ࡱ>  9:;<=x  !#$%&'()*+,-./012345678?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root Entry Fc)60 n7Workbook >MBD038F22F8  F"fm7"fm7Ole = !-F!cover!Object 1  F'Microsoft Office Word 97-2003 Document MSWordDocWord.Document.89qOh+'0  4 @ L Xdlt|Christian, Michele  Normal.dotmChristian, Michele Data 81Table",CompObjyOlePres000>\8DdO zp<  C Ab48{ߌ[4yͰL8Dn8{ߌ[4yͰLPNG  IHDRO:EgAMA pHYs12N– IDATx}8e}{p#0rCG`9&r"D3KPxg`EF.oϼX̋ϼX̋ϼX̋ϼX̋ϼX̋ϼX̋0+놡y8ck+Sx脰:D[Q/[??HPTI5o HuoD1ճC ]^Qhz|`VOOay Z8n#ʬCR6RJUoZ篟tXܳCPZNa~FET5ېbns#n[.ZW>w9 |[FV,:xۧ/{k>qvD h"СP))F #ƟS)!GĎjJ3+Dbm5Ĕn~CZLCa#`m魜;?kWOV!Jm UKaܣj\$܄=O9FV"kTגyn- jVw!:j<ݜwAxND(ySzYKz>pRN=XT*QU/{o+T&iJ6YK~=H'?0Ou7-峭+5GdA:Vc&~E|OJӒ*X@UNHtc>Z󋄆4OgҨz/'~BQ1| .3SZ$N588l ՃbjU4&٢x/1fç#N-olKu!,O[\g(yϨh:\4{5q=~)|*Xpu0zc7C6Jg5}9AFtFqr74՚ d4ϣnVH A? 'bq„c|sB&IPݝ6m}궕i#:'PfC.4NUc31Zoj!4Oqf3]o"eLt W<'aM(>e5v M:_Y*y]Ɓ ďg%u =ԖIWqBYm]Gn 4<rф 傼;+ZܞQ |V^kɶ=KL)9#bчMBHdG tSs 6( W<ϖO3qͧTʴ[K` k߂cd ؑ/\^芊 >1_OO, λX%Z뤿6@qNgϗI3<=Α}M:skfwvA[" %cŖ=yTwt|P @Y9[jO==E /`1{zX Uѫc5qVxͤe+WbJkAmؗHv&5vmԜ0?0`OwjtkᾛMX;>_*I|p۫7QǢr&C"[m%Ls h6>%k^n{;8c,z'F3{?ͲQ{@?YM|R5\טT}dufx ]"H!' C~H)ӘDVi})"OҼFZL0+IO1&f>}OXwMZѺJnrtw2@v&O7>z?l3bS]';q:MyT'fEmS ű+HZOn,Fa `D7·(-$T*&󟟢ܣX^$Q;_MuKé(Uֆ1uCs1XGb6(kg3h١Rq"3n논%SRbKO,Ts~f~90C`QɨĬlYkTsL,'˼k N ۽ [rLc(>-ZA )ҟFJAt~O[~O)gA{'maQ aB3r#Sq#rО5$Pb=6 ՅZvѺEfD+1EѾDT $wV{cDyhK֚&{)t }5 EyTV\vj.AsTr ;21Vm|hY%!#n>q^: nI {N4}&8Zܚ6HȖ܊)*# zc۶7o= 1z E@l>}= ׌7EBe¦cБ~P {9dkwe5-|dBͫ7EQm]eU0kl\% ~߳zlLrGݠ5fq~Ê Mb஁՚;vpl_3N( a5LfH>&Qb0'=fbLO&߃uY+XPEDJW]3LLL UJ oYs_M'6($>LYcR31[mU %G9L'0.Xָ*vKZ߫Z?NFD>}2 >wV _U 7Q <\YhNh1U=H' x?BkS|blyjrrDTP,8pCwqm?dο"B_WeP]ڀk{e'bf0ݑ]'إ)ԮZg:ħ0nY-ˍ :*1稝 RjVWAN$(VT@W&iP?|opOj=@Z=Nx>;&=VSj'4 &*NwCvό5\4c=:_8~T`w Ci??ҍ}mkP3ZGuxkТ-q K@ $Gۖ [ѐZJدqЀau|'eM_͉v*l' xZ3NX:D2m΂-Dzwk1@t_xUڏ|G-U~lLKوĞڱeJ? /v|v܈k,'|`Lqu`a0QT'{KE!S$,kض'8NՀ88dRdy:7pbmd?uPs7a,zh4@2,|u m16j=yסhg9Ms5'.)lp*,Gxst% UgBu 3ggwhxy׃$Ӏ._)$/]uQI͟ἧ&O:@9T'>t~m 4~@sTodZ揥&"_ [$)(zuOoyqS]n?ħyx++W"%EUO{/`,P'^qbN -=8R/]uF<'PkViHguDvTq=4~9 E[:=S{uCrN2o3CU%^MtKs^çyG-VK26۲uYwg3ЀRuJnى| +ZL'm)D9,,ϧw։MɓnS.!#1N)rt#|nDX~ұDx:} hG"8DD5׀AOI` C*T ^NԢ#qoWD^Km^NJϩ 4FŖBӳ٦hz4y.4yҝ4dIB,^N,il xs EbD CFLE[% aQNƏ*żgQ% *k<s&Tq~)qgK#X nX|L )4tsl(%9y3ڏ|ڑhzKn%g|S&)\>נo@3([W`ЎD_$ WQ`-Ml[C *\Dn ^0Cxj}A-.O5Af7JhtY?`Z|?}H$=E[]g?N><$*hnY !*2S>||Ͼ"ey?\ꋆCXAE)qO_EP=)N r ڱWoK]>,g䓿rwo?ۏU\2!QAp4._~0HhSBY2@"XbjZãuE+N;{b7Oy ۥ1{i3;irMCPq?wf|`*gBQ mGCvEǡ2CD:Sqxtd?r/J,P'O0[߻la<о@cH'i0o1h篟~ 7c=KY}H9PQq| ? /ЮwTdml&=ʒè ,3 Yf*s}73lǜJ<[y|OOm:*KD؃0 >g/CMrwDESt,|&sonu!]{yCDP`;4}toS^OwG/1Յ3٧*N.@~Hnl|mI}E5I 3$LNW`UXBowN?vNLDw|.ݪ8J:*Vn_1 a7 ?A)wk*B6sX.tpיhbЏADgO[Q?{l5LQ<76ٍ$UolFLs )9i"p ]msPw'6/l6j;Bňj kƶhԽ3 X}RWv]Nat;΅bPWU9s5z8%w_DDGݓD:Jܡr̷Đ}`Dh._G.E>IF.b=b#>Cͥ'1]sWO?9:L $(qTO97h*h0SJAV\:Dh=ΰk^ZK4N4SoNNZX>! []'*R힓]0*OPqy{K/IT[g ."Onn|ul}^-a"4byrab/<^)Pt7nF`e"Rص d5t[2~DNlRӇ˥a>SAۿK#sU?=x7ǽ ḀG~uZ.w鞖1EL\/\f<Ѯ04ԺzzOgٮ1i{u^,WF]\85PEB9bYiӶ5l]a~Im9e%dDŽ!`bKewKtRoO+VO2.e OO?|e|Sx|$+cֹB}ҙS=Rx#Xc%K|B{C 7cԟ}@TX@bn"ˋZvQe(b^œi[}nKA,8R⪞GKj#Lz67 fPS=C# vQ7+wB&o\~l좢E} ٠Ds`/'ב4Qr)qik )e-1B\ϯǓ2|cx{%F9!s9Y¥r1<)\[NS΂ߏkat~\D/#.0mbp<((v`hĊ/]㾼fUxL,۹h-Dq|.&\ARfj\lzxbՉWxY>vH5+ a.2_~kF &_'4 <螦oUlFwIEEяⰫ3އ"x !I[= ߸N|gdd9s& McbTrC13u)\qy)`f/2&A-0Kt O%wV3>>"s":Y#ɟ~t N)3*#5Vi ĶޘUx煱;Ձpn_³mw<*҆SxyfM:O' .mj r>ҋ"n*NT4pN c \)1 {on^ WXdrqޑy0]{tVgź? *xntlo:p;Fݱ&-WJ]0\OXg>.)8u;":y۱=ǐ淖}/ѳ"p+e:&s&gNg<8fe[M蚧}xV8q$,;<?wvG8$g}-y;,*=Qxu`w*ޟ쿽p:^cWqxd]YbPT怚wRfE"za0Z1јa4U{IMхBI*PEq,.bPlvLMZzm;Q|FJL#qL wbKzo6\#|3g/FcF3VUxd1dy #UB|q|F,~`C5>fG11]˞#y=~hauucX!-q|ڻ >=':B~[h*NV|=Mɧ92Y (E* vfx %ߵ $+lgoaBgڍ18M@Ty-q =k ;p1N/JPIeUKrk /PPG" XE7@ ?)8֋(|& <]_EmE#æV\lވbSM/2( d|izy8 yeo'+-kF3X@iK;-^(۽#m6yܔO"7?T,G/QdōLꚃlcL˰ |F3P6"|>Zё.(#§1Ѫ)ħ1Ƿɵوth1ُ)ɱ?<>JA<+ ?t/d CWOC#+y+y+y+y+y+y+y+y+y+y+y+y+yWQ~?|q^R2j^%"Eh嘫g^|g^|g^|g^|g^|g>$pxW.>w@YoJѝSqzx:tn4W%sW䡽F1kymЉO2g?Y3:̤&bstU] |b`,Vl k& W(|2\i|\}1ɸK^9(vS>B |9 >7ç6NcBB"|Xgx>8.45ǧp| [Qj{cюefu ;)X&~Jȧ5'| Ơ#2C AT.gӷtⳋsN pCvm>x~l bj; T^x[T?\MԭӦ̾1=qYP)<< еl=P<a x; ӼO(I}@޹? c%T.% 缟pk%c藹}gy/^%+y+y+y+y+y+y+y+y~a/9\~+Gݝ?eY׷[b9Plz}qUyڿeƵѷ]b6 q'9ϏC! ryAo,㣇[xw"xse e; <qxψ> (U)s Otnx B=/bIrvtllO(L@G q)cڹ 5*>U洡P}ጟ欙S7e;¿?O(戾vİjہ񁣧95?ϰҾǑ>ֲ%p?DֱЯ|.1E!=~A 8nag(33}8^\QRs ]0v1Cٜ&ǁxS32{GTGܘ98\*>E@8;BJ`aIF|윟|wԗBg>k1#!CNRh}a'Q}ȪQսbNg~iRQ4Es>/l?xjc1G^2Qsɱ&O'x2E祊tTЊlOT` T,Ŷ%LF2ٲLML\zjhb zyJ,|" Bj9swF|w0oJs\HTTÁ~k-ՎHL>!?yY+$)Y:zoD V_>|c+@283c\R1o 9f+< l?vJ=Y-a42v$r1v#|Εs;Ͻw\n; oR|МL 2p\_)`l8[0DǜJ>-l*ĩ릿o2KVڶmaI_4 }{0 |Zk<|{@6y07MNу՘;6`1|.|B;D:9*Őz ^"L=F#Pv ˻5} O#?tg4 $|x p{y,eԍ&.,kMi뺞/5oHyvZu#ԣ1[Ɛ9oOLE+ޜ p0OBěRyvh ٵ_r*6'\'쌹'MeQ0OVog=U(T1izg墈4+ܴiE(n[9ZAZ|idE_UQ dԇp C)us iC.*9Kt|2n Ԏ^?7cP ͐ + uL ZIl/ٿD{% ȜTeN|}NIka l?L';y$*||FeuP-;v;{Rwfoyy`[? wzPGDw)A_o$Er>s´"0<< U۾A5?'~@ѿ?) e痺:P8;_(IPLm9-/9">^wɩmf:iCe=>BHg6a!*2GJ`B)sᳱcli/soȑͧʣؚ l)?m f#TL=scb>[=lCc[~>LafOTA?Uk3wNa1kf=2l˃( d>_jSb Pħ_myݧ>Kh.#*MNPħC{꽏GE/!O^në  6ё-u/ G'YŻ'|1ERYU؟xL"&i1ULdiqqY`t陓4>#v5A>ɠR|2lOv,ϲp@?HVr&2Hj-//ozĩϕ=Uy[g# E%,~o8+U;N.|ڽa?oϼk=983Ec"ZO#f{DHJY&RO;u0XB/v6v09ASigz{$s |q3HH`oӼf>sHeWdB߷SqTZ~O7xkhvuB)E(Z}UaRw}~؃W\5Ƙ 8;[w"GɊ_M_1`Fxw[7+}Θ1'սi GHSʍ{`;EČ/O8G fJt#A~y$ݏPp~t4y GzDϴπ06666666666666666666666666666666666666666666666666hH6666666666666666666666666666666666666666666666666666666666666666662 0@P`p2( 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p8XV~_HmH nH sH tH N`N Normal,ndhCJOJQJ_HmH sH tH " pHeading 1,1 ghost,g,Ghost,ghost,g ,1ghost,Ghost +,h1,Chapter Number,Divider Page Text,og,Heading,Ghos,g1,Graphic @&CJ*2* Heading 2,2 headline,h,headline,h2,h headline,Heading 11,heading 1,H2,heading 2,Heading 12,oh,Header1,Heading 121,h g2,Heading 1211,Heading 12111,2 hheadline,01 Headline,Heading 13,Heading 121111,Heading 1211111,Heading 12111111,2 headline1,2 headline2@& #@5;020 Heading 3,3 bullet,b,2,bullet,SECOND,Bullet,Second,4 bullet,h3,BLANK2,B1,b1,blank1,3 dbullet,ob,bbullet,3 gbullet,dot,second,3bullet,Bulle,bdullet,heading 3,Bullet 1,3 dd,3 cb,3 Ggbullet,02 Bullet,bul,B,Heading 21,3 bbullet,Heading 211,3 bulle,h 2,Dot#F@&]#^F``B` Heading 4,4 dash,d,38[@&]8^[`nRn Heading 5,5 sub-bullet,sb,4[~@&][^~`fbf Heading 6,sub-dash,sd,5p @&]p^ `FF  Heading 7$$@&a$ CJ$OJQJNN  Heading 8$$x@&]a$5CJDA D Default Paragraph FontViV 0 Table Normal :V 44 la (k ( 0No List JJ center bold,cbo$dha$5@@ center plain,cp$a$bb col text,9 col text,ctdPP @CJ.". |col bullet,cb,Center Bold,col bulletcsb,u,cbbullet,C2 Col Bullet,cb 10pt,col bullet1,cb1,c,Center Bcbold,6 chart,Chart,chart @E^`EN!2N col dash,cd k@^`JBJ col heading,8 col heading,ch,Col Heading,8 col heading,8colheading,9 col heading,e,ColHead,C1 col heading,8colheading,C0 Col Heading$dPPa$ 5;CJZ!RZ col sub-bullet,csb ^`LQbL col sub-dash,csd^`FArF col sub-heading,csh;BB first,f,1#^#`CJ> > Footerd P2CJJ&J Footnote Reference6CJEHH*TT  Footnote Texthd^h`6CJPP footnote,fnhd^h`6CJLL harvey ball$a$ CJOJQJ>> Headerd P2CJBB note,no#^#`6CJRR numbered text,nt #^#`5;NN oversized graphic!]^@"@ paragraph,p"#d`#T2T source,so # ud^`u6CJ>B> step,st$8^8`5<!R< sub-heading,sh%;FbF table title&$da$5CJZ!Z trailer,7 trailer,t'x#$2/..).  Page NumberJJ TitlePageBottom)$da$CJXTX  Block Text*$yC]y^Ca$5;CJ$OJQJJJ File Name in Footer CJOJQJ^^ facing page #,fp,&@#$2/.5CJPK![Content_Types].xmlj0Eжr(΢Iw},-j4 wP-t#bΙ{UTU^hd}㨫)*1P' ^W0)T9<l#$yi};~@(Hu* Dנz/0ǰ $ X3aZ,D0j~3߶b~i>3\`?/[G\!-Rk.sԻ..a濭?PK!֧6 _rels/.relsj0 }Q%v/C/}(h"O = C?hv=Ʌ%[xp{۵_Pѣ<1H0ORBdJE4b$q_6LR7`0̞O,En7Lib/SeеPK!kytheme/theme/themeManager.xml M @}w7c(EbˮCAǠҟ7՛K Y, e.|,H,lxɴIsQ}#Ր ֵ+!,^$j=GW)E+& 8PK!Ptheme/theme/theme1.xmlYOo6w toc'vuر-MniP@I}úama[إ4:lЯGRX^6؊>$ !)O^rC$y@/yH*񄴽)޵߻UDb`}"qۋJחX^)I`nEp)liV[]1M<OP6r=zgbIguSebORD۫qu gZo~ٺlAplxpT0+[}`jzAV2Fi@qv֬5\|ʜ̭NleXdsjcs7f W+Ն7`g ȘJj|h(KD- dXiJ؇(x$( :;˹! I_TS 1?E??ZBΪmU/?~xY'y5g&΋/ɋ>GMGeD3Vq%'#q$8K)fw9:ĵ x}rxwr:\TZaG*y8IjbRc|XŻǿI u3KGnD1NIBs RuK>V.EL+M2#'fi ~V vl{u8zH *:(W☕ ~JTe\O*tHGHY}KNP*ݾ˦TѼ9/#A7qZ$*c?qUnwN%Oi4 =3ڗP 1Pm \\9Mؓ2aD];Yt\[x]}Wr|]g- eW )6-rCSj id DЇAΜIqbJ#x꺃 6k#ASh&ʌt(Q%p%m&]caSl=X\P1Mh9MVdDAaVB[݈fJíP|8 քAV^f Hn- "d>znNJ ة>b&2vKyϼD:,AGm\nziÙ.uχYC6OMf3or$5NHT[XF64T,ќM0E)`#5XY`פ;%1U٥m;R>QD DcpU'&LE/pm%]8firS4d 7y\`JnίI R3U~7+׸#m qBiDi*L69mY&iHE=(K&N!V.KeLDĕ{D vEꦚdeNƟe(MN9ߜR6&3(a/DUz<{ˊYȳV)9Z[4^n5!J?Q3eBoCM m<.vpIYfZY_p[=al-Y}Nc͙ŋ4vfavl'SA8|*u{-ߟ0%M07%<ҍPK! ѐ'theme/theme/_rels/themeManager.xml.relsM 0wooӺ&݈Э5 6?$Q ,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JЊT8V"AȻHu}|$b{P8g/]QAsم(#L[PK-![Content_Types].xmlPK-!֧6 +_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!Ptheme/theme/theme1.xmlPK-! ѐ' theme/theme/_rels/themeManager.xml.relsPK] " 8@0(  B S  ? #2  hh^h`OJQJo(#2 n @@UnknownG* Times New Roman5Symbol3. * ArialABook AntiquaY Harvey BallsCourier New;WingdingsA BCambria Math@ "1hJK#fiK&,cY0dS2HX $P n2!xxChristian, Michele Christian, Michele        !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\ FT&" WMFC l EMF \KhC   % %   Rp@"CalibriHRO`2H@,$O`2H@ o.1@H <:o.1 ,%7.