From 9275b6802f349e30a641ca397aa29c285decf23e Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Thu, 2 May 2024 13:58:51 +0200 Subject: [PATCH 1/3] Add support for SSDF framework --- README.md | 1 + backend/library/libraries/nist-ssdf-1.1.yaml | 1236 ++++++++++++++++++ tools/nist/sp-800-218/nist-ssdf-1.1.xlsx | Bin 0 -> 27609 bytes 3 files changed, 1237 insertions(+) create mode 100644 backend/library/libraries/nist-ssdf-1.1.yaml create mode 100644 tools/nist/sp-800-218/nist-ssdf-1.1.xlsx diff --git a/README.md b/README.md index 6315a3402..dff9d7fdd 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant 30. FADP (Federal Act on Data Protection) 🇨🇭 31. NIST SP 800-171 rev2 🇺🇸 32. ANSSI : recommandations de sécurité pour un système d'IA générative 🇫🇷🤖 +33. NIST SP 800-218: Secure Software Development Framework (SSDF) 🖥️
diff --git a/backend/library/libraries/nist-ssdf-1.1.yaml b/backend/library/libraries/nist-ssdf-1.1.yaml new file mode 100644 index 000000000..518feefe0 --- /dev/null +++ b/backend/library/libraries/nist-ssdf-1.1.yaml 
@@ -0,0 +1,1236 @@ +urn: urn:intuitem:risk:library:nist-ssdf-1.1 +locale: fr +ref_id: nist-ssdf-1.1 +name: Secure Software Development Framework (SSDF) +description: The Secure Software Development Framework (SSDF), SP 800-218, is a set + of fundamental, sound, and secure software development practices based on established + secure software development practice documents from organizations such as BSA, OWASP, + and SAFECode +copyright: NIST +version: 1 +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-ssdf-1.1 + ref_id: nist-ssdf-1.1 + name: Secure Software Development Framework (SSDF) + description: The Secure Software Development Framework (SSDF), SP 800-218, is + a set of fundamental, sound, and secure software development practices based + on established secure software development practice documents from organizations + such as BSA, OWASP, and SAFECode + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po + assessable: false + depth: 1 + ref_id: PO + name: Prepare the Organization + description: Organizations should ensure that their people, processes, and technology + are prepared to perform secure software development at the organization level. + Many organizations will find some PO practices to also be applicable to subsets + of their software development, like individual development groups or projects. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po + ref_id: PO.1 + name: Define Security Requirements for Software Development + description: "Ensure that security requirements for software development are\ + \ known at all times so that they can be taken into account throughout the\ + \ SDLC and duplication of effort can be minimized because the requirements\ + \ information can be collected once and shared. 
This includes requirements\ + \ from internal sources (e.g., the organization\u2019s policies, business\ + \ objectives, and risk management strategy) and external sources (e.g., applicable\ + \ laws and regulations)." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1 + ref_id: PO.1.1 + description: "Identify and document all security requirements for the organization\u2019\ + s software development infrastructures and processes, and maintain the requirements\ + \ over time." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1.1 + description: "Example 1: Define policies for securing software development infrastructures\ + \ and their components, including development endpoints, throughout the SDLC\ + \ and maintaining that security.\nExample 2: Define policies for securing\ + \ software development processes throughout the SDLC and maintaining that\ + \ security, including for open-source and other third-party software components\ + \ utilized by software being developed.\nExample 3: Review and update security\ + \ requirements at least annually, or sooner if there are new requirements\ + \ from internal or external sources, or a major security incident targeting\ + \ software development infrastructure has occurred. \nExample 4: Educate affected\ + \ individuals on impending changes to requirements." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1 + ref_id: PO.1.2 + description: Identify and document all security requirements for organization-developed + software to meet, and maintain the requirements over time. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1.2 + description: "Example 1: Define policies that specify risk-based software architecture\ + \ and design requirements, such as making code modular to facilitate code\ + \ reuse and updates; isolating security components from other components during\ + \ execution; avoiding undocumented commands and settings; and providing features\ + \ that will aid software acquirers with the secure deployment, operation,\ + \ and maintenance of the software.\nExample 2: Define policies that specify\ + \ the security requirements for the organization\u2019s software, and verify\ + \ compliance at key points in the SDLC (e.g., classes of software flaws verified\ + \ by gates, responses to vulnerabilities discovered in released software).\n\ + Example 3: Analyze the risk of applicable technology stacks (e.g., languages,\ + \ environments, deployment models), and recommend or require the use of stacks\ + \ that will reduce risk compared to others.\nExample 4: Define policies that\ + \ specify what needs to be archived for each software release (e.g., code,\ + \ package files, third-party libraries, documentation, data inventory) and\ + \ how long it needs to be retained based on the SDLC model, software end-of-life,\ + \ and other factors. \nExample 5: Ensure that policies cover the entire software\ + \ life cycle, including notifying users of the impending end of software support\ + \ and the date of software end-of-life.\nExample 6: Review all security requirements\ + \ at least annually, or sooner if there are new requirements from internal\ + \ or external sources, a major vulnerability is discovered in released software,\ + \ or a major security incident targeting organization-developed software has\ + \ occurred. 
\nExample 7: Establish and follow processes for handling requirement\ + \ exception requests, including periodic reviews of all approved exceptions." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1 + ref_id: PO.1.3 + description: "Communicate requirements to all third parties who will provide\ + \ commercial software components to the organization for reuse by the organization\u2019\ + s own software. [Formerly PW.3.1]" + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.1.3 + description: "Example 1: Define a core set of security requirements for software\ + \ components, and include it in acquisition documents, software contracts,\ + \ and other agreements with third parties.\nExample 2: Define security-related\ + \ criteria for selecting software; the criteria can include the third party\u2019\ + s vulnerability disclosure program and product security incident response\ + \ capabilities or the third party\u2019s adherence to organization-defined\ + \ practices.\nExample 3: Require third parties to attest that their software\ + \ complies with the organization\u2019s security requirements.\nExample 4:\ + \ Require third parties to provide provenance data and integrity verification\ + \ mechanisms for all components of their software.\nExample 5: Establish and\ + \ follow processes to address risk when there are security requirements that\ + \ third-party software components to be acquired do not meet; this should\ + \ include periodic reviews of all approved exceptions to requirements." 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po + ref_id: PO.2 + name: Implement Roles and Responsibilities + description: Ensure that everyone inside and outside of the organization involved + in the SDLC is prepared to perform their SDLC-related roles and responsibilities + throughout the SDLC. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2 + ref_id: PO.2.1 + description: Create new roles and alter responsibilities for existing roles + as needed to encompass all parts of the SDLC. Periodically review and maintain + the defined roles and responsibilities, updating them as needed. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node12 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2.1 + description: 'Example 1: Define SDLC-related roles and responsibilities for + all members of the software development team. + + Example 2: Integrate the security roles into the software development team. + + Example 3: Define roles and responsibilities for cybersecurity staff, security + champions, project managers and leads, senior management, software developers, + software testers, software assurance leads and staff, product owners, operations + and platform engineers, and others involved in the SDLC. + + Example 4: Conduct an annual review of all roles and responsibilities. + + Example 5: Educate affected individuals on impending changes to roles and + responsibilities, and confirm that the individuals understand the changes + and agree to follow them. + + Example 6: Implement and use tools and processes to promote communication + and engagement among individuals with SDLC-related roles and responsibilities, + such as creating messaging channels for team discussions. 
+ + Example 7: Designate a group of individuals or a team as the code owner for + each project.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2 + ref_id: PO.2.2 + description: Provide role-based training for all personnel with responsibilities + that contribute to secure development. Periodically review personnel proficiency + and role-based training, and update the training as needed. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node14 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2.2 + description: 'Example 1: Document the desired outcomes of training for each + role. + + Example 2: Define the type of training or curriculum required to achieve the + desired outcome for each role. + + Example 3: Create a training plan for each role. + + Example 4: Acquire or create training for each role; acquired training may + need to be customized for the organization. + + Example 5: Measure outcome performance to identify areas where changes to + training may be beneficial.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2 + ref_id: PO.2.3 + description: Obtain upper management or authorizing official commitment to secure + development, and convey that commitment to all with development-related roles + and responsibilities. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node16 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.2.3 + description: "Example 1: Appoint a single leader or leadership team to be responsible\ + \ for the entire secure software development process, including being accountable\ + \ for releasing software to production and delegating responsibilities as\ + \ appropriate.\nExample 2: Increase authorizing officials\u2019 awareness\ + \ of the risks of developing software without integrating security throughout\ + \ the development life cycle and the risk mitigation provided by secure development\ + \ practices.\nExample 3: Assist upper management in incorporating secure development\ + \ support into their communications with personnel with development-related\ + \ roles and responsibilities.\nExample 4: Educate all personnel with development-related\ + \ roles and responsibilities on upper management\u2019s commitment to secure\ + \ development and the importance of secure development to the organization." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po + ref_id: PO.3 + name: Implement Supporting Toolchains + description: Use automation to reduce human effort and improve the accuracy, + reproducibility, usability, and comprehensiveness of security practices throughout + the SDLC, as well as provide a way to document and demonstrate the use of + these practices. Toolchains and tools may be used at different levels of the + organization, such as organization-wide or project-specific, and may address + a particular part of the SDLC, like a build pipeline. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3 + ref_id: PO.3.1 + description: Specify which tools or tool types must or should be included in + each toolchain to mitigate identified risks, as well as how the toolchain + components are to be integrated with each other. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node19 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3.1 + description: "Example 1: Define categories of toolchains, and specify the mandatory\ + \ tools or tool types to be used for each category.\nExample 2: Identify security\ + \ tools to integrate into the developer toolchain.\nExample 3: Define what\ + \ information is to be passed between tools and what data formats are to be\ + \ used.\nExample 4: Evaluate tools\u2019 signing capabilities to create immutable\ + \ records/logs for auditability within the toolchain.\nExample 5: Use automated\ + \ technology for toolchain management and orchestration." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3 + ref_id: PO.3.2 + description: Follow recommended security practices to deploy, operate, and maintain + tools and toolchains. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node21 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3.2 + description: 'Example 1: Evaluate, select, and acquire tools, and assess the + security of each tool. + + Example 2: Integrate tools with other tools and existing software development + processes and workflows. + + Example 3: Use code-based configuration for toolchains (e.g., pipelines-as-code, + toolchains-as-code). + + Example 4: Implement the technologies and processes needed for reproducible + builds. 
+ + Example 5: Update, upgrade, or replace tools as needed to address tool vulnerabilities + or add new tool capabilities. + + Example 6: Continuously monitor tools and tool logs for potential operational + and security issues, including policy violations and anomalous behavior. + + Example 7: Regularly verify the integrity and check the provenance of each + tool to identify potential problems. + + Example 8: See PW.6 regarding compiler, interpreter, and build tools. + + Example 9: See PO.5 regarding implementing and maintaining secure environments.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3 + ref_id: PO.3.3 + description: Configure tools to generate artifacts of their support of secure + software development practices as defined by the organization. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node23 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.3.3 + description: 'Example 1: Use existing tooling (e.g., workflow tracking, issue + tracking, value stream mapping) to create an audit trail of the secure development-related + actions that are performed for continuous improvement purposes. + + Example 2: Determine how often the collected information should be audited, + and implement the necessary processes. + + Example 3: Establish and enforce security and retention policies for artifact + data. + + Example 4: Assign responsibility for creating any needed artifacts that tools + cannot generate.' 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po + ref_id: PO.4 + name: Define and Use Criteria for Software Security Checks + description: "Help ensure that the software resulting from the SDLC meets the\ + \ organization\u2019s expectations by defining and using criteria for checking\ + \ the software\u2019s security during development." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.4.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.4 + ref_id: PO.4.1 + description: Define criteria for software security checks and track throughout + the SDLC. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node26 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.4.1 + description: "Example 1: Ensure that the criteria adequately indicate how effectively\ + \ security risk is being managed.\nExample 2: Define key performance indicators\ + \ (KPIs), key risk indicators (KRIs), vulnerability severity scores, and other\ + \ measures for software security.\nExample 3: Add software security criteria\ + \ to existing checks (e.g., the Definition of Done in agile SDLC methodologies).\n\ + Example 4: Review the artifacts generated as part of the software development\ + \ workflow system to determine if they meet the criteria. \nExample 5: Record\ + \ security check approvals, rejections, and exception requests as part of\ + \ the workflow and tracking system.\nExample 6: Analyze collected data in\ + \ the context of the security successes and failures of each development project,\ + \ and use the results to improve the SDLC." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.4.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.4 + ref_id: PO.4.2 + description: Implement processes, mechanisms, etc. 
to gather and safeguard the + necessary information in support of the criteria. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node28 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.4.2 + description: 'Example 1: Use the toolchain to automatically gather information + that informs security decision-making. + + Example 2: Deploy additional tools if needed to support the generation and + collection of information supporting the criteria. + + Example 3: Automate decision-making processes utilizing the criteria, and + periodically review these processes. + + Example 4: Only allow authorized personnel to access the gathered information, + and prevent any alteration or deletion of the information.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po + ref_id: PO.5 + name: Implement and Maintain Secure Environments for Software Development + description: Ensure that all components of the environments for software development + are strongly protected from internal and external threats to prevent compromises + of the environments or the software being developed or maintained within them. + Examples of environments for software development include development, build, + test, and distribution environments. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.5.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.5 + ref_id: PO.5.1 + description: Separate and protect each environment involved in software development. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node31 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.5.1 + description: "Example 1: Use multi-factor, risk-based authentication and conditional\ + \ access for each environment.\nExample 2: Use network segmentation and access\ + \ controls to separate the environments from each other and from production\ + \ environments, and to separate components from each other within each non-production\ + \ environment, in order to reduce attack surfaces and attackers\u2019 lateral\ + \ movement and privilege/access escalation.\nExample 3: Enforce authentication\ + \ and tightly restrict connections entering and exiting each software development\ + \ environment, including minimizing access to the internet to only what is\ + \ necessary.\nExample 4: Minimize direct human access to toolchain systems,\ + \ such as build services. Continuously monitor and audit all access attempts\ + \ and all use of privileged access.\nExample 5: Minimize the use of production-environment\ + \ software and services from non-production environments.\nExample 6: Regularly\ + \ log, monitor, and audit trust relationships for authorization and access\ + \ between the environments and between the components within each environment.\n\ + Example 7: Continuously log and monitor operations and alerts across all components\ + \ of the development environment to detect, respond, and recover from attempted\ + \ and actual cyber incidents.\nExample 8: Configure security controls and\ + \ other tools involved in separating and protecting the environments to generate\ + \ artifacts for their activities.\nExample 9: Continuously monitor all software\ + \ deployed in each environment for new vulnerabilities, and respond to vulnerabilities\ + \ appropriately following a risk-based approach.\nExample 10: Configure and\ + \ implement measures to secure the environments\u2019 hosting infrastructures\ + \ following a zero 
trust architecture." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.5.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.5 + ref_id: PO.5.2 + description: Secure and harden development endpoints (i.e., endpoints for software + designers, developers, testers, builders, etc.) to perform development-related + tasks using a risk-based approach. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node33 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:po.5.2 + description: 'Example 1: Configure each development endpoint based on approved + hardening guides, checklists, etc.; for example, enable FIPS-compliant encryption + of all sensitive data at rest and in transit. + + Example 2: Configure each development endpoint and the development resources + to provide the least functionality needed by users and services and to enforce + the principle of least privilege. + + Example 3: Continuously monitor the security posture of all development endpoints, + including monitoring and auditing all use of privileged access. + + Example 4: Configure security controls and other tools involved in securing + and hardening development endpoints to generate artifacts for their activities. + + Example 5: Require multi-factor authentication for all access to development + endpoints and development resources. + + Example 6: Provide dedicated development endpoints on non-production networks + for performing all development-related tasks. Provide separate endpoints on + production networks for all other tasks. + + Example 7: Configure each development endpoint following a zero trust architecture.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps + assessable: false + depth: 1 + ref_id: PS + name: Protect the Software + description: Organizations should protect all components of their software from + tampering and unauthorized access. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps + ref_id: PS.1 + name: Protect All Forms of Code from Unauthorized Access and Tampering + description: Help prevent unauthorized changes to code, both inadvertent and + intentional, which could circumvent or negate the intended security characteristics + of the software. For code that is not intended to be publicly accessible, + this helps prevent theft of the software and may make it more difficult or + time-consuming for attackers to find vulnerabilities in the software. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.1 + ref_id: PS.1.1 + description: "Store all forms of code \u2013 including source code, executable\ + \ code, and configuration-as-code \u2013 based on the principle of least\ + \ privilege so that only authorized personnel, tools, services, etc. have\ + \ access." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node37 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.1.1 + description: 'Example 1: Store all source code and configuration-as-code in + a code repository, and restrict access to it based on the nature of the code. + For example, open-source code intended for public access may need its integrity + and availability protected; other code may also need its confidentiality protected. + + Example 2: Use version control features of the repository to track all changes + made to the code with accountability to the individual account. + + Example 3: Use commit signing for code repositories. + + Example 4: Have the code owner review and approve all changes made to the + code by others. + + Example 5: Use code signing to help protect the integrity of executables. + + Example 6: Use cryptography (e.g., cryptographic hashes) to help protect file + integrity.' 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps + ref_id: PS.2 + name: Provide a Mechanism for Verifying Software Release Integrity + description: Help software acquirers ensure that the software they acquire is + legitimate and has not been tampered with. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.2 + ref_id: PS.2.1 + description: Make software integrity verification information available to software + acquirers. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node40 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.2.1 + description: "Example 1: Post cryptographic hashes for release files on a well-secured\ + \ website.\nExample 2: Use an established certificate authority for code signing\ + \ so that consumers\u2019 operating systems or other tools and services can\ + \ confirm the validity of signatures before use.\nExample 3: Periodically\ + \ review the code signing processes, including certificate renewal, rotation,\ + \ revocation, and protection." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps + ref_id: PS.3 + name: Archive and Protect Each Software Release + description: Preserve software releases in order to help identify, analyze, + and eliminate vulnerabilities discovered in the software after release. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.3 + ref_id: PS.3.1 + description: Securely archive the necessary files and supporting data (e.g., + integrity verification information, provenance data) to be retained for each + software release. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node43 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.3.1 + description: "Example 1: Store the release files, associated images, etc. in\ + \ repositories following the organization\u2019s established policy. Allow\ + \ read-only access to them by necessary personnel and no access by anyone\ + \ else.\nExample 2: Store and protect release integrity verification information\ + \ and provenance data, such as by keeping it in a separate location from the\ + \ release files or by signing the data." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.3 + ref_id: PS.3.2 + description: Collect, safeguard, maintain, and share provenance data for all + components of each software release (e.g., in a software bill of materials + [SBOM]). + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node45 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:ps.3.2 + description: "Example 1: Make the provenance data available to software acquirers\ + \ in accordance with the organization\u2019s policies, preferably using standards-based\ + \ formats.\nExample 2: Make the provenance data available to the organization\u2019\ + s operations and response teams to aid them in mitigating software vulnerabilities.\n\ + Example 3: Protect the integrity of provenance data, and provide a way for\ + \ recipients to verify provenance data integrity.\nExample 4: Update the provenance\ + \ data every time any of the software\u2019s components are updated." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + assessable: false + depth: 1 + ref_id: PW + name: Produce Well-Secured Software + description: Organizations should produce well-secured software with minimal + security vulnerabilities in its releases. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + ref_id: PW.1 + name: Design Software to Meet Security Requirements and Mitigate Security Risks + description: "Identify and evaluate the security requirements for the software;\ + \ determine what security risks the software is likely to face during operation\ + \ and how the software\u2019s design and architecture should mitigate those\ + \ risks; and justify any cases where risk-based analysis indicates that security\ + \ requirements should be relaxed or waived. Addressing security requirements\ + \ and risks during software design (secure by design) is key for improving\ + \ software security and also helps improve development efficiency." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1 + ref_id: PW.1.1 + description: "Use forms of risk modeling \u2013 such as threat modeling, attack\ + \ modeling, or attack surface mapping \u2013 to help assess the security risk\ + \ for the software." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node49 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1.1 + description: 'Example 1: Train the development team (security champions, in + particular) or collaborate with a risk modeling expert to create models and + analyze how to use a risk-based approach to communicate the risks and determine + how to address them, including implementing mitigations. + + Example 2: Perform more rigorous assessments for high-risk areas, such as + protecting sensitive data and safeguarding identification, authentication, + and access control, including credential management. + + Example 3: Review vulnerability reports and statistics for previous software + to inform the security risk assessment. 
+ + Example 4: Use data classification methods to identify and characterize each + type of data that the software will interact with.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1 + ref_id: PW.1.2 + description: "Track and maintain the software\u2019s security requirements,\ + \ risks, and design decisions." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node51 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1.2 + description: "Example 1: Record the response to each risk, including how mitigations\ + \ are to be achieved and what the rationales are for any approved exceptions\ + \ to the security requirements. Add any mitigations to the software\u2019\ + s security requirements.\nExample 2: Maintain records of design decisions,\ + \ risk responses, and approved exceptions that can be used for auditing and\ + \ maintenance purposes throughout the rest of the software life cycle.\nExample\ + \ 3: Periodically re-evaluate all approved exceptions to the security requirements,\ + \ and implement changes as needed." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1 + ref_id: PW.1.3 + description: Where appropriate, build in support for using standardized security + features and services (e.g., enabling software to integrate with existing + log management, identity management, access control, and vulnerability management + systems) instead of creating proprietary implementations of security features + and services. [Formerly PW.4.3] + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node53 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.1.3 + description: 'Example 1: Maintain one or more software repositories of modules + for supporting standardized security features and services. 
+ + Example 2: Determine secure configurations for modules for supporting standardized + security features and services, and make these configurations available (e.g., + as configuration-as-code) so developers can readily use them. + + Example 3: Define criteria for which security features and services must be + supported by software to be developed.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + ref_id: PW.2 + name: Review the Software Design to Verify Compliance with Security Requirements + and Risk Information + description: Help ensure that the software will meet the security requirements + and satisfactorily address the identified risk information. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.2 + ref_id: PW.2.1 + description: Have 1) a qualified person (or people) who were not involved with + the design and/or 2) automated processes instantiated in the toolchain review + the software design to confirm and enforce that it meets all of the security + requirements and satisfactorily addresses the identified risk information. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node56 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.2.1 + description: "Example 1: Review the software design to confirm that it addresses\ + \ applicable security requirements.\nExample 2: Review the risk models created\ + \ during software design to determine if they appear to adequately identify\ + \ the risks.\nExample 3: Review the software design to confirm that it satisfactorily\ + \ addresses the risks identified by the risk models.\nExample 4: Have the\ + \ software\u2019s designer correct failures to meet the requirements.\nExample\ + \ 5: Change the design and/or the risk response strategy if the security requirements\ + \ cannot be met.\nExample 6: Record the findings of design reviews to serve\ + \ as artifacts (e.g., in the software specification, in the issue tracking\ + \ system, in the threat model)." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + ref_id: PW.4 + name: Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating + Functionality + description: Lower the costs of software development, expedite software development, + and decrease the likelihood of introducing additional security vulnerabilities + into the software by reusing software modules and services that have already + had their security posture checked. This is particularly important for software + that implements security functionality, such as cryptographic modules and + protocols. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4 + ref_id: PW.4.1 + description: "Acquire and maintain well-secured software components (e.g., software\ + \ libraries, modules, middleware, frameworks) from commercial, open-source,\ + \ and other third-party developers for use by the organization\u2019s software." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node59 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4.1 + description: "Example 1: Review and evaluate third-party software components\ + \ in the context of their expected use. If a component is to be used in a\ + \ substantially different way in the future, perform the review and evaluation\ + \ again with that new context in mind.\nExample 2: Determine secure configurations\ + \ for software components, and make these available (e.g., as configuration-as-code)\ + \ so developers can readily use the configurations.\nExample 3: Obtain provenance\ + \ information (e.g., SBOM, source composition analysis, binary software composition\ + \ analysis) for each software component, and analyze that information to better\ + \ assess the risk that the component may introduce.\nExample 4: Establish\ + \ one or more software repositories to host sanctioned and vetted open-source\ + \ components.\nExample 5: Maintain a list of organization-approved commercial\ + \ software components and component versions along with their provenance data.\n\ + Example 6: Designate which components must be included in software to be developed.\n\ + Example 7: Implement processes to update deployed software components to newer\ + \ versions, and retain older versions of software components until all transitions\ + \ from those versions have been completed successfully.\nExample 8: If the\ + \ integrity or provenance of acquired binaries cannot be confirmed, build\ + \ binaries from source code 
after verifying the source code\u2019s integrity\ + \ and provenance." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4 + ref_id: PW.4.2 + description: Create and maintain well-secured software components in-house following + SDLC processes to meet common internal software development needs that cannot + be better met by third-party software components. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node61 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4.2 + description: 'Example 1: Follow organization-established security practices + for secure software development when creating and maintaining the components. + + Example 2: Determine secure configurations for software components, and make + these available (e.g., as configuration-as-code) so developers can readily + use the configurations. + + Example 3: Maintain one or more software repositories for these components. + + Example 4: Designate which components must be included in software to be developed. + + Example 5: Implement processes to update deployed software components to newer + versions, and maintain older versions of software components until all transitions + from those versions have been completed successfully.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4 + ref_id: PW.4.4 + description: Verify that acquired commercial, open-source, and all other third-party + software components comply with the requirements, as defined by the organization, + throughout their life cycles. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node63 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.4.4 + description: 'Example 1: Regularly check whether there are publicly known vulnerabilities + in the software modules and services that vendors have not yet fixed. + + Example 2: Build into the toolchain automatic detection of known vulnerabilities + in software components. + + Example 3: Use existing results from commercial services for vetting the software + modules and services. + + Example 4: Ensure that each software component is still actively maintained + and has not reached end of life; this should include new vulnerabilities found + in the software being remediated. + + Example 5: Determine a plan of action for each software component that is + no longer being maintained or will not be available in the near future. + + Example 6: Confirm the integrity of software components through digital signatures + or other mechanisms. + + Example 7: Review, analyze, and/or test code. See PW.7 and PW.8.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + ref_id: PW.5 + name: Create Source Code by Adhering to Secure Coding Practices + description: Decrease the number of security vulnerabilities in the software, + and reduce costs by minimizing vulnerabilities introduced during source code + creation that meet or exceed organization-defined vulnerability severity criteria. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.5.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.5 + ref_id: PW.5.1 + description: "Follow all secure coding practices that are appropriate to the\ + \ development languages and environment to meet the organization\u2019s requirements." 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node66 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.5.1 + description: 'Example 1: Validate all inputs, and validate and properly encode + all outputs. + + Example 2: Avoid using unsafe functions and calls. + + Example 3: Detect errors, and handle them gracefully. + + Example 4: Provide logging and tracing capabilities. + + Example 5: Use development environments with automated features that encourage + or require the use of secure coding practices with just-in-time training-in-place. + + Example 6: Follow procedures for manually ensuring compliance with secure + coding practices when automated methods are insufficient or unavailable. + + Example 7: Use tools (e.g., linters, formatters) to standardize the style + and formatting of the source code. + + Example 8: Check for other vulnerabilities that are common to the development + languages and environment. + + Example 9: Have the developer review their own human-readable code to complement + (not replace) code review performed by other people or tools. See PW.7.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + ref_id: PW.6 + name: Configure the Compilation, Interpreter, and Build Processes to Improve + Executable Security + description: Decrease the number of security vulnerabilities in the software + and reduce costs by eliminating vulnerabilities before testing occurs. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.6.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.6 + ref_id: PW.6.1 + description: Use compiler, interpreter, and build tools that offer features + to improve executable security. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node69 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.6.1 + description: 'Example 1: Use up-to-date versions of compiler, interpreter, and + build tools. + + Example 2: Follow change management processes when deploying or updating compiler, + interpreter, and build tools, and audit all unexpected changes to tools. + + Example 3: Regularly validate the authenticity and integrity of compiler, + interpreter, and build tools. See PO.3.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.6.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.6 + ref_id: PW.6.2 + description: Determine which compiler, interpreter, and build tool features + should be used and how each should be configured, then implement and use the + approved configurations. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node71 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.6.2 + description: "Example 1: Enable compiler features that produce warnings for\ + \ poorly secured code during the compilation process.\nExample 2: Implement\ + \ the \u201Cclean build\u201D concept, where all compiler warnings are treated\ + \ as errors and eliminated except those determined to be false positives or\ + \ irrelevant.\nExample 3: Perform all builds in a dedicated, highly controlled\ + \ build environment.\nExample 4: Enable compiler features that randomize or\ + \ obfuscate execution characteristics, such as memory location usage, that\ + \ would otherwise be predictable and thus potentially exploitable.\nExample\ + \ 5: Test to ensure that the features are working as expected and are not\ + \ inadvertently causing any operational issues or other problems.\nExample\ + \ 6: Continuously verify that the approved configurations are being used.\n\ + Example 7: Make the approved tool configurations available as configuration-as-code\ + \ so 
developers can readily use them." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.7 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + ref_id: PW.7 + name: Review and/or Analyze Human-Readable Code to Identify Vulnerabilities + and Verify Compliance with Security Requirements + description: Help identify vulnerabilities so that they can be corrected before + the software is released to prevent exploitation. Using automated methods + lowers the effort and resources needed to detect vulnerabilities. Human-readable + code includes source code, scripts, and any other form of code that an organization + deems human-readable. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.7.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.7 + ref_id: PW.7.1 + description: Determine whether code review (a person looks directly at the code + to find issues) and/or code analysis (tools are used to find issues in code, + either in a fully automated way or in conjunction with a person) should be + used, as defined by the organization. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node74 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.7.1 + description: "Example 1: Follow the organization\u2019s policies or guidelines\ + \ for when code review should be performed and how it should be conducted.\ + \ This may include third-party code and reusable code modules written in-house.\n\ + Example 2: Follow the organization\u2019s policies or guidelines for when\ + \ code analysis should be performed and how it should be conducted.\nExample\ + \ 3: Choose code review and/or analysis methods based on the stage of the\ + \ software." 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.7.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.7 + ref_id: PW.7.2 + description: "Perform the code review and/or code analysis based on the organization\u2019\ + s secure coding standards, and record and triage all discovered issues and\ + \ recommended remediations in the development team\u2019s workflow or issue\ + \ tracking system." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node76 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.7.2 + description: "Example 1: Perform peer review of code, and review any existing\ + \ code review, analysis, or testing results as part of the peer review.\n\ + Example 2: Use expert reviewers to check code for backdoors and other malicious\ + \ content.\nExample 3: Use peer reviewing tools that facilitate the peer review\ + \ process, and document all discussions and other feedback.\nExample 4: Use\ + \ a static analysis tool to automatically check code for vulnerabilities and\ + \ compliance with the organization\u2019s secure coding standards with a human\ + \ reviewing the issues reported by the tool and remediating them as necessary.\n\ + Example 5: Use review checklists to verify that the code complies with the\ + \ requirements.\nExample 6: Use automated tools to identify and remediate\ + \ documented and verified unsafe software practices on a continuous basis\ + \ as human-readable code is checked into the code repository.\nExample 7:\ + \ Identify and document the root causes of discovered issues.\nExample 8:\ + \ Document lessons learned from code review and analysis in a wiki that developers\ + \ can access and search." 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.8 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + ref_id: PW.8 + name: Test Executable Code to Identify Vulnerabilities and Verify Compliance + with Security Requirements + description: Help identify vulnerabilities so that they can be corrected before + the software is released in order to prevent exploitation. Using automated + methods lowers the effort and resources needed to detect vulnerabilities and + improves traceability and repeatability. Executable code includes binaries, + directly executed bytecode and source code, and any other form of code that + an organization deems executable. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.8.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.8 + ref_id: PW.8.1 + description: Determine whether executable code testing should be performed to + find vulnerabilities not identified by previous reviews, analysis, or testing + and, if so, which types of testing should be used. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node79 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.8.1 + description: "Example 1: Follow the organization\u2019s policies or guidelines\ + \ for when code testing should be performed and how it should be conducted\ + \ (e.g., within a sandboxed environment). This may include third-party executable\ + \ code and reusable executable code modules written in-house.\nExample 2:\ + \ Choose testing methods based on the stage of the software." 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.8.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.8 + ref_id: PW.8.2 + description: "Scope the testing, design the tests, perform the testing, and\ + \ document the results, including recording and triaging all discovered issues\ + \ and recommended remediations in the development team\u2019s workflow or\ + \ issue tracking system." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node81 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.8.2 + description: "Example 1: Perform robust functional testing of security features.\n\ + Example 2: Integrate dynamic vulnerability testing into the project\u2019\ + s automated test suite.\nExample 3: Incorporate tests for previously reported\ + \ vulnerabilities into the project\u2019s test suite to ensure that errors\ + \ are not reintroduced.\nExample 4: Take into consideration the infrastructures\ + \ and technology stacks that the software will be used with in production\ + \ when developing test plans.\nExample 5: Use fuzz testing tools to find issues\ + \ with input handling.\nExample 6: If resources are available, use penetration\ + \ testing to simulate how an attacker might attempt to compromise the software\ + \ in high-risk scenarios.\nExample 7: Identify and record the root causes\ + \ of discovered issues.\nExample 8: Document lessons learned from code testing\ + \ in a wiki that developers can access and search.\nExample 9: Use source\ + \ code, design records, and other resources when developing test plans." 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.9 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw + ref_id: PW.9 + name: Configure Software to Have Secure Settings by Default + description: Help improve the security of the software at the time of installation + to reduce the likelihood of the software being deployed with weak security + settings, putting it at greater risk of compromise. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.9.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.9 + ref_id: PW.9.1 + description: Define a secure baseline by determining how to configure each setting + that has an effect on security or a security-related setting so that the default + settings are secure and do not weaken the security functions provided by the + platform, network infrastructure, or services. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node84 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.9.1 + description: 'Example 1: Conduct testing to ensure that the settings, including + the default settings, are working as expected and are not inadvertently causing + any security weaknesses, operational issues, or other problems.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.9.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.9 + ref_id: PW.9.2 + description: Implement the default settings (or groups of default settings, + if applicable), and document each setting for software administrators. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node86 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:pw.9.2 + description: "Example 1: Verify that the approved configuration is in place\ + \ for the software.\nExample 2: Document each setting\u2019s purpose, options,\ + \ default value, security relevance, potential operational impact, and relationships\ + \ with other settings.\nExample 3: Use authoritative programmatic technical\ + \ mechanisms to record how each setting can be implemented and assessed by\ + \ software administrators.\nExample 4: Store the default configuration in\ + \ a usable format and follow change control practices for modifying it (e.g.,\ + \ configuration-as-code)." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv + assessable: false + depth: 1 + ref_id: RV + name: Respond to Vulnerabilities + description: Organizations should identify residual vulnerabilities in their + software releases and respond appropriately to address those vulnerabilities + and prevent similar ones from occurring in the future. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv + ref_id: RV.1 + name: Identify and Confirm Vulnerabilities on an Ongoing Basis + description: Help ensure that vulnerabilities are identified more quickly so + that they can be remediated more quickly in accordance with risk, reducing + the window of opportunity for attackers. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1 + ref_id: RV.1.1 + description: Gather information from software acquirers, users, and public sources + on potential vulnerabilities in the software and third-party components that + the software uses, and investigate all credible reports. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node90 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1.1 + description: 'Example 1: Monitor vulnerability databases , security mailing + lists, and other sources of vulnerability reports through manual or automated + means. + + Example 2: Use threat intelligence sources to better understand how vulnerabilities + in general are being exploited. + + Example 3: Automatically review provenance and software composition data for + all software components to identify any new vulnerabilities they have.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1 + ref_id: RV.1.2 + description: "Review, analyze, and/or test the software\u2019s code to identify\ + \ or confirm the presence of previously undetected vulnerabilities." + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node92 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1.2 + description: 'Example 1: Configure the toolchain to perform automated code analysis + and testing on a regular or continuous basis for all supported releases. + + Example 2: See PW.7 and PW.8.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1 + ref_id: RV.1.3 + description: Have a policy that addresses vulnerability disclosure and remediation, + and implement the roles, responsibilities, and processes needed to support + that policy. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node94 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.1.3 + description: 'Example 1: Establish a vulnerability disclosure program, and make + it easy for security researchers to learn about your program and report possible + vulnerabilities. 
+ + Example 2: Have a Product Security Incident Response Team (PSIRT) and processes + in place to handle the responses to vulnerability reports and incidents, including + communications plans for all stakeholders. + + Example 3: Have a security response playbook to handle a generic reported + vulnerability, a report of zero-days, a vulnerability being exploited in the + wild, and a major ongoing incident involving multiple parties and open-source + software components. + + Example 4: Periodically conduct exercises of the product security incident + response processes.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv + ref_id: RV.2 + name: Assess, Prioritize, and Remediate Vulnerabilities + description: Help ensure that vulnerabilities are remediated in accordance with + risk to reduce the window of opportunity for attackers. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.2 + ref_id: RV.2.1 + description: Analyze each vulnerability to gather sufficient information about + risk to plan its remediation or other risk response. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node97 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.2.1 + description: 'Example 1: Use existing issue tracking software to record each + vulnerability. + + Example 2: Perform risk calculations for each vulnerability based on estimates + of its exploitability, the potential impact if exploited, and any other relevant + characteristics.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.2 + ref_id: RV.2.2 + description: Plan and implement risk responses for vulnerabilities. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node99 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.2.2 + description: 'Example 1: Make a risk-based decision as to whether each vulnerability + will be remediated or if the risk will be addressed through other means (e.g., + risk acceptance, risk transference), and prioritize any actions to be taken. + + Example 2: If a permanent mitigation for a vulnerability is not yet available, + determine how the vulnerability can be temporarily mitigated until the permanent + solution is available, and add that temporary remediation to the plan. + + Example 3: Develop and release security advisories that provide the necessary + information to software acquirers, including descriptions of what the vulnerabilities + are, how to find instances of the vulnerable software, and how to address + them (e.g., where to get patches and what the patches change in the software; + what configuration settings may need to be changed; how temporary workarounds + could be implemented). + + Example 4: Deliver remediations to acquirers via an automated and trusted + delivery mechanism. A single remediation could address multiple vulnerabilities. + + Example 5: Update records of design decisions, risk responses, and approved + exceptions as needed. See PW.1.2.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv + ref_id: RV.3 + name: Analyze Vulnerabilities to Identify Their Root Causes + description: Help reduce the frequency of vulnerabilities in the future. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3 + ref_id: RV.3.1 + description: Analyze identified vulnerabilities to determine their root causes. 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node102 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3.1 + description: 'Example 1: Record the root cause of discovered issues. + + Example 2: Record lessons learned through root cause analysis in a wiki that + developers can access and search.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3 + ref_id: RV.3.2 + description: Analyze the root causes over time to identify patterns, such as + a particular secure coding practice not being followed consistently. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node104 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3.2 + description: 'Example 1: Record lessons learned through root cause analysis + in a wiki that developers can access and search. + + Example 2: Add mechanisms to the toolchain to automatically detect future + instances of the root cause. + + Example 3: Update manual processes to detect future instances of the root + cause.' + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3 + ref_id: RV.3.3 + description: Review the software for similar vulnerabilities to eradicate a + class of vulnerabilities, and proactively fix them rather than waiting for + external reports. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node106 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3.3 + description: 'Example 1: See PW.7 and PW.8.' 
+ - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3 + ref_id: RV.3.4 + description: Review the SDLC process, and update it if appropriate to prevent + (or reduce the likelihood of) the root cause recurring in updates to the software + or in new software that is created. + - urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:node108 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-ssdf-1.1:rv.3.4 + description: 'Example 1: Record lessons learned through root cause analysis + in a wiki that developers can access and search. + + Example 2: Plan and implement changes to the appropriate SDLC practices.' 
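Review bot: The depth-4 example nodes are keyed by a running counter (`node43`, `node45`, ... `node108`) that is shared with the named nodes, so adding or dropping a single row in the source spreadsheet would shift the URN of every later example node. Deriving the key from the parent instead, for instance a URN ending in `ps.3.1.examples` (a suggested form, not an existing convention in this file), would keep these URNs stable across regenerations. Separately, the `node90` description under RV.1.1 reads "vulnerability databases , security mailing lists" with a stray space before the comma; correcting it in the spreadsheet keeps the YAML and its source aligned.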
diff --git a/tools/nist/sp-800-218/nist-ssdf-1.1.xlsx b/tools/nist/sp-800-218/nist-ssdf-1.1.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..ad69041159d5c3f7cdcf0cd689091b85e1ee5985 GIT binary patch literal 27609
zj8KK67WU8ul%)d}pZE0|$0gVv0t`>=8YyRx^3P`Y(MOKG!ZjXdyrs=Ttv$alR(EkS ztPcWw(E2ElT*frM9yb?G?D8vJ*R3&Vo@kXDadJm>6qi3y=$50Sm5A>h(8bc)cS1Sj za~A{nm<u zf2LoO31h!tEMZ1e+f^$*RVI}ZD;EYjb$~Fy*x`0%oFF4X{-(Bz7z@!F; zdzEK<=?)R=7eU^BY<8;4P(gQXsN~H1piB)BOsD$b1xJql}N5PNv_>w zWj3%`vh?#crShyaugvaR)Y=ZsPo71V8i<661RRffhekWcvtB-)h|u*Er~26_IPRcQ zNoR^?pmj%*$wH@WZcouqo6}v_H_!wSojebuCtTC#162XHjvkJ6Oi<{)OG6Fvgj05(;Kuht84_suIWU{v_U^P)5 z7+$U0Zc59-PqCkM>MX6Sw@3FI6{6|Pag(bP1P$Lq6_4l^(VqKn2jz1y^pQ)k^ewha zBydZzs?I>EPKQX39N$nEuzzU`vC>db{sMENodRG>qvI!hV;09H1Vyu0k7m*rP|3@7 zQ;MdI^-~NjNMg;%7%hU;6yY?eia2^d&fHycSV`j=LYhszOAJ3Anx#v`5IW{agym|u zcSvDMe(8YNYuM5qL*`a4<8!SIVRiIReD1&?uluQ{>cjNHrB|@2RB`?4kZg^^-=FJ* zG!XMpT46OMKQ5p88bP%>)jMi>aI^37E_G8e z{2V!88ea!Mx2h8Hda6MPnNQpV?-7V~_2@(vM7iSwbVhTCBPl2vl_n@LsSMBPSA(LfoP{&;Yw> zwpgk?H@<1m(8>g-dRf?_+Cqc!N^|c7sGN`xoA5l>5Yx0b!g3@r(j~ptQ0avm1g>S25Ao;>Q+KGb`6!oNfU16|}fW2USaI z{HZmtpg2>~GtfK8jn0tV3|(^=EhSVGWqzc;2jhWTjs3R8ZS^vY0cRO-ik}>A=7LbN z_SVeHW;Zk_RL#VR70P7;$KxdGqtJ|k>=nyJu*o*5OPil!5?ZGNN}F2f$M&9=-f+yum@F6eh1Jl`D1>}!4k{F$z*w=5oE zNBd?f?hMbr)9_Uazi##UV{-HB)(Q#51SYxtbM~S?PvF0P{X;IJ-v$1jSLLq)CE#o1 zFIiT8H~f2ciN6{yf=S8$f3At&b$-t^@TU?E;vYJH%{=hC@$Y!{KaEMjE4P1xwf}DV zJJb13Q%a0KOn)al|1R)5ee+L&R^0zo{0|7{Us;^LtNae=`%`6=@Lw(X9oP4}!td+U ze<~2D|6@J=ShfCL Date: Thu, 2 May 2024 18:12:09 +0200 Subject: [PATCH 2/3] fix locale --- backend/library/libraries/nist-ssdf-1.1.yaml | 2 +- tools/nist/sp-800-218/nist-ssdf-1.1.xlsx | Bin 27609 -> 27665 bytes 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/library/libraries/nist-ssdf-1.1.yaml b/backend/library/libraries/nist-ssdf-1.1.yaml index 518feefe0..bfbc0be1b 100644 --- a/backend/library/libraries/nist-ssdf-1.1.yaml +++ b/backend/library/libraries/nist-ssdf-1.1.yaml @@ -1,5 +1,5 @@ urn: urn:intuitem:risk:library:nist-ssdf-1.1 -locale: fr +locale: en ref_id: nist-ssdf-1.1 name: Secure Software Development Framework (SSDF) description: The Secure Software Development Framework (SSDF), SP 800-218, is a set 
diff --git a/tools/nist/sp-800-218/nist-ssdf-1.1.xlsx b/tools/nist/sp-800-218/nist-ssdf-1.1.xlsx index ad69041159d5c3f7cdcf0cd689091b85e1ee5985..c4d6a71aece34c059088e9dae084857f963038aa 100644 GIT binary patch delta 3555
zML55K*C-vO9WV2iRFV>auj_t8IPb$S^&}Z=d*1AbzV8-Ej%vntv%8&jgAgwIN< zNSyq;bgX4fv8sAjOi-OIY&0D(tl81cSPw>&m7R!6o4*NprKYK<*nj(|m@h|pM68uX zGIIuhB~f}plmv^fiW1R}UL1K5_)<|?V5garyR*lBf%l8>KQ0IRg5nqIEio4NLYOc8gle}rO5fE;Ncd@=qO(fE<2p$gk@>RCjS%`r=GF?t>I_4r!0Bj8*Ijj;J z(j}eNm--fmvZ3#$3`UmR74&psKL!2PUm=@0M&wA7@_Scb_%=eh*9Y7}7-_I7luzgT z>Un;FIX+Xd!o@nXtxS~FoAVl|3J3P0OWq6IbgsPcwaZG7&R0Q?#TAV(@QNj1m!zbn zaZLJs@1fZUaCjBxl&sVi~ccOD>n&D z%iog$%A`$EBav@!+i0$-7;bzfmy~Pt#I0Ih{yKe$-*bTUfW^~wF>gUjYwQh_;&!8% z1&z`)>e{XNWfl^cZT_bB*ba3JedZg=m7yGio4Y_N5Ct{9H18xe@6Cn=wD zwF8AbS?4k{#VCSC)l_m`afXd0>fG!;rd!w4t)4ONuHhcIr?c*x4cu#~@KogU&)!tb z==qfrCPZ-J&Hg72d4)Bnrs@joBciIHH4* zhd3H6_e=i7(2!`_K3~Am#L5}Y8f(=Ju2TxXYu3ntht5dd5i5OozpoXTR+pEcAeTusnY=1 zZpDf33E0v7juBi>#A2m#0!Xr!y|m>jxc=P-x5ig4Cw&%7z~J~iqBSn0N>DeOkH2?} zbbaVM{f~W9wT7K4jedoTt#ah9Dt{NP?)dcI4rGtjc+TK{HObcJ{(9A_KYRDVMSZq~ z=YKq049!DJcZh1scTk(JCtT7(ntcMBjfP?RzU@imUo57Cxmg&P7N7WToieD9c0onp z+?_bI8d#D_=5Xo=d8MQP?3Hj>a~)`KgkGO@aO8+Y-e%nhtq_V{jdKpr>NT<01z{Ah zZ5oJpM)@{%d&Zcr>he3i?|TeJ^e5MZ2)(WWFr8m|=>@Mn1S+Es5SM^Z!v08Y<@z(y zBrj8{cw8rzL4nfSNUv72faF5oFj;D4Pi;JK0Kf4ed$sgj?&viZ-Gru|)iFMy^wKVQ zZq~kU^D8tF`p;m1 zfbNG9{;Uhxf0z|Y2Oz3ZED}z9$bs!MWe>u$v5Wjd{1M_2vc&q?X4JXCmPISjf k2>#7B0|?~zXT>`8UoV`9rMRo$?=HkO+*#%(_kZvH2W+5negFUf From d96879a4a7a659e1fa9eea46525a8555083096cd Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Thu, 2 May 2024 18:21:15 +0200 Subject: [PATCH 3/3] fix copyrights --- backend/library/libraries/nist-ssdf-1.1.yaml | 3 ++- tools/nist/sp-800-218/nist-ssdf-1.1.xlsx | Bin 27665 -> 27756 bytes 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/backend/library/libraries/nist-ssdf-1.1.yaml b/backend/library/libraries/nist-ssdf-1.1.yaml index bfbc0be1b..1ab939427 100644 --- a/backend/library/libraries/nist-ssdf-1.1.yaml +++ b/backend/library/libraries/nist-ssdf-1.1.yaml 
@@ -6,7 +6,8 @@ description: The Secure Software Development Framework (SSDF), SP 800-218, is a of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode -copyright: NIST +copyright: With the exception of material marked as copyrighted, information presented + on NIST sites are considered public information and may be distributed or copied. version: 1 provider: NIST packager: intuitem 
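Review bot: the new `copyright` value reads "information presented on NIST sites are considered public information", a plural verb on a singular subject. If this is quoted verbatim from a NIST notice, keep the wording and name the source next to it; if it is a paraphrase, use "is considered". The value is also a plain scalar folded over two lines, which parses as written, but quoting it would protect it from a later edit that puts `: ` or ` #` into the sentence.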
diff --git a/tools/nist/sp-800-218/nist-ssdf-1.1.xlsx b/tools/nist/sp-800-218/nist-ssdf-1.1.xlsx index c4d6a71aece34c059088e9dae084857f963038aa..d3d335dd6a2be88b14203367caa03605346b75fa 100644 GIT binary patch delta 17819
zW~HhlzO3|cTp(x{66LRe)LZR;vg{W25L=(q7~|JCxl;Y=Hi)A6o>ib3 zJir7C+&2B=zoFv>c!F&(6J0k7aIL^;0*}Qzyq0&Hb`1}u%mjwriv|up5&PxK?M%rP zehrMVvWX39c5wfr-+_po;*Kc05l$#V$LMYxrA+59Os|?EU(vlrg=|<6>UJUks zMm^VPu3_eRow;B9M46fP8>O6N_jkdK;&mEFDoQ=ZG%tpg&UPa-nX-;ui}5A*iL1pN z{`7VyQpyfL{S@~vIyiZBEH_ChOOO#ZOO}Y2P7?Te36fB%H6*uqJ0V?MbQ=uQc2$S< z7<+VLB<#mZQeL0q4d;-CMmK5xlP!~fLkbA|3}SjEwt}QlENmVZC=1;6!=!y-;RD$r z(?kC59#E3ppXc?Ys1$iJ`kMtR;~K{6Q_Xgo^PiUd#CBI)s$U;Zb;ZI6?2a;aRxyF3 zf%q@t2;hp57EJ@|uvvCvWu*B{OIaPfQHB_s_ayvL^%2v&-`1R4NaA5b0vB)@`_>1** zFg%Ng&btJ}bb4LB2jT zvpeG1aB=)nsQ8k^7+|szs!4@^iV8~o`uNAOV}7Zs-q1rW1qg|4oQ{oHmz&7o)QK@EnHM)FwE5?G(-ZgEI3o+ZUE4>iTsrp(?jcu3;*z z!_7m5(_k4hmmO8`#&&T_vUYTlBS4B%K4VT}#I8e=qcHJb&VRkY5FnsjMRb^Ak~Zf5Tt+t6>u%n6V`WLhu(H7$WWQr^5C7< zbQ26gH#NvPXfA8sy}K|=i{^G{ND=SJp|x=%q5GwjsPtv`%Kli?9dbP?fv~d^BmB19 zm7>>BYC9Gdr6^c7^w~XsVIy-muS2cFJZJ5hILs*AjK{r#ql}I?)ILyl&LAlsp6-sE zWnca*D&2I@{REgC_Qy{JE83xo9sA)ys8#L-q4+c^%LqX(_wMT z$Atba-UWkX3|^jpKm(Yi!%Ei`#C{Q_bUlxX9agIzH#;qY^W>Fis%QZ76$_6FZg6R_ z>y`DjJE2xtvedJ4g)fij!moRx&QK^})FTpotUH+@9lrJ27%#d~XBc%nAyctlev@H} zYyvnRDRefAG2hJ{6$$5&rU8zY|75sJB(dh+lwYK7O>^UaFqA~I>UFsU>`2KK#tvrj z6j#?TQkv!-PrC)-nox&)-AS!TiwzxDiy zu;B(xwhrL>)9r18`4s&=6WhKg@56z3u2voNChL*)Clq=rReDIJ&NA&Qq~V& zUA%bxMj7C&GAjBqukG6wTpX9SmD7w?O6_3 znCr}6MH^ByoX`x^%v?TK1Tbk3Rp1jb?@CGCMK1V z6LEw$D)x9y^1(Ba52^;&s~ISN-&d@!Vpm&=+mX=ND+Oy~th9jfQD$hv^syLl(is>8 z%2Tpr!71yPx6h0Oi~IN$2xk3vQ+7qrxasYQ&LfKA-@vUvJX2}49{dRlK{AR6Mc-UlcvKkpy!_xsoT_vfSi=%h2~DRaPskP8Le0bRpA#ath{e%`IY z$Byye2Puy*a_*Gzcn3&#oG=X+OVO-HZrG38P1nSRRK{ z(-7FGOo_Y7*cqt|AM7ga^g-ACEdm7bj z*3;@?yEd)MhrG_780{eRNH1W*Pkg+($Hf1P(p1L_L&p@?8ku2a6UlagWKnIw>6e(9)g9%C>9Os<3<7o7;hKx%aPv}&gced~>Cs3;PiDGY z?^N>w^9Fx~Ea$n!rq4XZScUSW9B1{qxwrXuS_Fq3ul31(EIZd|SJ==3!vLUOV9mC% z9a6k>c$G>Qm=U^G{Sj2OVVX>aY%p~4B7thbRK={QHRUJmj}0pNoZ!GEcFx*+_=y7< zJNu00W^>ZtydQA!BXQ$r@H-OjG4K?=1o^1w1)h@PPh2eUks{7~C{27*R<_BzF|80f zad}{NKr)w}1YOvei9w}3$6=8qm&b!{=J{x499gA6p0>V7npO zFkU_hZbvs8r7e!zfwX 
z!edvWRR-7qxe|9aZ0=5#s&5OVoiMJ+%^Z5>`ku7jJwpp!FBX6dQafl;ZBj9^7uhIz zC*rZKM|76bYZH@4RU>js@3clMk3~@>^#l}HLdZBdKeBm_m~9gZ{Y?q7-0gj3{=B7A zx|=rVL(Y6v9B$c*;~vZ8CoiDSbGIGnzs;Ja4&jUW-8A0-Uj4rHhKDNGm(F+pw)rH qkw)M(AS_Z}gGfgt(wWqCG;a--4l*OOf)iN~?lPy9d!crxxg&Oq8ZUE7G^X6;wY~rJt&z1c-&m zh27Pl$Scx#x{^xMMGj$aN#EOQ_=WH%0SukS6PPYs6(ZHjsHJTKG~ScGh@S+Qkh2tQ zFLUrVq#o9MEnE$ctaSKJR^bsVd;ueW!H3ZZNUPRL49R;ZTK~wcgNB2p$oc(Vx*jdd zU$k(Q%8{2-W4|$BIZMzLOx1>;E$FKJT8SL2Bee#sZc z$O;Tyxq>dmsW8f?#t7G@)@iw@q|>ogDmPfdI!Motg23;P2%pH7UiQd;2$!ZVZy0j5 zk7xhB-|L0_QTPmh!RRnf6|HP`P=bR_P!Gy}Vfsn8jfDhpCD;p%r{Hk; z?*3|MY|k!Wcjny-zA-PFaZ_*mAS6?p1a+ejg4#7xzY}!>SlHC&2f=KXpgw`)uUY%f z#VP~NhmFu3j$4AxIF0w5CUE&~IOBv*NY&>nkgM;Wta~CC3r+QIp6<173@5rfgk8Sj z6w|SDrl*X!@J?SdhAmI_l9Roiy7rAP#+O2J<{A(@pUe*a=i6Ks?fFEwrW#XA7u0aq zmnqF}8!7;w3C6hl456X({iSu&B5~_miv-aCpTL6D&RqgdI@6xJxu}AgUGs$+{sWVt z0~CK@Z!N;^0{{RA4gdfR0001ZY%gN_};RNvt(CGR`d7YXAEl8%T&YnPg^LRn0@N59b_z=i<*M`OsF(dLgo* zf~Uy4bCE@OA=Z>{QuOC@ZcmWaD9qQG2~K}fv?mSvkp22g(x^QnPg_Ei1ul4#qODT( z)Nz_(ODf#liJEYDQwmvO1yi|knpzUPZnROw9N%>#r^1w@&cn1SZgEm!`FU5{g{W$* z=!!C`_Qn^os$%+a!-d2v22fisz=hR%k@T%r4vQG+59?I4kfIT#x&yzCC`($9AK`z- zPVC^~=m|W(&yyEAu747HE8poUa3p!5x_l^0O2JiQ6=KI#ib4RYQ!xF^#TTCIS5VP+ zxw>TJgZ)J#XAGeOG{OQjaM`cMb>6SlmRC{TU$FLopn7Wy*EQQ~j?#tgW;4@N$N3|p z8(xu4B};&mx~a7ll70nK&1QcEyeB~RaHJ_(XbF_kbZlE*j_x>%Ii$#C|&~9IUUj z%NVj|+^ZYv2EcD!@=ZGgIOKK08c61pa&GF`lLQ!21sWX@{0Y4uIM;vD$9al=*Vkb- z+BvHoWs33xiJmvGAfer6)1)b^%C&BW;o-b#)A57fX zTSnhZtqxuR=(;_gK(2nP^nKZ!O$X@E_m;XCj4uH$*#SAqr~P8F>PqkO2QV zAsZF5ZxELT38e{^%kl#N05+2k7chUeU^%Gm2+gf%x|}I$WD^!em87>8dG`+GB>~)n zkpfyMQvCk;XNJ>0arLSp!&tgx2JAZEctNzTs<-%nVcqEw0o`OJ?y?uYA*KU{$|KHhvTYsV{$-Xz7WN z>3bNet_6ps;#&!=JwY@y%wqgzEjn|dNq!GbGQHV$9#^tML@63!k3EzU$+M?bt28Sc z^nC~u#>qkB72zFUWcv9VB`LU8M%8wJWd9WNt^J8V@fp98ZvEed2@_w#PPhWTqN4YO z6b`Sf=oJ>f6P8|KE?qj?iYkAne~QsC4wsLGS0rKT6^rE2n+(IkOVh<@K1oOO<#_l) zXVXexg`F#+q0Z^2Fk6HP^=H$*fqn?sn>S-(S@{eNa0@6BQu13V`OKNCU6i01*RQ2g z8@KTZe+f{+^c$Q6<5uio0Zo(Bd4etfs~5!~3i?;Yx8sX?(RcV4O-g@eV4<3yqOxlY 
z0Z&o|HQP4!tJ;4Cv07W4O)(R$m9px%1jDh1F_b~%WVmXOiBBShJB!$Y?9jjWXXIos zj-wzBqoF&LN9S!sNeRXl!oexwTVs{Hgm9*wc$kBp=W=o8#limov8bm2(|C+2yFmZR zbXn~E{RIF3|Nj600RMmgl$G6XgD?z6Uj^j>1`hOBfV8eJf*4Y-x~ZUUd;7&0HTAbJ zC3h7%aAG_DT921un9kkQwe{`eE4wv@Og4UY*U|ktmL~hAs_T#MKj&fWhwIds;>DV_ z?iqb$wlO=Cx#y#MdT(t(b$)N_ykD4;F#BhQ4i6@G)`!|AsF{C7wFR{>`}tu0SW4+C zjINehRFz%q2wOOUFbCCmKOHr6cVVN4&Mc~TpcY0q-rq%~c2KmMSycO`%FKm{QoGhf ztC>Z$Us_QMqi0fHglEqC5FaWGgPi`Pia@&XHG5K|1u~5=SSS!`YpX^nsW!t{J7&xR zMQs~Fz(uXw{1To5(`JF97LHP)Zidm0fwMrm2e6lK!7usTkj2dXUz3v>qY3ip2d@S> z002;vKO6mjzxv?YZ^r)HZ}#7|ciq(=`{nen zn|59K`MB8i+dbw!{rany=O0i1_Po35H(hhlEe^YWf7iV3{(R_n-MZWC#|G1FE{3c9 zZM*B5=iR$*HEj9G^daAE#sj{wziIc)7@oA7K4}bpPgH*^M8HTU|*Z%VY})V zEf=8~uA1%&Guemdtou#B?tki*c<7=%j2w8^6vOQ|w$uE*zkM;RR^4KcUk#f@r?-qZ z82$2pym@oej~Lftby#BP<-B*pnnUh(n|6g+9d-+R<-_j$`uwq83rT7>{ZAU|U;pxd z$7VZV^%g1xXXmjC1awZ5|F+vKw*$tDFB}uzFdzQ3I8x{T{7+$j z+@JiCamRK0`LE8WL#;r4cxK|PeIGD?EcH#lTb^y(9TZ7ixwIzDVc)Op;ANj*cG()? zIHgH``W4jCyS}^CD-PQwr2L3}f$~^&kQ01!bATGTdkp!)7_b?;roWDm&L!B3#km!{yxZqL`?m3%*rEu?@?x$0Wef?AT> z9_F&`vt4KxGTytfx$XBi(uW#hx>c{i;7q@T^*411b(&1P+t0;HUKB?i1@TI@O%Lm7;qRJj zY$>!Yj0aRRj0QLR-C+gA&|Y%KVQZUZKQ3r2@C&?W*HM>b685N6N>5>b%kO@2w}G}8 z1IVl^B=Kf5tcGhSxqZ8M8}0oHr}hA&jnQ>Zv) z?ccRHN^!}3xq?^2)AP80*<#|DYID`EIN#hdtoqAcyOWC(4uFdz6nu*fcn2{ZcJ9vH z47Uy3^y{WC2ej*G^SQ;^D(J`P0cs6#;DhbP0-g<5XRH1S1LKLZQ;HLh*No>)(!#%j z7S4Rx=o3gd^aA=i&@%Dad}y<{TdeSCa{+l!Hv>H){ug!%$I;J!Rnp+v(@bo~!*)v- zm80W4Wa@Ic&gPJ9(3wrQ`%rl3_@fEACTfN1?12h{5Rl^RL}ldUMd8Jz~iPKBRA=&1K*M4FE+A zfs8*N>jwGLsX=~!hC_}(QO3V;O&IAgB%)h|6Sb4By1f~o-tlL%3p7{I5xYgN0K?tY z%mU#dQ}wGuYz7VrvZ|aJkwr7m{QLI^e7oK1u6gz2`KRX}|Hmu>ocYr&#>Iou?WL*i zj|y|&nfv7d70*3%vP|0uZH-+CS_66|^D;Mxf)?DWbi&(z>s{xetQ*8^A*;qM9HBEP zHP{WZ}HZ&e+TAUAqqU9$Gw$ zq@$}DY#3tFZ8BaEVimO8-a9VS4EtX5{2BLl1|Jxe?6Dh=~>tSEE(-D#zTl3?9V+=GUa;+(8 zP^%-rj#WAwKSLQkBwCoq3XGB!(7zsF$R(ez&6DbXgZFd_4Fb}$yF(C$Q!yf3va@;E z>%ZM7=7K`wKdh)kb9WEZ2G$mx8O)jJjEf*KpLkk#agcsg;vn(u8B|nL&!5Zzj%UF6 
z5EUqJjL&aZPz%ASOmC5Q^u8aZBz!cZ94T|eh(p3HgWymgsnVl!z=@nUuiUyYhII?0 zMJqsmj&OjFPxrA!Ee0WU&?{jO4?sd5x}uybXR+?qmzk4Oje_@GyDk;(3xHx!d05yo zbkGV5^W4BzX+>1dOFQ$FNV!k zuY+v{2J=Y(2%=?7m#Dp&T!%pTZ<%?;@aEz{aB^XTll&s8F$MI5e1`$3iig*RCh`e? zSpW4P2q3s*bU64mta!j%+qL46Y;dxA4?H&siC9pv@Q4EO9$RdvAv+rcfO0n|=klWu zBU2fU=pHx9C!d5C`F^$|&G~z@-#+ zn_-^C7=TS&b{lxK41nrlJPWv9UMgRJm>V`cOQcYO5Br;8*Z)L`9{<+@Pwo zM)ma$c$NG-#$@Ri)T~kwnS?)oz-KvStDgcdfR)4vN0R88IUSfM%m!1i{~B-lt(|`J zDdRcBcf$?^FoPyA!!+`Ig@?;IxM6_3r{I{u^l*}(Ssoj?KBc`0N)*^u2RzOKZsBps zb;3?7gx(_B+E32Wiw)(Icx+{RMub*P%N(U;%M8P$W3F@RvnfW#&0x}hkeN9;A^I>l z0uxU$UyX$JM5M-&aR^K~FW3qXRRldo@HOhSV=>oLXn2HHGl_&7jOcIJ0UXLkS*S_? z+lCzlr^)hAjwsM>nCwmT^3N2-dZvOtY^m;l-eZ~8n9f;&a(R9#>lpk1Kx)9v0(f2d zVg>%FX^EMRNG`*LtuJMNiA+E_YS<8z!D+8onMa6z^Xb`IoB(IP;98{;={$@XwukjKKA zWM&TXALE=n-b=nv0Z`m>gwSN}oScnH{`8BGuz=0?@Vhlw3^o*59EMW?YNa#wxLNgY zIn~QUkC=JeZ#!UpU3L5CVc&&koNjM=pxx##(z0Q$%^t=anIzaer5P<|HOISlcq8E(N0rs?yby6_B{7QIfu_5(sZLXFoj zbMDDRskQ~SBYetDtSA`=+^5I?cUyB9B?1m?yxzeVUNQsmAz3CQjC4m_Poy#EA zPK;ZB(%A8B=z?{={9k?rwq3_W%IDA#*X_l0 zk9m3itL!mwhYYW!isHa?GLd^ndG5KcAu1UvATto|fSX{l*YH9F-!U!4RO;Bc?Io)2 zE-5pZCxZ)5K+rP@pk^f_b;_dg7{=4gMdHkVogffSF2mXdSsz$k%1rie>UV@bdxRHj zEY^05Z$08>x;`gRM!l`b7_#UD37b^S+2xEVcnSk)T0FS*qecC%xQMy!^V9&7^&D}xH1UZdA@SXG1iM<;^Qh!X%UY&? zJ~|R1p%mhoqfAjYF$)GePF6JV#|44O>$Wtb3~xlp$zr}c{U~B!?Z)r~I*(DJEN3FE zjno=bAwleFg8SJKax2G7F?p8f@-6~9;3Am1XFTIG$NqQSY76i$5nKyc8d3FOrSMVo zAATkhD#=g=y3O)n-FrBe;2B9uAncNV`*2)I`2-4>4;1!XvTOFwN39?!ZiXJwLhWD1LaW&jK! 
z>~@}BUK@;M-d%Jg!hp+T^%N#@_La2JP&iSEX~PSWu)JN%eM12~w|p94Zy1aqZoo5^ zW0gB6Yu4jW>^EN-g$Ls5^8cgSTR^F~)Ns3v1q!k|Os4Q6)foe*nY z%OB43Ei|ddngGL*A+Tu9%D@PJai7sJrh|>+5*pw-zOg};u1BD3CC%wvBL~J|bKl3< zF^U{0gPt1T3$EIJB@S}1`xBguqj%6ba>}V46q2~I*Xxw&s~*r3`PZnfA7iCMY8ynd z{odK-jet)D9}qGBm}T0m%t}^;jrn>Ep=X zB_(cuK>j*t+a>s%%xat&A9HH>NLQp^DXE9!X8{~!&D~tQI81;ea(NCoqi-|+sicU7 zdiF0Y0Z-UYQ`BZ5@t-=^_OK$QTpR3tuKAko(V0;#q2d#J zn}SX+(&;*eal#3plrqpWd5@@4Hl|WlP$zAG@*qfua=E5AZBnnu&z_=eBcobsjWBKQ zXSpAgm;|Fqmr9C%44KvODS5jxJJ};MpiV!`9!3-bBB8%*p!Mp{Wb_AFVj>4abp#o- zD>_~9K(UM-_S@f}AP7m3skXzKtwS_nzyN9okZtLn_)>NwG_;mx;_$nRU)d1Al{b6w zP$+5;4=f}C2yE2$*Hm!|iIXBhkv(m! zWW=qvP$l{l2)hI3$YI&y!@truOK2~Sl``3HCpnjZz#T09g z;TnkHSkZ(H(*iHy+Ans46RKtmze(*?6v5!a(qpsCs7K2LL0L7X^XuEokd!nN6qw+Y ziA6-rNpQ~u*}?D~C`r*1sSbf`lH-s$TgSChI8JVV#)5lMsHr;k;wfEVF9aaosjQ(y zi|SHM+IX_6^t$9&%nbowKnmOh{xd1^CFH73;lV7Y3js6|wx(Ga19GPU=Vl}R_#+8} zuO`<&0U0syl0H}RdaBK-7jFjR;Z5uH@d$dl~9i4`xmb+0EAn~54;bg z`R|N*?|d|{?MV6t8OHd&R8p$)GlnQwbojV`bO;_Y0~v0XS!9*Sc(9k}LaIWVlwxIt zg;$4-3}4HfY=}Yt-&lc1p`G0=2-q2)0fPXA!HQE%%pMqRL}`xeAUTV&VoC;LE%uC2 z_G(*Hfa0$2gKiNxsDC`nULgnZ%e5M-%H2gsGEyC}g4j8xe2-p3E+de}b5B!YROVfO z25wq%2kK+s&Q)ciL=#?l5*_&#fmY>@(kX{yJ~7hnshV~5Lmc+v=vf9C&R-av*Ww+S zFIhaFj*1%`s)TF~W@ufv9zW>6NKszQLk$dH(Zy2?=zCDN6$?FMm8Hz=?>AZ0`_w%v z?8F-oa^+%9^_4K$5V{@mUuP^a%dcI3VgX>R+a-)TQEORp`j!H)+tp+EmCWy>p8zNV zi++dtbwz|ScgogVyo_Hky_SKZh@KE>BBVhO6QjmdGlPj5B$C=EKD(rA2oJ2AY2qSiw$b!~GeAB=F<^N;} zIxiWwy|JQL83Ox*2Z54Hxtt*<+VCl5rQa!y3YW(6FA5xLkP23rSp}w^&Fgn04e3El z!d&(fR`McFHk*+1bj$%PhtC3krchRlJP#9}&g-E$Q)rb`6LzwwY22vjH^35HsdJtp z0LJQJpmcmJ#@CuhDWl#q84Ce*q;2-_oXZ?%`wjqS;3q^Ni6&MvJK%z>wJ!}tQz<*iQ#jLWqzm+aNuV+-vmbeg zB1?tO6AwD{3Ms9uCGW}6jD!xZl~;cIIDn;>G3M_m9fA$1yNpR~Re%;C(2J$~u-3@= z>9aw@WtdgtG9&M7f;b$`gi0VlT6%BVFk;ZEDd+K-#Cv)c9Vyn7ZEx;kWp4T#$`?^M z38sj=$>Ke%*iDi#cZ4s0=5BB>Pi^x%kgeM zM_5IMCsA34nVdq*Uct3PQYda++@_3T>owJ+PJ+Y-THl$a*uevT>n@>MCe&HchyXl= ziZ)Ds0aMt+NN9vTK4;Rqq^W2rJiWkZngN 
z1H6pH0K`1r&fv1c%Y}rLr?gfK6^~ySW|kO9M38)n6w-{w2Ak)~okGo4WPFgTe!dGS1TaRUBy9s`?%BUHZu8!9M_ zu;tvk(@hKtxVi;(fYoa1YfznH4IgG;P2a?4%O@uKfC~F9-<0^V3euc>asNqCp%wfa zC29FnDI>T=v9>?LzwsCyn?sgvHsj3EhRy`ugaDMl0aXHj%nm?5SRV$a&(!iE>HG|& z;6vsK{Ol+h;pn`9XN%+w8-ksg&yi!9Yqp`th!-)hL;2an+z!435(JaGV9QQUu{#_Y zQXl5_5QStv%U3!BKktwX??`(ImDUL&U-=<1H+{CEJo*@PIEegQ)Q^h8`03neJTnpt zMiTOsfF?bEv1FpI{#pvfGZ`_e$*h|9WJ?OUUr~g>z!Z^(CIYnvNDKV?#cyB!@E`LI zSea1C3Rol$6Q7qLo7Z$q+f%scqU@HE^5f;vsqYs88xW^q*9k6gU#wRhxTH=swA9^% zEA+4dRt0(jtHvsG){ZGmV3QgAlAX)~iCNhs4M zu||ZaXb<2C{6Kz0BpVfd_NWJb2;}he6;`m!60v!=wJx%gb9`vlcrP~vUuVn>WmF1& zjZv0=lCuME3JiJ(B4b68L!D_9B}N7yFxJEGL{4Ji8Yo`^&h!3E&Qgn9cqAC$`icf` z?T-EgEY{k|vGX4jvQ_|==MHHQQ7{u(Lr%9#bIE%TCSDv99Pgq1Ayv063^;oCftSNN zeu;CnM+GNfwM0Jm3@+CUKQ#A?n$YI_h%6<45{xLl#``EvOB|)vhS8J-`+*`-KvOC~ zW0_-B?B;?;cP|FuR-43*LL2~N=#cWV6u5O8!e=;pmSj}x9Q}c`-XifB*pYfp2u`ex zrRB!s@{y?JxLxY6a3Y$1!=ghyBcHk|S8Z|WF(RM}<=ObMnxUxb3jihNP z&OGB;P;~tmFzHqX%y50VjfUy$dK7Drzii8$nseSDL3^fM2Gg|7Qkouyn^>0+I^;Q8 zTv>fDMv4A#k(l=^VUb7AXM^R`@0osojvXmW1K13saQ}4`yvo>gd6lN=0 zh6Lvu%2SX@WmX;IWyzKdmF>_26;dG;YlSr2K-$wvH>7~gROcp5tY79YCk{l@R%N{w ztq+UVn3134H8`~H)Ah2&^yF{sC0ZRe``vgKSY&&w1zO6Ygne|UFfh3>@S@>}@>YR9 z9vr7sPkJ)&J&T53+yjG|@w9-4f+)#y4YiC$sg z;&J;+r&awv1#9MC;ds&Y@D6TZq& z1Pp$|zF0yhjHDVR%q&5FM$L|qg0=PFfj0CM$=BEs)7p##KWi33yr$#zBDJorLaRq{ zRN1pg;;y^WI<+*`M(E=rXKv24uGNjUan5F-z>nvZUQ0sQKSm?#28998jx3Qi9&Ga= za~a)$9Qq?f1n7asj=q*t^R72BxK6Rh6a45CJkANdYNqOxZl3agmKA2ggUtU-Br%8e z3lz;CD>u+O)o?vhnjdC@SvZw`DEFEb3sE-|f!Xn;#9>yfTowtRT+9rp$Yg37sbmAU zoFuZL7XHw9r}p4=16^3y>@6wCz!6oeEcRbl+P^Y@dEEeB+*u3Wyc{IBX3@#6`jq!< zPnhLc6GeupYwU9%IRMRXcy1)fx@J8MTL8gq%q=3*4kBx+|JYPymtww zEI6gV83uV5@cymo11U18)*+t1DZ(G?;}e!it>O+>7+|o@g^Q)5VA<^z?c*Kte**Pb ztvO{DiM*A6ZZ@zAA(9G2A`LA!_9ctW4qK=b$SOSw=2YJODo=CegJ$qLpoF8+KNT`D z$2>wCqavg#GGlSQGDyz_IewJ2CHBDpkM5Vt6_Q6g&@ylj!MY>O93G-*E2@@P-_;@o zZ@WHkh@Uwr<|U&v`$+TEFs4(f!mKlX1_Pe%F6pO#lJ0OScY**|Ng|FA!khEv1$brZ zH=>&i2xggYqu9rw^uwjwPIf6wjXu~?#NTmsAV&=up46-nk{X-&`;b+ybIl0YZMV8k 
z--;r@5ejeK%&PnX(sJBGt!((r<@|g4n5A<%=@j7YrZNONPZzr!G6lgNfxIEaR^Pkb zD*Fe2uoKZ1@_qf zvO9|*eLAm`CDer-&ff9+JHqur?9<6+f5EkX#9^5v5=zUOn(_r&S-23yy2VU-#2k$t zlCuS>UTOgmbKN|W-rCNZa*&!93_zyj@HHgAv7=7Daq!3ztj(}urAhdxuyWZm4seoJ z)`;5pwyIqAdS`<7@d2_gB3g*ki%1fqvKq>(15`z}R_KBNJu}G(6^ly-aOgTG$!EZS zo17Y_6|l

NnzdG_r!1rR=w5ju^|E*XRdr*(qI7QlZiw*D$@$D#=Xi5&QEjP`^1t z=O6+0OdpFU!yAl>U6$)e(FJyCH8Fr%Gsil$7V~!fj#e4xg|!$w&~O3G+MF~Hr|gY4 zi7EOt<)o72M1-!=<{q4A|Dd+XSp$H7vRegrse0yB=>0#;1pEw4$1^9wM1t}t1CYPJ zl7Sli`zx8)80f!T%~Y_4&*s5|<15yvBWRkFPF+T*zUQVR=|9x0g=<*yxDQtNWVe&) z%}}s82`9b>=MRNm^5B^`#VJxCLvAjckp#lA-MKaoFv_Uzcqjo5#F7mar1GhMYwn<7 zu6krwOE~ejYP}W%mjtlHvT-G(twkhM{?Tz&tXl~QFyRw>C|F+(pp~rY%ng66po5o0 zCnMPdzd4~c92WXx&g^5NOnTV-DLiQpxdSU=l66yr8 zu%^g})!v%v3*+|vc>ZP00hpD?d+Xf`^WIh2fY|Qo5{FL$HW={(EogLq3nfT{-uP&$ zsh;Ox!RElm>T=6MgnrL~H3#48h8OUw(Jlp|XQic8Uk+_|y16i3DRHECN&wrdi#ZSI-PfSHjUk@8WaWJ>d0!;8TFOU-ELhGWh<7e& zL-Weo9G07L{7zo0mZ7bGe;}b%JX(yk-)wQUfoGZG2S&a_91JC(Ye%AKS}ytBvJ8&>9@PovHVYAT4mVkw;VK zaVjNp?kOclTDUn){YX`}x0y{)dwE+Kr;hG;xDra7u5iUjtbaa#w$U=7`~1>sAXNLO}%l@E$W0SoJ9q3{~LEleAaJ9&Xv>3>1 zvi;zrP=g_;DD_SYWfPtPQbP__@SKNcdSBFZ%jZ-5nkpF?UNE(Wk{7!Rj}-|;-#v3( za8A^<<+Ye__qB#=ru|pE$-S7^Y~6wg*q)twz1DUZXn;-0vz;~yxZL9jK!a<70Kb%?RkmUM z>tFs8H~#TjYKAv|{mcI&{>w|_SWc>&W}TqUMFrP?)CZzY!=55V3}`0X9FtJh5m-G~ z8bWI^T^cGzufSJF7{@|6UIpfaou-kHRBL^IqH+1#MeVg%Tg>fsJ?eVa6LSS%;RS*ua)keOk~<+K+pnzI!3 z{?2ZXaQl(7A;;I^FCM_s*NBAx@yFJd*E^GcIA&#$KE^il(g)Z>olAI|->z@o9`E1jx%1AS3{ zWIZDGLWiP|`tj;hxsxKeQ4yL$$O5z!(m_q2Z}G%?tC^QCYSj+`o(%|;7uL$D`w+l` zN}zDu2Xrd2hE1drdH+Za$&1s)Ab@X-1)})qIUys~d}uy3kEIL|1V|O__9JRLFEj@X z2R*FZr9z?1pJ&dJN|fK-{K*i9GXQ6ClF zR$%7KpmMvHT8o%WaPpCZ9cEE;ZiRUROU&l8ggaePnbHBivJ^vJJ%Ol0e+h8dE!sn} z{cy-xR2{EhKC8H;zhGX4m-P(Xicm_O^34>T_=<1}iz0gjUJOkq_g~laTc!MeIm>b9 zf?k!`;;r>dGPU&79I@~#;5w`$lfQtT0UR$)dwzGd8lrpXAkPw~mwYYo^_ zS3#m<+5Pc62Kg#@^x<@%aIaX{JHOmbyXF^D1773!O4ymN$8Arnl~^QUmTiaLE4#2x zCOb8E+zn+Y?4tGKMTsRQ62&p7N9(a?%N&4o*S%KXVH{bmhsJ4AV7Rn@f8VdBoVWCI zu*uJGY9~eKZR#dzS8YNp7po;*N{mQr8O^d;5j;0tJSKDO0D8P4Cvp>TQ$2~Pj?hJv zI-!%Q&8HA~t9KlFI1CWs8W@64oN&biuT?yhjVSWOIr#v2-AcT_hpW6B;GNPRWn_Sw zhwNH=sfH3KdLBd(#Tz4kd)6bQ*^z$@JQ*1Xomw`iFb(b4=SaVv!&`a*Z-#+%!C+!RR!fC&gGvvg81B=VT1*49J7FvQu4`66_OZ4MHp0Sq!0-lwA%*SHewL377msy~Ft{ zAL<^)J2R|NEi4UYb~&(IHbVm*oi}fI4fQcEa=H~Jb?#73KYW;P=^kB}+27{9eOc+@ 
zxIoY@B+6d_skhpHW!Ww4A+|oJF~+ZPa;5s!Z4gECJ*z-7cz_8OxNZ8!e?!L&@C4gn zCc17E;97yx1RjfbcrEWX?HV3RnF$QL7Y!VIBKFId+nJIp{2CZzWfL3J?BM=KzXK6F z#T`+0Bb-o#j?vvXN}0}Im|io5f&wJxr6oJ0(v6}$y%_9&je4%pT*J)sI&;7Hi83?o zH%d9l?(c#d#p^VVRFry*XWYOC*d1l;tYQL51My$P5x^BAEt&?_VYBSU z%1HB@ma;l{qYN!RQ*{-J@+Y@pa-Yi@h+^kMTYc|;Lo5-!?OJwrXD3nK!s26wN@fYjsV0ab}op%X{$qmnXL@E)+ zLT-=U`AO`KmrjJy6NZTYiZ=lJoCvr^rGQ(3xF2!8f_!~wW_QH1;o|tEQ1K;+F~DRc zRFevS6%~~F_3@8m$NW-N$+3xj&`-qr0IhY6d^j8xKs{|#>dM72OeY4}|CKZk6 z)AVEN8L0&;K<{AxHrQD&ShCC#>(h4!!MEkfAcK<-t3z=_VM0ZfcNo&|KEMdv{@$ z7R~L@kRslbLu=zkLibB4QR&O>mHn}(JLGy)0%2z-M)+;HD@CuN)OIW^N>Q+E=(Br& z!bawBUWZzTdCuB1ahOrK8IOAfM;RS)sC}U9oIz4NJl!2R%f9?!uIdWg8OV3jgbN{z zP4jYdjcdlQo8J<^s2Ybnkv7Ab$dO59tSV#&@n`Xtnb@T4m_kD;m1slYELzcf_%4C_ zNe?aRdA9C{8Vbl02=q%`lLzr+a}o4^Y4Ns(@wSZFIeLxdnJ>`)vdfh6+88e?aFVDO zCXm1bPbko?ywhrEBd+`L!X=jXF>U1|W~Ab*{$lPZ65p|-gF6K1d8tpa+Kw_YYPZj- zzsf1a@q^#0P>nGG(ro-Zvj|u%3SX&JFHecZgyG(=gBM4RM7zDD;6FV+~Cq;*DLF5cS5bQWT|K83SS=4 zg|s7ECFSa&i*I(+N3FV)|H*KdNMg;sDZfbFn&!rTVJL}a)$4Kz*pZSej2+D4DXy+xq%_Svo^}huHK7jq z#=EaW0G)QfOyyaO+l98q4 z?UpRjB-Jz)%1@39AlB8O+aV3>aCCdv_yLUVs5RU;g7RecEJj&>lYKRjlxlaJ zVGQ1E^27$D%DZ-Q9tj2eINe&>OGEE)R7+dKvdn}Ve(U)YVZ#lYY#qS$$EgoS*RxI3 zHl(Fk&Gl4f3je}a7sNXGkP1eqsS)H$O3~5ZdlbFlrK}&mx_I&WjWWPlWmNQKVA&Jh zl>zG(@i}gn#SP$=6Lops#gz zi3~S~;zMlhqB?jfRltHh!Tl4SN8U{WV%#0&W3rtVC`El1Y5>r~!|$h9&vxDMA z8SpS;e3RWWXft(T0D+SkV6c5J6sdfn{Y^fw4XrvP!yeAq~-`l zat`BIVyDR{`ZWVR(}1{57JmL?P?&L*GY*g|LC8(W*i4+6U*x!C&d3q}!@Npy&3L$f zq5o0of)YqFa=<4*TD3V+Or(6$XUYZ^{uc8_wh7i&UTs^ z&N|?@k3AoEsh2~4s#x!b^suvlT`Crfm&;klq&b}(_H9+L#d$@dm)gIJXqZJD7G)5g zk4I&irwH7+DL1VuiIv!-k5!RrDVWE#86!g-_{6 zGm~$m1`R8GBbYO`fKZz<_vdi467ql^VpwBAwEo+|&0;8jXHvx?VDNwGHF!LWc3^%G zl>mxYVC#+xD$dOWEoO%Scm!|?c_l~c_-5*MqU#X3GCRWpv&dRwUjbCj7|mNd)%iK7^Y6)yE;m2K93%B2OD_nH^(Pop)7hCY;?@T`@Q>T|nZ z$W5f0ZznB(2nu08V%gM&hSuHhc;Tp0v*<~Eeu_jxJNev#0aX;+OZE!}BsS@*1ZE(A z!flR>DK$gl?ShW$gCn_^MI_3jjh_Ydt|lEsKjxEKYFz5T$J#F zuWi6(*c>nbrJQu_1YQ6cw?{0$wrRwDA%&%dL~qc4;?eGOVaa`P!n)<;a^&a0_`oK} 
zx6?Wv$9o6f^{r6s7`4b#<%MCanX;er@?*b}7kvzYfa5OG6wOkmY$##TqUAmACz1X@ zVmco~)=%D`C-!`Ncn`zW>o3$xe2n&66|i95>)yLXOiU^zC*lZiRP6DZ0>eAq%$xGl&56Lf>YKnZ=V?n7WeTh z5X}1TrtFHKansuqoktYKzkyqUc&5^7J@^wAf@BmCioVrUW#kteQmEDq9IVhS7|NOr zpws~9NJXAkebTSATcdC~lo`W0+29V*2dwXZKXRRl0EBn3m)IZ|CY2^bQc60Nvv5r! z)7{GWSiCg#)(OslO!gZK`$g{UR8cbj(4Zdnw7$$MJNABy`r}O;CAqWa8Zv#eF7e!A z?I88_#M(JWC1xBmN}Ez~Id7e`%D**RWd8Bb%3R&#cJFpI7ykk|_XfY*Kh2Lm`)B7K zV7XXuy}n|46$f|jmV08X9-1=qJxetN`Kn}C-Wr#Nq$~+&4>wr3qJiJ~>c>YVw=SnD z7p*y}dE`iWkiYmNHkIC4sAJQ>edrW=?2;EvRH`BUn$ef7Cn2WH+}!TV(6rCAqvy<_(6Qn@m7 zdT<-d!~o$>a#~X>%?df=_buA2a`p7f_*Jj@a~GdtY&@j#HdufCf{iym>$>D#JFb3b zi+cFh9f9vpq-Hqef2paT>sWs+XN5Sw?5eBTPs=5be$B9bS> zF1^1ImtSVM;e&C8_RpwSN6fx|ZJF|N&fVr|d;T3Rv0M{+@2))m?z0>F_ta1MeB-#z zm#EU?c1Kw?>fcO1ZpXU+#S8t-94~I1cl^G~+4=8m$?J+|PBCx1yOCX?@Tb_5-#4Ex z;F`E|%e;SjW_)YbhX2}N_wq|+?yZ-Xg@xVi(yf;4*?aKI=E9gb-~VD9%8r>838%X` zX1#ZgKl1EwclY!A_Ot$pIeiL^n6$>=Dm&%a^OkT}zw%_^x?a|A}&z|=C>&M+( zpf|7Xzbs$owaZUmY%>0vBJ=(Jzk2Xi;GH2J{4DF9?7O|0HAS7VKHmGVfymMOtoxl$ zR?pt@ySZf>b7^xUbE0T_zTwW>UA|J2GPdXE-^$(UEMIfRR(=1RVoxjU6Iwr*l21pa zYV>h%Ied(ok~Mwd^d!N13lCT=V_BWWDrwc^y7|vHwWqT_-8!&&rKv=C6R(YDQ`azmHZ1m;O~Q3}*9-+_m`I+;fHPIS2id-rL>SWNzjwY`R#l?Y#Ws zv#&DmhVpt}eb>c&D)^wL`GJ_+Puup}$*mIMZ+pw6op$%s`>N=s9rn*&UoG0I6Yz|& zT0DX0w)ZlH8Tnlz|G!n$g+Kqo(Q$x%$#N_4r=?#$MCb&}n~)+i$a7GBfN567?)|Y4r0LfE#e3 zz+rM_mK9^<