming traffic by IP address or protocol. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1293 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1289 description: 4. Filter Incoming traffic by destination ports. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1294 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1289 description: 5. Maintain an IP traffic log. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 assessable: false 
@@ -8068,54 +8068,54 @@ objects: description: Before CSOs consider approval of compensating controls, Mobile Device Management (MDM) shall be implemented per Section 5.13.2. - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 description: 'The compensating controls shall:' - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1316 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 description: 1. Meet the intent of the CJIS Security Policy AA requirement - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1317 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 description: 2. Provide a similar level of protection or security as the original AA requirement - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1318 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 description: 3. Not rely upon the existing requirements for AA as compensating controls - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1319 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 description: 4. Expire upon the CSO approved date or when a compliant AA solution is implemented. 
- urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1320 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 description: "The following minimum controls shall be implemented as a part\ \ of the CSO approved compensating controls:\_" - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1321 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 description: Possession and registration of an agency-issued smartphone or tablet as an indication it is the authorized user - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1322 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 description: Use of device certificates as per Section 5.13.7.3 Device Certificates - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1323 assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 description: Implemented CJIS Security Policy compliant standard authenticator protection on the secure location where CJI is stored - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 
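Review bot: The commit subject only mentions depth, but in the hunk at @@ -204,47 +204,47 @@ node32 ('The AC shall:') also goes from assessable: true to assessable: false, and the same flip is repeated for every lead-in node in the later hunks (node44, node50, node57, node114, node1178, node1218, node1275, node1289, node1315). Please state in the commit message that the set of assessable requirements shrinks, so that anyone who has already loaded the library from patch 1/2 knows the change is more than a re-indentation of the tree.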
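Review bot: In the hunk at @@ -283,34 +283,34 @@ the context line for node43 carries a typo in a user-facing name, "CJIS System Agency Information Secrurity Officer (CSA ISO)". Since this patch already touches the neighbouring nodes and the spreadsheet under tools/cjis/, it is a good moment to correct "Secrurity" to "Security" in the source and regenerate, rather than leaving it for a follow-up.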
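Review bot: In the hunk at @@ -694,64 +694,64 @@ the list under node114 mixes two separators after the item number: items 1 to 9 are written with a non-breaking space ("1.\_Audit.") while items 10 and 11 use a plain space ("10. Use of the system."). The same mix appears under node1275 in the hunk at @@ -7843,51 +7843,51 @@ (items 1 to 6 versus item 7). Normalising to a plain space in the source would keep the descriptions searchable and avoid the escaped double-quoted form in the YAML.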
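Review bot: In the hunk at @@ -7515,20 +7515,20 @@ several values keep trailing whitespace: name: 'Mobile Devices ', description: 'The agency shall: ' and the description of node1220 ending in "information system. '". These strings are displayed and may be matched by name, so please strip them in the source before regenerating the library.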
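Review bot: In the hunk at @@ -8068,54 +8068,54 @@ node1320 is a second lead-in ("The following minimum controls shall be implemented as a part of the CSO approved compensating controls:"), yet it is moved to depth 4 under node1315 and left assessable: true, and the three controls it introduces (node1321 to node1323) are also parented to node1315. That contradicts the pattern applied everywhere else in this patch and makes them read as items of 'The compensating controls shall:'. Suggest keeping node1320 at depth 3 under node1313 with assessable: false, and giving node1321 to node1323 depth 4 with parent_urn pointing at node1320.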
diff --git a/tools/cjis/cjis-policy-5.9.4.xlsx b/tools/cjis/cjis-policy-5.9.4.xlsx index c2a887c3570fd48992915deb49d66165ce413228..7d6a49c8a98606d6f06340349600a34f343b8903 100644 GIT binary patch delta 27418
z+Nw+Edg0FY0?fdWg8Yzh4M7zPW$v(u7(|tS`a}qFAb|;Ar>B&Za)4asfN9D&9JvW} z8=PVizLlDYL{Vl; zOuNIVL0X9XVQbsD5tQ5JSb7YIjU(duDN6IJh=iET?Bx&xM_tzm0?;D)}6>9$vu}W_3pq*NM30YUWOIW_8xoQb5JBSEa&K z(w|&VsbCe6ADuaexMEg*;S;S`)|Z77OC6_zE60y4Gt((5Qy!VnTL*QEdO+TZ1eQ9# zXBBfaNGXIDZ-{1`Q}lWw!3y?AoaoqtswO9oX0CB7E$Z2Yi$BAz z)Cx-X-B@0)GLh;idsuxgMX}NHVg_%Se(9X5`*+pNJ#U7{Wh1GMl;LE$@2W8K?V*^M zRfHCxtC<#9A4n~zA#W;BtMo$A!*dbhSuJ-Q z%|xc+xJeIPymkm$+Xc+ZJ>+ z8lG9m#)dI^oSx~J;h&;d2856cZ6*w7QNn z^2H+RY70|kbmmZ3ky-hOE>CwUDjdD80V65Q>Z`r9p_#eowi^K#&4e2=MNKzb>JnZU zYYp-JHm-A8xQYE-SlM-W7$_xUdQF?iJDM(|n*)K^U2@_|g=PIc`G&wJBY+j=uHE6&5 zNaYOxxJpeVu&v?5VVxE_GU4b-jqtb;gjqRBYAC-s!A42mX!(2!+{YT1$37^G(AH<*A-Uww#7ona;fXUErw~)ace%FObGuP z1j?~VjxRNoB2PFUY;JjFt(nFwT&=9HZUCh6&TMxl z8{oyCB9{O_lI`p6yTxuhuM*m7c!8xdd7;4IM0TR#wGkv~rQIhs8p*POy;W9x=1?L^eiB#U)6nycJyzpsPnUg%e z^xdX_v;>ZSVp6BRqSh0o3_PwEG62aB)#Ex~r20z?^7i3YcU~2_I$zxaZKu|-$i$Xu zLma|ovi3|trR!e`(Bm6{U~SnH05;mUP;a2um%q=qHwm{HFHP#t*DhDHn-P9vrayzj zbH?pIUu<^4Q8BNb_OvUB;fGj|QakAL(rTN`+2>{U{Ab%QLzG2N3>zK(w6fhBJbJzE z0P6cTuY*KYZdr+^C(5z2$9X<36*%Q|6_h&9pKl=?hGI%{c(dVR#bRP+HfVJMoIsqb zcj3`uBETfAKxrX4NxAsn&8a2*@mY}Ti56Yyx7HJH3fgBrF|_K2FCp) z9t^|F=nFv@6#-aKY}t`P)KL%7|Z2H)q$oEA8thGz)e z8!oT@_fxJ|VlN4hm>WLf`N-7hp>y%we_o_k^Ot5(B{_!fO^;9B@F>|N*A;9|`J-?Z z1l7fx>V!%x^dSJ50&)yc4E15+6yUx5;KjIeho7QEtT{UmFw?BR_al})Isvc_6!x*& zxkqXM_)N&}=>G9YE$Yqh#A$3!GS#fg9tu7 z)N$$f=%Ld;xl#uC=w+q%L%4oT2jC}K=Uih=HDfMEF-*r$*rP&@eU1k&jH`*-?7$=d z5v7wGt~~?5T6;d}CzhvYtE)ZdnNdB-%*FA=d5BMjK?B#XRP+}he(5-y`P;J~l|e7| z4rN}k?p?wKX8KDvio|KZLz$Bed9^(j8#;emGTRO5cEG-NLmbhCaPqP?3YJ2dmeTMrbCnDfA|wiKJ~`?X$&>Uas;a1eI{CF>0zI zxIqH32@^4Be>kr+JCtAwy|Ttqk$RLIkW&jzS7?TH!Za+8|L%gq-WLrlv%!~*+sA&T zDzEt86Lm~-hsNQ{N3VT~JU|IJ^*P`#Yy1qm1f>IZjfpl2#o<#9ag+CG$7h-SH z4B7*g1Mqt2{v@8?OLd`=2v)~GLUGO*&Bc|btgD2q{1FiJ;Z2B7qP&Yewi3pXvVVmc ztPTKN#|x_`LE9+HGH=WB<>=({Z#z=VzDD!d?;BtGBx3h(l9X#H@PO7t<(dPqGoER> z! 
zA>3aS5~hB)$!MgDt)qI-E4a3Tv)6;CxuEa+=0xeHDQ-&0#Ii#(jO*fXR|QcuT^zsr zQ@C9SKBuW;1--_H+;OW_h82Gd-LPVG;xZq-x;xr5;&IhIK0uxb+i8RJ*U?zjj=5s$iToj&9)vm% zx_m^h8R)uGHEP#q2~r(4@U{?my8`Ia7oQ1kVwkX0 z(DbPOmqjhg{9>iBcl{*GIp|wq`6H@-K82f2FqI;ABEjkxpT^QR22b;o0J^gJ6Ne&I zjgnLug5n2mr6b(Y6WNcezL8`2px<_|8vW<2)Bkyv2IXII&XWU7$C&^BdKagkC`r9{ zy$M$%dT12w9bkP)xT@SKsRF1DEHbPb9dpkC21Dy{UHvbe@vt=As1feQRihwqLeJMf z`Tvzq43N(u3vK2OVMh`nP>V47i@2bKlOJf}7e6+yDFR+@BXr`OeEB42)nA@m1OBMZ zA9U$0=0pRaOXxKZH~F4IIKc-UesFOMcf;eJMn1#HTmXHua=qHpUF*Z;V91S+2PooG zTsQqcno)p47_T}?TF%)@%jshO5<4$REMW;y%_$K%5O3UDC7#1~M@aRT6*vr38LkfC za5UppLSufoH8u{P9Y^2U=Q;MJlsuST5@8G+5e?x~Gzo&fUh)nEUl;0TF|OD1uL^aO zx()#K&*gKE$U~0m66{p=DYRBAi zjX<4?#GI*9I^u4C_y85czL6(ZDi$`5oqk}izi3(fKo*967DF0^_L-0f8E(ZL04P*i|)uWA%#2d5l>y`P#m z=&>|uys0jz@dLE%0Zat=Vm+)(z+qhwxWvD<4FnI1>!i33CJ=WKIPnD$RId#zvx*ia zS(DlG0UtB<_r`JdRViN$%v0LLm|t1l6ky)Dm-&#+YJ0A2oa58HMEyPzb;e@f}n zFe$(-L%=`6VdFPWUmSq0E=&D(v@3_BL<#BvkQL5jX{BK{_hRV)^T>sAi-{sSoS!%b z{m%U2-;`d0)Rq8%*D?8b9nM^B%l{~lJw>?*jCTT2UZ#bGRb?0+N5hE|`*0HEA4l(n z3t6~H7)%NR5eG&i9=;Brc=va6b3VbiRiySGF@fn8{xKTE3efYXEVt5vbt1L9#GXp_Xh~IFa0uu!de3Zug?v|i{)iN<&{U>v7?cWGA-fxMMsFWPEUGfn~ z?GM-U>z^#I0Ev74yPix}UL|ZCzEih!+WQVbpo&tD+xAeP{`z{maiO*7zovJrt3Z| zx5DtJ4nt`!#`=OolhgMKV4`a8oq{?Kyqnq!v2N1F_5O}2uk|YexY!efbaGS zZ=`VqabE6#AYaKveXaI9z)4-PvvXC=&|00`PAlLPY;ZOI0Yu#nYIj98N#3X)e=wU9-l3QAZa~f*AnW7U70rde9ueYdR>|-?2mXClj1^dFr;>iHn+u-2w{~oOUoOEV8E8I{k%mr@10UvuCr~i$p!AWEd zgzJ`E5z@phC)3?ehFvNEx5T8YYlgg#elEB`K)aIA_%E5$c^tz7U@8rGH0?$(g;pv2*HpD+nflvULdNoky1m_Zrxv)wYpkmIQ%N*S0hU4*>m? 
zgR@vL1z@so8@k3M&aAyDE%pd0*K5nL}2t4`J zn?hWwp@%g?%z(xNp(;xK)qu5IE1c=$JUKY|- zD9~vH+3gnh4>k4zl5C{Ojwkhus}Z;w(ENmh%%O-C#xl92YF-;Bp9x;t1&wChP6D9O z1=4vC|E-e+U>5Z`DZ!`z6~KR40Amj`w9ugl961p)t{5=kRVG0!QjnNU&Pcyij{|BFW?>j(gu&DJ$}&&E)$pPxzzc&fR+zo)Hu+v z5_l2(oMF681_HT?JvQ#o@&LD*tb7AJ61Y`C)TY{)VU-5EI$=$QYnmS3#(e%Jrt~xL z#KtWY-z&XXYFyxHTOw!!lT}8Sf7CGM7On+@`BxTBd-eB2IN9Scjv3m3vv(pfVy5uT zScBP1HIjdcf?%qQ|9p$%F*I*YzB%=%ujlFfU#h_L;9jw>kpXNq@80a2RPcy^W~+UY zA}tu36EmHr%O=Fduo+i;U?>2={I*;HkC<5z*_&L>%!ma%fbmSh6)=fV3=G4`jjP(~ zo7`5Z_SEUH0tDKi*1toe@hdEaG!3wVd|+-5(0BG<`e5=ZxT--NUbq$y5)gR4v!*Uu z_F&)G4ldf^R`3sGe2bXRd55Nibn`e*rF1z5pu-jkPEWO8fytfmxcfzXOIfL!V15{$ zTAX%Ho_mVU;7MCS7mUO~e4dI$!zqFs~ zzsn_zxQ4ienSpzuu+uyemCiA|_iBAD@>*#pdnxR^A`O<^s0iKv*bAvQ1@}EZU`~BwgM4%-LZFYYpoj(H-x9u2IDBpJJZoJ0}`^U^_U9X#-hY%A!dQPN~{yq<>f&=o-r! zd}XM1^U7ct<`ea$TD#*0Mr%KV0U5lpIoBM}*n4b3oyaF@Q|A=a`@w7?`zNHD zQrH<_=!X+s=@YinLB6Ym@0|+k2Zy2!z@+VyjZlf_^5rRCus?Mf;Am>*sb66{kzEqk z0Gn_|NNc7ky$6V$)dYz=4M=?kFww*fsw;s-fj3|TiQNNTr*4Yy07gmJp(nm!8?R&r z&*-ML(QaO~r$}Ujz&J&{x@oWJRk#5yH9qGW52#Fjk(5GeLU)(&UJV9miaO0>MgVMA zX-zJj(OF!!ltJ39-pQgQ!#9nhlD0BC7pF0xne>)k+O3);0}Nvj=-jdVB9N<~e@CwC zBmxY6PEy`*=c?b{`dk+m@#V?T2qIBsaMXH32Wm+S;OPdJ1wX%8?e9?^X25s*Kn8xE zAh23NoQDhhMr8PamWjyW`gWk6aI2Rk z_nlk$+t+o$-dkbgXIfmow2PsX#o;Yyo) zUwyrPWW>W4ntXZkTXodq%P1tQKI7w;VCB4gmAtP;*De$DSB zx!NkbUL1j!lWWoU^1g*VlKSE3CGxsbPOS2gfc_?iBzbeIvw=$3@9pGKhHGo}%#wYl z5GFUe}t8fuT5SCYzTX(GqXi8pNLG79x5?y3hW|D{1D76??7+75OGSb;uPk zm^zXVaA9zLpVK?RQ0F>gY7swu#wE2rQT)6^|CRRAC_}N|^~QZ`4ORR2s=kQS$1@H3)uh$2 zcR761u9UuDqa%x(y?a#Q*a|(9@DpH zXi1)3R@)^c&Wz>a1l*+~a%eXq{X@-%;}|0hTF^zht$L^5o}B+$!}7c4 z8n68+xuQ~II?sbdkw$z*W*{6$YEnPaxwm+NyZE6>t6u7PzZTxEJ;~hei3|q4c?tYgr zBw>p_g& zY}f^qdzJ&I+(WwNI~-Vd?Jaw+kTMUonQM4P5bIb!;E@G`O4*d$z5;%EA*8>r-~m{U z11wY9`=p3oj0>NJciN|MQTr@APOmf2FeNLhHFo(RhSyP@?~QC$*`FutbVP;zi8j6c z)|X4P--%5MF0D>6;J@E~kP@x@N(;H_eNo|#p)B~T#a%9LRG&31gT~$f=5xx^6LG@sV!I~7yuDWIaz2~NCV+d^?nH2$6 z)IZVS%+scYy(HV`Gnc4pwjG{53B-TA^jV5)xymb}P1|kaog`Ec}!p_@Q21e)~ 
z6{K?cRC|1B=u74QgyPNJgo3E=0jXX*?x6mL*3sXu%vH$!;l;^yzVz(F&BIO2!XqZ` zyZ9f^-SL-t1Nl(lrR81%+blmNHFW=D=USwYm>~~)K|BVeLiMHewy2NZ_4Hdem-piL2bv;A zhCW^@rDBUWSh|Il`|fkp(Eapfx{c`hE=7-F>34W<_Fmxo2?4R`$ zsjw0y`)EKK&unV&67N0a&+h$HaUv;Pydg?^aSFaG8{NoPK?P(rqy!qt_KE5|{T|9^ z6}x_zdb5%3c&J4S$s{!YRveU5j6FY9M6ut%p^!2EOF$;8EKrx%t8LGU6#Lt)z*L^p zVJnt1Qo_r-Lcgx%fxEP#LW)%&-d@tx*5+_R z?}K{xk0+@ycV13h*0+(#2-n~uTwC!>*u~$&m(d|ZA3R@lYYbeEk>|)*{^Vz5ds~!6 zdW`cr;m1k+yT9*93SUmLKi9C>?@1
`n}az8HM_hP@?V)Xe`7NfE2z!t2quk)uB zn3k;cta}!g6ccB&c1%*VZve zrRzDWs={a4I_14Ym;Bn)=kl!6t7Cdo7flB?nw6m>y!Za>$!@{i2V3i37JhNBaqYD) z40)#cbN}iyryE7nU%meAvOqeq4U1|i*P2RRK=;a#jDf*Pm?WF}b!?p497T45XemA6 z4Pm>&EWF6u65jgzf<$cgDf*K6TG!Kk`XfBPyyydN0i4bzsv1~&8=R(yid|lJ+|W$e zg`Ng?=~cYm2$5luo^)3&v=aB$UlM`^SMW)f!>IRqKEVQY=%eANa@8l#7AUOK+eC(5 zr1?K|?3Z(lK9A-Q>iRmGm1z@W709w=$K7nCJgAsYU#E3FL}SyVnvEwN3~fjEGRTa7 zyNo0&7K#5EnP;v$6zEA35Uwga&ntZ!f`m!d#FytSdF?H-?Wvrt=hESbIZ=j}Ab3q3zx{h=W>AFHq-+)N zzz?>s6h5T(b_Eo`qS!X-?`u&OR={gW4A~w^4_El4T7`1ZU*PKp{&?4e@sDi%=5NpC zIdC>xD)&$2X|^#hz;`(2~ZL#19ge&*@ZN7hPH$hBUA0YU8mB8@a1!dm7-N*2SQpNH()LA;bv*&?)c>czphvuzP!E~G5vq4 z`to?FzwiGUTPb_Csq8yx8A34yH-F8Ydtdk7*FEPv&pFTgn%8X;-BbEK!<{uZ_|?^&nm|)_CXwwS z^tWZ{g)wOEF_MRRnQ;?OJbTzR5!JNXKg+cC{@Q@uma1dkN^Ims03OaTP_)J5UCk+q zej@8Ku;SYb$!t$nqikpr=oFE4&P*P>Up)BoNqj}ol7vDYmTC<=^1<Cb~uyBZPDDbO3G(-A1mI)MFvk2j z%4$zo)P!4inAEf9BkP1oZ>o=Ge5oRFnU&bPgr)omYOND+Eu`#uk{{9VZWNYBlXWA37R zellRY_0#Q+NIYVCWrF7dD-8I9WG2Of8hb!SOw=PKkaA3{c?{J5zz1#H-^#Q4=@js!WU1Z3jHAV7PSXm zCUuS$$`kLfh*#|^We7W~BR{w}`_3@GyQxC>s}AoSE$n}P6S*Q6`TnMNCK%UuPMqDf zNxk&6nKJ*|$jg;ajl6to`1326E|K)8s96H8DV)*>p#Ytsb5 zirnp6o7VXvU={8W8+Uz3_cij+#b@DoZ*>bW4WcJd{8E<|HWC;`wb(c5$$e?;wIZ${5?cMP1_Wj@7 zL38(q=FUlVF&vG4DemqD?*Hr3e7^b<2)KqV{1cwT=cmf@iU5r5atqm7$?u=xu+}ja z1I=HBnb*Z0VO$)I#TavwFcn+58jBP$5m}XTlW^z^x?4eK6yC-r2TY2j**BCjn9M7b zSMWkZrAj2#v7ab@Uxjc7p5%g_|$c7T1g205F>3+8D zTGwhrQ+)MVtH}a+;>V`qmBhXht&>~wnprm{ee@hHFO4{9y}J>vLXo&`R)e%@2Ce5Y zX8)g>`)7wz^yq%57WZkS91$-l_#yQ{YpKEE=dhVG$u2sR)q0Mr9a{*!vV>q$FW>jj z$@F!g1SUAGtF+J}DbzHySpxCkI9tVOYG|%SB5h~!_mo+N*kzS8m7SXz?O#yR1a-`A z`w8`Ofhh?q!nP)@4de98p3Gyk&`t4tg@VXvhM8e3|mzCNT(lIm9Ijt zY9+HQjz?%s{|PG@@T;~J>||J5W9O15B-mR3rQ_3o#8Zzy1D~+9iuzF#c6NwOKO9;) ze8xS>a&e2?P%Dc&?(|y1$DZO2x)32-=Nj;h_MDGKJIGs#Y&@B0kWm-$CN!E@)tcLO;x|&W4LRe<7m^LuIE* zbB5+}q|@w=eVL-a4R>aj$rGcQ=_{ZXGzXvIqxXTPc`I@v|K1*^F5IqU3O*rYL%BVw z7{igyv0Gn%j{Dtu(UL$=keoWqocD^uF={koDh_zI0!!Zu!*FLhuzEMreA59!cdO1aDu^ zJz%q6EK&j;7_rszv$9@83qE)+r2JW1@BwBVKf8KE9sKaq1Bbr<=hZa+g;^!Fb-F#V 
zd9_toyNibkA7AIf&REr1ZVhw-R8;rTv~3Y^4J0xA3pNmHj>?iC8{9 za@T@z@DT>#*#{*tPIqB0YimBE)NWuX;ANj6c22JbfBWim*Q|FSlqwT1b`D{DEkf>G ziZ2ofIGUZ~+M>B^@ttIbNuHqQQI;+aackz7dDjD{*VGQ)oXv{D_a1f_gq8JO73z|l zwk-TQcI!nWPjU|nEY$?ebRbT@2G%hD*sin^3q|?T#V|5@JPhXIzLO>JpGbfufWBbVLAB{ENuq)i87qMoyH7^C1P%&xuyo4t_Gr`gqqp(cpt=N0&_qh9I4p_MJ?O+zW|S9|%ysdtI%5#3cz!@aHm^n;OQeNvEkgtCm_ zgZ~x>tzbJ|VKV6uZM-|*NhFSzE`cE9<|G^81Bb!4u^cckwr1ni^Hfu(qB}>@1Z*jw zt@{WhFffj5nvK1@dx=;=1#q0|&u+#Onif@aG~RO{9_ZwTIUeGTG;30HGQo29*|Y8` zocUz{-z`Y^BH@81d-duRF7}+g4Xia5mp~|}faW(ApxxXXqMfN!YJziy79t12A@|-L zDH*69#F`>K-apB*fMI zxLX$I?-Q*rz5K?&t>|xOI2(W?+M<4MR%ImxqN>sD&&r~<*D+rtC?3(oUM6#C2@4_9 z1XKzuk_R1dxjrbTz9b4PCucwQ+Y}3N?E^Z&F&X?$e{Ai9kloT!@RhWkI3*7!l%C># z61^vLOa{fE^ynoipl)I11eAth?Fzg+AGi}djnibWKEPd?T1sd89X4cxFlm-5h7bJ3 z74)p;5-riVGM`9D$Ts=wpsjeglrFvBuSMZs26U%k`pyFcyl{g~BW7X+28R2t)GoG9 z4kv$kQl{9PR!*6Y%!~X$RMBV!Bu2eu!+L}kO;CRC&GufT)rXp2^QmLc@cD^fN<-z{ zN=K45m+A{HMbD!sQmQ+hn1R~nD4po{bO3w~4|c32}r70a`9M>7!b zWFzG2BO;}9*ACPM_RJgFCd9!$kzSI((?a(P7%|S)XcNJ2cv@O!qngb;5L0?2EBKdQli{K*k) z-rH5FJqKHl$4ZzA=ZsUvx2wR@La7XshcSPDruCyK9xifw9gEs&?l9HxPo8SHJ|gKm zAzIR#RmLVherN+nOBM^uU(9`BBZ;a3^eJ`Dd&F*oTlPs8t=Ef;J?Y87oemF#fAuVX-|-PM zK}ems>s_i1A)hTjDo^sfh-lp5T8}8YUZP4qym}XI$?+9irqFl~R>}Us1FH09BZ!1j ztZJsZH*+Kr-NY@PuJ>RhQuGEGq*=xwvM$^@p-3i-HzDxuGNOcjs@TjjOPxO>$ zyIY1bL1ZIP6;dRibZo5&r7a`hH-HYP9x*ZOwaUy?1C(l*)0FmDMTy;wF;0Q+Fg6;w zu8M>%JM{#SUP<}F?E;9y2N}+U!2^iY#XXah%)ftRE4Fo<*fJeT|M-S~#@UHwz5%B< z7Fgj0FHlro7LobK_9%+deO?2FGB6AA9D_=XYO5f&v69%TOTE>iL9t$>elFAg^hLQjfu2BbK%WlGeZ%|b_gD#2H9iDYV#dDFzXqsj0fMgiRuUp^n=v`0k z8|>od5-z#I((A3zi_)?D+X7O?^hM!xgK$C^coa=${VT1tI#Y$15CO^k@NjGFmS9ey*IkVD6LjVhJG1amgFmqXjEhaR`Ii%J;)aO zYc^%mOQrF3Ba+{ZiOj>lvCX-P)!|XKS1)JieBG)DsR;!Dzu+>P446H>vyBZRWN#H_ zZ{d@Km|74w!8aj%dM( zI+$AS+{P0PEhzW>_Ld;Z;5C2fGK{^2;ccB?zW!{$>nWS6h5QJ3#J)S7LPlm}Shds4%dvnUB2%AehDzeaB z$nlnEdj`7DNM`dHJGLz=QGaq*mGvVrOj6_s=N4uYDQ5vXQ}8%g$D05pDoX zf6}=2WuK{RXxqisf^y!}L~N7t`BZ!^?S9g8k4b^WTqY|dj<*+8r3N9lWSw1;xfbHR 
zzbkPl0tPtHe{4Z;j1oAj5M{;|Dvd1O?8g7~izt=E+ToCU%Pu9+&QgdAD!$p>o={0i zM;Rvk;7fNlinV1|%U07y*+WET*P+V;rPY}gQ&V@9*snQVhC`3r`kw#dTT((U!%TE^ zU`r%l+2L|i*G5j8l|@i{1fw`ufvE-g=Pn55>W8l|hFxDwu5JcO$EZO|C035N3t8(r zMKeUT_&6UgDX|-B74ky}#U%itkfR|WdzP-a=o%~%ddRQu+-_(SaQZ^p&y*+h+BECk z)^;wtDo#(t@ux(qsFC6e3lusL?g`4$AmM8nAZgwLuw|}Q=67oU%$2tmlT^Svbu>ER z6&UuD^orjZyBTSL-kl2Z6Cp-RWJ3vnM{*DWf zpd)3qUc^r(UjeyUjk>s=?C?Ud>*;negWI;^uJ6@}3_9U*dHjlbC7R`9mT=0)E2Vkca8TPYiD9yyC#_q`;WY)>UpAi| z93pS+ZSxb-sgcpV&SNa&UXnYSkW~l zjX5_($)3tIQXY81Iv^anY=Kj7;=z|UY9<4RUx}@TR$bCqjV+9oK$up0gx;;{i7YZ` ztv}S932nf=VdKRzVGu7OH@0g|H-@TK#UU zEn;)z2M8()C_5^cW$fE%UkTu;6_M!{?Z5!X{Ss9CeM%)eZ{d*Wg#|1~i+AcbZlmHg zA!NXx|FnM4V3KtPjsLULsF>2j!bg}Ag!|nee+Ta9n8oP#2L9Xg{q&z^7ICH&E&0n0 z@0V(MTZKN82-qm4SY+b?Vy|DyEfZkzLB!^F`%?UdJq`?J zUm9(90ody+Rj13t+Lu!pwnK%Redrv%{v`4vJv{icEKs~`Q;MNrU=aEnQ$l~5-QGG- zpP|a%3>cdnn!R32kZ^9CV8dh;A^HDN^J#Z=slC?u_!E>qvR9KQNj=ScV-h>AQC|mZ zcKQG=5qQ>c#(a_BKuH$>gGAEHKu#%Yex!_GVhMmh{?mk>&xOxL+8;4=!H=G4?{D^+ zTx5)3Ts#%+JD-tr7X)GaVUPEeP*n4D`X=SpEJ7brgc5rWXdexfNcsW8P53k}*9Z8g zzaT-MA5;`*V9)Z9us_3h+ww#Uo-Gm((zk2? 
zfcIX1S5IyOY>jVJ^wL5`)x>`NH1)BG9h$tMrFDG^RLc|3aNo8hx8a8)&Rz4RE`r5> zQV=u$thC=!iXEm5jcuYPV$C7aKA_^I!VYLZ52tt5xxRfBq54YCnK^2lCaP;y*^Iy5 zPb}MVIVhFp4jS3Fi1UCCb<)rdGT-KOE#+#$G|CLSF?l?czt@06yTc5lWQG_2)Z2D3 z_%t&!YTfL$B-F120yN!lDzo{+um#ZYx8Sp@T1!)6=HY(h!_%%`q01A)mIeu(WKj8OVXAkHLy1X+i9qNxKJk2ssrKaqK+_B|K!=p<=7!# zsfsrvPCY$0P_5EDIeTZ3`kz}Bk_q=9ih{rK7$3qJ0Dr~#^_eHF-)Pc3xrBS*3g5e3 zuRX>CHl)*j9w7tD$0W)vHaVC6s3QRwmGqmta2!5w{Mm3Ydj~jx^1jHx33?~d-9srZo>Mk|zcpPtbbZS`pt{DBo4uV#nsriN`OG%;_Y6hFftKuP^)I7^s` zJs4f$Pjra;)1ZP{)UP%e*Z{SuG}nXl-k}B>>djHA{aI=n)znkAY~6OOIxl)mD(ZDw zFcWS;UrX)@yJEsa#sdy6fXR*MViZ>xXy3HHNq=o}IZJL=TKfj5+qsao^Ya}x)b_S8 zzh&~({aGs{6smYJTeoq-YU2Xq2y^-VPf!s%AIOozp``A|vLwo47{0O`GR zx?8^d7PdXWqv5gNK#L+l5->!s_qmkn%&3zfu@Ye|PN45a!F{o1TTGA8C6cw=L8WYC z8`g4b)<~QWY(3WJlbZxAKY{Ks59;}67{*p}OKte3bTOs^mVHB1ErkkpXo{)eYty9csj=KGW8^5EI{nw;qBq52h@}$}aX93H%fHe8Q=NTcor9i6 zR+!)Z!MD|ArdK0-L|b*Hm97fF-k*l0R|jNvmsSX6(YW1)@y7wE2m8P4dbI^j3n%VW z*gB5F%b|qP;x#>M6A4(8mggSkDVlr^)-9A(+VL{HHRXV}a4+e**i0gbuRB_-#>k}D zJmOYYEnvSlPE3#~j^^r~UahcuCt*lh=T4fv=4-9#(=WyHQf600m9(Vyl#VdlUD<%n z_B!#{Fw3Gu+qhKB%^3K%qxitHOJ+w?)R1&&N+z#01>VkE<8$TaKZ@t8s^%*zSApnc zBiZ6%`5LANZ0bpKVX{@?j->~a_zgt1FC|r-@1ONnxff?LmvmWABmf;o13TRDdPX^Yi1Uu<%e)7?>iQ620+t2Qual9MHuW zi#7*rfPl-kYn24?VQyqGJO_}x8xK3DUogVTo>h8C(p)A0{hfMr!67p<6AMEtfB)Beda3_94hFa{*T#pcfIDhM_p2xv_JzP)X+g`}PVjMn7QLJqhbw{-&1A@-kr zec|Tt+oUgI>{ATS{rrUWXAh6|g0%!@b}_m`=O@}C;>EKp*3<(yOW4m>_zN!x2T3rW4CTi-Iolr%nM#2S|rwk`|CE8gO4zB6KIbJHZL$FpP1hia>x`tZ4mcmUef1!GtYhXH7Z3P-Y8qEEr$o)bW4IU`vNdSE%>H?j zwn?+g|IJYvQu9Y}T}yLtMO16etAE@-i!$mxS*($BuNli>R+-IAvhDpSoWZ00J0SSl zeQ6nXT7h-7%GarnQ*%=9{WMN+x{#c1ULD3DYxnI!Q=@*GVCnE`sT(bLlvhb7G5m6J zPD6E+-GfnH8rfhkU9pF5(#4RsPD5){C37A1`G}v=oOTjLDbt*DCBczKy1jJy`$MP` zQw*B4RQa;kPYM2=sm^}3x1muKlb&1k;&F!2qmBo?evdr)Zpw2rM`(KL)^T5i!sJSd zye&wV?$=Avi5trc8B$kQ_x?D-%bQE^GX9`72Tx1>*!n;dIQeUl^tk%Mty$gxa<=UF zX~~v19#QPa+X{geMG#FbnJTfd*9v=+mp7WWd**WH?$5TkB5n4>U$Jd+9_}xr58S5$ z`Hg~)^wQ(S1-hPSDN(Oq-1#lm)dZ)Uz*BSA8~&1-{{I~|mAdB(H=?3uNY%r_<*7b0 
zC-pINq^4ovl5msMHY{A~9ObZ{rz&zt7XuQ+{x;7yhiz^r3Cu25A)YF*f#}HI+9?Z8EEL^>IUDKiRuAb!89kTQ* z-f2%Wylq&Yvysb4l{_le*4?%_HxektepVFmf!>j^`bdr?eFgp7+H|f=k7- zOKQoYo{EG|$>wy4Tb;MkEnF@qnQ&taa66UF-YyW5JHAE^xUMMy3@*od0dU$9LPTH zm+LmGnEKM-p`mM~>PU@;ztX6B>XDG($wJCjX5hbr~?CP)we!7O4WdHpc(S5!4 zoIo+lpjw9^tMj1VVpqv1w~Eo_nOw1sWky$W!!DepikJ2hbn(hFrp-N-rH6UnXIEdG z-RXaOlp3B38A$PUoQ(*J+RlFt86eeT^l%<~tI!!yLgJcA#B++pq4nEdIVzBe18%m3Bld0pbp z4FXLb39IQXe4_Qt(CIHP2iFzjM3rVQxHdifyg7Bd^VHc#ZnPFW6CYJ4WVLv2rLDZ@ zcYAp9ZIkkS+v(4g!_kDRM(1Z8xQ}}G7j8)2CRD7+aWCzn>Tj5>HKiXrm3HID`nkgs zNx8?EpVSAC(%12xyh%&$NTMp26vc5!I#CyKrsx~>xkFQ&zat6BYxI)~)TBHRA#U;< z{eyM!9WIF(CgIOHf_&v-xZ-;jJN|15Oep)eC1}IagKwD%^pA?g>M2#;><0cm+;G?k z9Eth*QpqJPL&)SRmF%nJ+KDgQKO1+Jq8S$h%4za4tb=yNq#>s;DR4g$dY;QcQO9dtH{itUT@M*6I0 zU;@>u-xX_Ww~Ug&aEGz+Ku@S|Ar^c8?)q=utLN=mcWYZ-h>Hc;=)JppqtF8Su=lWf zf@GEZ$$Q`0-sSbZ!_)Rxn|a%5pR`@P+aw}5eS0y+viQyc?>jZ2y5-c`dA|AqI;surPG;7vtc4a~Hz#{0-XG0XjQM93;SM+*;&3ljhj@iAdFGmM7tO78k z!qtT}eIg?~v6>p3(J519(OmE1+iH-WhI*uZRgNd}w7zD@ADHSdqPn#2@v_b3_GeBf z@9>bXpHn|~bZqnN&O1ehIYk*gAqFMLnBC~OeeB}l-2?w$5-M*yfX(~;n}h@c|0ZXy z#eIG8Fv}DFox(xqtYiZ#^4LEc$f(ckT~!7*q%XXiiYy;iF!RLH$*gyHn-`>^9#7|u z{5tu2yZ`t8kB;Aqc1H)<(66oRqm7QE{@$1*cqpg`EXm4X??BdbB5u`udU(dzub(rn7-EnldQ3UN*UHrXl zceGo(*K8xfecyjx;@*k;`sQlH+WIh;r+0lkN&B$e!tRVyd>t)M3iLMq$(0W% zlKAr>6LVH4ZnKkyOCGuCM&q$vXQz^8|f7-uP|RxjwpP7psi9 zpJD3ite2jt4W~-~coH=w<+lr2soS$&dJBHZ-z&V+C~_-%-X`_#3RkX;QX%%`ofW5S zicSx&5vhlYYz@=V{bVtX3W-nNaB53pX6r(}O2&OFl+iH}&)zHN3Bu+EWxMp69Gbo% ztYics9=*X2zL8xJarI%&X8Gdf^F`*NObmPZH--(X65O4bw?1Ppf20XO$9uq?EcM<# z_5Z+k_{Q{8Pc|t{J_UDFWX{%w`c}sIJ_C2S744PhWR~S;f-6QQMb*Te7gwB}IJ}wv zpCk8uD-EaE-(2HOTHNFMczpA@(q`(Lz@`S3nEvfgB7&W_y5=m{EuN$=?zLYxhF-ik zc_I6z=i$pMqG>h>-P9s#XGA_N zh}?khCX4AmPW@bwIu%AYWVY@;nMWKMj4n9x6&x{Bg%=j_vvpxA9&sx0q9=dvtFh`g z!=2PO?Aj+G1cp~l*?IBXe{Z3kY*PO3`NJ)$i>GFh9h$MPXI`%H#JB9Q)&xDITxW2~ z=KA902WYCe3_px^^SLs3CEyG3s&D^YrJ~O5r^5}nTRd+P$PEDS#@pFnA4Lbm&Ae1q zCp`DW&V0``mRCrtSal|JxH8`YL&Gk2bE|6W4y*qr>Y#RR;dVmyO&1QHW~OU%`|9 
z_4BI-MO+@M;)bHe7ek#dLx8Z_hJl9kO~WNXRPu}6)WH{0AVu(k#W>LLVB+CU zOZsl4{P&*piA5@EettLloLt1W zzwKNEiwq8!ea*+2;ca)g@4i+@Iyze2QF;4=;~4mA0R`D#@B1d<$)-CxZ+^$6H=sgX zal=YYy-RA*{z7ceYG#A$evX}~GRnsX#S%6@rTkOk?4Gx4(G6^?+|&L+F~%KhwI%t{ zvvE1vD1x!8o>|p=Sg_Bp&&eJMA1^TPeQxlVJi9%-O1F6CldeaT(AM4$$-2M+>GF%5 z0od(^@l(*nT2}bTtzVy+?NS;5Pz<-JNRJejkfMOCvI^L<3}ilU1BW3SMafK%P&uW0UwaTgCIiOE<;@?m1C zV|2>4pI?a`%ZYexF+^BKQ58a6(-Tj^mtk>UpkLE^AGPcxOe(#2= z-w5Y%R$O|zIu=2aqWk3W<8On?{nsM-T=kiIQ1%k9o8M876lvBkPX;_ArjF35&LVia8lD3Du^;aDua#Goqp{8oS^ zCT%P*9+tT!QHBc;Hta(nEuhzcna1tBkCne`CuY?ZyjsRO_&A*Qr-!(==bzvwB_!RG z@^_fKn0{$M=3QhSDJjq24Fd4$8@>(2>4kWYJM|~ETT{Z0x)LI$J6)RZ30z(^{&H$r zqvLw@UV0(L?K}0f^G^LgX~VY~!hM10>at}{z3 zEviwJrtS$ZmpkpI3|OJ+v&c+(kNuX)+~V(@*Pi`29Yqtvgg8e*8@ts+>Fa$@DX2!N zQIx();Y0*9d&uEUwfl^j&;HJ<7`5I~J{t+A=)pVfc=2)(=KPpL>(IJ)boYL1J8)-b zwNOP{bCLPLg|Ce$Na`_RLTRT1Y(@EX2A zR6o{-_fUy9dz2Zv4`u+WeW?&@z-{#s5>Devf?HTs=$SL^;ce`TgtUlTB0n(nE_EG-g>AbBxP>q)M*Uk$g*f zTeKM|QikUZ<`ZAL*ULtKw;xDSE&_`uKjnrL_o}=zLCwm%m_t>&T`w4x!d`JH;UGDx z9G@G83Z49sD(%0drm@MLlv;uR9Lbjq?Uo!yuuWZJXb`;Z=0%wggxv2mJ}Ro;nlnzM zvL#3ivcLQTSd_M6H3Q$Jq9N{a+uv*TDr#=Wei_Vt2@7tGFPAh(&L6eSL2h&$Jh;x4 zwj^Frw$JUfUvYZl;=#G1H`i^DB08(9S#mOfp^GJfEK*CmZ^!Lq2Y(KkRqa7%BW9gv zCx^5Yt(_dlI;-=HGuC~_QiQq(m6ENPUdL#9i4Dk2@PDia670B3El!OO$g{H<0}zcD zsAU1fA~M^gtFE=C7CC^6`NkQ-2XgNUgp!-du2t=w4M){ncI)AocUA;6L@>vg-LIVB ziLBe?OYmssLweCt;~`T*ik9_#t?s!QHhOSgq5-W}z@l5Aq86#?>XxAErq4I;+=kFX zQ?b}cGP+pGyHSiF_6ikF7(6P(Nk-R`MJK;qq~dF6&@E^XOt@2@#baWliAP|yIL6+S z-=C!JAaY^^CzycXNdUzIjRG8UE2I4$ZA1Uykz#lZRKXf8TOJTv92xgr--|Ytr|zNQ zkJb(tY!TI~h093k%=V|Wk95m$!!K!dke4#s^9^HDL`3ZDKy3)v}(Xx8uHGfry;mnN_3We8NXQ8_%tQycgq7^Sh=Qs9g`5Ja6zi$Wm zhnQJIc=4kXR$dB){nz{p2w^K&RC5K(MvS+y2mo$+RowV$Kwuh=dy<36RX2T^dFK*w zKuBN}aOg8X%GG7&Hx$Lq3D(TRlfLV~B8i(47;oXgvU(x&w2077%QpHhzC z(BJFY*^AP@V=XLAM8?v?aXtMU`96pOoM5ke1ACGEdp8PpVQ{YrqWlL=Q+&$z){P9r z23W)I@g=vu@6|mw%&kQ~=_+IRy7?&&WNhPd67ZWRu?~K7!cS;T~dKps6dD1 za8|4XeufSpuwH-pImf&hLRC9SS%E&A%PCpMhqTwuwR9yg8jI5#2LxJ+ljl~jlF9*w 
zhJ=^`0d&Ndq6q*G_#+HfTfGA9naf!*9y5XqF9us7x$<y&026#p1(DF%ygGaVG^zg=P8_k!P%&}QmBc=_xGes3s?q@Om3PeT1(pmc{fsCZb#{g< zw`{-j<#@;!&>MTv0@J02rYdHkELKsQqR>*WK=kC+_w5ItpnGHWtWYN{bz~?W>aJ@S zdG<4~he_4sYT2l*v!(pjsZ!xsvy89>f@xcd7m>zWfj3wER|%zmmovFM{?*o*Q4i#d z=(qVyt6nhO2$djnMN>h=oRV@Tt$aGnF*{l_z7p1Ufg=XbI>qm3d~oqp)Dzr2dAXf}GJGRP!{Q*s}*uzunbc2_LsEY%Q%*48=YFcCHLZ=mI1Q_M1@m{#^X>1k{Gi^m{ z!$Q=019zDv!L2JS7a71C-e&!T5pCUT9-IkvRbrxtBoukv*uupt~{5?bo&B^C~m zm4srMo0;Pk7op8P0XePU3f4K<^7PdQPEPh2d^ESGSm)|-v1V~8jT!#haU#sC297-n z6)zO#H-M#xsb?>0aLl+<-xs6e$F$#|6gvzat|`E5=5YVn3rwwt=rb0PXDVt2q&2o> zqjMq^tE(wj9xYXj&L%&Qn|bs?6d(XL7Bk&!cQb@Uk3*KgwKe@g=U35Rm=6 zO`-5d+r@ZDx~+>WDAjBgEm@SDzvI*2fONR8>2-wZ+T~05Hm4ULM|UK(E;!4S&42ZP$3Y_Sppk%~so zZSUvHEW#nDhi{C;SZl5F!11B;EsGmyert6fH#nTK-|q0C!icpRe~A+68XEq0 zE4j(e%6HA0bCBr5&-F8#dx!P~sffkAQ%Y>W_NNCnp9ka|JAYBpT1s^z21%kc(QiL{ST|WBi^((Wq%@M|J~fyco%!jPOJ2GpQ^a= zeX*@e03Ii_uqa;9Q>s~<^*q3yI%8TZ+eUxqi*pl4r?^J|H6D}aS(0_CI7>xshQI!? zjd}l=uM|vn)0>QWjaHf12Xa_;W7QQFc{zhefRg6@$IXqnvxTE}k=T`q@cyQ$%7G@` zwhNlu7r>*dJ%lK?&B0CcE};^tXd++;=m|Y9CS7|6&P#HNGnU@%>i0Z)w22)}_Kas||eXMkPicZ<(mV zZl)L+u@Y^QF4R?u{C6{xR@E=bQpkx(ZBgj3s#0gYqsg@D`Mjuj%H+TAsMU;`CIYYm zvh|7#{|7T7Iqc+@O8_2{qe=PmYhp+*vtb{bQ8yrHVeOY;SF>D#KXlhz|M-pJM(~KZ z2eLb6C&;|#(EY{X7uaRDS=+|raH}S9(3qQcsl^IYqoUTpV)X)nrJ1|L;^U^QM&CL? 
zo)`M&Mp0_95o43CS<^lPF=#Zd|A?TBNl#Pj#Y}rf=bVblQBjk;3doD4kK&2M7?9xMnenB(8Au3K@`$rKP z$Y$1Qq?sF49P!44sx@u$sRG-moaX_bUrX>gyG7@4N_v8Kq^D`hWc}#Cv2A&`c<@Hd zK6?hy)iKwtrPgb_1tFibs_E6Do2J+Oey#pcQG?h=Q)#!hni^E$xX!agrsU5zzJJJTnB?j9kCm@#zRk3Iv6H|Cx|@Yc_GaQ{X`JSQbG z6o?+DWR*?p?C}C)iBZ5_F8F~?6s~Qmr?azXC?pw@7fb8TTZDSuGew*Ei;J@Zl+<_-$gE7Bq;AG5i*`HIzrq_(CaU*f3kGK# z%~x_QVhm5o(FY>3mMA?^jS;fjg$;ZIb{C_jk5fH`F;Q4L)xT=Otdb+Ju32TV|~ zX4y+%(EnoKnp5#H53`%H@^0{e8x#?)+-WS%vY#qHK46xMK^5gu)w=fnyO(@$+RcY_ zk|3q72+~~h94)8%*AakukndU;BF=qvCf-O{+eXh=?P0fMzSh zn%zgOssPk@no$FID2+`mqm%Pl^?m)>pRM^s{?xNFmwd};fS!NjF}C3iMV$?6K>3hD ze^3QUcb)^taaS7VBYZza01a^0+e@0?-?w%N$mR0Sh26_5&kfCcJv6}gYiwQ!(S1EN z8}UF++U8Tli1-BqYjF_YZ)z%k*M##GzEgf!HjXg^L=KLnTLfngJhturv@dD*Af^IT z-n<%ZY(wBY!`KG;9D(vKC|8(yysmll(RYCzIQ#}l2EP_O%_&fd`mVXck}l*RXqA<% zf4zrh4K_M({?y=~+cqC@r#^#cBS!LZEh=bkV`1zo2VXGlJ;K zCU7z5?~q5sw+r{&lpyT>6!{eK268&=b97HjX3mfn`kOf&nm`{~fObNx9G2$=shnTrb9M%j%uI zY2VlFZ$_IF?VB5ovMCU~z0|AvJg1e$M_ahtGshH0OB&Q4GXQD5D38Hi=e+*5HE9r0BD9#I zO9+x<&X#pTWNrn>nh22ErhTZrtXvHoE)cnIy9MFFM>j2QJbYu-UM6}N@L)8^+0!bY zv%(^5Bo$DY){S|RBu!*05_KkTA17N=7`@A00ae+^CQNn!@+XhYBY9*^+%Mgp(mOZ| zq;q%4<8sbZQLFME(!%~_WMsmM)n7*THTvThw9P&ZXeke91q3#GRe8wPXiVlXxekBgkn1R6`*UDut{juZkLyyT01;N;z95=d1wgXO3ksa^v zSYbIsZ`-)lv;Vd%Y~WXOVH&^dw*>Nm_{J3bDd0@Q%aApL13t>5AM;^S?hGZl#-%n# zYBPbL84}<5skIZc7F~;SMt!7^19UHH2`O&U+0=OBx-`wc(6k~-Zy@mOTLR}mJk3gd zC3QJSLPFDuo8a?qS)Mu3BW}Xrx`O`xs-Jk8sc*sa5ycUN*T6XVcu(bEU=5^L{kX!j zO)s?+wBA2>XBqJM5}Ycih6r^-b2E+C-7jt1r>r!{4jzLE9!b_P%?|`?dDIsF)+)Fv z@k7>9bEftBARK)6|0u`QoH79!%MX7BjUP51V+|idmR@H#eTcmKwW(^WdCaWpgEJ2^ zmJ(ABM?hvgNO*h7N?U3+fthlP=?r~P>K1Z6A)LO9``pD9h=o8OF&j9(;jFy>#aWfY zTaX?6fVvh6yglmzfCBAdqAc8fh;qrWO~MD#h&0{XL$CQliPo z%x0}9ntbDOr5eFdZgp}vU(_{{u_9m;VJ-R@GZ9p~6adZhXQK@x1q%8oD$_SVnZQR%Q$3CPJb6|P8$hK(F z5Mj4mH*T$Qm2wXi5Rj7%eC@f2Hg@wQbg3>li%#NLH56I-qxHq20oU9 zTk;H`Z)QBDI`!{fuh@bpX7%_e)1&~7x7lNr@R`l%PKQUp1Hr5>_8S7Po0~lLd@V8K zM0y8dhjuFi)YsF1DWE98uo`VT2PASzM(DPpwnED-+uXP%jS@i?zP0Yc-I=7qne_!E 
zdDNCs2_IUCMUv=*6ZHHbBs!%9#i~f496(mixL8`GK7GI-v#Falw|H^EIXXdw*iqW? z!&r9eT921$h-s{R+OCdDfJtQ@su|lUq)jtiN`9X`fKq0Y2lXXEHd1DW>n7+5E&`)^ zq_y&T<>Ei(0n|CaV=<~x!T|~@??9nM-w2>Fd80jPVQ-(g9_s8m7L}l)M#JEeryZ+e zjS|r583j5U01AkHp=iG}BBH>l^V5|nzpwUS6>`p_=dWo1pFK5^on1fA>IUojrF|$^ zdR?xxfe-(GQmN|)zI+lBq!2Ev=i zr1rkbWFKf`A%Rmg)XP=yncY~i^|o1jmDg#gclOq@bx$7Wi@YxzR<63^<$V`UREq=z zCL+n~;=XWd1z%65bsLkrVKUuHiB;re6-+_?U~2=VFwE?e>oTP0AW)ET&D)eDf6w_Y z_3)6}<=*(0rtXLmB>2H_J?*(i@lLWQuk%86^YBUFk9e*DIBAL*-(<62H&Yb``v!0E zIWOqObXuO8s`Jh&L!O$|9_Y1C5QFPUBF}tV;iH&wxMga5b>0RXP2`giD&|kyx(=d6 zHjRIvNbOQ$Z6dY1(O4(@HQ%)da*<>O-Ra<4z+kU)fFiOpyZ^d`i<>mR>DXn`A( zEIZ)VKXAprJ5+4b@XG0&7rKmSw!6F7v{D|$#w!R7Rl*a$Fo88J~)ojW3 zAGNukWRxX}<@3Be;|8w;Esh3Ls;ymg4HvMtdkBVtIou2+Le|jwQ ziizm`rp|`Lt688c>uRGJKwAd+0kspNbhXKKL;Zf1K4DKCkMlDCRl5ZFBJ#hm9Y9kC zn5H8GE3bAorO9bI&`r{wE@M1?7ucc)a!wSO@zwwauyW`FNZ+4C1aOCj)0V-I!4pQ~ zBPkhU_;qfmDIlDo@il6T$evQTqPr8DzK= z7aYU?J$c_i$2Wg}pL+zD0Pn}jbr^;ZcP-0739OdPRlMBf>$e;nU}(PML%57wENO2P ziRXY5p6bh<$dSv7)t32xm>tdtfp34s46y9XtE@N>=LVl>5HQUuyDq+>Z9HP1pbHC1 zaRo3jK^)(Buv$vijG{WL6+dwqhuW|7)5pi%+ypJNR+v`>D?l5#`D8aW`$<5<3rE7hRc zLlj4c5sh_pMWupHkHWmOsMm`2^HF=aw*w=zJH-2O<#zKdvBM6s&K#8AiG~Ku0w=mZ zgR??dcO>OT`RnDUOjaPB*(;Wp)@+D#coHmiD0%iVs2_kt@TFoTUI%WgzR+od0!+NK zU(e=003;+arTRW{TFZ`e9b8mr95dgm@~RS43N8 z(f^0b3o%P2`~k(;Grf|k;2L4w;CJfVBld%4e{eo;p=HFystWo-#-9vA2h3`qVJ-)d zfEhtte=@K^vm(&VaO(x3c`lG@RUaX`ojFHku-~;IXbaq1-%J7`>tt*6OlwqyQc}wK z+M$|j0hO50PV9%$;S~lTB;_NnKNqyWjJhOPz*Y)DkeBAGGKA|I9-1YiyYI2j%ZF!c z!Aq}H;5?C?j+r1!g1}2n%huA_Ol*p@(f{2rsZ?>K`8w^={Uc4V^KK^VFpN6j5;^~~ z)%s>Su#p*%z8&RP<+m`rqV`8bA2a1&)-Ade7zEEg7~6b)iOPOfuF#>UK$r%t;BTOK z@>4cqb_D0t6E+V9ZLSmEs6hs~3hU^8oHr=h=k|Is0&8HL@dM{Hbd#7WR(&WEWiG<0 z6521rz2r*t&Flxpp~5;&#b?aTT8@4Ms8n+nPV==XQ0PHidJ|2 zH@XxC02-Su+?g*D;l}3o>D_wETKo5Y^mkQ3S_~BtYqPfThBw~9c`E9iAy)7VC^CQ? 
zT@X8!NzBoAmSP7n6ETyF`o7i@6My91HvW&?6MR*ba#ukTJPtP)6EoqPC51uE^!q`% zrNqR9uPUgBGMm`^1>A}V5d_J^l&JWF$>2i|e1iqJ*{Oc*}U zQ>&nt^tG=40HcTztGE2x32G2VkAH&pZ!r=t?u(+t=i&QOSbGLHX&I|NbcixTWf=5N z(M)wL$SNv~cU%WiP6Q)Z&2@LK)PHapM7>UXvQ|bI`Wf#y0?w!LM7~$Gv6lE_2mZUu zRXo<}>i}Huc>EL7@zky@^&6AGI&~DQas~1#tO4d#uTt@9psqg6BJ#th2dJ7q{>T6{ zSs}s@N_YSj5IDq=hd0Eso*7foP{)>x>;1VLn8i|yTs$iK0adMYjagIGkA}^a&ATmO zo#MWJpp#%R@b@@Uya2~4=_~d>z^!UrZRXoOaziEom4H+f;?Q)(Oc-@QrBHyFq_w-H zydOPqgafD=BQs#luYFs+ppgTLBR}Pd#S!cus)QEf8o<>`8g0M7DC+cJv|A1TV%mzx zfs!%!Z?sGfgQ%iAcI$5QqqZy0aI-#)|50Wpj7pOAr!3s#1#EBxM!pp&1(-+xx3K~; zK>qk|hJX%bAIBw`L5Cb!(_#juOgUAg+b?Mk`{DSzm4YmnQGYU*5CH#s9nH zq#i)6{6`Krvapueb+Lq5h2yHZQ_lTy%ifOH4}YaYnl&T1LcC!P9-bq~ z!5P6Spa9CPj@mFyv;MHlwE=|RMXOX8qHb%JxY_K$RP!3yo$#Fn_0Lc(bTsR|KZ3@LklckuWy+xt z0YLvsubnMkt6ST64426M1-(#CBKhoJA)D|e=^<7Y0P$zP(-;9E@?8KUj|p}m41Zz$ z6&s*iz@Qtg9rOL8_G+-&1FbiLpWFzYd-H$%zzMAAsOr~=Aru&ZAXuSq{stbTVXdwZ z56=q0_8(Rrzz(9($l@tQOIrWg4XVw+On^KUpCu`o0_Ume;jo1RHCXGfRP~l{2hr80 zZ0iFNRv+wr0F|JckqZ;&S%Y)%Sw!yyS4FX^u*evwJ#`Zj@z`&kw;1qEQyMw>14S+&JSb;z2 z5EUOwCtu^;MH;tT*8Z^QGTMj0Z^pO!qtEHYoWGBz*EtlHDKz70Zgm{8hH|Fv{V9gi)k1lx57;R6$TXz(88?$ z@K1%JIB)?LUppVMM6&+GJn*S}Kv)w~vHbcHRP<0dl@Cn*)hcR6q@vG;RV6B0j@*t1 z1Rk9O1=T$auG1neMZUlv?{UTKhRXU|pWj2B#Hkh;TcfgLz%Py|stnQ$v-}jaZQRg0 zJO1mK{?4~2=@&^kAZRoi%*5H|OCgQ0Jse|!Q!g9=4pFzKXrJut1SVKCuBNEj*02pl zS~ZU)S{U(E5r;gGs*;Jj+9n&OwxsiRuq zVGY-4{FPYM#CA2Gdtl=+xIlAaX$VzRU|jB(AbEC&91IQ_X=(+I41dmt6X>52Au*YW zl>`jo!)^~ov!h%^%}%}~Ygk&m@{G9=d(nq2P_7wuJ6$9U&qXzRpfa*R5Dt~^KZx}n z^}7#-Dh&I-#0MYB_eX-D*g5Zogn<1;cn za5=(I;LWlN2+`AoDdAZyTUMbi0CzI*6oOr2tlx59TlO;Jv ztil_W@Izz6s0`T3f10rBD*g}#y7>*G(}>0fGP!5|cqHgId!Dg*vrH9h2KTgN42{b8 z0quk+M-bpe(ZnDQz#Cu?2OWFfh6W{+s?8e^$0&nz0Q_I_jSD=VF$YTgEw9O~Vu$PC zS)1ONf4y&81vKpmrpo>rfooNgbKB%^z!*(WN~s0b3j@#Xj4=t!tkKVHgGn9xDG3{6 z8~Y3p0#eli9sTnt5Lb9%tYe4&1c=!>u@xqYJflh?+C-e(P zKrs$s5uGw+NVg4@T`9a&OH6@?MjQkN3afTY_E@GGnm){~>Wnk4{5zftWO*?iTuk9bo8IE-iQz{@UaLu$ho`lQKE4Go aH_K#zIz|Lu8N(-dg})Ba 
z3z)3h*+bfG*V9EH5p({}TAwbW0djMsssREm5kvI7KX^QKBfzHSFEn^&$?E>(?iJVN zw-oc$9&o(#$mCCChW-NpG%G>S;nfUNpr?WFk1Kk!OuX&V(~f1}w}=)qL+VBb>`lQ8 zW9;zgdBZ=M1KmN=&XZ9FH_I(9^4KJdwx|XZ$iR9OY+-qH356&d|I!2mDQ`rtP=WG0 zPIB%pDa@+!N8fG!f|4fe8)!0fz?>z-S+d>j?4AR@U{CT79`Nv>$$51|d7LGY7hE6> z|BQf1iLchFiIHCZVxrdKn!}iws7RQXu z>)_8CaN#z#aDolG)5N>MeBS?tr!#RL^e=FTXz2e^vkv^FLPbkuK~iwLJ0aML_%|3f z@a16I?R_mp0}Gkh6)J1-zI9|3+uZii&wdrPisOHgBaZW*X3-`ELv=-HopSL%Bh$}E zA0H;voO5z))l)uaI0uIL&&N=7#o!g-$LBjDpic2CRA83z+E+n|VM%dmvXxA2iz*Rn z5oUcO8?qHLGB6$KN55QhNj(S&pu&m%c5<4xE$dmi^8H)K)vmPVS%UHCX%-MiR)ZDJHm-Sw80Tw~66d%WRsr!QAducI_&7F}W|yG} z4B~KidsN&W`9vEDR|?dTB^Jqy=QI#H<@%Im1nc{8mMbiR$KdlljxvThfL^2~7sKua_QMS^qt3qD0@b1}x;&E)x0c**I+jhs74Hs%khL+m1qeh*xotR(<&Xxw)eKnnjNzF#)(JsP(n>0CCEVm2b(W5Xr`idNSGw zoK*(%L*Y?ivwyt&6r{n_!!>$^c<5HfY> zsTj^9jSMth`^?$yJ|m8n z`N(30g@x>Tqc+l3GT?E3p-_y)2o>nE2;;ttQhd3_o&ALSaXD*%PXqMj8f=@2?#vEK zVO!x&@%_dOO{Df3P*WF_KGGJRCYDS1qF7R#-Qx|`>PTX~8}DoNWfXP3<^PlgF~ zVZ=P&mCnbCQeWJ9$MO zJs}6Q1$;wO!-lPVDM3H2kViEB%9AT`_w*0axc`~~buTd5kOD(+yb1hWG zH1H&D#qrr!M15*yBOxtBnn1QAR#s{f-#Vcy*rw=?7)c}*VB%|5)pe}SU#q_U0}^wh7;1UsK@XU^)s-*?F`1M&?Hmb#TM z#RpF8zPQb)@o>0r(lXqvqdag6t90zO7x(+Q`i^Of_6|z+W5csNoo@TLou55=z*fDD zeEmzQfBjnB(2N?Dve9XqTP_(Dh|3$;%?Cr7x`XjOQG2aTYOVchA^M)dChYbKS+}Vp z%)>9e5)G#Ll@LNnVCqY;aDvC^Qmtp zc$7CC3`vj~FNQ}`966lAZhr|9((v~pGqNCL8O*uU$BmSd&*G^vr2D|*+=`A?4&O_g zv-@d8x=~LBYILgGJVL${c(v=`h0SuV=6Rz(@h;Z8Mq$C zK&Pf*$!V5h@u*-1bF>=&_~B+O z3PL>GyPwrc9eQ_$<|ez4L&~_s85wRPI~$DXrlC*Sp5s*1hCdmB?jT|tnWR}q=9dzFf zvxW6H4q;M0e<3^t9TQ(TX#pO=d;{wV-bBGpStQ>fp|*Tf%TuJVUS8*?8f$OaU)oQO z$DdH>KyxhY=nLjPt^M9f?oamd0y@TDHv}&&ZWQ~L{*wsw8ToN2NQe2OsJ`x@x{2CB%d*FjLdwBCyhQKC@aHvsn!}H zs+QtvxzRJpxHYHeOe3MKB9J@#L{Q+(&DM)u6sC}}+;Im@V}40l(LREk!^v?D(clD< za{DBSgN^lz5P#Oe;?Ab`!7Hq|ZQkj-FAD9v4dkTghM|p#C zC^#g~x=gn=Q;aOVm&U5czTF=MEcCb`fBaT7&!NOg)rao6d0se-c8pyLluBX*@rN;# zW*;71bablAZ;Im|)Jek~)^X-YEofr~Uwkc^Is4l9bP$&)S02h>`Jbf3*UW24vi`bO z+{kmoT`6ZvNd{;F(~G{+|9U6884)#Bgfr3V-uxc=^fJe}de<*Kr+*0)i=D4b&`KG7 