{ @Calibr ŗ`2s:Lt9'1z%1<:dv% % % !F(GDIC!b K  QOPl0 (Oppp@@@000 PPP```C k                                  H       "             [           &" WMFC m            8          ^                5   2                #    h                                          &" WMFC M                            &" WMFC -                                                                &" WMFC                                                                                                                                         &" WMFC                                               &" WMFC                                                                       &" WMFC                                                                                                                                                                           &" WMFC                                                                      &" WMFC m    &" WMFC M                                                          &" WMFC -                                                                                                           &" WMFC                                                                                                               &" WMFC                                                                                                    &" WMFC                                                                                                             &" WMFC                                                                                                 &" WMFC                                                                                                                             &" WMFC m                                                                                                              &" WMFC M                                                                                                                  &" WMFC -                                                                                                   &" WMFC                                                    & WMFC " FGDIC" % % % TTAEALP % %   n."System-- @"Calibri---,n,TA Op(Oppp@@@000 PPP```C k                                  H       "             [                       8          ^                5   2                #    h                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         ''--- 2 pn --NANIWordDocument SummaryInformation( DocumentSummaryInformation8 ,SummaryInformation( 0 bjbj΀ 0 $$$$$$$$8!% -% $'9%9%9%9%9%&&&'')')')')')')'^),v)'$&&&&&)'$$9%9%>'f&f&f&&$9%$9%''T) f&&''f&f&&&9%q=4$&R&'T'0'&v,f&v,&v,$&$&&f&&&&&&)')'f&&&&'&&&&v,&&&&&&&&& #:         h hjh U    dgd  .:p n) =!"#$% 44Microsoft Office Word@ʗ1@KhM@FJ@(Z4՜.+,0 hp  BOOZ-ALLEN & HAMILTON  TitleOh+'0 P      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwyz{|}~ \pJonathan Isner Ba=  ThisWorkbook=h5x-8X@"1Arial1Calibri1Calibri1Calibri1Arial1Arial1(  Arial Narrow1 Arial1 Arial1Arial1 Arial1Arial1 Arial1Arial1Arial1Arial1 Arial1Arial1Arial1Arial1 Arial1Arial1Arial1Arial1Arial1 Arial1 Arial1Calibri1 Calibri1Calibri14Calibri1 Calibri1Calibri1Calibri1,>1>1>1>141<Calibri1?Calibri1h>Cambria1Calibri1 Calibri1 Arial1 Arial1(Arial1Tahoma"$"#,##0_);\("$"#,##0\)!"$"#,##0_);[Red]\("$"#,##0\)""$"#,##0.00_);\("$"#,##0.00\)'""$"#,##0.00_);[Red]\("$"#,##0.00\)7*2_("$"* #,##0_);_("$"* \(#,##0\);_("$"* "-"_);_(@_).))_(* #,##0_);_(* \(#,##0\);_(* "-"_);_(@_)?,:_("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_)6+1_(* #,##0.00_);_(* \(#,##0.00\);_(* "-"??_);_(@_) 0.0%                                                                      ff + ) , * ! "  # P $ P % %   &   ' ` (        )   * + a , *p  0  0  p  p@ @   p@ @   p  h "x x  x *x )x !x x@ @  x Zx@ @  x@ @  |@ @  x@ @   x@ @   1 |@ @   "x@ @   (@ @   ,@ @  (8@ @   p@ @  8@ @  <@ @  8@ @   @ @   p@ @ 8  p8  x8 )x8  t  x )p  x@ @   @ @   p@ @   @ @   p@ @   p8   xUU@ @ 8  *xUU@ @ 8  pUU@ @   xUU@ @   tUU@ @    xUU@ @ , *pUU@ @        -"x@ @   `@ @   @ @   `@ @   (@ @   ,@ @   x@ @   x@ @  x@ @  0@ @  x@ @  x@ @  x@ @   h@ @   x@ @   `@ @ 7  `@ @ 7  `@ @ 7 x@ @  8@ @  x@ @  x@ @  x@ @   x@ @   x@ @    x@ @   p@ @   p@ @    @         a .*X ."X  (  "x@ @   "x@ @   "x@ @  (8@ @  (8@ @  (8@ @  /8@ @  /8@ @  /8@ @  /8@ @  /8 /8@ @  /8@ @  /8@ @  /8@ @  "x"  "x"@  "x "@  x"@ @   x"@ @   x "@ @   "x )x !x x@ @  x@ @  ||R }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef ;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L ;_(@_) }A} 00\);_(*23;_(@_) }A} 00\);_(*23;_(@_) }A} 00\);_(*23;_(@_) }A} 00\);_(*23;_(@_) }A}  00\);_(*23;_(@_) }A}! 00\);_(*23 ;_(@_) }A}" 00\);_(*;_(@_) }A}# 00\);_(*;_(@_) }A}$ 00\);_(*;_(@_) }A}% 00\);_(*;_(@_) }A}& 00\);_(*;_(@_) }A}' 00\);_(* ;_(@_) }A}( 00\);_(*;_(@_) }}) }00\);_(*;_(@_)    }}* 00\);_(*;_(@_) ??? ??? ??? ???}-}/ 00\);_(*}A}0 a00\);_(*;_(@_) }A}1 00\);_(*;_(@_) }A}2 00\);_(*?;_(@_) }A}3 00\);_(*23;_(@_) }-}4 00\);_(*}}7 ??v00\);_(*̙;_(@_)    }A}8 }00\);_(*;_(@_) }A}9 e00\);_(*;_(@_) }x}<00\);_(*;_(  }}= ???00\);_(*;_(??? ???  ??? ???}-}? 00\);_(*}U}@ 00\);_(*;_( }-}A 00\);_(*}(}h00\);_(*}(}j00\);_(*}(}k00\);_(*}(}l00\);_(*}(}sef00\);_(*}P}u00\);_(*;_(  }d}v00\);_(*;_(  ??? }P}w00\);_(* ;_(  }<}x 00\);_(*;_(}(}y00\);_(*}(}{00\);_(*}(}~00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}400\);_(*}(}400\);_(*}(}400\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}<} 00\);_(*;_(}<} 00\);_(*;_(}(}00\);_(*}(}00\);_(*}(}00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}d}00\);_(*;_( ??? }P}00\);_(*;_( }d}00\);_(*;_( ??? 8 + !%8   !%8 2 !% +   2: 3 @%: 3 @%8 + !%8   !%8 2 !%8 + !%8   !%8 2 !%8 + !%8   !%8 2 !%8 + !%8   !%8 2 !% 20% - Accent1M 20% - Accent1 ef % 20% - Accent2M" 20% - Accent2 ef % 20% - Accent3M& 20% - Accent3 ef % 20% - Accent4M* 20% - Accent4 ef % 20% - Accent5M. 20% - Accent5 ef % 20% - Accent6M2 20% - Accent6  ef % 40% - Accent1M 40% - Accent1 L % 40% - Accent2M# 40% - Accent2 L湸 % 40% - Accent3M' 40% - Accent3 L % 40% - Accent4M+ 40% - Accent4 L % 40% - Accent5M/ 40% - Accent5 L % 40% - Accent6M3 40% - Accent6  Lմ % 60% - Accent1M 60% - Accent1 23 % 60% - Accent2M$ 60% - Accent2 23ٗ % 60% - Accent3M( 60% - Accent3 23֚ % 60% - Accent4M, 60% - Accent4 23 % 60% - Accent5M0 60% - Accent5 23 %! 60% - Accent6M4 60% - Accent6  23 % "Accent1AAccent1 O % #Accent2A!Accent2 PM % $Accent3A%Accent3 Y % %Accent4A)Accent4 d % &Accent5A-Accent5 K % 'Accent6A1Accent6  F %(Bad9Bad  %) Calculation Calculation  }% * Check Cell Check Cell  %????????? ???+ Comma,( Comma [0]-&Currency.. Currency [0]/Explanatory TextG5Explanatory Text % 0Good;Good  a%1 Heading 1G Heading 1 I}%O2 Heading 2G Heading 2 I}%?3 Heading 3G Heading 3 I}%234 Heading 49 Heading 4 I}%5( Hyperlink6 Hyperlink 2, Hyperlink 2 7InputuInput ̙ ??v% 8 Linked CellK Linked Cell }% 9NeutralANeutral  e%"Normal :Normal 2; Normal 2 2 <Noteb Note   =OutputwOutput  ???%????????? ???>$Percent ?Title1Title I}% @TotalMTotal %OOA Warning Text? Warning Text %XTableStyleMedium9PivotStyleLight168=,=,̙̙3f3fff3f3f33333f33333\` CoverPurpose Dashboard Test CasesOut Of Scope Controls#Sources)Legend3 Change Log!  ;0  _xlfn.IFERROR  ; I8$ Á"n-L'Š!6@=n-L'Š!6 ]xxuP[np+NB)RHqNhqC (5H79;ss˞53 #$!B  a95y {H"/}m>f>JleP 0 %$a LгPN'OО OR#RГ5z<]dhȨ(ȨȀ?$"O!3π&נ i|!;ľ~ #O!L_bfiV?uxM=)Tst,!@j,^ @So?$|1OkxII@Oژ4TS,ZC]qeD|G(T)5).*= c9+WkuRX_P=?H_"wC*`&+@(nVV?5}Q{YڼQJ(kqUp:HwI$ Y6 S1gj3+|pO}W xK#.rqH\n* Ip}b'0X PX^qNg&'1Oz^WEj>.6yuɼ{e_@}j| U|QCKeZQ1pM]]( FY/w$թN ǼV70Me/ಥKLMkV#2i^V}jbpGR"p Ҕ;92Py"@0ne;Sq#XlXf"ޗ;-& x7mt| SmL% M._z6WT֑MM/odjQԕhA3ؖe\L6gbbm'Ra+b¿'"Zj0u>_mI`s./.%O|^/&8;ğq4sM޾څ ρo8Զ](bGKIaY, ][AnҬJKy_PcdDŔ8\G/@)?2d#;B륽Eyh5/]%QڔS觍 @-Y'K]Xl捙j-/?xŸ4Ϭ,nlp` $۰?k&Y̨V Bԏs&7t:^2E+8 <m":vKT#|M>޻,$Z1Uza $iET+\#27Uof^`裷B2 #|./Bu~6 Q PYe['4'&vcbvPBJJ> ',gF`73Ȓ.K1{]D6̬>Qj"TnvS^GRƌ8,!9b>7cNitA_q% I+>頹bbݳrXTf%M]ļ~˾ݏ W43JK<*?%^6[ +EH:f*"Oz^ֻa-ߞ 7 w@D~GBͅrW({{34&0PZVOQ jC" X'@JgCd,O 4WhBt;yb^f0OciЉ%FBpѺ+Lј%R 8ݻ#GyB}l{|~\h΂W$% AZ鱄KD&{;3Y:V$ޏ7a(!"s6hy~ m]0)V̲L:]@6"{D,dH/6Ƙ ,eԩpa7:DHi*;^{!GΒaS^$?IoUAyo `/G]|"Ff} ]PU3XWQqJ9=9K9̉,oRv\o Qp7t\*{0-Wu8Ytb;އ,cʥkGjp/g pdydݤ^Np7!oI oJ7n_ڢaZ W0Jq >|ǃS2mQ L[@<3u@L0LuȱY%}fH@O{v:xnd?Ug'%Ư; uNc}nLR#zo~#SʞiΒ7?2c79L_nn|+-33 :İgg|cqHeQrhe{jbX 3qH0^A9`}e`B˛FpVnt߂ߑp҂]ׇ1L@uVWw*5wL~|нA61oRLqW ma XVu]SX*H YmKf-8p*g&{|g֊ M 6M?Xcj PXȺZa|5f@CH6BoCuVUue2h4a0dέv*[ڛQsT c,yڌt*7X"BUx\S-*wF+5Fihgoq:ɿ{饗uS° l5DLNh mE[^hbC?X|̮LfdqAi-kFL8KC]vDUinmiֶGac4LW"2?dd;WZXwxMfKT[`0lR Ey I_ .ةcI9^ >ER}E>4G JYӣ3pMQX<,4eۃ~ VbuITzڟضGFi1X^2UQQ8~N1$Y[B: ̼pe&?vK KČPtv8iF)xxōs9^Qi,K!ْP̼7] ^fhO4g+GU=-ۈo$x+U44@DCߐW^kv(Tqļo%߷x.'J^^ 8>AME }R*bA{=w8V!l 3բdC=srM z6lv̜vӳMr63hv()+IR~WS5XiFcZL^G}'tXu@|G!S s$ v/_qA ŋ+(Ը;o>-O m $бՔ}:Ni0JN5ȂC{a3AV3̱A$K )wTJ1k@;+#@dt"0/wҬXAmn:TdϬ;C^|'M@;|"\M)$(ЯC|_gϲIO85޹X/2<{-&ԭumVҿ!*WEE%S5,"0*]A#g,B*G{TBsO^"J=Au t7/O-]ŭ*eR9gVՈk7xx = S.hW+W)?۔iy(;Ep^ATVٻdτ991 epIE‘TLJ BL[zް|z7Z-c1)j ul@ 1`NvśPV@hRV#9pb&h\ n ÑCPxS.J}}I_ݸʖ" ?M~0Czu7v, ޜZW_rqq{<[(PH\sUKR/C: =e5G;'wR5zj1*LfP>Z,gR>m>w(#p#oF#l71t..6*yda L#cQ%KQvw[ d@aD|I7re>Fő c76S$w"$7dX6׌z4Avb}(3fmYH$dUFo\ifzUCG"7U8xd?!RDBcRւ%iʶw'h3?Fhח\$]Ef{:cӮ_6u]wA d !s6ԇ-ڋ P' ^/(M&5W0b -tvk{̋s&#&+vs'4o.