yKzJ�d� �/i6�3OdfZe{R�-YS-� �$߻sC\6��Zrjr6�1_AC�>�'*�4�ѥ߶mNxS[�5!~U m{ti)aڷI)� vFyٔ{6R(�)?~ܵ}\m�>m�z}�)=t^}_-̧pD'nRUh�}d܇.·��!�:"=>j\HY��'{!b6ᇂ`T�6)3�tlGd�4s/ϔɗՄʼ@3xc՛|ʷ/B�#�Bk�#ys�Uev� JwXM��-&#vp|He�`N\"D9If7�,_G4IOrub ~mES^k׮١U;J�t �����*�4i�0oE@r�8KQoPf*]"ʳ-O贵T,KG̽u)4G=c!ȕ9 /%x8� ޻_I=�☓4Edy4S�G�)pxYi]Password complexity, aging and history are properly enforced. 6Password strength and complexity requirements are met.IOS-08AC-6�The router administrator will ensure that all user accounts are assigned the lowest privilege level that allows them to perform their duties.1. There are sixteen (16) possible privilege levels that can be specified for users in the router configuration. The levels can map to commands, whi< ch have set privilege levels or you can reassign levels to commands. Usernames with corresponding passwords can be set to a specific level. There would be several username, name and password, password followed by username name privilege level. The user will automatically be granted that privilege level upon logging in. The following is an example of assigning a privilege level to a local user account and changing the default privilege levels of the configure terminal command: Username junior-engineer1 privilege 7 password xxxxxx Username senior-engineer1 privilege 15 password xxxxxxx Privilege exec level 7 configure terminal IOS-09AC-2mEnsure accounts that are no longer required are immediately removed from the authentication server or router.�Procedures should be in place to enforce proper account administration. Accounts that are no longer needed should be disabled or removed immediately from the system.IOS-10 Interview�Ensure the enabled secret password does not match any other username password, enabled password, or any other enabled secret password. ]Each router should be configured with a unique enabled secret password and remove all others.IOS-11�Ensure passwords are not visible when displaying the router configuration. 
Type 5 encryption should be used for the enable mode password (i.e., enable secret password).tExamine all Cisco router configurations to determine if the global command service password-encryption is present. �The router administrator will configure each router using the service password encryption option. Service password-encryption is the required global config mode command. IOS-12AC-3IOS-13IOS-14IOS-15AC-11_Ensure the router console port is configured to timeout after 15 minutes or less of inactivity.�1. Review each Cisco router configuration to ensure that the console is disabled after 15 minutes of inactivity. The configuration should look similar to the following: line con 0 login authentication admin_only exec-timeout 15 0 fTimeout for unattended console port is set for no longer than 15 minutes via the exec-timeout command.IOS-16BEnsure modems are not connected to the console or auxiliary ports.L1. Physically inspect any local routers to ensure modems are not connected.AModems should not be connected to the console or auxiliary ports.IOS-174Ensure that the router s auxiliary port is disabled.�1. View each Cisco router s configuration to ensure that the auxiliary port is disabled with a configuration similar to the following: line aux 0 no exec transport input none 2Auxiliary ports should be disabled on all routers.IOS-18IOS-19CAll in-band management connections to the router require passwords.IOS-20IOS-21AC-4M1. Review all router configurations and verify that only authorized internal connections are allowed on Virtual Teletype Terminal (VTY) ports. The configuration should look similar to the following: access-list 3 permit 192.168.1.10 log access-list 3 permit 192.168.1.11 log access-list 3 deny any . 
line vty 0 4 access-class 3 in fRouter only allows in-band management sessions from authorized IP address within the internal network.IOS-22IOS-23SC-10�Ensure Secure Shell (SSH) timeout value is set to 60 seconds or less, causing incomplete SSH connections to shut down after 60 seconds or less.1SSH session timeout is set to 60 seconds or less.IOS-24AC-7IOS-25IOS-26AU-12�Ensure the Access Control List (ACL) that is bound to the Virtual Teletype Terminal (VTY) ports is configured to log permitted and denied access attempts.1. Review each router configuration to ensure that all connection attempts to the VTY ports are logged. The configuration should look similar to the following: access-list 3 permit tcp host x.x.x.x any eq 23 log access-list 3 deny any log . line vty 0 4 access-class 3 in APermitted and denied access attempts to the VTY ports are logged.IOS-27CM-6IOS-28AC-17WEnsure Transmission Control Protocol (TCP) Keep-Alives for Telnet Session are enabled. [1. Review all Cisco router configurations to verify that tcp-keepalives-in are enabled. /TCP Keep-Alives for Telnet Session are enabled.IOS-29.Ensure configuration auto-loading is disabled.�1. Review all Cisco router configurations to verify that the commands boot network and service config are not included. NOTE: Disabled by default in version 12.0, will not be displayed in the running configuration. 'Configuration auto-loading is disabled.IOS-305All unnecessary services on the router are disabled. �Procedures: 1. Type 'sh run | inc small-servers' from an enable console window (There should be no response, indicating that both tcp-small-servers and udp-small-servers have not been enabled). 2. Type 'sh run' from an enable console window. 
Confirm that the following lines exist for each interface (or as a global command, if indicated below): - no ip redirects - no ip proxy-arp - no ip gratuitous-arps - no cdp enable - no mop enable - no ip unreachables - no ip ident - no ip source-route (found in a global command; not under an interface) - no ip bootp server (found in a global command; not under an interface) - no service pad (found in a global command; not under an interface) - no service dhcp (found in a global command; not under an interface) - no ip classless (found in a global command; not under an interface) - no ip http server (found in a global command; not under an interface) - no ftp-server enable -no ip rcmd rcp-enable -no ip rcmd rsh-enable 4. Confirm that the following lines do not exist for each interface (or as a global command, if indicated below): - ip mask-reply - ip finger (found in a global command; not under an interface) Note: If any of the services listed in this procedure are running, administrators must present a strong justification for their necessity. The specified lines can also not exist, which means that these services are not enabled. 5. In step 3, if the "no service dhcp" line could not be found, type "show proc" and look for a DHCP process (there should not be one). 6. In step 3, if the "no mop enable" line could not be found, type "no mop enable". The command should be rejected, indicating that there is no mop service present on the router. If the command is accepted, then mop is running.4All unnecessary services on the router are disabled.IOS-31VEnsure Internet Protocol (IP) directed broadcast is disabled on all router interfaces.1. For Cisco IOS version 12.0 and higher, review the running configuration to verify that it does not contain the command ip directed-broadcast. For versions prior to 12.0, ensure the command no ip directed-broadcast is displayed in the running configuration. 
$IP directed broadcasts are disabled.IOS-32AU-8<Ensure that an approved authoritative time server is used. �Procedures: 1. Type 'sh run | inc ntp server' from an enable console window to see if NTP is configured. The response should show: 2. To verify that the NTP client has been configured for authenticatio< n, run the  sh run command and look for lines in the configuration similar to the following: ntp server <ip.address> ntp authentication-key 10 md5 1043100A0014000E180F2F32 7 ntp authenticate ntp trusted-key 10hThe router uses the NTP service to synchronize its time with an IRS approved authoritative time server.IOS-33WEnsure Simple Network Management Protocol (SNMP) is blocked at all external interfaces.� Procedures: 1. Type 'show snmp' to verify SNMP has been enabled (if not,skip the remainder procedures). If snmp v3 is being used, type 'sh run | inc snmp' from an enable prompt window and review the authprivgroup setting. The last parameter should be set to Priv, which provides authentication and encryption. "Auth" means authentication but no encryption, while "Noauth" means that no encryption or authentication is used. 2. Evaluate the strength of the community name strings. The "snmp community" settings contain hard-to-guess community names 3. Determine if unencrypted read/write access is possible. 4. Confirm router access is restricted by access control lists. The numbers at the end of the lines refer to ACL numbers for either read only (RO) or read/write (RW) access. Similar ACL entries: 5. If SNMP read/write access is permitted, review the permit/deny statements associated by typing 'sh access-lists'. A line similar to the following appears in one of the ACL's: 6. Type 'sh snmp | inc logging' from an enable console window. The router should NOT respond with: snmp-server group authprivgroup v3 priv Unencrypted read-write access should not be possible. Read-write access should not be enabled when snmp v1 or v2 is in use. 
Read-write access should only be enabled for snmp v3 when the priv authprivgroup mode is in use. snmp-server community password6 RO 6 snmp-server community password8 RW 8 snmp-server tftp-server-list 98 SNMP logging: disabled�Expected Results: 1. snmp-server group authprivgroup v3 priv 3. Unencrypted read-write access should not be possible. Read-write access should not be enabled when snmp v1 or v2 is in use. Read-write access should only be enabled for snmp v3 when the priv authprivgroup mode is in use. 4. snmp-server community password6 RO 6 snmp-server community password8 RW 8 5. snmp-server tftp-server-list 98 6. SNMP logging: disabledIOS-34�Ensure Simple Network Management Protocol (SNMP) is only enabled in the read mode; Read/Write is not enabled unless approved and documented by the ISSO .�1. Review all router configurations to ensure SNMP access from the network management stations is read only. The configuration look similar to the following: access-list 10 permit host x.x.x.x snmp-server community xxxxxxx ro 10 &SNMP is enabled in the read-only mode.IOS-35SC-5�Ensure a maximum wait interval for establishing a Transmission Control Protocol (TCP) connection request to the router is set to 10 seconds or less, or implement a feature to rate-limit TCP SYN traffic destined to the router.�1. Cisco  Review the router configuration to ensure the ip tcp synwait-time command is in place to monitor TCP connection requests to the router. The configuration should look similar to the following: ip tcp synwait-time 10 sA maximum wait interval for establishing a TCP connection request to the router is set to ten (10) seconds or less.IOS-36vEnsure Cisco Express Forwarding (CEF) is enabled to improve router stability during a SYN flood attack to the network.G1. Cisco  Review all Cisco router configurations to ensure that CEF has been enabled. 
The configuration should look similar to the following:
    ip cef
CAVEAT: If the site has implemented SYN flood protection for the network using the perimeter firewall, there is not an additional requirement to implement it on the router.

CEF has been enabled.

IOS-37

Ensure all routers are configured to log severity levels zero (0) through six (6) and send log data to a syslog server.

1. Review all router configurations to ensure that all routers log messages for severity levels 0 through 6. By specifying informational, all severity levels will be included. For Cisco routers, a sample configuration would look similar to the following:
    logging on
    logging host x.x.x.x
    logging console critical
    logging trap informational
    logging facility buildingA

All routers are configured to log severity levels zero (0) through six (6) and send log data to a syslog server.

IOS-38

All FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN).

1. Determine if IP traffic containing FTI is encrypted when traversing communication lines within the agency's local area network (LAN) and when FTI is transmitted outside the LAN across the wide area network (WAN).

If FTI is transmitted over a LAN or WAN it is encrypted with FIPS 140-2 validated encryption, using at least a 128-bit encryption key.

IOS-39

Ensure, when saving and loading configurations, the running and startup configurations are synchronized.

1. Cisco - Compare the startup and running configurations. This can be done by using the show running-config command and show startup-config.

Running and start-up configurations are synchronized.

IOS-40

Ensure at least the current and previous router configurations are stored in a secured location to ensure a proper recovery path.

1. Cisco - Have the router administrator show the stored configuration files.
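The NTP, SNMP, TCP synwait-time, CEF and logging checks above (IOS-32 through IOS-37) can be run offline against a saved copy of a running configuration. The Python below is an added example, not part of the SCSEM; the audit() function, its finding texts and the sample configuration are constructed for illustration, and it covers only the configuration-line checks, not the interview steps.

```python
import re

# Cisco IOS syslog severity keywords; list index = numeric level (0..7).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Constructed sample (not from a real device); addresses are documentation ranges.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip cef
ip tcp synwait-time 30
ntp server 192.0.2.10
ntp authentication-key 10 md5 0000000000 7
ntp trusted-key 10
access-list 6 permit host 192.0.2.30
snmp-server community example-ro RO 6
snmp-server community example-rw RW
logging on
logging host 192.0.2.20
logging trap warnings
"""

SNMP_COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (ro|rw)(?: (\S+))?$", re.I)


def audit(config):
    """Return {test_id: [problems]}; an empty list means the check passed."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    out = {tid: [] for tid in
           ("IOS-32", "IOS-33/34", "IOS-35", "IOS-36", "IOS-37")}

    # IOS-32: an NTP server is set and NTP authentication is switched on.
    if not any(ln.startswith("ntp server ") for ln in lines):
        out["IOS-32"].append("no 'ntp server' line")
    if "ntp authenticate" not in lines:
        out["IOS-32"].append("no 'ntp authenticate' line")
    for kw in ("ntp authentication-key ", "ntp trusted-key "):
        if not any(ln.startswith(kw) for ln in lines):
            out["IOS-32"].append("no '%s' line" % kw.strip())

    # IOS-33/34: v1/v2 communities must be read-only and bound to an ACL.
    # Communities are reported by position so the secret string is not echoed.
    matches = [m for m in map(SNMP_COMMUNITY.match, lines) if m]
    for pos, m in enumerate(matches, 1):
        if m.group(2).upper() == "RW":
            out["IOS-33/34"].append(
                "community #%d is read-write (needs documented ISSO approval)" % pos)
        if m.group(3) is None:
            out["IOS-33/34"].append("community #%d has no ACL" % pos)

    # IOS-35: synwait-time present and no longer than 10 seconds.
    waits = [int(m.group(1)) for m in
             (re.match(r"^ip tcp synwait-time (\d+)$", ln) for ln in lines) if m]
    if not waits:
        out["IOS-35"].append("no 'ip tcp synwait-time' line")
    elif waits[-1] > 10:
        out["IOS-35"].append("synwait-time is %d s, above 10" % waits[-1])

    # IOS-36: CEF enabled and not negated.
    has_cef = any(ln == "ip cef" or ln.startswith("ip cef ") for ln in lines)
    if not has_cef or "no ip cef" in lines:
        out["IOS-36"].append("'ip cef' is not enabled")

    # IOS-37: a syslog host is set and the trap level covers severities 0-6.
    if not any(ln.startswith("logging host ") for ln in lines):
        out["IOS-37"].append("no 'logging host' line")
    trap = [ln.split()[2] for ln in lines if ln.startswith("logging trap ")]
    if not trap:
        out["IOS-37"].append(
            "no 'logging trap' line; confirm the level with 'show logging'")
    else:
        word = trap[-1]
        level = int(word) if word.isdigit() else (
            SEVERITY.index(word) if word in SEVERITY else -1)
        if level < 6:
            out["IOS-37"].append("trap level '%s' drops severities up to 6" % word)
    return out


if __name__ == "__main__":
    for test_id, problems in audit(SAMPLE_CONFIG).items():
        print(test_id, "PASS" if not problems else "FAIL: " + "; ".join(problems))
```
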
Current and previous configurations exist and are stored in a secured location for recovery.

IOS-41

Ensure the system where router configuration files are stored uses local operating system's security mechanisms for restricting access to the files (i.e., password restricted file access). Ensure only authorized router administrators are given access to the stored configuration files.

1. Have the router administrator display the security features that are used to control access to the configuration files.
2. Interview the ISSO to ensure access to stored configuration files is restricted to authorized router administrators only.

Router configurations are securely stored on a local machine.

IOS-42
IA-7

Ensure that unencrypted router passwords are not stored in an offline configuration file.

1. Review the stored router configuration files to ensure passwords are not stored in plain-text format.

Unencrypted passwords are not stored in an offline configuration file.

IOS-43
Examine
Test

Ensure that all Trivial File Transfer Protocol (TFTP) implementations are authorized and have maintained justification.

1. Verify written authorization is with the ISSO.
2. Interview the router administrator to see how they transfer the router configuration files to and from the router. Verify the running configuration for all Cisco routers have statements similar to the following:
    ip ftp username xxxx
    ip ftp password 7 xxxx

TFTP implementations are authorized and have maintained justification.

IOS-44

If Trivial File Transfer Protocol (TFTP) implementation is used, ensure the TFTP server resides on a controlled managed Local Area Network (LAN) subnet, and access is restricted to authorized devices within the local enclave.

1.
Identify TFTP server addresses and determine if LAN has traffic restrictions and devices with access to server have Access Control List (ACL) permissions and restrictions.

Ensure Trivial File Transfer Protocol (TFTP) implementations reside on a controlled managed LAN subnet and access is restricted to authorized devices within the local enclave.

IOS-45

Ensure the File Transfer Protocol (FTP) username and password are configured.

1. Review the running configuration for all routers to ensure a username and password have been configured for the router's ftp client. The configuration should look similar to the following:
    ip ftp username userid
    ip ftp password psw

FTP username and password are configured.

IOS-46
AU-3

Checks to see if sufficient security relevant data is captured in system logs.

Procedures:
1. From an enable console window, type 'sh run | inc service timestamps log'. Response should read:
2. Review the logging mechanism to see what elements are recorded. (If syslog servers are being used, you can use the command "show logging" to see the setup.) The following elements are selected to be recorded in the log:

Expected Results:
1. "service timestamps log datetime".
2. - User ID (if available), but do not log password used;
   - Action/request attempted (particularly: interface status changes, changes to the system configuration, access list matches and/or failures)
   - Success or failure of the action;
   - Date/time stamp of the event and Source address of the request.
3. If the router is configured for dial-up access, confirm that logging provides explicit audit trails for all dial-up access.
Note that it is OK for this line to have additional arguments, as long as it contains these four words.

IOS-47
AU-6

Checks to see if the organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.
Checks to see that audit logs are retained for the required amount of time and are protected from tampering or deletion.

Procedures:
1. Verify that logs are reviewed and analyzed on a periodic basis, and that the results of each review are documented and given to management.
2. Verify that security-related events are recorded in the logs and are available to Security and Telecomm Management staff members. This must include unsuccessful attempts to access routers (ACL violations and logon failures).
3. Verify that gaps in log data are treated as a possible sign of logging being disabled. Steps need to be taken to ensure that logging is enabled and functioning properly.
4. Verify that logging is configured such that all audit disabling or failures are recorded.
5. Verify that audit log data is protected from deletion or modification.

The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.

IOS-48

Ensure all router changes and updates are documented in a manner suitable for review. Ensure request forms are used to aid in recording the audit trail of router change requests. Ensure changes and modifications to routers are audited so they can be reviewed. Ensure current paper or electronic copies of router configurations are maintained in a secure location. Ensure only authorized personnel, with proper verifiable credentials, are allowed to request changes to routing tables or service parameters.

1. Have the ISSO provide copies of router change request forms for visual inspection.
2. Have the ISSO provide copies of router change request forms for visual inspection.
3. Interview ISSO and router administrator to verify compliance.
Configuration management procedures are in place.

IOS-49

National Security Agency Router Security Configuration Guide (v1.1c) (December 2005)

AT-1, AT-2, CP-7, IR-1, IR-2, IR-4, IR-5, IR-6, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8,
PE-16, PE-17, PE-18, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-9, SI-12, SI-13, PM-4

AC-1, AC-19, AC-20, AC-22, AT-3, AT-4, AU-1, AU-7, AU-11, CA-1, CA-2, CA-3, CA-5, CA-6, CA-7, CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7,
CM-8, CM-9, CP-1, CP-2, CP-4, CP-6, IA-1, IA-4, IR-3, IR-7, IR-8, MA-1, MA-2, MA-3, MA-4, MA-5, PL-1, PL-2, PL-4, PL-5, PL-6, RA-1, RA-2, RA-3,
RA-5, SA-1, SA-2, SA-3, SA-4, SA-5, SA-6, SA-7, SA-8, SA-10, SA-11, SC-1, SC-7, SC-12, SC-15, SC-16, SC-17, SC-18, SC-19, SC-32, SI-1, SI-3,
SI-4, SI-5, SI-7, SI-9, SI-10, SI-11, PM-2

AC-21, AU-13, AU-14, CP-3, CP-8, CP-9, CP-10, IA-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, SA-12, SA-13, SA-14, SC-20, SC-21, SC-22,
SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SC-33, SC-34, SI-8, PM-1, PM-3, PM-5, PM-6, PM-7, PM-8, PM-9, PM-10, PM-11

Updated warning banner language based on the IRS.gov warning banner.

Updated the NIST IDs for Test Router-47 to include CM-3, CM-4, CM-6, SI-2.

Split test case 40 into two test cases - #48 is the new test case.

Added command to test ID 32 and 33.

Updates:
-Cover: Reorganized the Tester and Agency POC information cells, to better reflect possible multiple POCs.
-Test Cases:
a. Changed Column G header to "Pass / Fail / N/A", to more accurately reflect the four possible status indicators.
b. Added conditional formatting to the status cells, and included summary cells at the bottom of the checks.
c. Added control names to the NIST ID cells. Primary control is listed in black; any secondary controls are listed in GRAY.
-Legend: Updated the Pass/Fail row to reflect the three possible status indicators (above).
-Test IDs:
-Test ID #4 Made IA-2 primary.
-Test ID #15 AC-11 (deleted AC-10 - not in 1075).
-Test ID #25 Made AC-12 primary, AC-7 secondary.
-Test ID #28 CM-6 (deleted AC-10 - not in 1075).
-Test ID #38/39 Changed to CM-3 (AC-3 not as good a match).
-Test ID #45 Changed to AU-3 (AU-7 not as good a match).

Updates:
-Cover: Added SCSEM disclaimer language
-Dashboard: Added test case calculations
-Test Cases:
a. Updated NIST test case method on old to new test cases
b. Added test method column
-Out of Scope Controls: Newly added worksheet to identify out of scope controls
-Sources: Added worksheet for source documents

Updated for NIST 800-53 Rev 3
Updated for new Publication 1075 version

Update to new template. Increased version to 1.0.

Booz Allen Hamilton

Minor update to correct worksheet locking capabilities. Added back NIST control name to Test Cases Tab.

NIST Control Name
Full name which describes the NIST ID.

NIST Control Name
Identification and Authentication (Organizational Users)
Device Identification and Authentication
System Use Notification
Authenticator Management
Least Privilege
Account Management
Access Enforcement
Session Lock
Information Flow Enforcement
Network Disconnect
Audit Generation
Configuration Settings
Remote Access
Time Stamps
Denial of Service Protection
Cryptographic Module Authentication
Content of Audit Records
Audit Review, Analysis, and Reporting

SC-8

1. Review all Cisco router configurations and verify that only SSH is allowed on the Virtual Teletype Terminal (VTY) ports. The configuration should look similar to the following:
    line vty 0 4
    transport input ssh

1. Verify that the site is in compliance by reviewing site's responsibilities list.
2. Reconcile site's responsibilities list with those accounts defined locally or in the authentication server.
3. For each authentication method in use, confirm that there is a process in place to identify unused accounts and disable or delete them after 120 days.
Each user should have access to only the privileges they require to perform their respective duties. Access to the highest privilege levels should be restricted to a few administrators.

Check to determine if the agency limits consecutive invalid attempts to three (3) by a user within a 120 minute period.
1. Review the global configuration or execute the show ssh command to verify the authentication retry is set for 3. The configuration should look similar to the following:
    ip ssh authentication-retries 3

Maximum number of unsuccessful SSH login attempts is set to three (3) within a 120 minute period.

Ensure the maximum number of unsuccessful Secure Shell (SSH) login attempts is set to three (3), locking access to the router within a 120 minute period.

Transmission Confidentiality and Integrity
Cryptographic Protection
Unsuccessful Logon Attempts

1. Review the running configuration to determine if key authentication has been defined with an infinite lifetime.

Example Technical Check Procedures:
1. Type 'sh run | inc enable secret' in an enable console window:
2. Type 'sh run | inc enable password' in an enable console window:

Example Technical Check Expected Results:
1. Something similar to the following line should appear:
    enable secret 5 $1$yPL1$zNGeZu9blpdYLYEobTNwX
2. No line should appear that starts with " enable password".

Ensure the lifetime of a Message Digest 5 (MD5) Key expiration is set to never expire. The lifetime of the MD5 key should be configured as infinite for route authentication, if supported by the current approved router software version.
NOTE: Only Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.
Run the command 'show config' and verify that the configuration file includes a command beginning with 'set banner motd' that contains an appropriate warning banner.

Verify that the authentication server's configuration parameters meet the following requirements:
a) Minimum password length of 8 characters
b) Passwords must contain at least one number or special character, and a combination of at least one lower and uppercase letter.
c) Maximum password age of 60 days for privileged user and 90 days for standard user accounts.
d) Minimum password age of 1 day
e) Password history for the previous 24 passwords
f) Prohibit the use of a username within a password
g) Prohibit the use of dictionary words or common passwords
h) Prohibit the use of words from a customized list of dictionary words and common passwords
i) Administrators can override minimum password age limits when changing passwords
j) Users are forced to change their initial password during their first logon

Note: The router ID can be identified by executing the 'show config | include hostname' command.

Interview the router's administrator(s) to see if this is being enforced on all Cisco routers. Check for the following: Ensure that the enable secret password is a unique password constructed using a length of 8 characters and a combination of at least 1 numeric or special character, 1 lowercase and 1 uppercase letter, and that it does not contain versions of the router ID or location ID.

Update test cases based on NIST 800-53 R4

NIST SP 800-53 Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations (April 2013)

Please submit SCSEM feedback and suggestions to SafeguardReports@IRS.gov

Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program

SA-22
Unsupported System Components

SI-2
Flaw Remediation

Interview
Examine

Verify that system patch levels are up-to-date to address new vulnerabilities.

The latest security patches are installed.

1.
Refer to the vendor's support website and cross reference the latest security patch update with the system's current patch level. Check to ensure that known vulnerabilities (i.e., Heartbleed) have been remediated. Note: This test requires the tester to research the current vendor supplied patch level.

IOS-50

Ensure the timeout for in-band management access is set for no longer than 30 minutes.

In-band management access is set for no longer than 30 minutes.

3/3/14: Updated to 30 minutes.

1. OOB management or direct connection method should be primarily used and in-band management should have limited use.
2. The ISSO can provide case documentation granting approval to use in-band management.

Ensure that all in-band management connections to the router require passwords.

Ensure that the router only allows in-band management sessions from authorized Internet Protocol (IP) addresses from the internal network.

Ensure that all Out-Of-Band (OOB) management connections to the router require passwords.

Ensure that an authentication server is being used.

1. OOB or direct connection method should be implemented to restrict access based on IP address.

Ensure router management utilizes the Out-Of-Band (OOB) or direct connection methods for communication device management. The use of in-band management should be limited to situations where the use of Out-Of-Band (OOB) management would hinder operational commitments or when emergency situations arise. Use of in-band management should be approved on a case-by-case documented basis.

SSH connections are allowed to access VTY ports. Router should be configured to utilize the most current supported version of Secure Shell (SSH) with all security patches applied for management sessions.

IOS-51

1. Interview to determine how the routers are managed.
2. Examine documentation that evidences the process of granting approval for the use of in-band management.

1. Type the following command: show access-lists.
Make a note of the numbering of the access-lists, and then type the following command: 'show running-config'. Look for the subsection for the VTY terminals, "line vty 0 4". Note: There should be a line within the configuration similar to the following:

Expected Results:
1. line con 0
   password 7 06160E325F59060B0144
   login local
2. line vty 0 4
   access-class 10 in

Note: This line enables the router to default to the privileged enable password if for some reason a connection to the authentication server is not available. If a remote authentication server is used for authentication, type the following command from an enable console window: 'show running-config | inc last-resort'. The line for "access-list" should have the same number as the line for "access-class" (in the example above "access-list 10" is the access list applied in the case of "access-class 10").

1. Review each router's configuration to ensure that the console port and the vty ports used by the Out-Of-Band Management (OOBM) network require a login prompt. The configuration should look similar to the following:
    line con 0
    login authentication admin_only
    exec-timeout 30 0
    line vty 0 4
    login authentication admin_only
    exec-timeout 0
    transport input ssh

Ensure that Out-Of-Band (OOB) access is secured using Federal Information Processing Standard (FIPS) 140-2 validated encryption with Secure Shell (SSH) or Secure Sockets Layer (SSL).

1. An authentication server is being used to validate access. Each subsection should have a password assigned, which should be encrypted, and should have a line that begins with "login " where displays the centralized authentication method in use, e.g., "tacacs", "radius", or "kerberos".

Agency Code:
Closing Date:
Shared Agencies:

1. OOB management connections to the router should have passwords.

Ensure that access control lists are in place for Out-Of-Band (OOB) or direct connection methods for communication device management.

1.
Review each router's configuration to ensure that the Virtual Teletype Terminal (VTY) ports are disabled after 30 minutes of inactivity. The configuration should look similar to the following:
    line vty 0 4
    login authentication admin_only
    exec-timeout 30 0
    transport input ssh

1. Review each Cisco router's configuration to ensure that the Virtual Teletype Terminal (VTY) ports require a login prompt. The configuration should look similar to the following:
    line vty 0 4
    login authentication admin_only
    exec-timeout 30 0
    transport input ssh

1. Review router configuration to verify that a multi-factor authentication method is implemented for all remote access to the system.

Ensure in-band management access to the router is secured using Federal Information Processing Standard (FIPS) 140-2 validated encryption with Secure Shell (SSH) or Secure Sockets Layer (SSL).

1. Review the global configuration or execute show ssh to verify the timeout is set for 60 seconds or less. The configuration should look similar to the following:
    ip ssh time-out 60

Procedures:
1. Acquire from the agency personnel documents containing the following information:
- A list of users that will require access to all telecomm equipment.
- The list of specified devices that users require access to.
- The list of access level required for the users for specified devices.
- Proof of local manager approval for stated access to routers under their authority.
- The list of authorized approving managers
If TACACS is being utilized:
2. Verify that the information in the documentation is the same as the actual list of TACACS accounts and access privileges.

An approval process is in place for granting access to routers.

A documented process exists for approving account access to routers.

User IDs must follow username standards whenever possible.

Minor update to correct test case language. Updated test procedure for IOS-06 and IOS-09.

1.
Discuss with the network administrator to ensure that the password policy is followed for all user id's.

1. Type the following command from an enable console window: 'show running-config'. Examine the subsections for "line con 0", "line aux 0", and "line vty 0 4".

Example:
1. line con 0
   password 7 06160E325F59060B0144
   login local
2. line vty 0 4
   access-class 10 in
A line should appear similar to the following:
    tacacs-server last-resort password

1. Note: The line beginning with "login" should not say "no login" or should not be missing. The "no login" command is counter intuitive; it sounds like it would disable login access, but actually means that "no login" is required for access. In either case a remote user could then login without entering any password or username authentication.
2. Note: The 'show tacacs' command will show if the router is utilizing TACACS as the authentication method.

1. The multi-factor authentication mechanism is sufficient and utilized for all remote access to the system.

Ensure that remote access for all management sessions require multi-factor authentication.

1.4.1

Minor update to correct test case language.

    hostname#sh ip cef

    hostname#sh ip interface | incl Directed

Verify no result returns
    hostname#show run | incl boot network
2. Verify no result returns
    hostname#show run | incl service config

Verify no exec
    hostname#sh run | sec aux
2.
Verify you see the following "Allowed input transports are none"
    hostname#sh line aux 0 | incl input transports

Criticality

Sections below are automatically calculated.
All SCSEM Test Results
Final Test Results (This table calculates all tests in the Test Cases tab)
Overall SCSEM Statistics
Passed
Failed
Additional Information Requested
Weighted Pass Rate
Totals
Weighted Score
Risk Rating
Weight
Device Weighted Score:
Criticality
Moderate
Significant
Limited
Issue Code Mapping
Criticality Rating (Do Not Edit)
Criticality Ratings
Critical

HAC14 HPW12 HPW13 HAC19 HPW11 HRM1 HCM9 HCM11 HSC17 HAU3 HAU7 HAC11 HAC2 HAC18 HAC15 HCM100 HCM10 HAC13 HSI9 HCM12 HAU11 HCM12 HAC13 HPW10 HAC7 HSC15 HPW1

Total Number of Tests Performed
Possible
Actual

A baseline risk category has been pre-populated next to each control to assist agencies in establishing priorities for corrective action. The reviewer has the discretion to change the prioritization to accurately reflect the risk and the overall security posture based on environment specific testing.

Added baseline Criticality Score and Issue Codes, weighted test cases based on criticality, and updated Results Tab

HCM3 HSI2 HPW1 HPW100

NOTE: When using MD5 authentication keys, it is imperative the site is in compliance with the Network Time Protocol (NTP) policies.

Note: The 'enable password' command is included with the Cisco IOS for backward compatibility with older versions of the IOS. The newer "enable secret" command uses an MD5 hash for encryption of the privileged level password, and should be used in its place.

*Criticality may be upgraded to Critical if a password is not required to access an FTI system

HAC7 HSC16 HAC100 HPW15 HAC21 HAC7 HAC20 HAC10 HAC7 HPW8 HAC19 HMT16 HPW1 HAC19

*Criticality may be upgraded to Critical if a password is not required to access an FTI system

HAC29 HPW1

Remote access is defined as any access to an agency information system by a user communicating through an external network, for example, the Internet.
HRM5 HAC19 HAU4 HAU100 HAC100 HRM100 HCM10 HCM9 HSC1 HSC15 HSC16 HCA2 HCA1 HAC11 HCM9 HAU100 HSI3 HCM7

IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (October 2014)

Ensure that the latest stable Operating System (OS) is implemented on each router in accordance with the current Network Infrastructure Security Checklist. Verify that system maintenance is in place and the router support expiration date is not within six months.

Latest operating systems in accordance with Network Infrastructure Security Checklist is implemented. The router is currently under support (either through vendor support for COTS product, or in-house agency maintenance team), and maintenance is available to address any security flaws discovered.

1. Cisco IOS - execute the show version to verify installed IOS version is at 12.3 or later.
2. Interview the SA to determine if maintenance is readily available for the firewall's inter-network operating system (IOS). Vendor support must include security updates or hot fixes that address any new security vulnerabilities.

Procedures
From an enable console window, type 'show version'.
Note: Newer releases of the Cisco IOS are in general more secure, more stable, and offer greater features than older releases. It is recommended to never be more than one or two releases out of date. The IOS should not be older than version 12.x. It should also be "Release" version software, and not an "Early Deployment" or "Maintenance Interim" release. Release versions of the Cisco IOS are the most stable version of the IOS available and have undergone thorough testing for production.

1. Router should be configured to utilize the most current supported version of Secure Shell (SSHv2) with all security patches applied for management sessions.

1. Review router configuration to verify that SSHv2 is the only protocol allowed for management access to the device.

Verify that audit data is archived and maintained.
IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years. Logs must be retained for a total of 7 years.

1. Interview the SA to determine if audit data is captured, backed up, and maintained. IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years for a total of 7 years.

1. Audit data is captured, backed up, and maintained. IRS requires agencies to retain archived audit logs/trails for the remainder of the year they were made plus six years for a total of 7 years.

Updated expected results for IOS-81, IOS-01. Updated IOS-51 from Audit Storage Capacity to Audit Generation.

SCSEM Version: 1.6

SCSEM Release Date: May 15, 2015

IRS Office of Safeguards SCSEM
{+{ {+{ {+{ {+{ {+{ {+{ {+{ {+{ {+{ {+{ {+{ {+{ ������/  %9<4�/  %BE4 �/  %!"44� Sheet2gg����Dh4h Range1h6hRange1_1h8h4 Range1_1_1 T8� jp  dMbP?_*+�%���# &CIRS Office of Safeguards SCSEM&L&F&RPage &P of &N��&�?'�?(�?)�?M�Adobe PDF��S� od��LetterPRIV�0''''��0\KhCFF���SMTJ�Adobe PDF ConverterResolution1200dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne0EBDAStandard�"d���?�?�&�U} $ } $ } $ ����������������@ �@ �@ � ��@�@�@�����@�@�@��� t!� uuuuuuuuuuuuv � �"� ������������� � �T� ������������� � z�� {{{{{{{{{{{{| � zP� {{{{{{{{{{{{| � z� {{{{{{{{{{{{| �"�}}}}}}}}}}}}~ � �a� ������������� � �'� ������������� � �� ������������� � z� {{{{{{{{{{{{| �" �}}}}}}}}}}}}~ � �&� ������������� � �%� ������������� � �� ������������� � z� {{{{{{{{{{{{| � z� {{{{{{{{{{{{| � z� {{{{{{{{{{{{| �"�}}}}}}}}}}}}~ � �#� ������������� � �$� ������������� � �� ������������� � z� {{{{{{{{{{{{| �"�}}}}}}}}}}}}~ �4`�222222&2222&222222&2222�PHP��0�( � �>�@P���A �w� Sheet7gg����D T8� yo  dMbP?_*+�%���# &CIRS Office of Safeguards SCSEM&L&F&RPage &P of &N��&�?'�?(�?)�?M�Adobe PDF��S� od��LetterPRIV�0''''��0\KhCFF���SMTJ�Adobe PDF ConverterResolution1200dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne0EBDAStandard�"d���?�?�&�U} $ } mT} m���m������� � � � � ����@�������� t+� uuu� �(� �)� �*� �=��$@��?@� �.� �(��4@�@P@� � � �(��>@�Y@� �!� �(��D@�@f@� �"� �(���?� m@� �#� �(��N@� @� �$� �(��Q@�@� �%� �(� �T@�@� �&� �(� ��?�@� �'� �(� p^@��,@� �)� �(� p@`@ra@� qO� �(� pa@r@f@� ��� �(� p~ rj@� �{� �(�p�?�@@� ��� >(�pd@�`@� ��� >(sssssss�4p�8222222222222822 �PH`� �0�( � � >�@P���A  �w� Sheet8gg����D ��� ���  !"#$%&'()*+,-./0123456789:;<=>?���������������DocumentLibraryFormDocumentLibraryFormDocumentLibraryForm This value indicates the number of saves or revisions. The application is responsible for updating this value after each revision. 
IRS Office of Safeguards SCSEM

Subject: IT Security Compliance Evaluation
Author: Booz Allen Hamilton
Keywords: usgcb, stig, pub1075
Category: security
Office of Safeguards, Internal Revenue Service
Masood, Taimur [USA]
Microsoft Excel 2003 Worksheet

Comments: The IRS strongly recommends agencies test all SCSEM settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and, if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

Worksheets: Dashboard, Results, Instructions, Test Cases, Appendix, Change Log