~yFI4fO|3aCzIb!Q-R!gS.A'< [@iגaN=^O <؃}JJyoIc>=Um8o|$r-S[Ѡv Z8l53&TTw:-K2ӷrÅenCa".}V_%\;;cP95*ْ>RxW6΃چDG$-w|!8eGL٢!>^L [+ 'jh7dV᯻$pGϾCcSzX-9 LڳLAj;Al;xfhMr evL}P 82>yCE8r*_vZy i|)'Ur-v焃hX'C0Z<ʞoơ$g%VjQ6U]My.Xtpsƽཟ ہߝ͕\rDi$;SiG'#%UK% f:mg&Ƭ;f >G³X]U+|yV@\K_E8O@7 ;$Ƥؽ68߸]ZrwɎ=MVOC4'$Q >h&Dm $)-̇zAu;Un /w3CvQqL;."ݶ֩4ʽ22;ޔqۣμV`'/vС*N`(un;[M+͘阾)9~{[p * }ݨ r "J ! K"u{pTIi0íofxe%em3&G+p}?Q.e!Vjt$^-U74-R NIQM |o7aA<[*&"jXqIM#Rzhq_4`Y۰evo''U#ԇԍοž&CJ8k֙fj`lEu!Up+M1޶y>(:|B^{wů;-W}\717,qCD-ׄj :'v~`Ԛm`Xp7~]5XVݾD:l"WgsqxBAKTd] ՎiN+ߥ F\ڤ>ƽ9.Ѱ<6<0`70?r4w-d&B' a{aaÏMxJwM/#>.9n7KP O~~G;҄Upj٨S%^^m<5Wae;9V @9凶ߠ˺:mmj旖ӭ](4÷ucbZޥL1uLK#]L+%.$_R'ώdq9+jIC ws*R+`!-2|ODLdSk o/+b2L8Ȟh/cr{YZL&nz1â"9꺣cVldd73n#.c>ݐe^cRӍ1d|tV!/ 6+ 6mP-ώoMNթ$e5w0IIf"CPߏo. |Ӭv tlz[;{*B-'. Nj)(Tz哉T7̈́aE8˪"Bs40yv)X`mS +fxa<(|2F]{F>%9ٰt888p1ܕɳʶ3ݱ'ޱh?}=ಹ2͞("ܴ䆲rݵ!7ݱ%2]nň/2/8r;Zb5Fy kW3z |ruYNNyh ) Jp4y9BN.zfES.յWvDh mĹn s$B٧GDὐK_x\Txۙ-F<R">Vubw$YTII6z;gcdҗ '"= x n6a*jg/mDΒ>Da攷_a\Mz뭵!U 0|+JA,T ixd"jm 'GBXGtۨW52z[R.2.;rsAʴi0آէe-苼gCe;*?2OнIXp᧤6qߜL;Vh٫!7Rr Ѱ\WP0u} 'TV!(|`rQŚPuk]yc⛲箑8HIKZfC]tsD íxyM70Uƙ{xX<_~)/oǚ]? <nHiT\O;m(,u%T(T*WQQ%[RHITv/̙{/z|_ϯ˼Ҝ99>9̜32'=/1>ǃհշ [8Ǿʑ辱9<*YRڥg 'j)5h}1QB:ӗAf ݜ+d61]Jaio9$dnG}i{(R7@bJPפ8CvXtzɓTZZ-;w.~wJNjJPBw{I!ߊSK&%UiRu.Y\֊2LpJYG?&S;^iWJYK`+#{n J':?m9,UoIm鴍UG~5JƁao2-L~A-,eGN?sڬX'|UCw7um{iڲ5S^y]fʻ U:}((}j-˚?pvN7v&gw 4u})n}M-v'>GuGWث9;շYcR([C9{D ) jIAtEm3~rh皁)x&\rJLq𲊦5?[ݕPЈ}\15MI*CMp# Wq6KO, ^e u6$ `n 4>sY,k^ֺ8UM;أz%Jf!wNdʮقЌECW7儧Oy%{"ar9G~e\k$~Tؖڲpmq޶$M4w1+[bSf1 &N`g֌ܲc\y &Yr 9딙Aɱt x;+J{]QY4概&)ComsZ$OejM'~ xb>V"U=k"D}RMcLDOC3 f}vrlm3<)u:18s<K7Hl2i`IT2u\/דsGԦs%q~SO\buI Ȯ$=:y]n QASWggBl{^bӷӯE ؔ$Yn,UtK>6jJLMr /KxXeחȎ0)1ˏ kSkm;ywDWtX`G&kJ4MV$捁fN$[NַO-{_Ϊ\Ƶ!?潵Okb-hjȴ r M]S<5H~.˛cӅK^Ŝ*+Km\%;[GxbVgQbܪd7x涓?]qr~F^m_g DQ#b%wvؚ9MO4Nȍ齧qL)d$tޜ["֐㳒gF^6T?ɻqfS{y`[K6uA/N+""Dsܫd) YY?%)o`'ԁ?oVTƅyu): W5T{d/Z[W|obyBԽ_cuBӊ&3./g΋9=uSsJi͒'8x&w{lk66_~ڱ?s-7OX~9F"g996ÏNOZ"U㶙"+RU?Գ~k9NǼu,~}'5SԹJÍvū< >6ճМC~緡8|;-%/̴ܰ>/虾6G9Ϲ9Fi$rժ9OlǓX߹eTzb}A52.aE8LK"&NiϱxauY># dۣUH%=lt3wY?X;qzU%ZZT~ZdHTY׫G__zڀ*E.ע'zZ YiL |ݤ+S+TU.kFnoi20Wkh^qyV5̑ܝ =;*y)ebʇ-$ Y " ǏN=3Wl/;Uwǹ"_Mso]aE|GL^#@4y`%qc"%~z]W/t FjvziARC6&LzQe3͏S]ǖ^PLTvdj%M+^b(S_zݬ*G-&%"~@iod&z\Pɼ=-rC+0ku W=u÷G[CH[Iۤc0?" 'B[TJL2vSXIC+I{M??H@BI:6noG7@ 合c2yCByhFБ5)SżLjAI(XV 6&/))$%%aD"inn9r|r2FVVavڅp6y%M,v8ϱ%0s[in"\#҂S[SxD7O#qrR33\S&/ AQ.^0h{0 /@a.5RmD0yDW'/R8C+An,'>&.A[mj"I-O9QQZTPv6dMq(S@4!?$ L-O* F:iaax +:,( p8#DZ(L dǓ:8/ :2}{<Bf^_7ôOdlxlBB` "lyG&71OC)CU;Ba(;Óat710 `" <)*&gx#T9NSQF 5"#lH"\+`1aѓbϚSգaUǑDF$|9B5'%(F 0kõ$mk t<J # Aʛ ZucWfsDΓ GZ4Bգ3,ESe8Qh .Ń虡2i1,y1[ PưBe1b̴;(7yʐu%0¾³ R\ zC&KN NhP-Mz4B DF`m-g % TJMpJ hb9ZOU=Kv"XePHy#efe`GHФ D) a0P Ȧԣ'R̟OJ4.# d$+ "H?IkR@KޯCPgXȆ)*5X4B  _ARnbsF: 0DA]IO`|$ 5.}JUyDKQgDIgOhsr0;| I'=u")3P9$ EOSIj+HE`S(y eIV:(%Gt iDG4xOa.n~#7ɿxm# < C;G>Ԧf90ưűI΢yٹ()N03~ T8CX^ZiaDZ؎(b C ״$AP (9*85 }< L`c@Ul[#VBd'@Ʌ|@ɦ̍Cefa@!LaF䉈J 4'p%UVzo +M!p$`kDBଅĎb~2˨4Fa"gGbޖ!'{C BȠ<#"yBb|< ;9*Mvy"[bh} 3Bu1Lfx2j!;JuG'eG͠劲GE&XOg/fn<"8r9A/T?#&CyEE2VU<'*17G$]3ԙCĂ?Zȸb]#ӡ=/BW/WEAOmi7{Z4-X4#*~ O^TT2~'0?+_6<#|L͝öGFhe5y-6ԟ<ǖJqcK`l8ϱ%0s[i9sl qxBӽI(L u &)7WTX>0Hi7x&Ț.` \IТ:֯sA1c@?Bϯ0?KJ u*2*0b ?l/!ײ>f\CCr/%m DsXPg:C9? RgMuQȨ2> Damlx2V]є@Hf9 X,Oe [t伬2& ʗYز1J/I "xf "$'6 mvpptk8D-~ OvL OYW r^ ,::aH, {/݃>O6QIKj'3t&A@ဗE>E^ck1^Ht~  WxL\"$ j7## [>W 4bzIӂxPx5Jm(EAb`eqS)LO{G4zL"~xhg>J2X1HN"/9"TL2) ^MiQ(A8 $? VEw*AyChoSѐ4@DCڴnq3!"<?,#AKLlm-ğ(BI,-szkT]s6[ә_DH).;k+1ə݉͏kIE1yjV4u&C&7<=Lj^EwR7Ϥ(&ܝx*ItnԺ#\"! p)7kg΂Ԯ)RZj<>'qQPbOs&gb.Ll],(3weIdM4ۭONH:5~WԻn딏 (_ {TA@ȅaN`9=?Qnwq#rE? ~[{*w9 zO, Kү?eA¼V$OoiڊaxS~~8NZn;զNƗ _Ts `!ODkK sCJ+)V,E&KR|tOۀ\w3Wm-7h7XdO=#cVEELŲv+&sCG!}~89j_i }"Ucex uPUf3/ TPN7?r$(sR<}\x>>9S=n.3[P&RFuj^ N<'*<F[gYb?aij^GMg|ΰ#7Ey¯pr({oVȟ>ン, TK`uuG_7"+n+ ^N,6Jyd[T F=gt͙M qa- ;26~5y 6e >-հ{/*ĉ#ڿqu<:v7V D;6 kywwiCN!'>VW@Տ 'a`ůݮ_gّ_\GAn _sbǴJf!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ%+3z A\$[WXϧ ďo<}2C *+&%;T_^|oiih~8=^wL';M?>; ]{]܃lx!+/tiz<Q*AL'B!r%ZѽiQ3 ~TF|b2]a{տDW/--SÓ^t(@@1tmkM7z.m9]“^5V׶S؈* 9P)KEm<2Yv<]aa)~ϊ"[Aa6rSs}vgXR#; rFe/O%trohF"QRٳX a3VeOqxZagM0Cyz '<}W hnR}g(iWj;m„D7e/wo_+/Ņ:yʎI﨓+.=}s*@{Yq-Ga8<=:s7s<O@aO $; Y6pÂ8Kח[k ý`f~[lҔ?%wp{ϋZH CMlzu~kO7k):+:/aհx OфXH ;ҭ+'dz$i;Lf8Gn/YT-Ӓ`8(Ӧ.݂ m|;3?8lӘIqQǾχW ̃2c5~__gaOvi9 o,ϰUkj[jo)8d.+q˧A<>%Xsۏ%Ί)Q^ @΍qKqƍ>}UjR/]ש.ue/3 <ʘ}RGy45X gOԂnsTx[~/Y|zk~-y TRQ &SI_HBz/lYkx><~`o2FpQ2G?O QrE텛'? sY9óy,?y=`2-gPW-@xЛG@ a@p(pZ]ӽ)!X3|sdgfOoS r]uAX)?`b&'kmœ(WHi.}|VꃰR߱.rW\ ),cmpJ];+Ox^ ~r+tx:@6( v<}$joG:uoxf5~O|woِz$k) !U{G6@J7˹!ͣrכ ecoGoDCUיvo"es49m>xvǛXM@; +u/VkӢc)=/2ʰdy7s34 !׍ 0qW1Vn [,p&[629iXI3+:{Iv=f`n5Lzp<;!4>elwX0:OhyO9*q{ z][^8OAqdu~<3Ka>,s .=xLU;%@dz [˧:BQ;h (@퐊WX\#&}Hi'F.odzڣ ᜖#Dmѐj5>W#vn҉9wnljBnz'#CPhm`-=`fHZ]#wQ(cCΔ dHUs~tCw1Df'&A⽹.xa ;|^,:ZH'w9g> #$$Dko % s_sh~A(]{4[_&ujI Fh `YuhAxLjZ W}kd:O,A<*S >βgI9̦:=<3eό=MG^TFPE4Kx$I?PWM߈jwRn튤Pww<4 6Q/'u" &шm9"uxR./Itp":uL'Gʛ+oK$\3Nj^r}-xk * m.'`6*o=~!*mhsAp$U͑H v b"`n 3vdELb+Tt{p@aC[g-Z~;x<7OqYckJoX*/Uн*Υxp23I%DFMI8+е8>'چkk [Ϗ 3,J65*ʁ&29zN6v{ m6#$*h5ҏ`RQ #XMGj>>q,`@v'PJm'i 212ueƦ4aKPAJ*)2>+Zɷ4%紳(5?s<|tआE6cɧs7.źx253͍FFs'.&ճGM= J6ڠf%"#_ҤTmD;6xz}}6TGVOj(@j~fVDGtZд҉(9'7-jL+z 7ZP5™rw,m5=g #L;*wZtk'4E t>UqlULIEa IQT* k?TdwEC4o7A@_ 1Plz[Gu $:X<ɢ&mR.Ӎ8׋a|k'uU#Je:XW4I_gynafl!T,~E6KSpQɅOY/C*BL`0jn;mxׂr*}ѡ4uojHzx3OM T߱r/:U8 ŊMJQramoktf-ݩN!6vRCc'ibyሲB#2 G pƩ 7+DџlnN~wҠ9F+CPCՁ9Ak\oݶ`4x7[khhNMVO JUӸ{P ?^@!* "lEaI_{LL0P’s~y iΗ/iOl5ѦjC#+2-`SJHRJ ҽpl3MȊC_ϵ]t_լ@@%lx-RYiv fB;$Z(2"u( 5bhRۇb1Mwh x? \&]IU!ʓsiR^i\&K5ã0)vYU20PYo*> ϯC 5*4qPI`^碷Sڐpz d)*V D渡}Uotvw}:8y,?UX>gBAfC6*5xy5i 6\*h`?@.O{!u> S'AF`!sw5rPUƞu0C+4Q"kt7U;L)v{:+$B6|OCo'LĂ^AE-f|5iH%&Vm-RbJKJUe]l'gW n4) ]k\d(9j$qh1nWn-/ ç1;$NϏ-$?2Uj<ڰy}DVj5G}>% ' jEX\ Lju=vJZܩXz} g_,U7;W#&vWv %xvBg2O= {2pxd}˳jbGlJ96E|r[f|v1~h'z 7tTdnr'X5#_URjT|/OE0@;ÓE6DZ}K>jʉ h 7 N#߅i> -='Ϩ8ވ cAAV15.s %,;}}O(mw&ҩbV':G b^- /C3 =(Su+Y GzUygĽxPFJˀ71x}RswB7R8˅發(V+5s/Q{%4\ BgwEa@YfA͆[ S,^p'6*Ym(2kz<;ᓼ [Hb~`$qUnĒVbYz FK#om <b=hZlxr kG_K"h"f5;$`t7آ"K_ۯ=! \v?Iq7@AlQDSL\ƕ>L6w\'ƕ.|x@6M>>+h@MuL8}8Q\(QtBGtC%GeI_'czǰc]F>T7fF>KN_Y]kEcjRFaq_xc]  32]<}|0g 3A\ُ(|wcdg-5% .C/_!a2x^34n<1|JL6o)&v  ؒV[{{~E&TI)q+?|Vl^<'0-z8HW[Y'QfH'y he koYU ʁWQhD%I7:Փv: IP1N@_H < >Б _A%ZVRȑ#w"z\_ܝ˰ҙ7e%ՅkD7;>U^ЛWl#H5 ُ3QH(=ـQ_* <>9) şE

{ EӶgzdL* QKvK U$'^}7,$Q42t`3$ #8q?ަ)~|ֲ'N{mqxMzO09Ny$Peu|le.C7"v3 #,o;Ҏ8H""RGp~"G36I;peKqp4N *>;>uV x6|iP<t@哮TsMC!mnzٲOxR4;㨭%PiB\X0qx4LY'LH&/{ZK?\*.2Zt`c' =r`ـXzoց5Cy ątplD`(>5*M$ՅS㝲]rƳ֞4oo/zk,fdz4}Ϲy5;໖ p><촠>UKx}^x*3`~]7Z]x1(Ǧ9Hh| v޾7Čz<Bpl+:Ғ+ ǚ{uՈTp'hu%FxUvI7DD_OFnPQÙCq E*gB녟wr~ |!6P9Z!NfGv9+atg5+ dO'vтyhT=rTE?>و!Zdѱɂ31İհzʰ±<,d #]akCJko_"EOǚ2#<1TjIm{oSZ]=$W%!ӤH>c!L%ٟfͱէ\䥱败:I&݆[x[StxːFg̍0ZArtd c<ˤ$Rz!k#%\]W@,i'GN_q*YI5bƔ:|' @KƗ^?>'#?Fٳ>"t:Ɠ<[ NR>ވZv )Eh>sS (W*N`}$ќ3Qe@^IRb\1ћb*TfMFbEҥ6Rc&6K1 MƌB%oRU|sxNMގ/ZU,%g5%ޣHpܮT19ԒjфMY4J[6 ֙'<< x3h&Q>ɽ7OhHDGgu -#)I#/rkxb[8$a״Ot^gMOZ2Lyp6L5ѹ6g,yqa2xiTxBQƽ떭`Vq$mcgk'DHa[aGuZȳy$̢؉NpG5d &K3utϡ߬g`NHPx4Ĉ4!QQ# !̏:Jr%$'wlwHdހo Ert=86W-%ZB>&~4;W=\ϹÛw: *.1-/ZON܉gp,7lxC> H9VAH4紸.>;'s=L< j{^ғl4@BQCwRR\m?A&9\ B2:vEpecHޞ 'gX9b:wl4gGg0^cfdx*\t;a]N0 #?9Cu9i@y8@^<"93?'nwBr@dwZ+' jH1v ?>Nmm 9=ns ;_v.:[ Gqc_'b~幞%@]sX.Nrj}NdUy$3yMhm|=TQ4?Ceuo fi,5< Ӎ|V>ֳ0S鱫!|)܌[Xs-:$kϵ<dߦFV]eNO>Mjy%ngxDP/EMۮd8_6 m{S<|~ǬlI:;( X3'V3lմ!|==ʻ巡<"k.֌F UߘxaO#tBq0^`~ڽ hO_X %Cߚ˳gx0cXgJougL׉=RbC<կ8.$w3ɠxag7?|->kC_8G:q^?kO~g:׿Ÿ%C?niO_? B忖!#Ÿe/+OΣ3Ӈ3D*GO ޶Ro+ 7{S AA@A@   1 Procedures: 1. Acquire from the agency personnel documents containing the following information: - A list of users that will require access to all telecomm equipment. - The list of specified devices that users require access to. - The list of access level required for the users for specified devices. - Proof of local manager approval for stated access to routers under their - authority. - The list of authorized approving managers 2. Verify that the information in the documentation is the same as the actual list of TACACS accounts and access privileges.VAn approval process is in place for granting access to routers operated under TACACS. YA documented process exists for approving account access to routers operated under TACACS>Password complexity, aging and history are properly enforced.  Procedures: 1. Verify that the router is utilizing TACACS as the authentication method by executing the  show tacacs command. 2. Discuss with the security administrator to ensure that the password policy is followed for tacacs users.C TACACS user IDs must follow username standards whenever possible. LAll user id's, including TACACS user id's follow approved username standardsThe router administrator will ensure that all user accounts are assigned the lowest privilege level that allows them to perform their duties. 1. Review the running configuration to determine if key authentication has been defined with an infinite lifetime. NOTE: When using MD5 authentication keys, it is imperative the site is in compliance with the Network Time Protocol (NTP) policies. Example Technical Checks: ------------------------------------------------ Procedures: 1. Type 'sh run | inc enable secret' in an enable console window: 2. Type 'sh run | inc enable password' in an enable console window: Expected Results: 1. Something similar to the following line should appear: enable secret 5 $1$yPL1$zNGeZu9blpdYLYEobTNwX 2.No line should appear that starts with " enable password". Note: The  enable password command is included with the Cisco IOS for backward compatibility with older versions of the IOS. The newer "enable secret" command uses an MD5 hash for encryption of the privileged level password, and should be used in its place. _Only one local account should be defined on the router when an authentication server is used. ^1. Verify that the site is in compliance by reviewing site s responsibilities list. 2. Reconcile site s responsibilities list with those accounts defined locally or in the authentication server. 3. For each authentication method in use, confirm that there is a process in place to identify unused accounts and disable or delete them after 90 days. Interview the router s administrator(s) to see if this is being enforced on all Cisco routers. Check for the following: Ensure that the enable secret password is a unique password constructed using a length of 8 characters and a combination of at least 1 numeric or special character, 1 lowercase and 1 uppercase letter, and that it does not contain versions of the router ID or location ID. Note: The router ID can be identified by executing the  show config | include hostname command. Ensure that when an authentication server is used for administrative access to the router, only one account is defined locally on the router for use in an emergency (i.e., authentication server or connection to the server is down).6Password strength and complexity requirements are met.C1. Interview the ISSO for compliance. 2. Request documentation. 1. View each Cisco router s configuration to ensure that the auxiliary port is disabled with a configuration similar to the following: line aux 0 no exec transport input none zEnsure the proper authorized network administrator is the only one who can access the device by ensuring in-band access enforces the following security restrictions: -Two-factor authentication (e.g., Secure ID, IRS PKI) -Encryption of management session (Federal Information Processing Standard (FIPS) 140-2 validated encryption) -Auditing -Two-factor authentication discussion 1. There are sixteen (16) possible privilege levels that can be specified for users in the router configuration. The levels can map to commands, which have set privilege levels or you can reassign levels to commands. Usernames with corresponding passwords can be set to a specific level. There would be several username, name and password, password followed by username name privilege level. The user will automatically be granted that privilege level upon logging in. The following is an example of assigning a privilege level to a local user account and changing the default privilege levels of the configure terminal command: Username junior-engineer1 privilege 7 password xxxxxx Username senior-engineer1 privilege 15 password xxxxxxx Privilege exec level 7 configure terminal z 1. Review all Cisco router configurations to verify that the commands boot network and service config are not included. NOTE: Disabled by default in version 12.0, will not be displayed in the running configuration. 1. Review all Cisco router configurations and verify that only SSH is allowed on the Virtual Te< letype Terminal (VTY) ports. The configuration should look similar to the following: line vty 0 4 transport input ssh 1. Cisco IOS - execute the show version to verify installed IOS version is at 12.3 or later. Procedures From an enable console window, type 'show version'. Note: Newer releases of the Cisco IOS are in general more secure, more stable, and offers greater features than older releases. It is recommended to never be more than one or two releases out of date. The IOS should not be older than version 12.x. It should also be "Release" version software, and not an "Early Deployment" or "Maintenance Interim" release. Release versions of the Cisco IOS are the most stable version of the IOS available and have undergone thorough testing for production. [1. Review all Cisco router configurations to verify that tcp-keepalives-in are enabled. Procedures: 1. Type 'sh run | inc small-servers' from an enable console window (There should be no response, indicating that both tcp-small-servers and udp-small-servers have not been enabled). 2. Type 'sh run' from an enable console window. Confirm that the following lines exist for each interface (or as a global command, if indicated below): - no ip redirects - no ip proxy-arp - no ip gratuitous-arps - no cdp enable - no mop enable - no ip unreachables - no ip ident - no ip source-route (found in a global command; not under an interface) - no ip bootp server (found in a global command; not under an interface) - no service pad (found in a global command; not under an interface) - no service dhcp (found in a global command; not under an interface) - no ip classless (found in a global command; not under an interface) - no ip http server (found in a global command; not under an interface) - no ftp-server enable -no ip rcmd rcp-enable -no ip rcmd rsh-enable 4. Confirm that the following lines do not exist for each interface (or as a global command, if indicated below): - ip mask-reply - ip finger (found in a global command; not under an interface) Note: If any of the services listed in this procedure are running, administrators must present a strong justification for their necessity. The specified lines can also not exist, which means that these services are not enabled. 5. In step 3, if the "no service dhcp" line could not be found, type "show proc" and look for a DHCP process (there should not be one). 6. In step 3, if the "no mop enable" line could not be found, type "no mop enable". The command should be rejected, indicating that there is no mop service present on the router. If the command is accepted, then mop is running.1. For Cisco IOS version 12.0 and higher, review the running configuration to verify that it does not contain the command ip directed-broadcast. For versions prior to 12.0, ensure the command no ip directed-broadcast is displayed in the running configuration. Expected Results: 1. snmp-server group authprivgroup v3 priv 3. Unencrypted read-write access should not be possible. Read-write access should not be enabled when snmp v1 or v2 is in use. Read-write access should only be enabled for snmp v3 when the priv authprivgroup mode is in use. 4. snmp-server community password6 RO 6 snmp-server community password8 RW 8 5. snmp-server tftp-server-list 98 6. SNMP logging: disabledG1. Cisco  Review all Cisco router configurations to ensure that CEF has been enabled. The configuration should look similar to the following: ip cef CAVEAT: If the site has implemented SYN flood protection for the network using the perimeter firewall, there is not an additional requirement to implement it on the router. r1. Review all router configurations to ensure that all routers log messages for severity levels 0 through 6. By specifying informational, all severity levels will be included. For Cisco routers, a sample configuration would look similar to the following: logging on logging host x.x.x.x logging console critical logging trap informational logging facility buildingA 1. Cisco  Compare the startup and running configurations. This can be done by using the show running-config command and show startup-config. Q1. Cisco  Have the router administrator show the stored configuration files. \Current and previous configurations exist and are stored in a secured location for recovery.hThe router uses the NTP service to synchronize its time with an IRS approved authoritative time server.1. Have the router administrator display the security features that are used to control access to the configuration files. 2. Interview the ISSO to ensure access to stored configuration files is restricted to authorized router administrators only. 81. Verify written authorization is with the ISSO. 2. Interview the router administrator to see how they transfer the router configuration files to and from the router. Verify the running configuration for all Cisco routers have statements similar to the following: ip ftp username xxxx ip ftp password 7 xxxx 1. Have the ISSO provide copies of router change request forms for visual inspection. 2. Have the ISSO provide copies of router change request forms for visual inspection. 3. Interview ISSO and router administrator to verify compliance. Ensure Simple Network Management Protocol (SNMP) is only enabled in the read mode; Read/Write is not enabled unless approved and documented by the ISSO .1. Review router configuration to ensure that an authentication server is being used. 2. Review router configuration to verify that a two-factor authentication method is implemented. 1. Cisco  Review the router configuration to ensure the ip tcp synwait-time command is in place to monitor TCP connection requests to the router. The configuration should look similar to the following: ip tcp synwait-time 10 Comments/Supporting EvidenceNIST IDTester:Date: Location:IRS Safeguard SCSEM LegendTest Case Tab: Execute the test cases and document the results to complete the IRS Safeguard Computer Security review. Reviewer is required to complete the following columns: Actual Results, Comments/Supporting Evidence. Please find more details of each column below.(Identification number of SCSEM test case'NIST 800-53/PUB 1075 Control IdentifierObjective of test procedure.6Detailed test procedures to follow for test execution.LThe expected outcome of the test step execution that would result in a Pass._The actual outcome of the test step execution, i.e., the actual configuration setting observed.Comments / Supporting EvidenceReviewer to include any supporting evidence to confirm if the test case passed., failed on not applicable As evidence, provide the following information for the following assessment methods: 1. Interview - Name and title of the person providing information. Also provide the date when the information is provided. 2. Examination - Provide the name, title, and date of the document referenced as the evidence. Also provide section number where the pertinent information is resident within the document (if possible). Ensure all supporting evidence to verify the test case passed or failed. If the control is marked as NA, then provide appropriate justification as to why the control is considered NA.Version Release DateSummary of ChangesName First ReleaseDUpdated warning banner language based on th< e IRS.gov warning banner.JUpdated the NIST IDs for Test Router-47 to include CM-3, CM-4, CM-6, SI-2.Procedures: 1. Type 'sh run | inc ntp server' from an enable console window to see if NTP is configured. The response should show: 2. To verify that the NTP client has been configured for authentication, run the  sh run command and look for lines in the configuration similar to the following: ntp server <ip.address> ntp authentication-key 10 md5 1043100A0014000E180F2F32 7 ntp authenticate ntp trusted-key 10#Added command to test ID 32 and 33.r Updates: -Cover: Reorganized the Tester and Agency POC information cells, to better reflect possible multiple POCs. -Test Cases: a. Changed Column G header to "Pass / Fail / N/A", to more accurately reflect the four possible status indicators. b. Added conditional formatting to the status cells, and included summary cells at the bottom of the checks. c. Added control names to the NIST ID cells. Primary control is listed in black; any secondary controls are listed in GRAY. -Legend: Updated the Pass/Fail row to reflect the three possible status indicators (above). -Test IDs: -Test ID #4 Made IA-2 primary. -Test ID #15 AC-11 (deleted AC-10 - not in 1075). -Test ID #25 Made AC-12 primary, AC-7 secondary. -Test ID #28 CM-6 (deleted AC-10 - not in 1075). -Test ID #38/39 Changed to CM-3 (AC-3 not as good a match). -Test ID #45 Changed to AU-3 (AU-7 not as good a match).  u>HChecks to see if the organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls. Checks to see that audit logs are retained for the required amount of time and are protected from tampering or deletion.OChecks to see if sufficient security relevant data is captured in system logs. Procedures: 1. Verify that logs are reviewed and analyzed on a periodic basis, and that the results of each review are documented and given to management. 2. Verify that security-related events are recorded in the logs and are available to Security and Telecomm Management staff members. This must include unsuccessful attempts to access routers (ACL violations and logon failures) 3. Verify that gaps in log data are treated as a possible sign of logging being disabled. Steps need to be taken to ensure that logging is enabled and functioning properly. 4. Verify that logging is configured such that all audit disabling or failures are recorded. 5. Verify that audit log data is protected from deletion or modificationThe organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.xEnsure all routers are configured to log severity levels zero (0) through six (6) and send log data to a syslog server. IChecks to see if a warning banner is displayed before a successful logon.YEnsure that unencrypted router passwords are not stored in an offline configuration file.i1. Review the stored router configuration files to ensure passwords are not stored in plain-text format.FUnencrypted passwords are not stored in an offline configuration file.wEnsure that all Trivial ob Transfer Protocol (TFTP) implementations are authorized and have maintained justification.FTFTP implementations are authorized and have maintained justification.If Trivial ob Transfer Protocol (TFTP) implementation is used, ensure the TFTP server resides on a controlled managed Local Area Network (LAN) subnet, and access is restricted to authorized devices within the local enclave.1. Identify TFTP server addresses and determine if LAN has traffic restrictions and devices with access to server have Access Control List (ACL) permissions and restrictions.Ensure Trivial ob Transfer Protocol (TFTP) implementations reside on a controlled managed LAN subnet and access is restricted to authorized devices within the local enclave.MEnsure the ob Transfer Protocol (FTP) username and password are configured.1. Review the running configuration for all routers to ensure a username and password have been configured for the router s ftp client. The configuration should look similar to the following: ip ftp username userid ip ftp password psw )FTP username and password are configured.Ensure all router changes and updates are documented in a manner suitable for review. Ensure request forms are used to aid in recording the audit trail of router change requests. Ensure changes and modifications to routers are audited so they can be reviewed. Ensure current paper or electronic copies of router configurations are maintained in a secure location. Ensure only authorized personnel, with proper verifiable credentials, are allowed to request changes to routing tables or service parameters.1Configuration management procedures are in place.FMaximum number of unsuccessful SSH login attempts is set to three (3)..Ensure configuration auto-loading is disabled.'Configuration auto-loading is disabled.VEnsure Internet Protocol (IP) directed broadcast is disabled on all router interfaces.WEnsure Simple Network Management Protocol (SNMP) is blocked at all external interfaces.1. Review all router configurations to ensure SNMP access from the network management stations is read only. The configuration look similar to the following: access-list 10 permit host x.x.x.x snmp-server community xxxxxxx ro 10 &SNMP is enabled in the read-only mode.Ensure a maximum wait interval for establishing a Transmission Control Protocol (TCP) connection request to the router is set to 10 seconds or less, or implement a feature to rate-limit TCP SYN traffic destined to the router.sA maximum wait interval for establishing a TCP connection request to the router is set to ten (10) seconds or less.vEnsure Cisco Express Forwarding (CEF) is enabled to improve router stability during a SYN flood attack to the network.CEF has been enabled.$IP directed broadcasts are disabled.pAll routers are configured to log severity levels zero (0) through six (6) and send log data to a syslog server.hEnsure, when saving and loading configurations, the running and startup configurations are synchronized.5Running and start-up configurations are synchronized.Ensure at least the current and previous router configurations are stored in a secured location to ensure a proper recovery path.1. Review the global configuration or execute show ssh to verify the timeout is set for 60 seconds or less. The default is 120 seconds. The configuration should look similar to the following: Ip ssh time-out 60 1SSH session timeout is set to 60 seconds or less.~Ensure the maximum number of unsuccessful Secure Shell (SSH) login attempts is set to three (3), locking access to the router.1. Review the global configuration or execute the show ssh command to verify the authentication retry is set for 3. The configuration should look similar to the following: ip ssh authentication-retries 3 AModems should not be connected to the console or auxiliary ports.4Ensure that the router s auxiliary port is disabled.Ensure the Access Control List (ACL) that is bound to the Virtual Teletype Terminal (VTY) ports is configured to log permitted and denied access attempts.1. Review each router configuration to ensure that all connection attempts to the VTY ports are logged. The configuration should look similar to the following: acc< ess-list 3 permit tcp host x.x.x.x any eq 23 log access-list 3 deny any log . line vty 0 4 access-class 3 in APermitted and denied access attempts to the VTY ports are logged.Ensure that the latest stable Operating System (OS) is implemented on each router in accordance with the current Network Infrastructure Security Checklist.lLatest operating systems in accordance with Network Infrastructure Security Checklist should be implemented.Ensure that the router only allows in-band management sessions from authorized Internet Protocol (IP) addresses from the internal network.WEnsure Transmission Control Protocol (TCP) Keep-Alives for Telnet Session are enabled. /TCP Keep-Alives for Telnet Session are enabled.2Auxiliary ports should be disabled on all routers.Ensure use of in-band management is limited to situations where the use of Out-Of-Band (OOB) management would hinder operational commitments or when emergency situations arise. Use of in-band management should be approved on a case-by-case documented basis. WOOB management should be primarily used and in-band management should have limited use.OEnsure that all in-band management connections to the router require passwords.CAll in-band management connections to the router require passwords.1. Review the router configuration to ensure that an authentication server is being used. 2. Review the router configuration to verify that a two-factor authentication method has been implemented. CThe router should utilize the most current supported version of Secure Shell (SSH) with all security patches applied. Routers should be configured to ensure authenticated access control, strong two-factor authentication, encryption of the management session, and audit logs are all being incorporated in the access scheme.M1. Review all router configurations and verify that only authorized internal connections are allowed on Virtual Teletype Terminal (VTY) ports. The configuration should look similar to the following: access-list 3 permit 192.168.1.10 log access-list 3 permit 192.168.1.11 log access-list 3 deny any . line vty 0 4 access-class 3 in fRouter only allows in-band management sessions from authorized IP address within the internal network.Ensure in-band management access to the router is secured using Federal Information Processing Standard (FIPS) 140-2 validated encryption such as Advanced Encryption System (AES), Triple Data Encryption Standard (3DES), Secure Shell (SSH), or Secure Sockets Layer (SSL).0SSH connections are allowed to access VTY ports.Ensure Secure Shell (SSH) timeout value is set to 60 seconds or less, causing incomplete SSH connections to shut down after 60 seconds or less.Each user should have access to only the privileges they require to perform their respective duties. Access to the highest privilege levels should be restricted to a few users.mEnsure accounts that are no longer required are immediately removed from the authentication server or router.Expected ResultsTest Objective Test StepsActual ResultsTest IDProcedures should be in place to enforce proper account administration. Accounts that are no longer needed should be disabled or removed immediately from the system.Ensure the enabled secret password does not match any other username password, enabled password, or any other enabled secret password. ]Each router should be configured with a unique enabled secret password and remove all others.xEnsure route management utilizes the Out-Of-Band (OOB) or direct connection methods for communication device management.OOB or direct connection method should be implemented with authenticated access control, strong two-factor authentication, encryption of the management session, and audit logs when OOB management is necessary.ORouter should be configured to utilize the most current supported version of Secure Shell (SSH) with all security patches applied. Router should be configured to ensure authenticated access control, strong two-factor authentication, encryption of the management session, and audit logs are all being incorporated in the access scheme.YEnsure that all Out-Of-Band (OOB) management connections to the router require passwords.?OOB management connections to the router should have passwords.BEnsure modems are not connected to the console or auxiliary ports.L1. Physically inspect any local routers to ensure modems are not connected.[Ensure the proper authorized network administrator is the only one who can access the device by ensuring Out-Of-Band (OOB) access enforces the following security restriction: -Two-factor authentication (e.g., Secure ID, PKI) - Encryption of management session (Federal Information Processing Standard (FIPS) 140-2 validated encryption) - AuditingnEnsure the lifetime of a Message Digest 5 (MD5) Key expiration is set to never expire. The lifetime of the MD5 key should be configured as infinite for route authentication, if supported by the current approved router software version. NOTE: Only Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains. -MD5 Key lifetime should be set to  infinite .tExamine all Cisco router configurations to determine if the global command service password-encryption is present. The router administrator will configure each router using the service password encryption option. Service password-encryption is the required global config mode command. 1. Review the running configuration and verify that only one local account has been defined. An example of a local account is shown in the example below: Username xxxxxxx password 7 xxxxxxxxxxxx WEnsure each user has their own account to access the router with username and password.1. Review router configurations for local accounts defined to router. If an authentication server is being used, examine those accounts with access to the routers. Individual user accounts should be created for each authorized router administrator. Groups, user accounts without passwords, or duplicate accounts should not exist. Ensure passwords are not visible when displaying the router configuration. Type 5 encryption should be used for the enable mode password (i.e., enable secret password).Procedures: 1. From an enable console window, type 'sh run | inc service timestamps log'. Response should read: 2. Review the logging mechanism to see what elements are recorded. (If syslog servers are being used, you can use the command "show logging" to see the setup.) The following elements are selected to be recorded in the log: Expected Results: 1. "service timestamps log datetime". 2. - User ID (if available), but do not log password used; - Action/request attempted (particularly: interface status changes, changes to the system configuration, access list matches and/or failures) - Success or failure of the action; - Date/time stamp of the event and Source address of the request. 3. If the router is configured for dial-up access, confirm that logging provides explicit audit trails for all dial-up access. Note that it is OK for this line to have additional arguments, as long as it contains these four words.5All unnecessary services on the router are disabled. <Ensure that an approved authoritative time server is used. Ensure the system where router configuration files are stored uses local operating system s security mechanisms for restricting access to the files (i.e., password restricted file access). Ensure only authorized router administrators are given access to the stored configuration files. aEnsure that the log server has the capacity to retain the logs for the required retention period.=Router configurations are securely stored on a local machine.\The log server has enough disk space to < retain the logs for the required retention period. 9Examine the available storage capacity of the log server.BSplit test case 40 into two test cases - #48 is the new test case. First M. Lastmonth d, yyyy - month d, yyyyCity, STAgency POC(s): Name: Telephone # Email Address(###) ###-#### x#####First.M.Last@xx.xxxPass / Fail / N/AMReviewer to indicate if the test case passed, failed, or is not applicable. Info Percent (%)StatusNumber of ChecksPassFailNot ApplicableBlank (Not Reviewed)Total Tests PerformedAbsolute Total # Tests NIST ControlUse Of Cryptography ( User Identification and Authentication * Device Identification And Authentication System Use Notification Authenticator Management Least Privilege Account Management Access Enforcement &User Identification and Authentication Session Lock Configuration Settings 'User Identification And Authentication 'User Identification and Authentication Denial Of Service Protection Information Flow Enforcement %Access Control Policy And Procedures Network Disconnect Unsuccessful Login Attempts Session Termination Auditable Events Remote Access Configuration SettingsCM-6 Time Stamps $Cryptographic Module Authentication Content of Audit Records (Supervision And Review  Access Control Audit Storage Capacity Test MethodExamineTest Interview Examine Test Test ExamineSCSEM Results DashboardOut-of-Scope ReasonRA-1 Control covered in the MOT SCSEMRA-2RA-3RA-5PL-1PL-2PL-4PL-5,Control not selected in IRS Publication 1075PL-6SA-1SA-2SA-3SA-4SA-5SA-6SA-7SA-9CA-1CA-2CA-3CA-5CA-6CA-7PS-1PS-2PS-3PS-4PS-5PS-6PS-7PS-8CP-1CP-2CP-3CP-4CP-6CP-7CP-8CP-9CP-10CM-1CM-8MA-1MA-2MA-3MA-4MA-5MP-1Control covered in the SDSEMMP-2MP-3MP-4MP-5MP-6PE-1PE-2PE-3PE-4PE-5PE-6PE-7PE-8PE-9PE-10PE-11PE-12PE-13PE-14PE-15PE-16PE-17PE-18SI-1SI-3SI-4SI-5SI-8IR-1IR-2IR-3IR-4IR-5IR-6IR-7AT-1AT-2AT-3AT-4IA-1IA-3AC-1AC-4AC-17AC-19AC-20AU-1SC-1SC-12SC-15SC-17SC-18SC-19SC-20SC-22 References+IRS Publication 1075, October 2007 RevisionSC-13IA-2AC-8IA-5AC-6AC-2AC-3AC-11SC-10AC-7AU-8SC-5IA-7AU-3AU-4 Control IDAU-7AU-11CM-2CM-3CM-4CM-5CM-7IA-4MP-7SA-8SA-10SA-11SC-7SI-9SI-10SI-11SI-12Pass / Fail / N/A / InfoDIRECTIONS FOR SCSEM USEThis SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented a Cisco router or switch running the Cisco IOS that is involved in controlling the flow electronic Federal Tax Information (FTI) files to and from the agency (perimeter), and within the agency network (internal, core). Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. Also the agency can use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.AU-6AC-22CM-9IA-8IR-8SC-32SI-7AC-21AU-13AU-14SA-12SA-13SA-14SC-25SC-26SC-27SC-29SC-30SC-31SC-33SC-34SI-13SC-16PM-1PM-2PM-3PM-4PM-5PM-6PM-7PM-8PM-9PM-10PM-11Number of test casesLast test case row:SC-21AU-12HExpected Results: The warning banner is compliant with IRS guidelines and contains the following 4 elements: - the system contains US government information - users actions are monitored and audited - unauthorized use of the system is prohibited - unauthorized use of the system is subject to criminal and civil penalties Procedures: Run the command 'show config' and verify that the configuration file includes a command beginning with 'set banner motd' that contains an appropriate warning banner.Booz Allen HamiltonjNIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Revision 34All unnecessary services on the router are disabled.#DESCRIPTION OF SYSTEM ROLE WITH FTInProvide a narrative description of this system's role with receiving, processing, storing or transmitting FTI.System Hostname:[The dashboard is provided to automatically calculate test results from the Test Case tab. The 'Info' status is provided for use by the reviewer during test execution to indicate more information is needed to complete the test. It is not an acceptable final test status, all test cases should be Pass, Fail or N/A at the conclusion of the review.AProcedures: Verify that the authentication server's configuration parameters meet the following requirements: a) Minimum password length of 8 characters b) Passwords must contain at least one number or special character, and a combination of at least one lower and uppercase letter. c) Maximum password age of 60 days for privileged user and 90 days fro standard user accounts. d) Minimum password age of 15 days e) Password history for the previous 6 passwords f) Prohibit the use of a username within a password g) Prohibit the use of dictionary words or common passwords h) Prohibit the use of words from a customized list of dictionary words and common passwords i) Administrators can override minimum password age limits when changing passwords j) Users are forced to change their initial password during their first logon Interview the ISSO to determine if the site is compliant with this requirement. Example technical checks for access control: -------------------------------------------- 1. Type the following command from an enable console window:  show running-config . Examine the subsections for "line con 0", "line aux 0", and "line vty 0 4". Each subsection should have a password assigned, which should be encrypted, and should have a line that begins with "login <authentication method>" where <authentication method> is either "local" (for local authentication) or "tacacs", "radius", or "kerberos" (if a centralized authentication server is used for authentication). 2. If remote access is being used for administration of the router, check that access control lists are in place to restrict which IP addresses are allowed access to the router. Type the following command: show access-lists. Make a note of the numbering of the access-lists, and then type the following command:  show running-config . Look for the subsection for the VTY terminals  "line vty 0 4". Note: There should be a line within the configuration similar to the foll< owing: Expected Results: 1. line con 0 password 7 06160E325F59060B0144 login local 2. line vty 0 4 access-class 10 in A line should appear similar to the following: tacacs-server last-resort password 1. Note: The line beginning with "login" should not say "no login" or should not be missing. The "no login" command is counter intuitive; it sounds like it would disable login access, but actually means that "no login" is required for access. In either case a remote user could then login without entering any password or username authentication. 2.Note: This line enables the router to default to the privileged enable password if for some reason a connection to the authentication server is not available. Note: If a remote authentication server is used for authentication, type the following command from an enable console window:  show running-config | inc last-resort . The line for "access-list" should have the same number as the line for "access-class" (in the example above "access-list 10" is the access list applied in the case of "access-class 10")  Procedures: 1. Type 'show snmp' to verify SNMP has been enabled (if not,skip the remainder procedures). If snmp v3 is being used, type 'sh run | inc snmp' from an enable prompt window and review the authprivgroup setting. The last parameter should be set to Priv, which provides authentication and encryption. "Auth" means authentication but no encryption, while "Noauth" means that no encryption or authentication is used. 2. Evaluate the strength of the community name strings. The "snmp community" settings contain hard-to-guess community names 3. Determine if unencrypted read/write access is possible. 4. Confirm router access is restricted by access control lists. The numbers at the end of the lines refer to ACL numbers for either read only (RO) or read/write (RW) access. Similar ACL entries: 5. If SNMP read/write access is permitted, review the permit/deny statements associated by typing 'sh access-lists'. A line similar to the following appears in one of the ACL's: 6. Type 'sh snmp | inc logging' from an enable console window. The router should NOT respond with: snmp-server group authprivgroup v3 priv Unencrypted read-write access should not be possible. Read-write access should not be enabled when snmp v1 or v2 is in use. Read-write access should only be enabled for snmp v3 when the priv authprivgroup mode is in use. snmp-server community password6 RO 6 snmp-server community password8 RW 8 snmp-server tftp-server-list 98 SNMP logging: disabledNote: Remote access is defined as any access to an agency information system by a user communicating through an external network, for example: the Internet. SC-8 SC-9'Transmission Confidentiality/ IntegrityAll FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency s Local Area Network (LAN). 1. Determine if IP traffic containing FTI is encrypted when traversing communication lines within the agency's local area network (LAN) and when FTI is transmitted outside the LAN across the wide area network (WAN). If FTI is transmitted over a LAN or WAN it is encrypted with FIPS 140-2 validated encryption, using at least a 128-bit encryption key.FUpdated for NIST 800-53 Rev 3 Updated for new Publication 1075 version_Ensure the router console port is configured to timeout after 15 minutes or less of inactivity.fTimeout for unattended console port is set for no longer than 15 minutes via the exec-timeout command.VEnsure the timeout for in-band management access is set for no longer than 15 minutes.?In-band management access is set for no longer than 15 minutes.j 1. Review each router s configuration to ensure that the console port and the vty ports used by the Out-Of-Band Management (OOBM) network require a login prompt. The configuration should look similar to the following: line con 0 login authentication admin_only exec-timeout 15 0 line vty 0 4 login authentication admin_only exec-timeout 0 transport input ssh h1. Review each Cisco router configuration to ensure that the console is disabled after 15 minutes of inactivity. The configuration should look similar to the following: line con 0 login authentication admin_only exec-timeout 15 0 1. Review each Cisco router s configuration to ensure that the Virtual Teletype Terminal (VTY) ports require a login prompt. The configuration should similar to the following: line vty 0 4 login authentication admin_only exec-timeout 15 0 transport input ssh 1. Review each router s configuration to ensure that the Virtual Teletype Terminal (VTY) ports are disabled about 15 minutes of inactivity. The configuration should look similar to the following: line vty 0 4 login authentication admin_only exec-timeout 15 0 transport input ssh < Updates: -Cover: Added SCSEM disclaimer language -Dashboard: Added test case calculations -Test Cases: a. Updated NIST test case method on old to new test cases b. Added test method column -Out of Scope Controls: Newly added worksheet to identify out of scope controls -Sources: Added worksheet for source documents 1<ZgThe IRS strongly recommends agencies test all SCSEM settings in a development/test environment prior to deploying them in operational environments because in some cases a security setting may impact a system s functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the operational sy<stem configuration. Prior to making changes to the production system agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary. The IRS welcomes feedback and suggestions from agencies in regard to individual SCSEMs.gSafeguard Computer Security Evaluation Matrix (SCSEM) Cisco IOS Release IV July 30, 2010 Version 0.8M 4 5UY $( E"%m%M)|U-3B6 :Ng?#G2KK\gL>MNOOvPPq9QqQ QAQyRjRR:RxSSSS$ Sb 3T mT TE T~ JU X+XkYKYZ`^{ccB  +\  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,333333?333333?&<3U} $ } } $ }  } I} } $ +                           @                              0l*2# $ % & ' ( *  #' # $( $ %) % & && && & ' ' ' ( ( ( *xL**(   %O2 S N Group 2Horizontal Rule"x ] `4~vB B >?Line 3%O]`P4|B  D)?Line 4Z 22]`T4  PA ?1?IRS Logop!]N`  $Word.Document.8">@ "  '' yK First.M.Last@xx.xxxyK Nmailto:First.M.Last@xx.xxxyX;H,]ą'c(( yK First.M.Last@xx.xxxyK Nmailto:First.M.Last@xx.xxxyX;H,]ą'cggD  Ȥ@  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,333333?333333?&<3U} } $     @            g  h       @0$0$0$0$$$$$$>@"    ggD    dMbP?_*+%&ffffff?'ffffff?(?)?"333333?333333? &<3U} } } I J  000000 0 0 0 @    n o n p+q ;1PassAZ.r #DD B p+q ;1FailAZ.r #DD B p+q ;1InfoAZ.r #DD B s*q ;1N/AAZ.r #DD B p$pH@ ;1A[.r? #DD B p# t  % p p# tH@  % p   H@  D .I@ ;@@B@"*ooonh??1>@   ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo  ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo  ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo  ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo  ; ;@@B@B@$C@D  ; ;@@B@B@$C@D{+{  {+{  {+{ {+{  {+{  {+{  {+{ {+{ {+{ {+{ {+{ {+{ {{ ;@@B@B@$C@3[ t|{{ ;@@B@B@$C@3[ t| Sheet2ggD  $Ca  dMbP?_*+%# &CIRS Safeguards Cisco IOS SCSEM &C&Pof&N&?'?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"UXX333333?333333?&43U} D} I D} D}  D} C} C} IC} C} m D} B} C} $ C   X@ H H H ! H H H ! H H ^ H RH $ H H H H H H H H H H H H B H ? H H ZH H H H H H V V V& V V~ V V} V Vf W%~ F? F jE j G G G G`F ~ F@ F jF j G G G G`F ~ F@ F j4 j G G G G`F ~ F@ F jF j G G G G`F ~ F@ F jG j GC   G`F ~ F@ F j4 j G G G G`F ~ F@ F jH j G  G G`F ~ F @ F jI j G G G{ G`F ~ F"@ F jJ j G| G G G`F ~ F$@ F j4 j G G G G`F ~ F&@ F j4 j G G G G`F ~ F(@ F jK j G  G G`F ~ F*@ F jK j G G# G G`F ~ F,@ F jF j G G G G`F ~ F.@ F jL j G G G G`F ~ F0@ F jK j G G Ge G`F ~ F1@ F jK j Gf G Go G`F ~ F2@ F jJ j Gp G Gq G`F ~ F3@ F jF j Gr G Gs G`F ~ F4@ F jK j G Gt Gu G`F ~ F5@ F j6 j Gl Gv Gw G`F ~ F6@ F j5 j Gx G Gy G`F ~ F7@ F jM j Gz Ga Gb G`F ~ F8@ F jN j Gc Gd GQ G`F ~ F9@ F jN j G G G G`F ~ F:@ F j j Gg Gh Gi G`F ~ F;@ i k k Gj G Gk G`F ~ F<@ F j7 j Gm G Gn G`  ~ F=@ F jK j GR G GS G`F ~ F>@ F jK j G G G G`F ~ F?@ F jK j GT G G\ G`F Dlrrrrrrrrrrrrrrrrrrrrrrrrrrr~rr H! H" ZH# H$ H% (H& H' H( H) H* %H+ H, M H- H. H/ H0 /H1 U@2 b3 H4 H5 H6 H7 H8 H9 H: ; < = > ? ~ F@@ F jO j G G; G G`F ~ !F@@ !F !jK !j !GU ! !G !G`F ~ "FA@ "F "jK "j "G" "GV "GW "G`F ~ #FA@ #F #jP #j #GX #G$ #GY #G`F ~ $FB@ $F $jP $j $GZ $G $G[ $G`F ~ %FB@ %F %jP %j %GB %G %G] %G`F ~ &FC@ & & & &G &G &G &G`F ~ 'FC@ 'h 'h 'h 'G^ 'G 'G_ 'G`F ~ (FD@ (h (h (h (G` (G (G (G`F ~ )FD@ )F )jK )j )G )G )G )G`F ~ *FE@ *F *jQ *j *GD *GE *GF *G`F ~ +FE@ +F +jK +j +GG +G +GH +G`F ~ ,FF@ ,F ,jK ,j ,GI ,GJ ,GK ,G`F ~ -FF@ -F -jF -j -GL -GM -GN -G`F ~ .FG@ .F .jR .j .G? .G .G? .G`F ~ /FG@ /F /ji /j /G> /G@ /GA /G`F ~ 0FH@ 0F 0jR 0j 0GO 0G! 0GP 0G`F ~ 1FH@ 1F 1lS 1l 1G 1G 1G 1G`F 2aaam 2ccd 3\EEE 3eEf 4eE 5eE 6eE 7eE 8Eg 9Eg :EEEEHHHHEE ;EEEEHHHHEE <EEEEHHHHEE =EEEEHHHHE>EEEEHHHHE?EEEEHHHHED lrrrrrrrrrrrrrrrrrr""@ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ @EEEEHHHHEAEEEEHHHHEBEEEEHHHHECEEEEHHHHEDEEEEHHHHEEEEEEHHHHEFEEEEHHHHEGEEEEHHHHEHEEEEHHHHEIEEEEHHHHEJEEEEHHHHEKEEEEHHHHELEEEEHHHHEMEEEEHHHHENEEEEHHHHEOEEEEHHHHEPEEEEHHHHEQEEEEHHHHEREEEEHHHHESEEEEHHHHETEEEEHHHHEUEEEEHHHHEVEEEEHHHHEWEEEEHHHHEXEEEEHHHHEYEEEEHHHHEZEEEEHHHHE[EEEEHHHHE\EEEEHHHHE]EEEEHHHHE^EEEEHHHHE_EEEEHHHHEDl` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~  `EEEEHHHHEaEEEEHHHHEbEEEEHHHHEcEEEEHHHHEdEEEEHHHHEeEEEEHHHHEfEEEEHHHHEgEEEEHHHHEhEEEEHHHHEiEEEEHHHHEjEEEEHHHHEkEEEEHHHHElEEEEHHHHEmEEEEHHHHEnEEEEHHHHEoEEEEHHHHEpEEEEHHHHEqEEEEHHHHErEEEEHHHHEsEEEEHHHHEtEEEEHHHHEuEEEEHHHHEvEEEEHHHHEwEEEEHHHHExEEEEHHHHEyEEEEHHHHEzEEEEHHHHE{EEEEHHHHE|EEEEHHHHE}EEEEHHHHE~EEEEHHHHEEEEEHHHHEDl           EEEEHHHHEEEEEHHHHEEEEEHHHHEEEEEHHHHEEEEEHHHHEEEEEHHHHEEEEEHHHHEEEEEHHHHEEEEEHHHHEEEEEHHHHEEEEEHHHHE  (  R  C ]F!T4 d ZR  C ]F!V4 d ZR  C ]F!@X4 d ZR  C ]F!Y4 d ZR  C ]F!@[4 d ZR  C ]F!\4 d ZR  C ]F!\4 d ZR  C ]F!]4 d ZR   C  ]F !@^4 d ZR   C  ]F !_4 d >@Z__ A ###w11;@Pass;@Fail;Info397935;7935d  @Pass;7935d  @Fail;7935d  Info{+{1{+{1{+{1{+{39{+{39{+{39y  Input Error5Please enter an accepted value: Pass, Fail, N/A, InfoPassFailN/AInfoN1 Sheet3ggD  $< L&"  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,333333?333333?&<3U} v} 8v} $ v           ~T u 5 u 8 u 9 u p u j u /  u 0  u 1 u 2  u :  u U  u V  u q  u r u  u  u  u  u  u  u  u W u X u Y u Z u  u [ u  u k u  u  uD@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& !"#$%&'()*+,-./0123456789:;<=>?  u ! !!u " ""u # # #u $ $$u % %%u & &&u '3 ''u (\ ((u )l ))u *( * *u +) + +u ,* ,,u -+ - -u ., . .u /- / /u 0. 00u 1m 11u 2 22u 3 33u 4 44u 5 55u 6  66u 7  7 7u 8  8 8u 9  9 9u : : :u ; ; ;u < < <u =] = =u > >>u ? ??uD@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ @ @@u A AAu B BBu C C Cu D D Du E E Eu F F Fu G G Gu H H Hu I I Iu J J Ju K KKu L LLu M MMu N NNu O OOu P PPu Q QQu R  R Ru S! S Su T" T Tu U U Uu V V Vu W W Wu X X Xu Y Y Yu Z Z Zu [ [ [u \ \ \u ] ]]u ^ ^^u _ __uD@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&`abcdefghijklmnopqrstuvwxyz{|}~ ` ``u a aau b bbu c ccu d ddu e eeu f ffu g ggu h^ hhu i i iu j_ jju k` kku ls llu mt mmu nu nnu o; oou pa ppu q< qqu r= rru s ssu t> ttu u? uuu v@ vvu wA wwu x xxu yB yyu zv zzu {w {{u |x ||u }y }}u ~z ~~u { uD@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&@ n u | u } u # u $ u % u & u o u ' u b  c  d  e   ~                         6 &&&&&&&&&>@A  Sheet4ggD  ,(J)  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,333333?333333?&<3U} I_v} $ v xCu yu zu {u zDuwd>@vr Sheet5ggD   /2  dMbP?_*+%# &CIRS Safeguards Cisco IOS SCSEM &C&Pof&N&?'?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"<XX??&U} J} M} 1I} m}I} I} mJ} I} &K} II} IL} AI} I} $ I ,X@X@@,Q,@,@@ @ ,@ @ *  + NOOOI  P,R S& P-I ~ P.II  P/II } P0I I   P1 I I   T I I 2  U3 I0&:::::>@KURJ    w Sheet6ggD  91=  dMbP?_*+%$!&CIRS Safeguards Cisco IOS SCSEM &C&Pof&N&?'?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"dXX??&U} } $ } %} I       X4 X5 X6 X7Y$@Z?@ [8 YY4@Z@P@ [9 YY>@ZY@ [: YYD@Z@f@ [ YY?Z m@ [< Y]N@^ @ _= Y|Q@}@ [ YYT@Z@ [ Y YZ[Y YZ[Y YZ[Y YZ[Y YZ[YYZ[YYZ[YYZ[YYZ[Y(T822222222>@YZA w Sheet7ggD X 8Safeguard Computer Security Evaluation Matrix (SCSEM) IRSJonathan IsnerMicrosoft Excel@/\@v)@xm7՜.+,D՜.+,l PXh px )BA&H  CoverPurpose DashboardDocumentSummaryInformation8CompObj r Test CasesOut Of Scope ControlsSourcesLegend Change Log'Test Cases'!Print_Titles  Worksheets Named Ranges$ 8@ _PID_HLINKSA kHmailto:First.M.Last@xx.xxxkHmailto:First.M.Last@xx.xxx F&Microsoft Office Excel 2003 WorksheetBiff8Excel.Sheet.89q