
Education Department Utility for Communications, Applications, and Technology Environment (EDUCATE) Information Security Audit

Published by the Department of Education, Office of Inspector General on 2011-09-30.


                    UNITED STATES DEPARTMENT OF EDUCATION
                                   OFFICE OF INSPECTOR GENERAL

                                                                      Information Technology Audit Division

                                          September 5, 2012


Memorandum


FROM:          Charles E. Coe, Jr.
               Assistant Inspector General
               Information Technology Audits and Computer Crimes Investigations

SUBJECT:       Final Audit Report Reissuance
               Education Department Utility for Communications, Applications, and Technology
               Environment (EDUCATE) Information Security Audit
               Control Number ED-OIG/A11L0001


The attached final audit report, originally issued on September 30, 2011, was reissued and included
changes to (1) the report cover page, (2) the inside cover notice, and (3) my final report transmittal
memorandum to Danny A. Harris, Ph.D., Chief Information Officer. The intent of these revisions is
to demonstrate a clear understanding that Williams, Adley & Company-DC, LLC, was responsible
for the attached auditor's report and the conclusions expressed therein.

Although this is a reissuance of an existing report, the changes cited above do not impact any of the
findings and recommendations contained in the September 30, 2011 report. Also, this reissuance
does not require adjustments to any corrective action completion dates being monitored and tracked
through the Department's Audit Accountability and Resolution Tracking System. In addition,
because the reissuance does not impact the content of the audit report, September 30, 2011, will
remain as the official issue date and does not affect the Office of Inspector General's Semiannual
Report to Congress reporting requirements.
REPORT OF THE INDEPENDENT AUDITORS




               Final Report

       Education Department Utility for
      Communications, Applications, and
     Technology Environment (EDUCATE)
          Information Security Audit
               ED-OIG/A11L0001




                  Prepared by:
        Williams, Adley & Company, LLP
               1030 15th Street, NW
              Washington, DC 20005

                September 2011
                     UNITED STATES DEPARTMENT OF EDUCATION
                                 OFFICE OF INSPECTOR GENERAL

                                                                   Information Technology Audit Division

September 30, 2011

Memorandum

TO:           Danny A. Harris, Ph.D.
              Chief Information Officer
              Office of the Chief Information Officer

FROM:         Charles E. Coe, Jr.
              Assistant Inspector General
              Information Technology Audits and Computer Crimes Investigations

SUBJECT:      Final Audit Report
              Education Department Utility for Communications, Applications, and Technology
              Environment (EDUCATE) Information Security Audit
              Control Number ED-OIG/A11L0001

Attached is the final audit report that determined whether the Department has developed and
implemented adequate information system security controls to properly secure and safeguard
EDUCATE and the Department's data in accordance with the Federal Information Security
Management Act and the Office of Management and Budget and National Institute of Standards and
Technology regulations and standards. We contracted with the independent certified public
accounting firm of Williams, Adley & Company-DC, LLC (Williams Adley) to conduct this audit.
The audit assessed the information and information system security controls in place during the
period October 1, 2010, through April 30, 2011.

The contract required that the audit be performed in accordance with generally accepted government
auditing standards (GAGAS). In connection with the contract, the Office of Inspector General (OIG)
reviewed, provided feedback, and ultimately approved the audit plan, monitored the performance of
the audit, reviewed contractor audit documentation, attended critical meetings with Department
officials and reviewed the contractor's audit controls. The review was designed to help ensure that:

   •   the audit complied with GAGAS and other OIG policies and procedures (to include the
       completion of OIG Performance Audit Quality Assurance Checklists that reflect GAGAS
       requirements, OIG's Field Work Standards for Performance Audits, and mandatory
       requirements contained in the OIG Policies and Procedures Manuals);
   •   contract requirements regarding objectives, scope and methodology were being met;
   •   monthly status meetings to discuss whether milestones were being met; and
   •   draft and final audit report reviews conducted within Information Technology Audits and
       Computer Crime Investigations provided the assurance that the contractor's work can be
       relied on.
An electronic copy has been provided to your Audit Liaison Officer. We received and evaluated the
Office of the Chief Information Officer (OCIO) management comments and the corrective action
plan for each of the recommendations contained in the draft report. Appendix B of the report
incorporates OCIO's management responses to each of the findings. We have modified
recommendations where appropriate to address management comments.

Corrective actions proposed (resolution phase) and implemented (closure phase) by your office will
be monitored and tracked through the Department's Audit Accountability and Resolution Tracking
System (AARTS). Department policy requires that you develop a final corrective action plan (CAP)
for our review in the automated system within 30 days of the issuance of this report. The CAP should
set forth the specific action items and targeted completion dates necessary to implement final
corrective actions on the findings and recommendations contained in this final audit report.

In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector General is
required to report to Congress twice a year on the audits that remain unresolved after 6 months from
the date of issuance.

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office of
Inspector General are available to members of the press and general public to the extent information
contained therein is not subject to exemptions in the Act.

Williams Adley is responsible for the enclosed auditor's report and the conclusions expressed therein.
The OIG's review disclosed no instances where Williams Adley did not comply, in all material
aspects, with GAGAS.

Should you or your office have any questions, please contact Joseph Maranto at 202-245-7044, or
joseph.maranto@ed.gov.

Enclosure

cc:    Michele Iversen, Director, Office of the Chief Information Officer
       Dana Stanard, Audit Liaison, Office of the Chief Information Officer
       Bticky Methfessel, Senior Counsel for Information & Technology, Office of General Counsel
       L'Wanda Rosemond, AARTS Administrator, Office of Inspector General
September 28, 2011

Mr. Charles E. Coe, Jr.
Assistant Inspector General for Information Technology
Audits and Computer Crimes Investigations

Ms. Sherri Demmel
Deputy Assistant Inspector General for Information
Technology Audits and Computer Crimes Investigations

U.S. Department of Education
Office of Inspector General
Washington, D.C.

RE: Education Department Utility for Communications, Applications, and Technology
Environment Information Security Audit

Williams, Adley & Company, LLP (referred to as “we” in this letter), is pleased to provide the Office
of Inspector General (OIG) the results of our review and independent assessment of the U.S.
Department of Education (Department) information and information systems security program
controls over the Education Department Utility for Communications, Applications, and Technology
Environment (EDUCATE). The purpose of the audit was to determine whether the Department has
developed and implemented adequate information system security controls to properly secure and
safeguard EDUCATE and the Department’s data in accordance with the Federal Information
Security Management Act and the Office of Management and Budget and National Institute of
Standards and Technology regulations and standards. We assessed the information and information
system security controls in place during the period October 1, 2010 through April 30, 2011.

This review, performed under Contract No. ED-08-DO-0046, was designed to meet the objectives
identified in Appendix A, “Objectives, Scope, and Methodology,” of the report. We conducted the
audit in accordance with Government Auditing Standards and communicated the results of our
review and the related findings and recommendations to the Department’s OIG. We also
communicated the conditions and causes of the conditions to the Office of the Chief Information
Officer.

We appreciate the cooperation provided by Department personnel during the review and the
assistance provided by the OIG.



Washington, DC

                           WILLIAMS, ADLEY & COMPANY-DC, LLP
                      Management Consultants/Certified Public Accountants
   1030 15th Street, NW, Suite 350 West • Washington, DC 20005 • (202) 371-1397 • Fax: (202) 371-9161
Table of Contents
ACRONYMS/ABBREVIATIONS/SHORT FORMS USED IN THIS REPORT
I. EXECUTIVE SUMMARY
II. BACKGROUND
III. RESULTS OF REVIEW
  1. Security Configuration Management Process Needed Improvement
  2. Network Security Controls over Hardware Devices and Software Needed
     Improvement
  3. Security Patch Management Process Needed Improvement
  4. Remote Access Software Was Not Compliant with OMB and NIST Standards
  5. Perot Systems Network Operating System Controls for Identifying and Resolving
     Vulnerabilities Needed Improvement
  6. The Department’s Incident Response Program Needed Improvement to Ensure
     Timely and Appropriate Detection, Reporting, and Resolution of Computer Security
     Incidents to Internal and External Parties
  7. Account and Identity Management Processes Required Significant Improvement
  8. EDNIS Security Plan and Update Procedures Needed to Be Revised to Ensure Full
     Accountability of Internal and External Connections and to Ensure All Connecting
     Systems Are Compliant with Federal Information Security Requirements
  9. Federal Desktop Core Configuration Security Configuration Management Process
     Needed Improvement
  10. The Department Needed to Update the Security Assessment and Authorization
      Documents
  11. Contingency Planning Program Needed Improvement
  12. The Department Needed to Establish an Organization-Wide Risk Management
      Strategy
  13. Documentation of Security Awareness Training Needed Improvement
  14. Plan of Action and Milestones Process Was Not Adequately Managed
APPENDIX A: OBJECTIVES, SCOPE, AND METHODOLOGY
APPENDIX B: OFFICE OF CHIEF INFORMATION OFFICER COMMENTS
    Acronyms/Abbreviations/ Short Forms Used in this Report

AT           Awareness Training
BCP          Business Contingency Plan
BIA          Business Impact Analysis
CAMS         Case Activity Management System
CAT          Category
CCE          Common Configuration Enumeration
CCP          Configuration Control Process
CM           Configuration Management
COCO         Contractor Owned and Contractor Operated
COOP         Continuity of Operation Plan
CSAM         Cyber Security and Management
CVE          Common Vulnerabilities and Exposures
Department   U.S. Department of Education
DHS          Department of Homeland Security
DLL          Dynamic Link Library
DoS          Denial of Service
DRP          Disaster Recovery Plan
EARB         Enterprise Architecture Review Board
EDCIRC       Education Incident Response Coordinator
EDCIS        EDUCATE Data Center Information System
EDNIS        Education Network Infrastructure System
EDMASS       EDUCATE Mass Storage System
EDSOC        EDUCATE Security Operations Center
EDUCATE      Education Department Utility for Communications, Applications, and
             Technology Environment
FDCC         Federal Desktop Core Configuration
FIPS         Federal Information Processing Standards
FIPS PUB     Federal Information Processing Standards Publications
FISMA        Federal Information Security Management Act
GAO          Government Accountability Office
IA           Information Assurance
IAS          Information Assurance Services
IP           Internet Protocol
IPAR         Investigative Program Advisory Report
ISA          Interconnection Security Agreement
ISSO         Information System Security Officer
IT           Information Technology
LM           Local Area Network Manager
MOU          Memorandum of Understanding
MSSP         Managed Security Service Provider
NIST         National Institute of Standards and Technology
OCIO         Office of the Chief Information Officer
OIG          Office of Inspector General
OMB       Office of Management and Budget
OVMS      Operational Vulnerability Management System
PII       Personally Identifiable Information
PIA       Privacy Impact Assessment
POA&M     Plan of Action & Milestones
Rlogin    Remote login
RSA       Rivest, Shamir and Adleman
SCAP      Security Content Automation Protocol
SHA       Secure Hash Algorithm
SLA       Service Level Agreement
SMB       Server Message Block
SOP       Standard Operating Procedures
SQL       Structured Query Language
SP        Special Publications
SSH-1     Secure Shell Version 1
SSO       System Security Officer
SSP       Systems Security Plan
STIGs     Department of Defense Security Technical Implementation Guides
TACACS+   Terminal Access Controller Access Control System Plus
TFMS      Treasury Financial Management System
TSP       Telecommunication Service Priority
US-CERT   U.S. Computer Emergency Response Team
I. Executive Summary
The purpose of the audit was to determine whether the U.S. Department of Education
(Department) has developed and implemented adequate information systems security controls to
properly secure and safeguard the Education Department Utility for Communications,
Applications, and Technology Environment (EDUCATE) and the Department’s data in
accordance with the E-Government Act (Public Law 107-347), including Title III, the Federal
Information Security Management Act of 2002 (FISMA) and the Office of Management and
Budget (OMB) and National Institute of Standards and Technology (NIST) regulations and
standards. We have concluded that the Department’s information systems security program
controls over EDUCATE need improvement to address the 14 operational, managerial, and
technical security control weaknesses identified in this report. The following control weaknesses
need improvement:

   1.  Security Configuration Management
   2.  Network Security Controls Over Hardware Devices
   3.  Security Patch Management
   4.  Remote Access Software
   5.  Network Vulnerabilities
   6.  Incident Response Program
   7.  Account and Identity Management Processes
   8.  Education Network Infrastructure System (EDNIS) System Security Plan and Update
       Procedures
   9. Federal Desktop Core Configuration (FDCC) Configuration Management Process
   10. Security Assessment and Authorization Documents
   11. Contingency Planning Program
   12. Organization-Wide Risk Management Strategy
   13. Documentation of Security Awareness Training
   14. Plan of Action and Milestones

Based on our review, the causes of the security control weaknesses generally fall into the
following areas:

   •   Office of the Chief Information Officer (OCIO) monitoring and oversight controls are
       not sufficiently designed or implemented to ensure contractor compliance with
       Federal requirements.
   •   OCIO did not develop its policies, procedures, and processes to obtain assurance of
       the contractor’s performance under the current contractual arrangement.
   •   The Department’s internal control procedures are not sufficient to ensure that system
       owners and other responsible parties perform their assigned duties in a timely
       manner.




The EDUCATE contract was entered into by the Department with a third party information
technology (IT) service provider, Perot Systems.1 It established a Contractor Owned and
Contractor Operated (COCO) service model under which the contractor operates the
Department’s IT infrastructure (hardware, communication devices, and operating systems) on a
24/7/365 basis. Under the COCO contract, OCIO retains the responsibility to monitor and
oversee the contractor’s performance, while the contractor is responsible for operating,
maintaining, and supporting the Department’s IT infrastructure. Additionally, OCIO is
responsible for ensuring that the contractor’s information system security controls meet or
exceed the Department’s requirements and Federal laws, regulations, and standards.

Our audit was limited to a review and test of the information security controls covering the
EDUCATE subsystems: Education Data Center Information System (EDCIS), EDNIS,
EDUCATE Mass Storage System (EDMASS), EDUCATE Security Operations Center
(EDSOC), Department of Education’s Central Automated Processing System (EDCAPS), and
Case Activity Management System (CAMS); and the wide-area and local-area network hardware
consisting of network servers, routers, switches, and external firewalls. Our review also covered
tests of the network gateways to the Internet. We also conducted internal and external network
vulnerability analyses.

This report contains specific recommendations that require OCIO to strengthen existing controls
and to develop new monitoring capabilities designed to ensure OCIO and contractor’s
compliance with Federal information system security laws, regulations, and standards.
Additionally, the recommendations are designed to ensure that the Department’s sensitive and
financial data and systems processed and maintained by the contractor are properly secured and
safeguarded from unauthorized system access and fraudulent activities. Further, the
recommendations are designed to ensure that the network and systems information security
controls are properly implemented and maintained to adequately safeguard the Department’s
data from unauthorized modification and release and to provide an adequate level of auditability.

As discussed in greater detail in this report, the EDUCATE password security control
weaknesses enabled the auditors to gain access to one EDUCATE server administrator’s
account. Additionally, our tests disclosed that the internal security control weaknesses could
enable Department users and contractor personnel to exploit various network vulnerabilities.
These weaknesses could enable the implementation and installation of unauthorized software and
hardware devices onto the network to perform unauthorized activities such as modifying data
without detection. The user account identity control weaknesses could also provide internal
users with opportunities to masquerade as other users to perform unauthorized activities such as
fraud without disclosure of the actual person performing the fraudulent activities.

We commend OCIO for taking positive actions to implement new and enhanced controls to
address information systems security control weaknesses previously identified and reported to
OCIO by the Office of Inspector General (OIG) in the OIG reports entitled “Department’s
Processes for Validating the EDUCATE Contractor’s Performance” (ED-OIG/A19K0007), dated
May 2011, and the “2010 Annual FISMA Report.” We also commend OCIO for taking action to
supplement the Service Level Agreement (SLA) during the audit to improve information security
controls to address control weaknesses previously identified. On April 1, 2011, OCIO and Perot
Systems entered into an agreement to add additional performance measures to the SLA. OCIO
updated the SLA to include specific language for incident response reporting and security
infrastructure software, which addressed security weaknesses identified during the audit.

1 Perot Systems was acquired by Dell in September 2009.

The audit assessed and tested the information security controls in place at Perot Systems’ Data
Center located in Plano, Texas, and the Department’s controls at the Washington, DC,
headquarters. We conducted the audit during the period October 1, 2010 through April 30, 2011.

In its response to the draft audit report, OCIO stated that the report provided insight into the
effectiveness of information systems security controls in place to secure the EDUCATE
environment, and accurately identifies several areas that need improvement. OCIO concurred
with 37 of the 42 recommendations and partially concurred with Recommendations 13.1 and
13.2. OCIO did not concur with Recommendations 8.4, 11.2, and 12.4.

We evaluated OCIO’s comments related to our recommendations and the corrective actions
OCIO has taken since April 2011, or has proposed to take to address the control weaknesses.
However, we have not verified whether the corrective actions OCIO has taken corrected the cited
deficiencies. Where necessary, we modified the recommendations in response to OCIO’s
comments.

During our fieldwork, we engaged in many discussions with applicable Department officials and
staff, including senior OCIO management and Dell officials, to clarify the weaknesses noted and
to provide clarification on recommendations. We also provided documents and other material to
OCIO personnel for their review.




II. Background
The U.S. Department of Education (Department) entered into a contract with Perot Systems2 to
manage and provide all IT infrastructure services to the Department under the Education
Department Utility for Communications, Applications, and Technology Environment
(EDUCATE) system. The contract established a Contractor Owned and Contractor Operated
(COCO) information technology (IT) service model for the Department under which Perot
Systems provides the total IT platform and infrastructure to support Department employees in
meeting the Department’s mission. The contract was awarded in September 2007 as a 10-year,
performance-based, indefinite delivery/indefinite quantity contract with fixed unit prices. Under
the COCO contract, Perot owns all of the IT hardware and operating systems to include wide-
area and local-area network devices, network communication devices, voice mail, and the
Department’s laptops and workstations. The contractor also provides help desk services and all
personal computer services. Primarily, through the Office of the Chief Information Officer
(OCIO), the Department monitors and evaluates the contractor-provided IT services through a
service level agreement (SLA) framework.

Our audit was limited to a review and test of the information security controls covering the
EDUCATE subsystems: EDUCATION Network Infrastructure System (EDNIS), EDUCATE
Mass Storage System (EDMASS), EDUCATE Security Operations Center (EDSOC),
Department of Education’s Central Automated Processing System (EDCAPS), EDUCATE Data
Center Information System (EDCIS), and Case Activity Management System (CAMS) and the
wide-area and local-area network hardware consisting of network servers, routers, switches, and
external firewalls. Our review also covered tests of the network gateways to the internet. We
also conducted internal and external network vulnerability analyses.

Under the COCO contract, the contractor is responsible for operating, managing, and
maintaining information and an information system security program compliant with Federal
requirements. Further, the contractor is responsible for the day-to-day security and operational
activities including but not limited to:

   •   Installing vendor provided operating system updates and security patches
   •   Configuring hardware devices based on configuration management rules
   •   Performing security administration activities for establishing and removing users’
       accounts to the network and applications
   •   Establishing, modifying, and removing users’ privileges within the network and
       applications based on system owners’ and information security officers’ direction
   •   Performing continuous network security monitoring
   •   Reporting incident response
   •   Performing backup of the network, databases, and software
   •   Developing and implementing procedures and processes for restoring the IT
       infrastructure in the event of a disaster or other event that causes a disruption to the
       network service


2
    Perot Systems was acquired by Dell in September 2009.

We evaluated the EDUCATE information systems security controls against the Federal laws,
regulations, and standards as specified in FISMA; OMB Circulars A-130 “Management of
Federal Information Resources,” Appendix III, “Security of Federal Automated Information
Resources,” A-127 “Financial Management Systems,” and A-123 “Management Accountability
and Control,” Section III, Assessing and Improving Management Controls, and Section IV
Correcting Management Control Deficiencies; the NIST Federal Information Processing
Standards (FIPS) Publication Standards 199 – “Standards for Security Categorization of Federal
Information and Information Systems,” dated February 2004, and “200 Minimum Security
Requirements for Federal Information and Information Systems,” dated March 2006; various
NIST Special Publication (SP) Series 800 such as 800-53 Revision 3 “Recommended Security
Controls for Federal Information Systems and Organizations,” dated August 2009, and 800-53A
“Guide for Assessing the Security Controls in Federal Information Systems,” and “Building
Effective Security Assessment Plans,” dated July 2008. Additional NIST SPs used in the
evaluation included SP 800-63, Revision 1.0.2, “Electronic Authentication Guide,” dated April
2006; SP 800-37 “Guidelines for the Security Certification and Accreditation of Federal
Information Technology Systems,” dated February 2010; SP 800-30 “Risk Management Guide
for Information Technology Systems,” dated July 2002; SP 800-18 Revision 1 “Guide for
Developing Security Plans for Information Systems,” dated February 2006; NIST SP 800-128
“Guide for Security Configuration Management of Information Systems,” (Draft) dated
March 2010; and SP 800-61, Revision 1, “Computer Security Incident Handling Guide,” dated
March 2008.




III. Results of Review
Based on our audit, we conclude that the Department’s information and information systems
security program controls over EDUCATE need improvement to address the 14 operational,
managerial, and technical security control weaknesses identified in this report. From the
information provided, the causes of the security control weaknesses generally fall into the
following areas:

   •   OCIO monitoring and oversight controls are not sufficiently designed or implemented
       to ensure contractor compliance with Federal requirements.
   •   OCIO did not develop its policies, procedures, and processes to obtain assurance of
       the contractor’s performance under the current contractual arrangement.
   •   The Department’s internal control procedures are not sufficient to ensure system
       owners and other responsible parties perform their assigned duties in a timely
       manner.

This report contains specific recommendations that require OCIO to enhance existing controls
and to develop new monitoring capabilities designed to ensure OCIO and Perot Systems’
compliance with Federal information and information system security laws, regulations, and
standards. Additionally, the recommendations are designed to ensure that the Department’s
sensitive and financial information processed and maintained by the contractor are properly
secured and safeguarded from unauthorized access and activities. Further, the recommendations
are designed to ensure that the network and information systems security controls are properly
implemented and maintained to adequately safeguard the Department’s information from
unauthorized modification and release and to provide an adequate level of auditability.

The audit assessed and tested the information security controls in place at the contractor’s data
center located in Plano, Texas, and at the Department’s OCIO and other Program Offices during
the period October 1, 2010 through April 30, 2011.

To assist OCIO in understanding the audit results, we have presented the audit results in order of
highest risk to lowest risk.

1. Security Configuration Management Process Needed Improvement

Although Perot Systems performs monthly scans of the network, vulnerabilities in the security
configuration continued to exist. We used the Department of Defense Security Technical
Implementation Guides (STIGs) to conduct our review and tests of the network devices. Based
on our reviews and tests of the software configuration for 25 EDUCATE servers, switches,
routers, and databases, we found the following significant high-risk vulnerabilities with the
configurations:

   •   Four firewall systems had only one logon account each, instead of unique user
       accounts for each individual accessing the systems to establish accountability and an
       audit trail.
   •   For four Windows servers, anonymous shares were not restricted, which allowed
       unauthorized network connections to the servers and enabled unauthorized systems to
       access shared information.
   •   For one Windows server, there were unauthorized users with excessive operating
       system privileges allowing them to execute operating system commands and bypass
       system’s access controls.

Detailed information on the vulnerabilities was given to OCIO for remediation.

FISMA requires each agency to develop minimally acceptable system configuration
requirements and ensure compliance with them. Standard security configurations provide a
baseline level of security, reduce risk from security threats and vulnerabilities, and save time and
resources. In the annual FISMA report to OMB, agencies are required to document the
frequency with which they implemented system configuration requirements and must document
any deviation from common security configurations.

We also found that OCIO had not established monitoring and reporting procedures to track and
approve changes to the hardware operating systems designed to resolve network security
configuration vulnerabilities. Additionally, OCIO had not established reporting procedures to
require Perot Systems to report on the status of installing vendor security patches and
recommended operating system configuration changes designed to address known
vulnerabilities.

NIST SP 800-53, Revision 3, requires agencies to establish a continuous monitoring strategy and
implement a continuous monitoring program and a configuration management process. It also
requires an agency to assess the security impact of configuration changes to the information
system and environment and to report on the security state of the information system. This
guidance also requires agencies to develop controls to ensure implementation of approved
configuration settings; to identify, document, and approve exceptions from the mandatory
configuration settings; and to monitor changes to the configuration settings in accordance with
organizational policies and procedures.

Additionally, Sections 3.4.2, Tools for Monitoring Secure Configurations, and 3.5, Using
Security Content Automation Protocol (SCAP), of NIST SP 800-128, Guide for Security
Configuration Management of Information Systems (Draft), dated March 2010, provide
additional guidance for assessing network hardware devices for managing configurations. NIST
SP 800-128 specifically recommends that an agency should consider a tool that can
automatically assess configuration settings of IS components within the information
environment. An automated tool should be able to scan different information system
components (e.g., Web server, database server, network devices, etc.) running different operating
systems, identify the current configuration settings, and indicate where they are noncompliant
with policy.

Perot Systems did not document the reasons for not remediating vulnerabilities in accordance
with OMB Circular A-130, Appendix III, and NIST SP 800-53A, which would permit OCIO to
assess the potential effect of the vulnerability versus the costs associated with implementing the
suggested corrective action. OMB Circular A-130, Appendix III, and NIST SP 800-53A
specifically require agencies to assess and evaluate the cost of implementing controls versus the
benefits to be derived in implementing security controls as part of the overall risk assessment
process.

Also, the EDUCATE SLA procedures and processes do not require the use of specific scanning
software, such as STIG automated tools, that would allow Perot to identify security vulnerabilities
with configuration settings within the operating systems for clients and servers, databases, and
network infrastructure devices (firewalls, routers, and switches) supporting EDUCATE.

Poor configuration management practices for the operating systems increase the potential for
unauthorized activities to occur without being detected, thus leading to potential theft,
destruction, and misuse of agency data both from internal and external threats.

RECOMMENDATIONS:

We recommend OCIO:

   1.1 Revise the SLA to require Perot Systems to take appropriate timely corrective action to
       resolve network security configuration vulnerabilities or to justify not implementing
       suggested corrective action to permit OCIO to assess the potential effect of the
       vulnerability versus the costs associated with implementing the suggested corrective
       action.

   1.2 Revise the SLA to require Perot Systems to use various scanning software such as STIG
       and Security Content Automation Protocol (SCAP) tools, as well as the STIG checklist.
       The security scanning software should be compliant with the NIST SP 800-128 (Draft) to
       identify security vulnerabilities within the operating systems for clients and servers,
       databases, and network infrastructure devices (firewalls, routers, and switches)
       supporting EDUCATE.

Management Response

OCIO concurred with Recommendations 1.1 and 1.2. However, in its response, OCIO provided
a suggested wording change for Recommendation 1.2.

OIG Response

We did not agree with OCIO’s suggestion to develop and implement policies and procedures
instead of revising the SLA. Unless the SLA is modified, Perot Systems will not be legally
required to comply with the policies and procedures. However, we did revise the
recommendation to include SCAP automated tools, as well as the STIG checklist. Including
STIG compliant tools will ensure that anything that is not covered by SCAP will be covered by
STIG. Also, including the STIG checklist will further ensure that anything not identified by
STIG and SCAP automated tools will be addressed.



2. Network Security Controls over Hardware Devices and Software Needed Improvement

Our review of EDUCATE hardware and software accountability security controls found the
following deficiencies:

    • Perot Systems reported 1,675 work stations with an undetermined operating system in the
      Perot Internet Protocol (IP) Scan, dated December 2010.
    • Perot Systems could not identify the location of 2 of 10 UNIX[3] servers sampled from a
      population of 363 servers.
    • In their monthly scan reporting process, neither OCIO nor Perot Systems officials could
      explain why the December 2010 IP Scan report contained a tab titled “Servers” that listed
      12 IP addresses as servers with unknown operating systems and unknown “Host name.”
      Ten of the 12 IP addresses were also present on the IP Scan report for November of 2010.

NIST SP 800-53, Revision 3, Appendix F Family Configuration Management (CM)-8,
Information System Component Inventory, dated August 2009, requires an agency to develop,
document, and maintain an inventory of information system components that does the following:

    • accurately reflects the current information system;
    • is consistent with the authorization boundary of the information system;
    • is at the level of granularity deemed necessary for tracking and reporting;
    • includes information deemed necessary by the Department to achieve effective
      property accountability; and
    • is available for review and audit by designated organizational officials.

OCIO in conjunction with Perot Systems had not developed policies or procedures to fully
account for hardware and software installed or permitted to be used on the EDUCATE network.
OCIO did not require Perot Systems to resolve the reporting variances or to provide an
explanation for the variances, such as undetermined operating systems and unknown host names.

Without accurate accountability of the hardware and software permitted to be installed on the
network or to be connected or installed on the network, OCIO increases the risk that
unauthorized hardware may be connected or installed on the network that may permit
unauthorized activities to occur and go undetected for an extensive period of time.
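
The check below is an added illustration, not part of the audit report or of any OCIO or Perot Systems tooling. It compares consecutive monthly IP scan reports, lists the entries whose operating system or host name is still undetermined, and ages each one in working days against the 5-working-day limit set in Recommendation 2.3. The CSV layout, the function names, and the sample addresses are assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Values treated as a reporting variance (assumed spellings).
UNRESOLVED = {"", "unknown", "undetermined"}


def variances(report_csv):
    """Map each IP in one scan report to the fields that are still unresolved."""
    found = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        fields = [f for f in ("hostname", "os")
                  if row[f].strip().lower() in UNRESOLVED]
        if fields:
            found[row["ip"].strip()] = fields
    return found


def working_days_between(start, end):
    """Count Monday-Friday dates after `start`, up to and including `end`.
    Federal holidays are ignored (assumption)."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count


def open_variances(reports, as_of, limit=5):
    """reports: list of (scan_date, csv_text), oldest first.

    Returns the variances present in the latest report, the date each one
    first appeared in an unbroken run of reports, and whether it has been
    open longer than `limit` working days."""
    first_seen, current = {}, {}
    for scan_date, text in reports:
        current = variances(text)
        # Keep the earlier date only while the variance persists; an entry
        # that was resolved and later reappears starts a new clock.
        first_seen = {ip: first_seen.get(ip, scan_date) for ip in current}
    result = []
    for ip in sorted(current):
        age = working_days_between(first_seen[ip], as_of)
        result.append({"ip": ip, "unresolved": current[ip],
                       "first_seen": first_seen[ip],
                       "working_days_open": age, "overdue": age > limit})
    return result


# Constructed sample data (RFC 5737 documentation addresses, not audit data).
NOV_2010 = """ip,hostname,os
192.0.2.10,Unknown,Unknown
192.0.2.11,ws-0411,Undetermined
192.0.2.12,srv-0012,UNIX
"""
DEC_2010 = """ip,hostname,os
192.0.2.10,Unknown,Unknown
192.0.2.11,ws-0411,Windows
192.0.2.12,srv-0012,UNIX
192.0.2.13,,Windows
"""
REPORTS = [(date(2010, 11, 30), NOV_2010), (date(2010, 12, 31), DEC_2010)]

if __name__ == "__main__":
    for item in open_variances(REPORTS, as_of=date(2011, 1, 5)):
        print(item)
```

An entry that appears in two consecutive monthly reports, as 10 of the 12 addresses in the finding did, is necessarily past the 5-working-day limit.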




[3] Uniplexed Information and Computing System

RECOMMENDATIONS:

We recommend OCIO in conjunction with Perot Systems:

   2.1 Develop and implement policies and procedures to fully account for software or hardware
       installed or permitted through exception to be used on the EDUCATE network.

   2.2 Revise the SLA requirements to require Perot Systems to implement procedures to carry
       out its responsibility for ensuring that only authorized devices are permitted to be
       installed on the network and to verify the number of devices permitted on the EDUCATE
       network or to obtain a reliable accountability of hardware.

   2.3 Require Perot Systems to resolve the monthly reporting variances, such as undetermined
       operating systems and unknown host names within 5 working days.

   2.4 Require Perot Systems to terminate the network connections and authorizations for
       hardware labeled as “undetermined.”

Management Response

OCIO concurred with Recommendations 2.1 through 2.4. However, OCIO requested a
modification to Recommendation 2.1 to delete the words “or permitted to be used.” OCIO stated
in its response that the Department’s Enterprise Architecture Review Board (EARB) maintains
an End User Catalog of software and hardware that are permitted to be installed on the
EDUCATE network. Additionally, OCIO outlined efforts to detect rogue devices installed on
the network but did not address efforts to detect rogue software that may be running on the
network. OCIO stated that Recommendations 2.3 and 2.4 have been completed, but we did not
verify that the corrective action corrected the deficiencies cited.

OIG Response

We reviewed management’s response and did not agree to delete the words “or permitted to be
used” from Recommendation 2.1. However, we modified the recommendation to include the
words “through exception” to acknowledge software and hardware that are permitted to be used
on the network by individual exception. Individual exceptions address specific job/function
requirements that may exist only in one area of the Department (e.g., OCIO), and those
exceptions are not approved by the EARB. In its response, OCIO stated that Dell Systems has a
process for identifying rogue devices. Additionally, OCIO stated it has begun engineering
analysis to pilot network access control software. Network access control software compares
authorized hardware to what is installed; however, it does not identify rogue software or software
that is permitted to run on the network through exception.


3. Security Patch Management Process Needed Improvement

We conducted tests of the security patch management installation processes and procedures to
determine whether the security patch management process ensured that critical security patches
were installed in a timely manner. Because the Department had not defined timeframes for
installing critical security patches onto servers, the auditors elected to measure performance
using the Dell End User Computing Workstation Patch and Configuration Management Process.
Section 7 of Dell’s process states that for an “Urgent” patch, Dell will initiate the patch within 3
days and complete the deployment within 30 days; and for a “High” patch, Dell will initiate the
patch within 5 days and complete the deployment within 30 days.

Our tests disclosed that OCIO had not defined timeframes for installing security patches on
network devices in the SLA with Perot Systems. Our review of the Perot Systems’ patch
management processes disclosed that Perot Systems did not initially install critical security
patches on network devices within the 3-day time period as required by the Dell End User
Computing Workstation Patch and Configuration Management Process. In our sample of 25
devices consisting of 19 servers and 6 switches, we found that Perot had not installed critical
security patches for 16 servers; however, we found that Perot had installed required security
patches for the 6 switches. For two of the servers, the patches were not installed until 40 days
after the release date. OCIO was not aware that Perot had not installed security patches on all
network devices within the timeframe required by Dell’s process (30 days).

NIST SP 800-53, Revision 3, CM-8, Information System Component Inventory, dated August
2009, requires an agency (including any contractor to the agency) to promptly install security-
relevant software updates (e.g., patches, service packs, and hot fixes).

OCIO had not established the procedures within the original SLA to obtain assurance that Perot
had implemented security patches in a timely manner. During the audit, OCIO updated the SLA
to include a 30-day timeframe for completing installation of security patches. However, there
was no mention of timeframes for initiating security patches in the updated SLA. Additionally,
the original SLA did not require Perot to provide a detailed performance report that would
disclose the following:

    • number of security patches released by vendors within the past reporting period;
    • criticality of the security patch and the number of network devices affected by the
      security patch;
    • number of devices patched; and
    • number of devices remaining to be patched.

Failure to implement security patches in a timely manner increases the potential for unauthorized
access and exploitation of security vulnerabilities that can result in unauthorized release of
sensitive data, modification of data, and theft of data.
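
The sketch below is an added example, not code from the audit, OCIO, Dell, or Perot Systems. It builds the performance report described above (patches released in the period, criticality, devices affected, patched, and remaining) and flags devices that miss the initiation and completion timeframes the report quotes from Section 7 of the Dell process. The record layout, function names, and patch identifiers are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Timeframes the report quotes from Section 7 of the Dell process:
# criticality -> (days allowed to initiate, days allowed to complete).
SLA_DAYS = {"Urgent": (3, 30), "High": (5, 30)}


@dataclass
class Deployment:
    device: str
    started: Optional[date] = None    # None: installation not yet initiated
    finished: Optional[date] = None   # None: patch not yet installed


@dataclass
class Patch:
    patch_id: str
    criticality: str                  # a key of SLA_DAYS
    released: date                    # vendor release date
    deployments: List[Deployment] = field(default_factory=list)


def patch_row(patch, as_of):
    """One line of the performance report for a single vendor patch."""
    start_limit, finish_limit = SLA_DAYS[patch.criticality]
    late_start, late_finish = [], []
    for dep in patch.deployments:
        # Open items keep ageing until the report date. A device with a
        # finish date but no recorded start is aged from the finish date.
        started = dep.started or dep.finished or as_of
        finished = dep.finished or as_of
        if (started - patch.released).days > start_limit:
            late_start.append(dep.device)
        if (finished - patch.released).days > finish_limit:
            late_finish.append(dep.device)
    patched = sum(1 for dep in patch.deployments if dep.finished)
    return {
        "patch": patch.patch_id,
        "criticality": patch.criticality,
        "devices_affected": len(patch.deployments),
        "devices_patched": patched,
        "devices_remaining": len(patch.deployments) - patched,
        "late_initiation": late_start,
        "late_completion": late_finish,
    }


def performance_report(patches, period_start, as_of):
    """Report on every patch released between period_start and as_of."""
    rows = [patch_row(p, as_of) for p in patches
            if period_start <= p.released <= as_of]
    return {
        "patches_released": len(rows),
        "devices_remaining": sum(r["devices_remaining"] for r in rows),
        "rows": rows,
    }


# Constructed sample data; identifiers and dates are not from the audit.
PATCHES = [
    Patch("PATCH-A", "Urgent", date(2011, 3, 1), [
        Deployment("srv01", date(2011, 3, 2), date(2011, 3, 10)),
        Deployment("srv02", date(2011, 3, 8), date(2011, 4, 10)),  # day 40
        Deployment("sw01"),                                        # untouched
    ]),
    Patch("PATCH-B", "High", date(2011, 4, 5), [
        Deployment("srv01", date(2011, 4, 8)),                     # in progress
    ]),
]

if __name__ == "__main__":
    report = performance_report(PATCHES, date(2011, 3, 1), date(2011, 4, 15))
    for row in report["rows"]:
        print(row)
```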

RECOMMENDATIONS:

We recommend OCIO:

   3.1 Amend the SLA to establish detailed performance reporting factors that would disclose
       the number of security patches released by vendors within the past reporting period, the
       criticality of the security patch, the number of network devices affected by the security
       patch, the number of devices patched, and the number of devices remaining to be
       patched.

   3.2 Amend the SLA to include language that would require contractors to initiate the
       installation of vendor security patches within a 3-day period from the vendor release date
       or provide OCIO with a justification for not installing the security patch.

   3.3 Require Perot Systems to report monthly on the security patches received by the vendor
       but not installed during the period and include a schedule for installing the patch.

Management Response

OCIO concurred with Recommendations 3.1 through 3.3.


4. Remote Access Software Was Not Compliant with OMB and NIST Standards

The EDUCATE network software that controls remote access settings was not compliant with
OMB and NIST requirements. We noted the following deficiencies based upon our testing:

   1. The encryption algorithm for Department Web sites does not comply with NIST
      SP 800-57, “Recommendation for Key Management Part 3: Application Specific Key
      Management Guidance,” dated December 2009.

   2. The EDUCATE network does not require multifactor authentication to gain remote
      access as required by OMB Memorandums 06-16, “Protection of Sensitive Agency
      Information,” dated June 23, 2006, and 07-16, “Safeguarding Against and Responding to
      the Breach of Personally Identifiable Information,” dated May 22, 2007. OMB requires
      agencies to allow remote access only with two-factor authentication where one of the
      factors is provided by a device separate from the computer gaining access.

NIST SP 800-57 Part 3 recommends using Rivest, Shamir and Adleman (RSA) 2048 with an
algorithm of secure hash algorithm (SHA) 256 for a Certificate Authority. For a certificate
generated after December 31, 2010, the public key is also recommended to be RSA 2048 with an
algorithm of SHA 256. Further, OMB Memorandum 07-16 requires agencies to use a “time-out”
function for remote access and mobile devices requiring user re-authentication after 30 minutes
of inactivity and to allow remote access only with two-factor authentication where one of the
factors is provided by a device separate from the computer gaining access.

On September 16, 2010, OIG issued an Investigative Program Advisory Report (IPAR),
Weaknesses in the Process for Handling Compromised Privileged Accounts (09-220005) Control
Number L21K0002 to the Deputy Secretary and Federal Student Aid (FSA). OIG determined
FSA did not identify all individuals whose data were potentially compromised; the Department
and FSA failed to conduct adequate log reviews of compromised privileged accounts to identify
unauthorized activity; FSA kept inadequate records of its remediation efforts for compromised
privileged accounts; and the Department and FSA did not require two-factor authentication for
remote access to Department and FSA systems. OIG also made recommendations that the
Department (1) identify all potentially compromised personally identifiable information (PII) by
analyzing all account activity during the period that the privileged account was compromised;
(2) revise current methodology used to identify suspicious activity that indicates unauthorized
access into privileged accounts; (3) track compromised accounts and PII and the date of
compromise, account deactivations, owner/borrower notifications, and the date and results of the
account log review; and (4) implement two-factor authentication on any system where a user can
log into a privileged account from the Internet, with an emphasis placed on financial systems and
systems containing large volumes of PII.

As far back as July 2007, OIG reported weaknesses in the Department’s and FSA’s response to
compromised privileged accounts. Although the Department and FSA have started
implementing two-factor authentication for some employees, to date not all Department
employees and external users who log in remotely or through a Web site to gain access to
Department systems are required to use two-factor authentication. This includes privileged
external users at guaranty agencies, lenders, servicers, and postsecondary institutions who pose a
great risk to Department systems. The computer systems owned by external partners are not
secured by the Department and are generally not required to comply with Federal and
Department standards.

Based on our review of documentation and discussions with OCIO officials, we determined that
the EDUCATE network software that controls remote access settings does not comply with
OMB and NIST requirements, because the Department did not establish controls within the SLA
to require two-factor authentication or to ensure Perot complied with NIST encryption software
requirements as changes are implemented by NIST and OMB.

Without an effective process for encrypting communication between a remote user’s computer and
Department servers, those servers are at increased risk of unauthorized access if the connection
is established with a noncompliant digital certificate and bit encryption. Additionally, the lack of
multifactor authentication to the EDUCATE network increases the risk of an unauthorized user
accessing the network remotely and misusing, altering, or destroying sensitive Department data.

RECOMMENDATIONS:

We recommend OCIO:

   4.1 Require Perot Systems to change the digital certificate and bit encryption for remote
       servers to the recommended settings that are specified in NIST 800-57 Part 3.

   4.2 Expedite its efforts to work with Perot Systems to address the issues cited in the IPAR,
       Weaknesses in the Process for Handling Compromised Privileged Accounts (09-220005),
       Control Number L21K0002.

Management Response

OCIO concurred with Recommendations 4.1 and 4.2.


5. Perot Systems Network Operating System Controls for Identifying and Resolving
   Vulnerabilities Needed Improvement

We performed vulnerability scans of the EDUCATE network. Based on our external
vulnerability scans of the EDUCATE network, we identified a Department Web site that is
vulnerable to Structured Query Language (SQL) injection[4] attacks that allow an attacker to read,
update, or delete database records from the Internet.

We also performed internal network vulnerability scans and identified the following high-risk
vulnerabilities:

    • Five Terminal Access Controller Access Control System Plus (TACACS+) devices
      send authentication information in clear-text, which can be captured and used to
      log on to network devices.
    • Nine network devices allow console connections without timeout settings. An
      attacker with physical access can connect to the console port using a non-terminated
      connection.
    • One network device uses an unsecured service, remote login (Rlogin), which allows
      network administrators to log in and send their credentials in clear-text, making them
      susceptible to packet analysis.
    • Nine network devices use Secure Shell Version 1 (SSH-1), which allows data to be
      exchanged using a secure channel. However, multiple vulnerabilities exist making
      SSH-1 susceptible to man-in-the-middle attacks whereby an individual can capture
      data without detection.
    • Four network devices use an unsecured service, Telnet, which allows network
      administrators to log in and send their credentials in clear-text.
    • Insecure library loading could allow remote code execution.
    • Vulnerabilities in Server Message Block (SMB) server. For example, a specially
      crafted SMB packet sent to the affected system could allow remote code execution.

Detailed information on the vulnerabilities was given to OCIO for remediation.

NIST SP 800-53, Revision 3, Appendix F, Remote Access 5, Vulnerability Scanning requires
agencies to conduct periodic scans of the network to identify vulnerabilities and to establish
processes to remediate vulnerabilities using a risk-based approach.

Perot Systems has not updated the operating system with security patches for the various devices
noted above as recommended by the software vendor and as required by the NIST SP 800-53,
Revision 3.

Failure to perform periodic scans and other tests of the network operating systems increases the
risk that known operating system vulnerabilities for various devices connected to the network
may be exploited by unauthorized individuals leading to the theft, destruction, or misuse of
sensitive data and Departmental assets.

[4] SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.

RECOMMENDATIONS:

We recommend OCIO:

   5.1 Direct Perot Systems to take immediate action to address the vulnerabilities identified
       and report to OCIO on the schedule for implementing the remedial action.

   5.2 Direct Perot Systems to enhance its current operating procedures to perform network
       scans every two weeks or more frequently as necessary.

Management Response

OCIO concurred with Recommendations 5.1 and 5.2.


6. The Department’s Incident Response Program Needed Improvement to Ensure Timely
   and Appropriate Detection, Reporting, and Resolution of Computer Security Incidents
   to Internal and External Parties

The Department must be capable of properly responding to incidents in a timely manner and of
rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were
exploited, and restoring computing services. FISMA requires Federal agencies to create and
operate a formal incident response capability. Additionally, NIST SP 800-61, Revision 1,
“Computer Security Incident Handling Guide,” dated March 2008, requires Federal agencies to
report incidents to the United States Computer Emergency Readiness Team (US-CERT) office
within the Department of Homeland Security (DHS). The requirement to report to US-CERT is
essential to safeguarding Federal IT assets from the migration of IT threats, such as viruses from
one agency to another, and to informing Federal managers of identified security breaches so that
Federal managers can institute appropriate preventive measures.

On June 14, 2011, OIG issued an IPAR, Incident Response and Reporting Procedures (10-
1102832) Control Number L21L0001 to OCIO. OIG determined that the Department did not
detect, report, or respond to incidents in accordance with the Department’s OCIO-14 “Handbook
for Information Security Incident Response and Reporting Procedures”. The report cited
specific instances, dating back to March 2009, where Perot Systems did not follow OCIO-14 and
NIST SP 800-61 protocols to collect information that could aid the Department in identifying all
compromised computers, the actions or vulnerability that enabled the incident, the objective of
the incident, and the source. Specifically, the current practice by Perot Systems once an incident
is discovered is to remove the infected system from the network and attempt to clean the system
by running a virus scan before there is any attempt to collect potential evidence. The report
concluded that the deficiencies have left the Department’s systems and data vulnerable. OIG
also made recommendations to the Chief Information Officer to enforce the contract’s
requirement for Perot Systems to comply with OCIO-14 when performing incident response, or
develop a separate capability to perform incident response in accordance with OCIO-14. The
incident response capability, whether or not maintained by Perot Systems, should include:
(1) providing incident response personnel with the appropriate training and tools to collect and
preserve evidence in a quick and forensically sound manner; (2) analyzing information to
determine the root cause of an incident and to determine the extent of damage; and
(3) implementing appropriate hardware, software, and procedures to activate full content
network monitoring in a timely manner to support the incident response process and to assist in
discovery of the incident’s root cause.

To determine whether OCIO was compliant with NIST incident reporting requirements, we
selected 15 incident tickets for testing. Our tests disclosed the following:

    • Two of 15 Operational Vulnerability Management System (OVMS) security incidents
      were not reported to US-CERT within a day of the occurrence. Specifically, one incident
      was not reported until 28 days after the incident, and another incident was reported 16
      days after the incident. Both incidents were categorized as Category (CAT) 3.

    • Four of 15 OVMS security incidents were not resolved in a timely manner to prevent
      further damage. Specifically, 3 of 4 security incidents, which were CAT 3 EINSTEIN
      alerts identified by US-CERT, were reported 14, 16, and 27 days after the incident, and
      one CAT 1 incident was reported 14 days late.

NIST SP 800-61, Revision 1, requires agencies to establish incident response procedures in
compliance with US-CERT reporting requirements. OCIO-14, “Handbook for Information
Security Incident Response and Reporting Procedures” dated March 2, 2011 also defines the
reporting requirements, which are included in the EDUCATE SLA. NIST has defined CAT 1, 2,
and 3 incidents and requires agencies to report within the specific timeframe.

 Category   Incident Type             Description                                    Reporting Timeframe

 CAT 1      Unauthorized Access       A person gains logical or physical access      Within one (1) hour of
                                      without permission to a Federal agency         discovery/detection.
                                      network, system, application, data, or other
                                      technical resource.

 CAT 2      Denial of Service (DoS)   An attack that prevents or impairs the         Within two (2) hours of
                                      authorized use of networks, systems, or        discovery/detection if the
                                      applications by exhausting resources. This     successful attack is still
                                      activity includes being the victim or          ongoing and the agency is
                                      participating in the DoS.                      unable to successfully
                                                                                     mitigate activity.

 CAT 3      Malicious Code            A virus, worm, Trojan horse, or other code-    Daily. Note: Within one (1)
                                      based malicious entity that successfully       hour of discovery/
                                      infects a host. Agencies are NOT required to   detection if widespread
                                      report malicious logic that has been           across agency.
                                      successfully quarantined by antivirus
                                      software.
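
The following is an added example, not part of the audit report or of OVMS. It applies the reporting timeframes in the table above to a set of incident tickets and lists those reported late or still unreported. The ticket fields, function names, and sample tickets are assumptions; "Daily" for CAT 3 is interpreted as within one day of detection, and a CAT 2 incident that does not meet the table's condition is treated as having no deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Ticket:
    ticket_id: str
    category: str                       # "CAT 1", "CAT 2" or "CAT 3"
    detected: datetime                  # discovery/detection time
    reported: Optional[datetime] = None # time reported to US-CERT, if any
    ongoing_unmitigated: bool = False   # CAT 2 condition in the table
    widespread: bool = False            # CAT 3 "Note" condition
    quarantined: bool = False           # CAT 3: quarantined by antivirus


def reporting_window(t):
    """Return the allowed time from detection to report, or None if the
    table sets no deadline for this ticket."""
    if t.category == "CAT 1":
        return timedelta(hours=1)
    if t.category == "CAT 2":
        return timedelta(hours=2) if t.ongoing_unmitigated else None
    if t.category == "CAT 3":
        if t.quarantined:
            return None                 # reporting not required
        return timedelta(hours=1) if t.widespread else timedelta(days=1)
    raise ValueError(f"unknown category: {t.category}")


def assess(t, as_of):
    """Classify one ticket as on time, late, pending, overdue or no deadline."""
    window = reporting_window(t)
    if window is None:
        return {"ticket": t.ticket_id, "status": "no deadline",
                "days_elapsed": None}
    elapsed = (t.reported or as_of) - t.detected
    if t.reported:
        status = "on time" if elapsed <= window else "late"
    else:
        status = "pending" if elapsed <= window else "overdue"
    return {"ticket": t.ticket_id, "status": status,
            "days_elapsed": elapsed.days}


def exceptions(tickets, as_of):
    """Tickets that were reported late or are unreported past the deadline."""
    results = (assess(t, as_of) for t in tickets)
    return [r for r in results if r["status"] in ("late", "overdue")]


# Constructed sample tickets; identifiers and times are not from the audit.
AS_OF = datetime(2011, 4, 15, 8, 0)
TICKETS = [
    Ticket("T-001", "CAT 3", datetime(2011, 1, 3, 9, 0),
           datetime(2011, 1, 31, 9, 0)),
    Ticket("T-002", "CAT 3", datetime(2011, 2, 1, 10, 0),
           datetime(2011, 2, 17, 10, 0)),
    Ticket("T-003", "CAT 1", datetime(2011, 3, 10, 14, 0),
           datetime(2011, 3, 10, 14, 40)),
    Ticket("T-004", "CAT 3", datetime(2011, 3, 12, 11, 0), quarantined=True),
    Ticket("T-005", "CAT 2", datetime(2011, 3, 20, 8, 0),
           datetime(2011, 3, 20, 13, 0), ongoing_unmitigated=True),
    Ticket("T-006", "CAT 1", datetime(2011, 4, 1, 8, 0)),
]

if __name__ == "__main__":
    for row in exceptions(TICKETS, AS_OF):
        print(row)
```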


Based on our review of documents and discussions with OCIO officials, we determined that the
control weaknesses cited were caused by ineffectively designed internal controls. Specifically,
OCIO did not develop procedures for reporting and resolving security incidents within the
required timeframes in OVMS, or in OCIO-14. Additionally, Education Incident Response
Coordinator (EDCIRC) procedures did not require following up on Perot Systems’ compliance
with the US-CERT Federal reporting timeframe for CAT 3 incidents, which should be reported
daily. OCIO monitoring procedures were not effectively designed to monitor Perot’s
performance specifically with resolving security incidents in the required manner and timeframe
as specified in the EDUCATE SLA.

Not properly responding to computer security incidents violates the containment procedures set
forth in OCIO-14, hampers the investigative process that is part of the detection/identification
phase, and can destroy the potential for determining the root cause of the incident. Because
malicious code (as defined by US-CERT in the above table) works surreptitiously and can
propagate to other systems rapidly, early containment of a malicious code incident is needed to
stop it from spreading and causing further damage. Additionally, if a security incident is
identified on the network, it could spread organization-wide if not resolved in a timely manner.
Further, not developing an internal timeframe for resolving incidents may delay or prevent
eradicating an incident within the expected timeframe and holding responsible individuals fully
accountable.

RECOMMENDATIONS:

We recommend OCIO:

   6.1 Require Perot Systems to comply with the EDUCATE SLA for resolving incidents
       within the SLA specified timeframe.

   6.2 Continue its efforts to work with Perot Systems to address the issues cited in the IPAR,
       Incident Response and Reporting Procedures (10-1102832) Control Number
       L21L0001.

Management Response

OCIO concurred with Recommendations 6.1 and 6.2.


7. Account and Identity Management Processes Required Significant Improvement

User account and identity management is an essential security operational function that restricts
access to mission critical systems to only authorized users for only authorized purposes. Our
tests were designed to determine whether OCIO had designed and implemented effective
processes and procedures to ensure that only authorized individuals were granted access to
EDUCATE and that any unnecessary accounts are either removed or deactivated. From our tests
of the Active Directory user account management functions, we found the following deficiencies
within the Account and Identity Management process. From a population of approximately
6,997 active accounts in Active Directory, we found the following:



   • 71 of 170 accounts established for training purposes had not been used since January
     2010.
   • 1,000 accounts had never been logged on to the network. According to the EDNIS and
     EDCIS System Security Plan (SSP), accounts that have not logged on to the EDCIS and
     EDNIS for more than 90 days should have been deactivated.
   • 221 user accounts had their password settings checked as “Do Not Expire” in the Active
     Directory. Of the 221 accounts, 53 were Service Accounts.[5] The EDCIS SSP states that
     password expiration should be enabled for all users.
   • 80 active accounts had not changed their password since January 1, 2010. According to
     EDCIS SSP, all users are required to periodically change their password.

From a population of 37 voluntarily separated employees, we found that management had not
disabled the accounts of 8 of these employees within the required timeframe. According to
OCIO-01 “Handbook for Information Assurance Security Policy,” dated March 31, 2006,
supervisors must notify system administrators within 2 business days of the departure of
separated employees and contractors, and system access shall be terminated as soon as possible,
but no later than 2 business days of notification. Additionally, the SLA states that once notified
by the Department, the user account will be disabled within one hour.

EDCIS and EDNIS SSPs, dated June 17, 2010, and June 19, 2009, respectively, state:

   • Accounts that have not logged on to the EDCIS and EDNIS for more than 90 days are
     deactivated.
   • Password expiration should be enabled for all users.
   • All users are required to periodically change their password.

OCIO-01 states that users’ system access for terminated employees will be terminated within 2
days of departure.

OCIO had not developed policies to provide guidance to ensure that Perot was compliant with
NIST standards and OCIO policies for account and identity management. OCIO did not require
Perot to provide a report listing changes to active user accounts or to ensure that:

   • Active user accounts within Active Directory have been used within the last 90 days.
   • Accounts require a password and that all account passwords must be changed every 60 or
     90 days.
   • Unnecessary accounts have been removed.
   • Accounts associated with employees terminated or separated from the Department have
     been removed or de-activated.

Inadequate account and identity management processes increase the risk that temporary and
active accounts may be accessed by Department and contractor personnel to perform
unauthorized activities, such as modifying or improperly releasing sensitive Department
information. Additionally, accounts set with passwords that do not expire increase the potential
for an account password to be obtained resulting in the use of the account by unauthorized users.

[5] Service Accounts are software utility accounts that permit the software to automatically
    communicate and authenticate with other software and computers on the domain in a secure
    mode. Service accounts are powerful and highly useful accounts that must be properly
    secured to prevent exploitation.

RECOMMENDATIONS:

We recommend OCIO:

    7.1 Ensure that Active Directory is annually reviewed for access privileges of users.

    7.2 Configure the Active Directory account management automated tools to flag accounts
        that have not been used and ensure that all accounts are configured with passwords that
        have an expiration date.

    7.3 Revise the SLA to include a performance incentive or penalty clause to enforce OCIO
        account management policies such as disabling inactive accounts and terminating
        accounts of separated employees.

Management Response

OCIO concurred with Recommendations 7.1 through 7.3.
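
One way to automate the account checks behind Finding 7 and Recommendation 7.2, shown as an added example (not code from the report, OCIO, or Perot Systems). It applies the 90-day inactivity rule, the password expiration rules, and the 2-business-day termination rule to a constructed account export; the CSV column names, the 90-day password age, and the sample rows are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Thresholds taken from the report: 90-day inactivity (EDCIS/EDNIS SSP) and
# termination within 2 business days of notification (OCIO-01). The report
# cites "60 or 90 days" for password changes; 90 is assumed here.
INACTIVITY_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 90
TERMINATION_BUSINESS_DAYS = 2

# Constructed sample export. Column names are assumptions, not a real schema.
SAMPLE_EXPORT = """\
account,enabled,created,last_logon,pwd_last_set,pwd_never_expires,service_account,separation_notified,disabled_on
jdoe,true,2009-05-01,2011-02-20,2011-01-15,false,false,,
train07,true,2009-01-10,2010-01-12,2009-12-01,false,false,,
newhire3,true,2010-06-01,,2010-06-01,false,false,,
svc_backup,true,2008-03-03,2011-02-28,2008-03-03,true,true,,
asmith,true,2007-01-01,2011-02-10,2011-01-20,false,false,2011-02-18,
bjones,false,2006-04-04,2011-02-17,2011-01-05,false,false,2011-02-18,2011-02-22
clee,false,2005-09-09,2011-02-04,2011-01-03,false,false,2011-02-07,2011-02-10
"""


def parse_date(value):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(value) if value else None


def add_business_days(start, days):
    """Return the date `days` business days after `start` (Mon-Fri only).

    Federal holidays are not modelled; that is a simplification.
    """
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def audit_account(row, as_of):
    """Return the list of policy findings for one exported account row."""
    findings = []
    enabled = row["enabled"] == "true"
    # If the export is built from AD's replicated lastLogonTimestamp, note that
    # it is only refreshed roughly every 9 to 14 days by default, which is
    # negligible against a 90-day threshold.
    last_logon = parse_date(row["last_logon"])
    notified = parse_date(row["separation_notified"])
    disabled_on = parse_date(row["disabled_on"])

    if enabled:
        if last_logon is None:
            # Never used: measure idle time from account creation instead.
            if (as_of - parse_date(row["created"])).days > INACTIVITY_DAYS:
                findings.append("NEVER_LOGGED_ON")
        elif (as_of - last_logon).days > INACTIVITY_DAYS:
            findings.append("INACTIVE")
        if row["pwd_never_expires"] == "true":
            # The report counts service accounts separately (53 of 221).
            kind = "SERVICE" if row["service_account"] == "true" else "USER"
            findings.append("PASSWORD_NEVER_EXPIRES_" + kind)
        if (as_of - parse_date(row["pwd_last_set"])).days > MAX_PASSWORD_AGE_DAYS:
            findings.append("PASSWORD_STALE")

    if notified is not None:
        deadline = add_business_days(notified, TERMINATION_BUSINESS_DAYS)
        if disabled_on is None:
            if enabled and as_of > deadline:
                findings.append("SEPARATED_STILL_ENABLED")
        elif disabled_on > deadline:
            findings.append("SEPARATED_DISABLED_LATE")
    return findings


def audit_export(text, as_of):
    """Audit every row of a CSV export; return {account: [findings]}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["account"]: audit_account(row, as_of) for row in reader}


def summarize(results):
    """Count accounts per finding, the shape of the figures in the report."""
    return Counter(f for findings in results.values() for f in findings)


if __name__ == "__main__":
    results = audit_export(SAMPLE_EXPORT, as_of=date(2011, 3, 1))
    for account, findings in results.items():
        print(f"{account:12} {', '.join(findings) or 'ok'}")
    print(dict(summarize(results)))
```

A separation notice received on a Friday gives a deadline of the following Tuesday, so the sample account disabled four calendar days later is still on time while the one disabled three days after a Monday notice is late.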


8. EDNIS Security Plan and Update Procedures Needed to Be Revised to Ensure Full
   Accountability of Internal and External Connections and to Ensure All Connecting
   Systems Are Compliant with Federal Information Security Requirements

Our review of the EDNIS SSP showed a list of 138 internal connections and 4 external
connections. The SSP states that 109 of the 138 internal connections have been validated and 29
of the 138 internal connections have not been validated. Further, the EDNIS SSP disclosed that
the 29 systems had the following deficiencies:

   • 13 systems did not have an Interconnection Security Agreement (ISA) or a Memorandum
     of Understanding (MOU),
   • 16 systems had not been reviewed within the past year,
   • 10 systems had not been certified and accredited,
   • 19 systems had outdated certification and accreditation, and
   • 2 systems' owners were not known.

We also determined that for the four external connections, neither the EINSTEIN[6] nor the
Managed Security Service Provider (MSSP) intrusion detection systems had an MOU.
Additionally, the Treasury Financial Management System (TFMS) and Department of Justice
Cyber Security Assessment and Management (CSAM) MOU and ISA agreements had not been
reviewed within the past 2 years. Further, OCIO certification and accreditation documentation
for EINSTEIN, MSSP, TFMS and CSAM did not have a date to verify that the security
authorizations were performed in the past 3 years.

[6] EINSTEIN is the US-CERT automated process for collecting, correlating, analyzing, and
    sharing computer security information across the federal government to improve our
    nation's situational awareness.

OCIO Handbook-15, “Handbook for Protection of Sensitive but Unclassified Information,”
Section 4.3, dated March 2007, requires system owners to annually review the ISA and MOU
agreements. Additionally, OCIO requires that ISA and MOU agreements are reviewed when a
significant change occurs with the system.

Based on discussions with OCIO officials and a review of OCIO controls, we concluded that the
deficiencies cited above were caused by the following:

   • OCIO had not developed and implemented effective controls to ensure that system
     owners in conjunction with Perot Systems identified all internal and external connections
     to EDNIS.
   • OCIO had not developed a process to identify all systems interfacing with EDUCATE
     that would enable the system owner to obtain the required documentation to support the
     various individual SSPs comprising EDUCATE.
   • Although OCIO had established internal policies, it had not developed procedures to
     ensure that system owners annually review the ISA and MOU agreements with each
     system interface.
   • OCIO and Perot Systems had not established effective procedures to obtain an accurate
     and complete inventory of systems interfacing with EDUCATE.
   • OCIO did not have procedures to ensure that system owners perform re-accreditation and
     re-certification once every 3 years as required by OMB Circular A-130, Appendix III or
     on an annual basis for mission critical systems as required by OCIO-05, “Handbook for
     Information Technology Security Certification and Accreditation Procedures”, dated
     March 2006.

Without adequate controls and procedures, the Department increases the security risks and
vulnerabilities to EDUCATE, including the risk that information transported and maintained may
be subject to unauthorized activities. Those activities include the release of sensitive and personally
identifiable information. Additionally, there is an increased risk that individual system security
controls connecting to EDUCATE will be insufficient to meet the requirements of the highest
security level based on ISA and MOU agreements. Further, without accurate information on the
number of systems connecting to EDUCATE, vulnerabilities associated with the connecting
systems will migrate to EDUCATE and thus jeopardize all the systems.




RECOMMENDATIONS:

We recommend OCIO:

   8.1 Develop and implement effective controls to ensure that the EDNIS, EDMASS, CAMS,
       and EDSOC system owners in conjunction with Perot Systems identify all internal and
       external connections to these systems.

   8.2 Develop a process to identify all systems interfacing with EDUCATE and provide the
       information to each of the system owners that comprise EDUCATE to enable them to
       obtain the required documentation to support the various individual system security
       plans.

   8.3 Develop procedures to ensure that system owners annually review the ISA and MOU
       agreements for each system interface and update system security plans as necessary.

   8.4 Develop automated tracking processes to ensure that system owners perform re-
       accreditation and re-certification as required every 3 years.

   8.5 In conjunction with Perot Systems, establish and enhance procedures to obtain an
       accurate inventory of systems interfacing with EDUCATE.

Management Response

OCIO concurred with Recommendations 8.1, 8.2, 8.3, and 8.5. However, management did not
concur with Recommendation 8.4. Management stated that the Department uses OVMS to track
certifications and re-certifications. OCIO Information Assurance Services (IAS) is working with
OVMS developers to create enhancements that will allow for the automated tracking of
Department systems re-accreditation and re-certification. This enhancement is scheduled to be
completed by March 31, 2012. OCIO IAS currently maintains a dashboard to monitor the
certification and accreditation status of all systems within the Department. This dashboard
includes a stoplight chart to provide indications and warnings to IAS and ISSOs when the system
is getting close to or is out of compliance. The dashboard has only been used internally by IAS
but is shared at the monthly ISSO meeting and quarterly IA Board of Directors meeting. Also,
OCIO IAS has budgeted in fiscal years 2012 and 2013 to implement automated continuous
security authorization in accordance with NIST and DHS guidance.

OIG Response

We reviewed management’s response. OCIO reported that it uses automated tracking and
monitoring tools such as OVMS and the IAS dashboard. Nonetheless, the audit found that
systems still are not properly re-certified and re-accredited in accordance with OMB and NIST
requirements. Thus, although the automatic tracking tools may identify needed re-accreditations
and re-certifications, they are insufficient to ensure that system owners actually perform re-
accreditation and re-certification as required. Therefore, OCIO needs to develop automatic
tracking processes to ensure that re-accreditations and re-certifications are performed as required.
Therefore, the recommendation remains as stated.


9. Federal Desktop Core Configuration Security Configuration Management Process
   Needed Improvement

OMB Memorandum M-08-22, “Guidance on the Federal Desktop Core Configuration”, dated
August 11, 2008, requires all Federal agencies to standardize the mandated security configuration
of approximately 300 settings on each of their desktops and laptops. Federal Desktop Core
Configuration (FDCC) seeks to leverage configuration management by creating a standard for all
Windows XP and Vista computers. According to OMB, the reason for this standardization is to
strengthen Federal IT security by reducing opportunities for hackers to access and exploit
government computer desktop systems. As part of the review, we conducted tests to determine
whether OCIO had established sufficient security controls to comply with the FDCC
requirements.

In 2010, OCIO reported 15 FDCC deviations in the OCIO Annual FISMA Report to OMB. We
judgmentally selected two deviations to examine the authorization documents to support
management’s decision to permit the deviations and found that OCIO was not able to locate the
authorization documentation related to either deviation.

NIST SP 800-53, Revision 3, Appendix F, CM-6, “Configuration Settings” requires an agency to
identify, document, and approve exceptions from the mandatory configuration settings for
individual components within the information system based on explicit operational requirements;
and to monitor and control changes to the configuration settings in accordance with
organizational policies and procedures.

OCIO had not established procedures to ensure that documentation supporting management’s
decision to permit deviations to the standard FDCC is retained for audit. Although OMB and
NIST guidance requires management to document deviations from FDCC standards, the
EDUCATE SLA does not require justifying deviations that may be caused by hardware or
software limitations.

Without the necessary supporting documentation for the deviation, OCIO cannot properly assess
the deviation and its impact on the overall EDUCATE environment and cannot assess the
associated risk presented by the deviation.

RECOMMENDATIONS:

We recommend OCIO:

   9.1 Develop and implement procedures to ensure there is documentation supporting
       management’s decision to permit deviations to the standard FDCC. This documentation
       should be retained for audit, to demonstrate management’s decision making process
       authorizing the deviations to FDCC and to demonstrate its performance of key
       monitoring responsibilities and compliance with OMB and NIST standards and
       requirements.

   9.2 Require Perot to justify specific deviations that may be required by specific hardware or
       operating system software or application limitations.

Management Response

OCIO concurred with Recommendations 9.1 and 9.2.


10. The Department Needed to Update the Security Assessment and Authorization
    Documents

NIST in partnership with the Department of Defense, the Office of the Director of National
Intelligence, and the Committee on National Security Systems has developed a common
information security framework for the Federal government and its contractors. The intent of the
common framework is to improve information security, strengthen risk management processes,
and encourage reciprocity among Federal agencies. Authorizing officials make risk-based
authorization decisions using the security authorization package, which includes key documents
(security assessment and authorization documents) such as the systems security plan, the security
assessment report, and the plan of actions and milestones.

OCIO and the system owners for CAMS, EDNIS, EDCAPS, and EDMASS should update their
Security Assessment and Authorization documents. During our testing we identified the
following deficiencies:

   • The CAMS SSP was outdated and not compliant with OMB “Circular A-130
     Appendix III” and NIST 800-53 Revision 3 requirements. The CAMS SSP, which
     should be updated annually, was last updated on May 14, 2008.
   • The SSP’s Privacy Impact Assessments (PIA) for EDUCATE, EDNIS, and EDMASS are
     not in agreement. The EDUCATE PIA states that it does not process PII for EDNIS and
     EDMASS; however, the EDNIS and EDMASS plans state that they contain and process
     PII.
   • The CAMS SSP is not compliant with NIST SP 800-18 “Guide for Developing Security
     Plans for Federal Information Systems”, Revision 1, dated February 2006, for
     documenting ongoing maintenance control system architecture, additions/deletions of
     system interconnections, and change in security authorization status.

OMB Memorandum 03-22 “OMB Guidance for Implementing the Privacy Provisions of the
E-Government Act of 2002” states, “Agencies must update their PIA to reflect changed information
collection authorities, business processes or other factors affecting the collection and handling of
information in identifiable form.”

NIST SP 800-18, Revision 1, states that once the information system security plan is developed,
it is important to periodically assess the plan, review any change in system status, functionality,
design, etc., and ensure that the plan continues to reflect the correct information about the
system. This documentation and its correctness are critical for system certification activity. All
plans should be reviewed and updated, if appropriate, at least annually.

Based on discussions with OCIO officials, System Security Officers (SSOs) and system owners
did not ensure that procedures were properly developed to follow NIST SP 800-53, Revision 3
and 800-18, Revision 1 guidelines for updating the SSP for CAMS, EDNIS, EDMASS, and
EDCAPS. Additionally, the Department’s Privacy Office did not develop procedures to
implement the OMB Memorandum 03-22 requirements for implementing and updating the
EDUCATE and CAMS PIA. Further, OCIO internal operations do not assign responsibilities for
reviewing OCIO policies and procedures as changes occur to the following NIST and OMB
standards and requirements:

   • to determine the need for changes to OCIO policies and procedures;
   • to assess the impact on the Department’s information security program; and
   • to identify changes to the Department’s information security program and OCIO policies
     and procedures.

We also found that the SSOs did not retain sufficient documentation to support the data
sensitivity classification as part of the PIA assessment required for EDCAPS and CAMS SSPs.

Without an up-to-date SSP, system owners increase the risk that security controls may not be
suitably designed to effectively secure sensitive data that are processed and maintained by the
system. Additionally, Department management may not be aware of the risks introduced over
time as a result of changes to the IT infrastructure and operational control. Further, inconsistent
or improper assessment of the data sensitivity processed or maintained by a system increases the
risks that PII data and other sensitive data will not be properly secured to prevent either
unauthorized access to the data or prevent unauthorized release or use of PII data.

RECOMMENDATIONS:

We recommend OCIO:

   10.1 Develop procedures to ensure that all SSPs follow OMB guidance and NIST SP 800-
        18, Revision 1, guidelines for updating the SSP to include the SSPs for CAMS, EDNIS,
        EDMASS, and EDCAPS.

   10.2 Update OCIO-15 to ensure compliance with OMB Memorandum 03-22 guidelines for
        implementing and updating the EDUCATE and CAMS PIA.

   10.3 Update OCIO-15 to bring it into compliance with NIST SP 800-53, Revision 3,
        Appendix F-PL, PL-1, Security Planning Policies and Procedures.

   10.4 Develop procedures to ensure that the SSO retains sufficient documentation to support
        the required actions for the CAMS SSP.



Management Response

OCIO concurred with Recommendations 10.1 through 10.4. However, OCIO suggested that we
revise Recommendation 10.4 to say “Develop procedures to ensure that the Information System
Security Officer retains documentation used to complete Privacy Impact Assessments.”

OIG Response

Based on our review we do not believe there is a need to modify recommendation 10.4. Because
a PIA is part of an SSP, retaining sufficient documentation for an SSP will include a PIA. OCIO
stated that it agrees with the recommendation and will revise section 2.4 “Security Authorization
Documentation” of the Security Authorization Guidance to include procedures that ensure
System Security Officers retain the documentation used to complete the PIA. OCIO states the
revisions to this guidance will be finalized by November 1, 2011.


11. Contingency Planning Program Needed Improvement

Based on our review of EDUCATE supporting documentation such as SSPs, risk assessments,
Business Impact Analysis (BIA), Disaster Recovery Plans (DRP), Continuity of Operation Plans
(COOP), and Business Contingency Plans (BCP), we noted the following deficiencies related to
the contingency planning program:

   • OCIO had not documented an entity-wide BIA to support the EDUCATE contingency
     plans to ensure coordination of the recovery of critical mission/business processes and
     services in the event of a disruption.

   • OCIO, in conjunction with Perot Systems, had not developed contingency plans for
     EDNIS, EDMASS, CAMS, and EDSOC.

   • OCIO, and Perot Systems, had not conducted disaster recovery functional exercises such
     as table top exercises within the past year as required by “OCIO-01 Handbook”, and
     “OMB Circular A-130 Appendix III” as reflected in NIST SP 800-53 Revision 3 and
     800-34 Revision 1, “Contingency Planning Guide for Federal Information Systems”
     dated May 2010 for EDNIS, EDMASS, EDSOC, and CAMS.

   • OCIO had not requested Telecommunication Service Priority (TSP) codes for National
     Security Emergency Preparedness as required by the DHS. These codes are necessary to
     permit the resumption of information system operations for essential missions and
     business functions when the primary telecommunications capabilities are unavailable.
     This condition was previously reported in fiscal year 2010 by the OIG in the audit report,
     Department of Education Virtual Data Center ED-OIG/A11J0006, dated
     September 2010.




Based on discussions with OCIO and Perot Systems officials and personnel, and our review of
supporting documentation, we have concluded that the deficiencies resulted from the following:

   1. OCIO management did not think that the BIA applied to its contingency planning process
      because it had developed an overall DRP for EDUCATE.

   2. OCIO management felt that Perot Systems did not have to develop COOPs and BCPs for
      EDNIS, EDMASS, and EDSOC because the information was covered in the DRP.

   3. OCIO stated that Perot Systems did not perform functional exercises on the individual
      systems because these systems were covered by the EDUCATE contingency plans.

   4. OCIO personnel stated that they were only recently made aware of the TSP code issue
      but stated that the TSP codes will be established by December 2011.

NIST SP 800-53, Revision 3, requires agencies to develop contingency plans for major
applications and general support systems to address recovery of the system in the event of a
disaster or other significant disruption to service. Further, NIST SP 800-34, Revision 1, provides
additional guidance to agencies in developing contingency plans to identify key information
needed for system recovery, including roles and responsibilities, inventory information,
assessment procedures, detailed recovery procedures, and testing of a system. Additionally, SP
800-34, Revision 1, provides clarification and guidance on developing a contingency plan for
information systems and general support systems based on an agency-wide risk assessment BIA.
NIST SP 800-34 requires the agency to incorporate the BIA results into the analysis and strategy
development efforts for the organization’s COOP, BCP, and DRP documents.

OCIO-01, “Handbook for Information Assurance Security Policy,” dated December 2005, and
OCIO-13, “Handbook for Telecommunications,” dated April 2006, restate the NIST
requirements to develop and test contingency plans and to obtain TSP service.

Without the COOP, DRP, and BCP based on a BIA, the Department increases the risks that it
will not recover mission critical functions based on established recovery priorities. Additionally,
without the COOP, DRP, and BCP designed for each of the general support systems comprising
the EDUCATE environment, OCIO increases the risks that:

   • Unique recovery requirements for these critical system operations will not be identified.
   • Areas for improving the recovery process will not be identified without an annual test of
     the contingency plan at the system level.
   • Corrective actions will not be initiated prior to an emergency, thus delaying or preventing
     recovery of systems supporting the Department’s critical business functions.

Without TSP codes, OCIO cannot ensure that critical communications services are provided to
Department senior management to enable them to carry out the Department’s critical mission
and functions in the event of a national disaster.




RECOMMENDATIONS:

We recommend OCIO:

   11.1 Develop a BIA process and conduct a BIA on the EDUCATE Infrastructure.

   11.2 Develop and maintain disaster recovery and contingency plans for EDUCATE’s
        General Support Systems: EDMASS, EDNIS, CAMS, and EDSOC.

   11.3 Require Perot Systems to perform functional exercises and full failover and failbacks
        on an annual basis for all of the EDUCATE infrastructure.

   11.4 Develop and implement procedures and processes that ensure the requirements of the
        TSP Program for the EDUCATE are immediately met and ensure compliance with
        DHS requirements and OCIO-13, “Handbook for Telecommunications,” and other
        applicable guidance.

Management Response

OCIO concurred with Recommendations 11.1, 11.3, and 11.4. However, management did not
concur with Recommendation 11.2. In its response, OCIO stated that it has established
contingency plans (CP), referred to as BCPs, and DRPs, for EDNIS, EDMASS, CAMS, and
EDSOC.

OIG Response

We have reviewed management’s response. For Recommendation 11.2, during the audit OCIO
did not provide requested documentation relating to the CP, BCP, and DRP for EDNIS,
EDMASS, CAMS, and EDSOC. We provided system owners and OCIO with sufficient
opportunities to provide the required documentation to demonstrate compliance with NIST and
OMB requirements. Therefore, Recommendation 11.2 remains as stated.


12. The Department Needed to Establish an Organization-Wide Risk Management
    Strategy

As part of our audit tests we reviewed the SSP associated with EDUCATE, EDNIS, EDMASS,
EDSOC, and CAMS. Although OCIO and the system owners had performed application security
risk assessments as part of the SSP, OCIO currently did not have an organization-wide risk
management strategy as required by the OMB A-130 Appendices III and IV, and as clarified by
the NIST SP 800-39, “Managing Information Security Risk”, dated March 2011. The Director
of OCIO Information Assurance (IA) stated that OCIO IA was currently in the process of
developing an organization-wide risk management strategy.




Based on discussions with OCIO officials, OCIO had not developed processes and procedures to
conduct risk assessments at the organizational level or system level because OCIO IA has not
assigned the formal risk executive function to anyone.

NIST SP 800-39 states, “Risk management is a comprehensive process that requires
organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess
risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using
effective organizational communications and a feedback loop for continuous improvement in the
risk-related activities of organizations. Risk management is carried out as a holistic,
organization-wide activity that addresses risk from the strategic level to the tactical level,
ensuring that risk based decision making is integrated into every aspect of the organization.”

Without an organization-wide risk management strategy, the Department increases the potential
that known and unknown vulnerabilities will either not be identified or improperly categorized
leading to exploitation of vulnerabilities and potentially compromising the confidentiality,
integrity, or availability of the information being processed, stored, or transmitted by those
systems.

RECOMMENDATIONS:

We recommend OCIO:

   12.1 Develop and implement procedures to conduct risk assessments at the organizational
        level in addition to the currently performed application risk assessments.

   12.2 Assess the potential impact on each application of any organization-wide security risk.

   12.3 Enhance current risk assessment processes and procedures to incorporate the
        requirements of NIST SP 800-39.

Management Response

OCIO concurred with Recommendations 12.1 through 12.3. However, OCIO did not concur
with Recommendation 12.4 which required OCIO to assign responsibility of the risk executive to
an individual or group to coordinate with senior leadership of the Department the risk executive
requirements outlined in NIST SP 800-39. In its response, OCIO stated that it has a Risk
Executive that is the CIO and has assigned the Risk Management functions to the CISO.
Additionally, the Director of IAS has developed an IA Strategic Plan that incorporates the
requirements of NIST SP 800-39.

OIG Response

After reviewing management’s comments, we removed Recommendation 12.4 from the final
report.




13. Documentation of Security Awareness Training Needed Improvement

OCIO policies require that newly hired personnel take security awareness training within 10 days
of starting employment. Additionally, personnel with significant information security
responsibilities (such as System Administrators) must take specialized training annually. Our
review of the training records noted the following:

   • OCIO could not provide supporting evidence for initial security awareness training for 22
     of 25 newly hired personnel. Additionally, documentation for 3 personnel from the 25
     showed that the employees did not attend training within the 10 day period.

   • OCIO could not provide supporting evidence of training records for all 25 employees
     selected who had significant information security responsibilities.

NIST SP 800-53, Revision 3, Section Awareness Training (AT)-2, Security Awareness, requires
agencies to establish and provide basic security awareness training to all information system
users (including managers, senior executives, and contractors) as part of initial training for new
users and when required by system changes. Further, NIST SP 800-53 Revision 3, AT-4,
Security Training Records recommends the agency retain individual training records. OCIO-01
requires employees to attend security training within 10 working days of employment and
annually as a refresher.

The Department’s process for capturing training information for contractor personnel does not
require that individual training records be kept to support the actual training. The current process
requires only that each Information System Security Officer (ISSO) keep track of attendees via
an Excel spreadsheet.

Without an effective process for tracking employees and contractor personnel training, the
Department increases the risks that employees are not made aware of security vulnerabilities and
not adequately trained and educated on strong security practices to help reduce security
vulnerabilities and risks.

RECOMMENDATIONS:

We recommend OCIO:

   13.1 Develop procedures to ensure that all personnel provide documentation to the ISSO of
        training attended and to ensure the retention of the training documentation.

   13.2 Enhance the ISSO tracking tool to include contractor personnel and to store the proof of
        completion for all users.

Management Response

OCIO partially concurred with Recommendations 13.1 and 13.2. For Recommendation 13.1,
OCIO stated that NIST 800-53, Revision 3, AT-4, does not explicitly require agencies to retain
copies of training certificates as supporting documentation. NIST 800-53 does state that the
Department’s Talent Management System and Security Touch Learning Management System
retain training completion data, and reports can be generated upon request. In addition, OCIO
stated that procedures fully defining how documentation will be retained will be implemented by
December 30, 2011.

For Recommendation 13.2, OCIO stated that OCIO IAS will issue a memorandum to the
Department’s Principal Offices requiring contractors to take annual awareness training using the
public facing Security Touch learning management Web application for the FY 2012 training
cycle. Security Touch will allow OCIO IAS to track and store proof of completion for all users.
In instances where vendors use their own IT security training program or products to train their
employees, OCIO will accept a certification letter from the company’s authorized official that
contains the list of employees who completed the training along with a description of the training
provided.

OIG Response

We reviewed management’s response. For Recommendation 13.1, if the document retention
procedures that OCIO stated will be implemented by December 30, 2011 contain a provision for
producing the documentation upon request, this corrective action should correct the deficiency
cited.

For Recommendation 13.2, OCIO stated that Security Touch will allow OCIO IAS to track and
store proof of completion for all users. Additionally, for those vendors who use their own IT
security training program or products to train their employees, OCIO will accept a certification
letter from the company’s authorized official that contains the list of employees who completed
the training along with a description of the training provided. Provided that both of these
corrective actions are able to produce the training documentation upon request, these corrective
actions should correct the deficiency cited. Therefore, upon further review and assessment of
OCIO’s responses, our recommendations will remain as stated, and OCIO will have an
opportunity to proceed with the corrective actions proposed to resolve the recommendations.


14. Plan of Action and Milestones Process Was Not Adequately Managed

Plans of Action & Milestones (POA&M) are a management tool used to identify and manage
security weaknesses. These plans are designed to be used largely by: (1) the CIO, program
officials, and other appropriate agency officials to track progress of corrective actions; (2) the
OIG to perform follow-up work with the agency; and (3) OMB to assist in its oversight
responsibilities and to inform the budget process. OMB FISMA reporting requirements and
Department guidance in the Department’s POA&M Standard Operating Procedures (SOP), dated
May 2010, require that the Department’s POA&M process include the type of weakness,
responsible party for resolving the weakness, estimated funding resources required to resolve the
weakness, scheduled completion date, key milestones with completion dates, milestone changes,
source of the weakness, and status.


Based on our tests of the POA&M process and procedures, we identified the following issues
that indicate that the POA&M process was not adequately managed:

     • OCIO did not maintain an accurate inventory of the number of security control
       weaknesses identified from the monthly vulnerability scans, the number of previously
       reported security control weaknesses resolved in the period, and the number of actual or
       proposed remedial actions that management is currently working to resolve.

     • Although OCIO provides reports to Department management on the POA&M status of
       weaknesses identified during audits and reviews of A-123, Chief Financial Officer
       Financial Statement Audits, OCIO did not provide management with all security
       weaknesses from its dashboard, specifically, contingency planning, annual assessment,
       certification and accreditation, and vulnerability scan findings.

     • OCIO did not monitor all security weaknesses in the POA&M reports and audit
       dashboard. Currently, OCIO only records and monitors security control risks identified
       by the OIG.

     • Security weaknesses identified during monthly network vulnerability scans were not
       reported in the POA&M OVMS database. OCIO Information Assurance team receives
       these monthly vulnerability scans from Perot Systems and then analyzes them before
       inputting the weaknesses into the POA&M OVMS database.

OCIO’s POA&M program is not compliant with OMB Circular A-130 Appendices III and IV. For
the POA&Ms we reviewed, OCIO and program offices did not identify the security
resources (i.e., tools and personnel/contractor hours) needed to remediate the security
weaknesses or report those resources in the POA&Ms and on the OMB Exhibit 53 (Agency IT
Investment Portfolio) and 300 exhibits (Capital Asset Plans and Business Cases).

The Department’s POA&M SOP states that all findings or security weaknesses (including
those identified as a significant deficiency or material weakness) must be included in and
tracked on the POA&Ms. The SOP defines security system weaknesses as those resulting from:

       • OIG Audits
       • Risk Assessments
       • Security Tests and Evaluations
       • Penetration Tests
       • Vulnerability Scans, and
       • Government Accountability Office (GAO) Audits

Based on discussions with OCIO officials and review of documentation, we determined that scan
results must go through a two-stage manual process before being entered into OVMS. OCIO
personnel stated that the OVMS manual updates are behind schedule. Additionally, OCIO has
not established a quarterly reporting deadline for the contractor to update the POA&M
population. Further, OCIO stated that the system owners are responsible for updating the
POA&Ms based on updated systems’ security plans and re-accreditation of a system. However,
OCIO has not updated the POA&M standard operating procedures to provide guidance for
linking resources needed to complete remediation to the OMB Exhibit 53 and Exhibit 300.

Without the proper review and maintenance of POA&M activities, Department management may
not be aware of the security control weaknesses and the severity of weaknesses within various
systems and the potential or actual impact of such weaknesses on other systems. Additionally,
without adequate monitoring, management may be unaware of the status of corrective action and
may not be able to assess and prioritize the resources needed to implement corrective actions.
Further, OCIO lacks procedures to identify the resource requirements necessary to implement
corrective action, which increases the risk that insufficient resources will be made available to
resolve the security control weakness in a timely manner.

RECOMMENDATIONS:

We recommend OCIO:

    14.1 Develop procedures to ensure that the POA&M program is maintained so that it always
         reflects the current status of open and closed POA&Ms.

    14.2 Develop procedures to monitor the remediation of all actions within the POA&M
         population.

    14.3 Develop procedures to estimate and record the resource requirements for implementing
         proposed corrective action in accordance with OMB Exhibits 53 and 300.

    14.4 Develop an automated process to identify, track, maintain, and report security
         weaknesses resulting from the monthly vulnerability scans.

Management Response

OCIO concurred with Recommendations 14.1 through 14.4.
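
One way the automated tracking called for in Recommendation 14.4 could work, as an added example that is not code from the report or the Department: it checks POA&M entries for the fields the SOP requires and reconciles one month's scan findings against the register. The record layout, key names, identifiers and sample data are constructed assumptions; the report does not describe the OVMS schema.

```python
from datetime import date

# POA&M fields the Department's SOP requires, per the finding above. The key
# names are assumptions for this example; "milestone changes" is left out of
# the check because an entry with no changes is legitimately empty.
REQUIRED_FIELDS = (
    "weakness_type", "responsible_party", "estimated_funding",
    "scheduled_completion", "milestones", "source", "status",
)
# Weakness sources the SOP says must be tracked on POA&Ms.
SOP_SOURCES = {
    "OIG Audit", "Risk Assessment", "Security Test and Evaluation",
    "Penetration Test", "Vulnerability Scan", "GAO Audit",
}


def missing_fields(entry):
    """Return the required fields that are absent or empty in one entry."""
    gaps = [f for f in REQUIRED_FIELDS if entry.get(f) in (None, "", [])]
    if entry.get("source") and entry["source"] not in SOP_SOURCES:
        gaps.append("source (not an SOP source)")
    return gaps


def reconcile(scan_findings, poam_entries, period_start, today):
    """Compare one month's scan findings with the POA&M register."""
    tracked = {e["finding_id"] for e in poam_entries if e.get("finding_id")}
    scan_ids = {f["finding_id"] for f in scan_findings}
    report = {
        # Scan weaknesses that never reached the POA&M register.
        "untracked": sorted(scan_ids - tracked),
        # Entries lacking SOP-required fields, keyed by POA&M id.
        "incomplete": {},
        # Open entries past their scheduled completion date.
        "overdue": [],
        # Open scan-sourced entries whose finding is absent from the latest
        # scan: candidates for verification and closure.
        "verify_closure": [],
    }
    for e in poam_entries:
        gaps = missing_fields(e)
        if gaps:
            report["incomplete"][e["poam_id"]] = gaps
        if e.get("status") != "Open":
            continue
        due = e.get("scheduled_completion")
        if due and due < today:
            report["overdue"].append(e["poam_id"])
        if (e.get("source") == "Vulnerability Scan"
                and e.get("finding_id") not in scan_ids):
            report["verify_closure"].append(e["poam_id"])
    # The three counts the audit found were not accurately inventoried.
    report["inventory"] = {
        "identified_this_scan": len(scan_ids),
        "resolved_in_period": sum(
            1 for e in poam_entries
            if e.get("status") == "Closed" and e.get("closed_on")
            and period_start <= e["closed_on"] <= today),
        "remediation_in_progress": sum(
            1 for e in poam_entries if e.get("status") == "Open"),
    }
    return report


# Constructed sample data: host names, ids, amounts and dates are made up.
SCAN = [
    {"finding_id": "SCAN-0001", "host": "srv-a.example", "title": "Missing OS patch"},
    {"finding_id": "SCAN-0002", "host": "srv-b.example", "title": "Weak TLS configuration"},
    {"finding_id": "SCAN-0003", "host": "rtr-c.example", "title": "Default SNMP community"},
]
POAM = [
    {"poam_id": "P-100", "finding_id": "SCAN-0001", "weakness_type": "Patch management",
     "responsible_party": "ISSO", "estimated_funding": 0,
     "scheduled_completion": date(2011, 3, 15), "milestones": ["Apply patch"],
     "source": "Vulnerability Scan", "status": "Open"},
    {"poam_id": "P-101", "finding_id": "SCAN-0002", "weakness_type": "Configuration",
     "responsible_party": "", "estimated_funding": None,
     "scheduled_completion": date(2011, 6, 30), "milestones": [],
     "source": "Vulnerability Scan", "status": "Open"},
    {"poam_id": "P-102", "finding_id": "SCAN-0900", "weakness_type": "Configuration",
     "responsible_party": "System owner", "estimated_funding": 4000,
     "scheduled_completion": date(2011, 5, 31), "milestones": ["Harden service"],
     "source": "Vulnerability Scan", "status": "Open"},
    {"poam_id": "P-103", "finding_id": "OIG-0007", "weakness_type": "Access control",
     "responsible_party": "CISO", "estimated_funding": 12000,
     "scheduled_completion": date(2011, 4, 1), "milestones": ["Review accounts"],
     "source": "OIG Audit", "status": "Closed", "closed_on": date(2011, 4, 10)},
]

if __name__ == "__main__":
    result = reconcile(SCAN, POAM, period_start=date(2011, 4, 1),
                       today=date(2011, 4, 30))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run monthly against the scan export, the "untracked" list is the set of scan weaknesses that would otherwise wait on the manual entry process described in this finding.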




Appendix A: Objectives, Scope, and Methodology
To fulfill the OIG responsibilities related to FISMA to conduct a comprehensive and
independent IT system security audit to determine the effectiveness of the Department’s overall
information security program and practices for the EDUCATE system, the OIG contracted with
Williams, Adley & Company LLP (Williams Adley) to conduct an independent information
security system audit of EDUCATE.

FISMA requires each Federal agency to develop, document, and implement an agency-wide
information security program to provide information security for the information systems that
support the operations and assets of the agency, including those provided or managed by another
agency, contractor, or other source. Further, FISMA requires an annual assessment of the
agency’s security program to assess the adequacy and effectiveness of these controls. FISMA
requires the agency inspector general, or an independent external auditor, to perform annual
reviews of the information security program and to report those results to the OMB.

Additionally, FISMA delegates to OMB and the NIST the responsibility to develop information
security regulations, requirements, and technical standards that all Federal agencies must
implement in their information and information security program. FISMA, as well as OMB
Circular A-130, “Management of Information Resources,” Appendix III, “Security of Federal
Automated Information Resources,” requires an agency to develop sufficient controls to ensure
that contractors providing IT services establish and maintain information and an information
security program compliant with Federal laws, regulations, and standards. OCIO has the
responsibility to ensure that the service provider for EDUCATE establishes and maintains
information and information systems security controls that are compliant with Federal laws,
regulations, and standards.

Objectives

Williams Adley conducted an independent evaluation of the effectiveness of OCIO's overall
information security program and practices for the EDUCATE system. We also evaluated the
level of compliance of information and information system security controls with Federal laws,
regulations, and standards.

The audit was conducted in accordance with Government Auditing Standards, July 2007
Revision. Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our
audit objectives. We believe that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.

We understand that the results of the detailed test work shall be incorporated into the OIG's
annual independent evaluation of the Department's information security program and practices.




Scope

The scope of the audit included:

      • The audit period of October 1, 2010 through April 30, 2011.
      • An assessment of OCIO management oversight controls of the Perot Systems
        information security program for compliance with FISMA.
      • An assessment of the Department’s and Perot Systems’ policies, procedures, and
        controls in place during the audit period against OMB Circulars A-130 “Management
        of Federal Information Resources” Appendix III “Security of Federal Automated
        Information Resources,” A-127 “Financial Management Systems,” and A-123
        “Management Accountability and Control,” Section III “Assessing and Improving
        Management Controls” and Section IV “Correcting Management Control Deficiencies”;
        and the NIST FIPS Publication Standards 199 – “Standards for Security Categorization
        of Federal Information and Information Systems,” dated February 2004, and 200 –
        “Minimum Security Requirements for Federal Information and Information Systems,”
        dated March 2006; and various NIST Special Publication (SP) Series 800 such as
        800-53 version 3 “Recommended Security Controls for Federal Information Systems and
        Organizations,” dated August 2009 and 800-53A “Guide for Assessing the Security
        Controls in Federal Information Systems,” “Building Effective Security Assessment
        Plans,” dated July 2008. Additional NIST Special Publications used in the evaluation
        included: SP 800-128 “Guide for Security Configuration Management of Information
        Systems” (Draft) dated March 2010; SP 800-63 Revision 1.0.2 “Electronic
        Authentication Guide” dated April 2006; SP 800-61, Revision 1, “Computer Security
        Incident Handling Guide,” dated March 2008; SP 800-37 “Guidelines for the Security
        Certification and Accreditation of Federal Information Technology Systems” dated
        February 2010; SP 800-30 “Risk Management Guide for Information Technology
        Systems” dated July 2002; and SP 800-18 Revision 1 “Guide for Developing Security
        Plans for Information Systems” dated February 2006.
      • An assessment of the effectiveness of the Department’s management oversight controls
        as required by OMB Circular A-130, NIST FIPS Publication 200 and FISMA.
      • A risk-based approach to selecting the key management, technical, and operational
        controls for testing from the NIST SP 800-53 control families and for testing a
        sample of key general and application controls as identified in the GAO’s Federal
        Information Systems Control Audit Manual.
      • Using a risk-based approach, we performed detailed security reviews of designated
        information systems and applications by conducting vulnerability assessments and
        limited penetration testing of EDUCATE. We tested to the levels that determined the
        adequacy of the Department’s network security controls to prevent or detect
        unauthorized activities such as hackers. We also tested to determine the adequacy of
        the controls to identify and prevent viruses and other advanced persistent threats from
        entering the network and agency hardware. Before we conducted any tests, we
        obtained agreement from OCIO and OIG of the specific network vulnerability
        assessments software tools and penetration testing techniques and the nature and
        timing of the tests. This is commonly referred to as the “rules of engagement.” We
        obtained a signed “rules of engagement” document from all parties.
      • The audit location included testing at the Department’s headquarters in Washington,
        D.C., and the Perot Systems Data Center in Plano, Texas.

For the Network General Support System and for systems and applications residing on the
EDUCATE network, we selected a representative sample of the EDUCATE subsystems:
EDNIS, EDMASS, EDSOC, CAMS, EDCAPS.

The audit program covered at a minimum the following NIST management, operational, and
technical controls.

Management Controls

   1. NIST SP 800-37 Revision 1 “Guide For Applying The Risk Management Framework To
      Federal Information Systems” (documentation, process review, requirements, and re-
      certifications)

   2. Risk Assessment (periodic reviews, categories, and magnitude of harm)

Operational Controls

   1. Security Awareness and Training (rules of behavior, annual training, and specialized
      training)

   2. Configuration Management (life cycle methodology, documented policy, access
      restrictions, current inventory, and proper configuration plan)

   3. Contingency Planning (properly documented contingency plan, testing the plan, assigned
      individuals, and alternate processing site)

   4. Incident Response and Handling (interconnection agreements, user support, annual
      training, and capability tests)

   5. Media Protection (labeling, storing, physical security controls, protection, only
      authorized access, approvals)

   6. Physical and Environmental Protection (protection commensurate with risk, fire
      suppression, fences, granting physical access, monitoring, and review of visitor logs)

   7. Personnel Security (least privilege, individual accountability, and background screenings)




Technical Controls

   1. Access Controls (least privilege, user roles, segregation of duties, termination of
      accounts, password conformity, and appropriate agreements)

   2. Audit and Accountability (virus protection, integrity and validation controls,
      authenticated passwords, and logical access controls)

   3. Personally Identifiable Information (safeguarded, and need to know)

Network Vulnerability and Penetration Testing

   1. Using a risk-based approach, we performed detailed security reviews of designated
      information systems and applications by conducting vulnerability assessments and
      limited penetration testing.

   2. We tested to the levels that determined the effectiveness of the Perot Systems controls to
      protect and secure Department data and to prevent potential advanced and persistent
      threats to the Department’s network architecture.




Appendix B: Office of Chief Information Officer Comments




                                                                              SEP 8 1011

       TO;                  ( Jnu::~!> E. Cv.;. Jr.
                             '11i£~c;•c1 llu~-.:u>:· G\1.r:t11l
                            b!OJJIULit>Jt Tt ..tn:vktli>Y ;\u.t:l:; ani C•1 mp•a .~:r C: '"ines Jr. ·:~-tlli~ ti ::n '
                                                                  :""...ifi
       ?ROM:                Da~ m'' :\ . ll:ur.e., l'h.l>.
                                   .                         .;
                                                               y "•'·~·I: •..___
                                                                            •

       $G l\J.t::l' f :     l 'rLt .•\u.:ti~ !Wp:>:l
                            T:o!uo:::•i<:<~n ~:1:-nll!roll lrrit:,: kw( ,,,\mnn:if~rj.:·M, AJ·pliutioue. Me J<>.i.IJ)I) ••,;,.:t
                            Eu...ii~.b:•~uuEDt;C;..TE;';. fn.Um.:l!lit ,n ::io.o.:Uf!.r AuJi.
                            CnmV~I     f'hl\'l!)::r ~\I)J..n.~/.'\ I : Lfo(ill

       T.)ad ~'(/.l ru. lltV•,lJP·*Ih!.Ui'.;-· tv ....mn:I~Ut '.11111~: Ji:J1 O .i.·~:\' vt' lo1}:~l·.:r Gl.u::la!'ll ·~0!0)
       rr.'J"', rt, £;.lt'lo.; ;+til".1 DtP."Ili:J:¢ru t:1:E~· :lot("MllOI;J6:-.·(ti;,u;.. ;\')J~li~ilti~n,, <~:Jt T~du•'l>::ro­
       ~~~·iM-t«<t ~W.lUi..:.'• I!.!) .Wm:MJ.ivn                  St::a.nty /,ad ·.l <.:'<miNI Num~r l:.U ·t 'l(i:;\ 11L(•) L•I.
       Y«~r t N.t: $:.14it t~~,.,u pr.~\'id('-$ Lu~.< :.rtt~ 11:.·~ ::ff(('ti\·~;(>f :b~ !Jlfou~lldcn: sy&.¢JU~U«\!..irf
       ~untmi>. in rlu.:t !I>·~~~ lhe ROIJC:'.~ t:l'l':' r.::nr.-u:r l,$.11.1 m:~mat<-1~· iJ<:nl i!i~: :;t:'IC".Il ~: nl'
       0:¢:1cc1 ir.:ptt~'ittl:C.U. 1k Of~ ,.f~ Chicftnrou::.t~tic•n (lf~l (OCfO) 'iu~~~~l;: \lppt«-~
       ! lt<'l;:ll trm irot~ J:n>Y»k<l ' 'I 1h·<, l!rfi'UI.md k1•b hn•.•:l"\1 1<1 ~h'l'k n.:• v.i1lt )'•'•!If .:!Iii:-.. ::•
       3pt.WJ:ti:dvl; :dW~:<: til; ~~~v1 :11 um.W.i·J1 Jil. Hv·"'\}'1'-'. il i.t alS'.l if!l~~ll.!ll>! h :I:OI¢ ltml !I:.OJ~' C>f
       lh..-::d:,;lllnli••..- ~r·l•ltmnl il~uJ:.h: f'I!'C.'e >:: itr llfW:cfiiC'"II.i il-or!ru•~•tc\J ..u.·ir t II.< ::tlUI:W ::fll w
       lniJiJ \ICil!OIISii~.te S~1:ifl~:.1:: il;;)j).'·)\~ltl~l:! .lllb~ ~nfOIII).'Ifk~l $fll¢!1:. 90¢U,'il"/\Oii:r(·IS r\"PI' n' n~
       1<1 lh.: !o,J)I :<'!.. J'h ~TI ~'h'nnll:fl.

       0('10 \._\ II n$:trc$S~~:h tbi inl.:'l0: row'>mm:r.d:oriron,. .~tir-.11.~ ·n                               :h~ pl.t.1 ?1<.1\·i(,h: l.!. :.n:l ~
       llgt"*1'.1())C.l•y yt<n .,:'f•~~.




       "ri:ll' n llw. iQ/11:1.1::~   ·•f
                                    .t e ::r,Jil l'l:'f!"'~ CX: IO h ri•nnutinn ,, ,mtun~t ~~·. i~t:: (1:\S) IIUJ
       d.......,d.~~d '::a~[I:C ~~,ft~.w:.ti.:>n$Ui<'.~l il,;s ful ~\le:. <.·~<t~a:i.)S ~}'~~m $.A(l ("'..liC.-ptiie·wi(¢
       :1rFii( :lrirm:: in IN: i1l>l.1f::\' '1: ,...,.,.inv11',1~r,l    l::1~t.<~d   <1n Ill.:   lle~rlm~11 <: f i N.IC:rl:~ S~curity
       Toolu:.ie\ll 1ftl~·kLnl.lll.li1i.oo.:a Glti<'.;;lil:..:ll •.H:~,. AJ: ci)~¢S ill;; ::aaa-;le :'-·1M$)''$~!.;, ch.:c1o
       !'Y.llnl)' p.,:c!Y.-,. ,m.!:~,r ';.u~ Jho~s. Li~ b:Mli:w .;..o~lil:':lliW.iuru d<.d l t.,:.U?e,a-:.::.:1. spxifl¢
       r.ol';lfi !:J1'1'"1'V'l ~ine.c ctmtil'ne:l,;,nd o:"r lij!.lr.trirm it!!nl\ lr.l.:·~::::, veri l~tll lln:l '.'tporrt.:C.

       Gn ,•,~;;:un2G. 20l l. :he D¢f!ll11UCil'!' ' r.l:.id b:(lrfU<\rj('l.l ~et:-l•ri:y OJik.(':.·{C:SOi i $'>111~<1 ; 1
       mtmC·Rnolw:n !u lkl. S~·:.tea1:: i l~.>na~Uy b~·..,:n S!· "l'tre.: ~y:ltr::'lf:'') Joi'e:m:<tt~3.l ~Ju~:(\~~·
       CJj ~lr.it;.· ).h;l!l~r rtqtil'~ r:,,. fill !Jt)'<Vl01Uif f c-,•iro: ):: ..-...r..ti!;llt\'(1 '(} fh:- n:!~·/ y
       t>.ahti::h<\.1 ha*'l in.: ::.:.l ir~ :u·d !lt:1·'t:Jk ~ lly .:'1ed~ b• l!f<·IJT<= ~••mp'i::.u~~.
                                              ..:::; 11.-..:: 1 ;.~,, .•~r.;; •:: , ·.-::.s•l:in :f.. >:..!:X.!
                                                                      ....,,'IJ,'.O#I ·

          llo:   ~.w:-.u;M t;: IJ::.,h·•', ,. .~,.~ .< ~l': n.~t:-)l; o~.:(l o~. ..,.. . :. ul "'I•' ,u ,, .,, 1Jmo. ~ ,..,. .•, ~•~»"
                                           r?.t~(Jll :..:.t:-)to"'••...,. Nln: ,. " "'    ""'1":
                                                                                            "':'" I '" '..,




                                                                                                                                                         37
OJC R.tNWflltls<lacklfl l.1 "'~·lse dll:' SLJ.. :u tt<_U:It :>: 11 SySictl:S :<.· taJ.:ea~PJ ':fti..ue liJl:.:ly
mrrr•·ti\·~: adf'lr1I() f\"o<(ll\•e lll'IWrltl( ~tf.t:: ('Qrt:i~rvti on .,, tlr('m;iliti(\t; N ju:;lif;· rnt
!Utplo: :tt~:llit~ ~u,r~;;.~!o;J ;;,o,r.:o:.iv;; ;,.;b1::11:~ J:uTttil (;{;li) II• a.~w.~:> lho: p:~l~uti:sl ;;((.;.;\ ;;.( l!t;;
\'IJIOO<it;ili~:,· \'t;NtiS Ill¢ (:0;{~-ll ~~>ci:;.u:(, ',\jth impku:c:Uill~ lb:; Sllj!l!~;.t:;d 1:0JT~Ih'¢ uni~'ll -


'\hn,scrnt;nt R t!{I'Oll$(': ( 1(.((1 Q..~l~\:U W.tb t.h:~ :~:~i.~t>~.nd:'ll'iOJL OClO 'Nill ~t1tr itto
 11::o:ttildi,,,~. wi!h J).;l. :-iysk:no J> ~o:•+n: X~:·d~ I <.t~u :•. ~-:n~n l (SI.t\j " SI'-'i, ih tapn!4'
 v~,~ro~ritt-:li~:>; >hr~cU\\'nt Scr::~" t~ iuclud~ J.'~~:n'.t.:•tt s~:u:da~(~ ttl tt:l$\llt -.'>)llfi;:.u.;oll:~o
-...~tln<'t!lbili•.i~:; :dunli J:rd.d:~r".ns m<'n!l-.1~· :r::nu •·~ r<;!n•o:da~d "1th1r: Lte -:im~ p:ri<•d t!.t:sblis:1:::.
 in ibt T.l~f\'~Tllnt":u·~ V<tht"r.t)il:~· :t;1f Pi!t<'JI :-otw~m<'ut O·.tidm:.ct. t)(:(l) (A.'S; 'A'ill stthlt.r t:.)~
 J.'fVJ.V~-.\1 SLA t t·•·i:~io.J~:, :v tlto.' EDCCA'TE tvntt:t;;tir.l(. ()(:':("' lk;tn:-l':t:ta~.i•:;; (a)'It) b:·
 l)«tm',er l. ~Iii· .

UH: R«-••mmfrHbttil11'1 I :1 '' R.e·,i ~ lhll :0:1 :\ 111 "~JIIil\' n r:l 'r.:wm~ l~o u"'"' ~<'l(rio lt!!' .::!:1rn'nH
,..,,:lwatt: :;u:lt "-'> S'fl(t a\ll::u~!t:J ~~:,ob Juto:.tc> ;;t.•lllpli.:.lll "'ill: N"w.i<m:tl h :sti\111~ vi l'i'.;mJanJ.,
t~t.:l T~:b.wlot}' (N!ST) H ~·:U-l2S <'rerl to i·J(tlti:"f :WJlify -.·ulJ~~tnNU1ics ·,·,i.1b t OIIfi@,m:ttiCJI'.
•i<:llin~:; flY.' d il!nl:: wm "<~:'IV«'.<, d;: t:•l\ •·~. •~ not r.~IW!'d: 1nlh<'lt.<:lur~ oir \iO:to:< (liiY.'o'l:tll•;, rr>n l!l>;.,
:11:J ~··:(tclto.'lij l'I!{'J:O.•ttin~ £(Jl)CA IT.''

Ut'IU )UA~b tbaet)l.i•IM llli)' fl:(IJQUett:llobo( iut~ Itt: Ol:vd!'.l' ~Jttl i.;.np.tmeOI p.oiJtl·:~ ~Jtd
prt w:h;res wticb mp;irt; tbt tt$CVf:. $('(:.ni1y CCint~r.: At'1Qln;ttiC~n PrC':~"Wl ($(':...,~. ;o...~IT:,Ii:.l'ol
1::..•! b• iJ~nt· !';, ~~~ur1 l;-· 't.!n:t:~btl iti,.,~ ,.,j!l-: ;;mtr.g.u•ah•>n M:Uit.;s ·., itlt.itotl~o:- vp:t:~li•~ a;.~l,;m~
fot cUtUf$ aoJ ~C!.''¢1'$, <lnt--:it<:':', -.;Ad lloCl'A.' t:i-: i.r..fr;.jU'ltCf\:.1'¢ ievi:::o; (·ir~w.ll'.-, nmt~.-., :11:d
lt.,..',ldtr!>)   <7Jpp~rtir~   J.: l)L <..:A'I U.

lh.tii,IUIII': l'it;; Do:p:~•t.:• •:n1 il' ,...,, :Ctk t:lll} l :.'lfu:Jut ~ 1.:. c.:.n:al)h' with Dcl¢ns: l:afwn.:;;tki'l
8~'$1tl:.lS i\~<'001'' ~(ll':'.".~· STIG;;. I ll')we\'l'f': thr UllH X'l l(i~ ::rt: :1 :Jx:..J to ~c>•mur:g. Cr- l:v.di n.:
::ntlth:! : )tr~-':Mi:-:'11 ill C.tl\j: byi fl~ d:ct~: !'l!I'.O.' dl aSc NlS'T a'J I·: tr.tl:cd S( AP ¢;)!Jt)llilllW\: t~:o!;.: ,:,;
\':'lti<\"'lte v.:mti;w'<ll'~11~ .

Ali<~, :'ill~ <ll!.d tl'.c (~d ~t!ll ~·~~~J'~neltl !'l l't m~-.·bg ,., .)',ll~lll>~ :o:oi SC.\1-' .-~o:npli:!o:::: llto tl.< ft>
.-c;n!'notll'.l<;!y m:'Tii lur ltl:l:'lli l~· HI: ttO:."';:b: I; ti;;~ ::mJ ,;o,or.fi~;-lln'Ai"n"

Mtmuacnt,lll Ke.rwult~: OCIO ~<\IUO:.'I&:~ ··~i!IJ tlta ~'\!Utit:O.~;I\:~IJ''"· U:U :!}'SIC.:liS C',tU~ot.j'
OOI),ilt."'T$ l.' (';lll.'ll 1'CIIl'tfl iq~ ll$iOIJ r o)ltn :l $1M!t' <o:mlroin;!. .-.:1< .'1'11\i Fo:Te~:' f) ~~\1::11 C:\'tn:
('(:nlit•ln.ti~•" ir ;x:q :-~I:Uu:o.:~> . A:!Ji tlt•:•~ll: Ll•:: U.S. D:p.\.11!~.;-:ot :>f &k~!lUCU1's C•>tUI1l1W
Llc:Jcul R¢~ )~.)~ (:).)nbili-:: (3DC1R<':• b::ts pur:l-~t O and i!; i·TIJ'Ih:l'lltntios -L'<t:'l:·lr.'P-\':t fvr
nd','"'ll: $i::lnmn! .

To· a:IJn:lt< .!.Uklnta.!;;J c.or.thu~o~U:'I M..uit..::ri·~ (C.M)         t•fY.ILIIX~:;jJ:t:~$ ;u:oj oouti~~::.1tiC\lS, (:(:lr.;.
l'\S j$ .;l<:t>l•>Y;~ 1h~ Ro.i~cxJ I'Jintl;!¢'.i~l!'ni<'~r 11'1~•1, t::;i n~ t:tnli!7•r:uio'oll : i !~)( (o•m IH I.!CAT I':
;m,J l'tl:.:7.d ~!IJtl.;'ll /uJ' ::II SA't \'irlu~IIJa..:t C~r•wr (\.'lJC; . 'TI:ilt l·.:vl .,.. j:l \;e -uti:izo.>J ,,.
5!<'!m:.fl: tm iomiii.\it. n~lW~·r~ m~ 1~111 :6~·'·'1 u..:..:<t<s PJ; .b ~ tbr;;ui(IIL•I!l ll!" n~!w;;r\.. ~u:.:l: ;:;r.~b
i:ll!:d<•ll bao.:.~:.jU:tk t..:l..,vtt (~:!t.i&.:tlllivn. auJ •:du~t:lbililf ~<".':I';'Ckdo... As 11lt 1\oJS~ Pf''J:-..'1
¢'.'(11\'~S. il will ~l\e ~ne~ftb~ ca~i~~~s<>:f6~ ('Qot.I\U(rlt<; !o:1olrit;K'in;: l''\1l!"'~rl (C\11')




                                                                                                                                          38
Un.>'J I/Jl tr:.cl:ir.s ..-. nJ a~pr.Vt.:t~ ~btiiiJ~' rQ tb~ R¢to>.' ()"·, Oc:~ict:l; ::e~ i19•o:..l (.(: ~ ~~J·,t~ Jl«\\'l:ltk
i:teJtii~· <:>~·fd,tltllllti~'" wl \1l'mhili li:!~ :mJ .::.~uri l14'(.;," ;1pl..:.1~' 10 tl:t;:clu\C t -Oeltr)}'
;:r.n :i.~IJI'.ll'u~s . Red.~! ·.~ill t.~ i.tU~· 6~p:·~}'~d \1).• :111Y!l~(}' I 5, 7(117.




{)J( ~ Ut~IU'IUI'Itl'nlati\1(11,1 l kNIVJ~ -:.I:J :.oj!·l~llirnt r-olic:.¢S<md J)l;;<(':bno:; I.<! l'tal l~· al:tvu:'ll               t':t
s::t·A'ti'C ~·Itll\'lwt~T<: ir.:;l al)~~ 1.'•11X11ri:I.N .1) Ill:' Ll-'>~1.'. ::.'ft ti:C bllUCAT£ O~t\11(1(\:

4.X:IO ~~~uu dumgbtg ibi~ Mlll.!nm~:tlllu.tiJ•n u•: l>....d.,J~ 4tu.l illiple!'l;Cftt J)):ie:~~and
prrud• rr~.· ... :i: b)< .t::::t•ll:tl f:•r ,.;t[(·...t., . 1)1 l i<~.rd>-:41 ~ :ll.stt.ll'.i .:-ll tM: (.D\...(;:\'1 r r ~lw:·i, ,


~ti~1uJ~:         Tb D:r~nrn<nt' ~: E.:no:rpn:~ ;\rC!t:\oX.t(\1•: ltt ~·ic.w Bo31\i (E.o\BP.J rr:·.int:•'n ~ un P.n.J
IJ::: 1 (.'a.t~h..&of Wfl wa~'C , 00 llaJ.'d'AlJ¢ rMt $1\" J<'trn ir.~-J I<! ·~t iM111l1:d 1-.n th; !·:l)!.:(;..o.'r£
nt::vo--ork. This p;~c«<u~ i<. u p·t!T(:>;I in the Ot[WI'I•;nl' • 1'.-:•t..·tj lt:, . At·;l-:tu..'1Ut·~ P.c'\'i¢'.o; Do11t'C
( luiJar.:...

M A"lli~m~lll Hti~t~ 1)(:((1 ~l~l.'t.; ,_.: th fbi<. f:::~:·<Tom::uchll i"" · OCIO h~,; in:;:...:tu,.ctet.
fi'Y:oCcd :ln:~ l·'l :lt:J(lo:!WU !:~., .;II :;:, r.....'.Jf.: w-d hw\1.,.'-'!<' 1.111 tiA< b.U VL'.'\T£ ll~f\'IOik ( )¢1) $p: ::n'i
r.~rfl.•u :t~ m~tWtl}' ;-u·J•:I of ;:L( !c\':~~ ~) tl\en(':'o\'Ol1; an..1 c-r.t'aJ'I:tn-ll it .1~: ir...t lh~ t::xtli ¥,u:<tl.i: :t
Mtn:z ~mrs'lt D11 t:11\,_~, tC\IUit) l(tr •Ji .....-.:.z:lln::i~ . 1 };\·i~..:.. d1ill tne n~l l~t~6. in tt.e CM:>I.l nr~
::l!>l'lllfl d ;s- :v\>w.;. ((V!l,Ut:· Jt: ,.i..:~~ fJ¢ ~bjW. l~ S~~Jitr IJic:Mlll~ {~I.A I'll' I, "b\'WI.' ;r.~k.CIIt
N\lti fi~nf<::l'; 1\"11~''1)1\i! :mo.l i~l:.li;»t J\ :o u ''"' t.d...::x-::. (SL:\ St'·2. '"IJ~t..-d~r.t ('oo1~ir.ttte:ll.'";•.
0::10 Itt imual!vn T~o;.;11 do~y SC:\'~! ·~H !S.:· w ;J: (I(IC11otel'lf lhe prt't'~tbno~: f••llt••w•l kt n.':>~>l \...:
IC)XI~ti.l& '/1l'h'llt~;. $\J(b $$ •.wcltt~rliJ:I'•i ol)"ff.: li nz ,;;-~k tr:- ~·otJ t.m :<.n•t".'l t b,o$. lt3J)I(.$ by
h!hrll:l ~y •• 21:.12. ;\ J ;hti,tn:dl;, ()('(() [.'\..<; 1.:.> ht~W.l ('O~I:OXIiu~ ;'lr.;.il)'$i$1!.l '; il" 1nt tW(lrf:
u.:t:.:li:-..X:ol.roltl'A(} soft·,\U¢ wh:.¢h is ;;chedul«< t ;) be- fu.11." :mpltOMtt..' J ~· tl'.c ~r.d of 'P'~i':~l
Y::.r •Y'(I 2·::l ~.
011';   lbt:ttmm ~tnd:ui•tn 2.2 lt...·•.-i:~~..· tlt: SlA t~(ll:.t~t:l('tr5 to          !C\Wi::e ~11 Sy<.·..:m:: 1~:       imrl~ll.nl
pt<.-..».llW~ 10 ('fll\1' or: it;; remcnsi )ilh~· ft" ~:ruurhg INt ~:nly a.~l lt•••i ~.'.i ·,k;··i~<.l..: 1-~tllbo,.'>.l
t1• N io• .:•1 1~:11 •:n :t.c r.ct..-;r.:l: and t:) •;erifr t.h(' nwt.tu'¢f;J.-,·ic("_: ·;emittJ:J loll lh ~            !·:OI:c.-•:n:
1'1('1".'•\'o'l'l: ,'\r :r. rhr:rin tl Td iuhl.: a :co>unll!hil:t}' •>l'btd...,.att .


M:'lnn,;~•n~:nt N~r nn~e: t )( ; l() U!t.tll~.< \~i !h Ihi: :..V.!UUI.o.,t;l..·.:llk·Jt ocro                  will ~.n:Cl :n~c·
n.;-e-;.;:tia\i,ll::t ·~·i :h (.Nil Sflllwl$ u .. l ¢~'i$~ SL.'o,.~P-t. EJit¢1~,-:se J::.u! '-.:~: l ).:~):::l' Se;;lJ'Il.1
Vcasior.'', ro im1-•lco:em metrks I(> <t~li>Yf~ llodl !-.;,liWtr.!..;..mie-$ 0\!.t ·J:cir MpMSi'~i lity                     :c.-
\·~.r:ti •~s lha:. vu l~ lluth~tiJAAJ d~<-·im h '¢ J.'(:!J'cidcd :~· te io!:ll!l«l " r.t\!: nr.t•.\,,1: 11t:d 1:> •,t: ~i .'~
1ll(' IYIIOilxl cf ti¢1.--:C('S l'~lnl:tt~d (m !I'to. r-.m'f::\ T~ r.c;t·,•:: ~\ •.II 1:} ::itllsirt a ,._·l.ai.Jie f.o.'\.Xn\f.titlf: tf
h:•·•.h:u1.· . OC!O !.-\:- ••,ill ll~t'::w:t ~~ ~ ~•»::l~t..l SLA 1.:-visiWIS t¢ tb~ :.IDt'C:\1'1:: C(lR 1:~·
L'OO.:ti!bt'~   J. 2H J.
O l(, f<t~..omm Mu!ntl~fl :L~ R1~o111 in: TJilll S;;~:!t:'ll ,; u• ''-'~•·h-~ II ~ llt\ldil;· t o:,:om!.Jl~ ··~i&tt~$,
Mn:h :;,    urtk'.t.:tr:tit:o,.\1 ''f-..·tati••t£ ~>'.s.eu.s !Ill~ \J!lb.)C•\~U b)~ nrme •,>:il.h.:n; \\"'Orkill:; d ;t::-.




\h,J!:.I)!('IIltUf Rt,piJ.tu~;       ocro
                                    COJICJ~ \\i th ·hi:: n:n•mml:t,(l:t•.i,m lt£.d Uri.e ~..:-ti~o bnt l:cco
cc.r.lpl~ o.x :10 I;\~ h.:d .:11 ind•:p:n J·"ut :r.-~:;: $:in..-;•t ('f()c EDl'CATr: M'.~·.x,r:;. (.i:\ L>iS{'()\'~c}'
l"':tjo."n ;e:rfl)tll'~d. <l'Jri.n; PYl l \•::»ch J\,:.il tlltll iu a I'U:I N pvlt.,:>f 1cvk~; with tu~tr:'!rrli n~·l
Or.:•n; ti'~'1 : S~'l't::ns (O!':• w•t:. ht~l• ~m..."£. Optu :im:<i<l F'1~t6'> A?rl~c:tli•·ll~ Su:t~.. ~~) I'ASl. I~
U~a Sy:O:I:IS· J.'«lj)fic(:'lt}' ;•m.ion.QfJh.n!!!ly Tkb< ~Y...I.l:l!l. Lid .-;!$ h~V¢ J:.o~n Qp~r.(d ·o ;.tloin:•;~
100:t tiOOi.n;}S- ·'dtlitl:'..n:t ly. lh;: C IS() lt:r~ i.li~U(..:) 3. tl:.~ll~~.n(lt:;n dirt!t:b ;; lr.ll Sy:.t~ms 1->
~·•h<t: tht :lt~tnbl~· N p.ttling •.:ujou.,~~. w eb ll$1,)11<h:~rmind ::pt!3:~ ~"'1.'\'11H T1oi •:nl:nfi'.\Tl
I•C>~ .:£.100 •,o.•irJtir. th•e WNI:in~ day:..

OIG Recommendation 2.4 Require Dell Systems to terminate the network connections and
authorizations for hardware labeled as "undetermined."

~hllllll'<'fl'l:llt R6p0hlc: tX'IO ~N\ttlf!l wjtb lt.is r::.:o'll'lllltr.d41ivn, ;.-.o.;li:'kl 00l~pltl.¢d . Tl:e
-Nparun~tt' C L~(I 'n1111 iwt:-:::1 fl rnl'ff';!nuld Jtn Ji :<>:lm~ D:ll Systt m.s to l($'ni·1:11~ 11r "t!:h 'l\111.
.:o,nnoclit "l~ 1'1>: h! f(h·,.:rl;: iJ:t:.1it1o.J liS ·'l.tr.d«¢rruir-eo:l" 1imi n~ •h.:. I,\ Di:-1\::l\'t r:'' P:vjv.~.




OIG Recommendation 3.1 Amend the SLA to establish detailed performance reporting metrics
that would disclose the number of security patch releases by vendors within the past reporting
period, the criticality of the security patch, the number of network devices affected by the
security patch, the number of devices patched, and the number of devices remaining to be
patched.

M .una!>um:o ( Rt llt)O!I)(:: OCIO C!)'II\:Ottl '•' ilh ttiliiCC('fr.t:'itt>:lt(i>'n OCl(; ·.•:ill~:r. h!r ir.lt.o
~•\•tbt it:m: ·..·1tl• 0~11 S} :;;~ms ,.., roo::..C'.<m t:X' <'i'lf. Si ..\ o:• •uan:t!!o.: •~·c potdt.i~ o:· ~·r•' ·~
·.•:i.j ~ spp:ict(i;)ll~ ~noi ol::·.i.:\'l<.

OCJO wiiJ eo,,,~ bt-~ n~~>tt!tll<)tl3 wi:l!. L~l Sy.n..::nw '" ''-"'i:'e ~1.:'. "SJ• lC s.- :u'Jt~· P.o.1tb.io~
 \'/:noJu wio~ t.:.t C1l~.btist: ~«nil.:rl p::'l'ftvrmar.._'(! n:p.u1.in;;. !'o~:W1t: tl•3t will d i~lo~ 11111 norrr h«cti
~ttt'U'it"f pm<!h.-.. re',em: ~:; l>y •·::rdo.n:: wit1t.it! il~ !_)!IS: Je)C•rttn~ pm(lot. 1k tr.ht al il;t d II X>
.•.:ntrh:r p& Lt·b, tf•t-11m:lll:-! c.l l).'t"•'i'O.tk ..ie'\·k~· .t ll~:t.:cl h)' lh;: ~;:~ut i·.~ ,.,,ttb, 11:.¢ tu ~·~er ('i
                                               •.'r
J.:dt~ !)iltc.h~f.. 3!:1.: tAt m •r.lber ::(';.,.·c.::; ,;:,·olti ll .t~ '.·~ 1:e tatd:~        oc:o ;:\S wi!l ,;-.tbt•1it Lite
rrot:.,S<"t:i ~I :\ rr.·oi::iur • , , t it.; 1-..UGCAn; COR b}· DccernJ: •: l, ~(11 1 .
 (lTC: R'-<tUIII11t llduliull 3.! ;\n:.m:l til·~ :)LA iC• bd u~ l;.n>'l.:t."< :-uth al> "t!n.: v.:uUllt:!H Ol'' "(
 iuii.-J\1:· tOO L'lsta:tci.>m ot' \'tltdor !;:o:::n-:i•t ;.:u::h~ wi lhin a:f.t.,)f fAA'i~ f:~n: ttu:• \'en:lm ro:'e1:.:.
 (~1C "' ;u c!\•klr. (1(;1() wi th ~tj u,...ifi.:a·.W.:: ((:: lto)l b~11:J:ns; 1ho: sto:.ur:t:-· plttdt. "


 M 11111al£tMtat Rup<ta.-:: Ol:lt) ('0:\tlll$ •),.•irb ;hill n:o:o'f!nntnda.i.tu. '.";to: D~pSttil:Cilt •.l: jJI ¢ ,1\¢1
 Uu:, 11t~)(i$:iol:.€ w'th n1111 ;.:;t~t..-n.. b•' ~..·i:t~ SlA "SP·S ScC'.Iri.t;• P;11.::ti"'~ \\·ir.<l•-''-"'·~"
 rer:{:n n .:tt<: :.t:.nJ~n:. t·) A'Q'.Jit¢ Odl ~::~fUi$ f(l ini •i;: 1: 1h.: i :t~ht..b..icm v( t l: lkol ~lll~'
 p!tl«lt$ w)tli::l \\ ) ..;tny !lllti:oot lhm11h.: ·te:IOO: t~lcast d:lt¢ t·~ ~-;.·.·i\te OClO v:i tl·. :l,iu.'llili~.'.ll~




:mno.•l ir~:-t:ll h:1,.; the lii.:~Jii t;-· (<:~Wk         Ot;lti I .'\~ '"'·.llllubu.l lh;; !'n>;:h-ul ~I.A 1.:• i:<iv1 ~ t1: !h•
EDt:Ct\.TJH:OR t-)· Dcc<tn'eer I, 7(111.
OlG R KttmMf:fllill lioll'l.~-~ P.rov !fr.: rw.n~~·--ttm,; I:> l(';f.•ll1 fill "lilt ly :111 I ~~~ ~~t:CIII":I }' f1lllo:'11:S
l: tti ..·t( by d.o.• ·,.;<;11::a: l'\ll. u.:: .n11Wib.t. :l•.11i11~ tl1c i>e•io.Ji. u•.J i• •:l•.1 ~·u :K'h.•luk• t\:: i:b'.3ilill~
(1(' !);tf(h.

}T•n•gt<JlU'l'lf f{tql~ll!t~ •:X:'(I) ~NitlU$ w)b tl'iSc t:~Hr.ru:t\llltion . Tb~ D(:~'11lt( :'ll' v.ill iX''i$~
ta< Vu!mu1:Hity and Puu:h Mnn";";~tr..e:n . 0 11iltrnc" 1>1 'nc h:ch: pux::::bn:,; io~r J::ll S::,.;tenm"'
~C!):kl mwal::r oo lh.; ~u:it;- vlll.d11.~ .:v.A.:i•-.'d 1:: tl~~.< .,..:uJvdJut :1u1 i~.:.iiUtd dw·:.~ I.Jtt ;:tli:d
<:<l:thl··mtl: in XI ,\ "S' '·:.i :'orx:11.,1) l';~·.:hia~ \\·1r.:lr>~\~.. 1111:! hd11ok ;1 :<o:h1:1~11l:: li" i 'll::l,t lhn~ ·It<·
Jflh::..    n~ D~~.:i1!1t:ll ClSO llll:- iasw::d ::~. n:V~r:tJu!dum 1«1_.1i 1 i1l~. IMI S~ ~~,.,:,,tu w ~t:.bl!(t f .
Ri:;~ A\.'(.'1tp.:u:.;~       i'on:• (lt.'\1•') !';;(' 1 :1i:>:,;i u~ r.c.t d ·.e .Jt!IJ i :knli.~ ~ul r1:ndoiliti~,; au a ll'>.tr:d•ly
'm i$.      lhtt~ k~Fs will             !:'¢ ~Jt,rui1(¢ J 10 l'lSO :ot IIPf\.'O'ltl Tht J>:\l(h },f;,~~umw Gvio:hn¢e
W I !I   !'.< fC'.'! •<d toy I ldt >i:l'f j 1. 1 111 1.




 OIH lhtl,l'llltnatb tic<tf ol.l lt-.'JUi r~.· Udl S;:-t>:tr,, tl.• ..:hu1 1~'i: \l.o: :i.itdl.:ll ~·•1ti t\'llt•: :1uJ !Ji·.
.;w:,:t;tio" f<l~ r-:ro1>:t. s:n~ts 1.) tOO rtcOJUI::l mJe.:'l $tr.ln;!:. tl}l\t ; ,r e o;r(;( i fi~( il'l Nlsr !<(JI).~ "!
r.:m :,.
Mll tUIJCm<tnt RNIM!J!l!C~ OCIO O,:(or.:..w.; wi.l: t:li.~ n:\XOI:I :!!I:Uil.~!:l: ll. (X[                   s_,•:::~:uol i::t'.....:it(; ·~:'
1b~ i.o~t:.C ~.tttl i:: :'¢3ttt~itr~ b:-w:c-l-c:;t t (>JI)p:r •.\ithNI~T $P ~(>1.! · 57 . ''R~·..:;m·~n.wtn 1;..r
" <-YRtqnlrtr.,ent~ l ';t- ! J: :\f.?litali,, n-':'>f.&:O:IIio:. lh ;y ..,lt:lli:O.-'I ~ttnl OuiJ:n..v;;". Z..\(ui;.:;I:-.J~tl.: .
•.}:::1(• L·lf""·••:ll~il Tcd llt-\IL¢l!f S~t\'icc- :T:'S) wjiJ :.11.::~mit ~ plnn ~-.,, in1p!tm<:-,tl•·,!i ~ :sr S()I.J·S?
l':ut :l    i(l.lh.boto:~   by l''o!!:l tl!ll } :!IJ::!.

OUY H«ettn"'"t'Lv.tit,,. 4.Z l·..o:rc::li~o.· i !:~ ;;Cm l'l tc• ,.,,.Ill ·~:lb ht\ll S)'-st :IOS t·' aJd!~;.s dte iss.-.t~s
eikC i:. Ute W.J....T{. 1i:'v lkiii:'$ $W ill the P!XC'U t~l HJ..'1dl:.n_~ C<1n11~ro:n i:r.d Pri•:il<s,rt:. :\(.C.(•\mh
fi)'J.ncooo~~ (:.mtrol .'1um~ ::~ : KC11)::2.

M;~ n~ ~ent            Re•('nJu<: r.<:ln ut,~l lf<. •.• i f1 I hi-. 1\.'(.'l::lltr.o.·nJatio:>u. 'fl:-.· f>:t :t'.r'.IU~,-,, ~~~.:.
r;::!•:r..l S.,~.h:ul Ai:l. iFSA) b:h .:< t~td dte illta.wci~ :in~ sb~: :ltc isSlllllltt of :ltc lt:•:.,.Sii::01ih·e
l?ro.:;rnm ·'~ '·"·'"':: Rl'p::ri.;II'.'\R) 'Nt:ll: n~~~· i n 1h¢ 1'111~~!. ·:}J l l.:tnJhr~ l:::ir.r.n.•ou i~~!J
l'ri\"JC~.OO Att0\1M" ·>~!l-.;.2•)(•~!. ('c~w~: :-.h;rr."b>.'r l/. 1 ~().1(0, 1n ncquh• \"11'1 , re;h l' :ldw·.
ph•n:, ~ur:: !'Jr.li nt: an:! :.lf'llt\''t'o.~l t t>lll.:o.ln::;·. d!l' i ...\ l .ot:> d k\1 111 tJ•~: :.:f:VIl. Ot:ll' b!l~ !:tc.:l
·A'o)1kiu~ dili~tl;o ~·AP~rrou.ll I·JeNj'}-· \.'d tkt.1i.;il (PIVj \':' fd rleplo')',.C':II1::n:: h:< ;:
oktn nne:n.ell : 1 r.'lltotr:"' G'' ~'1\'11 · f::ctl'f lllllh;;dit:.;lf.::u I\or bad~ (iv • ;;111:1!-.;1 ~ f~11 ~JtU E:t•Ji._:;fii(IJl
l(rF'EI Md lt')l:r-GFE \•,hid l "''ilt OB*i1: j1:. tbe ck<;-.:Je c·f1ht fro:l ')!~~n. l<;;,fl1nlcn:1:11i.:on by lit<·
~lm¢nt Navt-ml»r 2(1; 2 d·JJ: dall'.




Dd l S ·;:<l::wll ~.;·tw!J~t-.:91l'..We S:·ts•I• 04®oh fol J<knf f:i&<: ni Rr.sohtw Y•llnrmhili'ie<
Nmk4 l mrmwcnxm

OYG RHommw<bli~tn S.t Dir.:ct D~ll S)•stcms t·) ~~~t.~ imm~:!iul~ u..:•.i•JCI t>: .;.:h.IJ:~* .t.c·
·• !!I llt'fllt.i:itict> 'Ak llli li~t.l :uiJ f<:T',!fl ..I ( )( ]() Ull
                                           !b~· :~:fltl.luh: 1\!1' i1 :1pl~1 ~if.illf, l!te.ii:'JI)." \Ji)l
at~.lo.:1.


~hii~W&I:Cd R~sp~lU!t".:                o::ro
                                           :(•JI~llr$ w:th th is 1~¢NlliU~t.Jotil)(, 11)~ l'e\'kwof
·.·ui Mr.tbi !i ~~ i.kntili.ed toy th: O:Ci '"'~ .;(:mrld.td om Ad:-· :!1'.                   :wt
                                                                                           I. Ua!'d . XI tM ftO ~.r~s
:.Jt~tifitd Ut 1b~ ~~.~.t lr r~~\;rt, 'lb~ Def'<lttlvterof •.\ill <IJ:''OIIIr>p;, timc1:1t.lt lhn:t:rq:·.:~.. tl:ll'll:lti:••i• •n
b:, 0 ::1o.rlx·1 13. 201 1.       rlto.·I.A·Jiil:.l:l~ut •.• Jl   t:llo..: i:un.o.-d.ilto.; :::t·.v.:-1 !>.~ -:l~tior. <)!) aJ icl~n:Wtd
tl:t:~~ ',.\llll~Hlbititi~.


OIG l{f)tOlllltnttld~tJolt ~.! [)L~ Ddl ~Y11'C.l\O 1C· ::•:.lma:!:: '~ ···.mr.rl :_t(\l:rmin!t ¥'•~::::1•1'1.':11>:
r ::rti:'TI'I 111'1 'AXofk IIC.ltl'fl ..':<!!'.' ' "'\ ! >H~O:l:<; { t • m:;n, if<:i! !ltnl':f .!' llt'l:~ll.JI ~ •

OClO '"-'~($('s cllan~~ tMs f'«OIJll»(lJt4 nfion '0: (l('J.:) ;.;t:o~;l(! (lhw.~ 1~ w mrlor "' «llt;:no:r.
C l"l!'lll ·~·~li ll~ fll!'~h•r-.::~1:~ p«f.:orrn ' lt l\>>lrk ~..:.rn!l t~'>.:l'f lvm \•,...;L:~ tor 111"1:: f~u.:11tl •· llll
t~:ee!tt~:".




flfaoa~CLII~t RC,JI'OUfC; n l¢ D~l.-'tu1.:at(IU ¢('A¢1,U $                   •;..i t:h 1hi~ fW:O:I'IIli:IC ~ld.lt'.n:l. !:l:   l)rpst!I:IIO:~ll
i::; :-UI.y c(lr.w,, : lu:::.l(t W'-«lini o :li::e ..,( .\t~..~~~m~c.l aid !3r1~~n(O.•,J)j}lcqu ir.mc•m fr.r
ruairrujoiu~ or.qoin~ to'"'•"l:'lle!$ o:"nton·.,:d<:'!n -w.mi ly, ,.uJn::rlll'>ilicio: .• , ani l.l1~~.::tl~ 1-:~ i'-l~•::rt
:lr',:OIIr' :f:dil'll;ti ri~·,. m;:,n~:;"ICfll do.-...:i:~ivn~. '" Jc!.:!i:::t. iu ~fo::rOO.$-.<utum M·l 1·2:i. 1be
0..-:•tl•"'~ ~~~• ti iu i.1~ !it:.nl ~t'l):.·~ ·,ft~·N~rdi.nt: 11 :n$}; c:~n'~ '"' r.-:.,uh•., C\1 ,; tl:: u:ll..,:.~;tfl hu•l
nr. d i)"'Ni,(le 0('10 lAS ;1:-:•:i.~!~no:<! ....tlh !li:l•ittt. lhat mtf!i:.."~tt lbe.dt·.~l\lp.,l:l:t .,: Ul t:roilil\'l.'tu:>:
~i1J*.::U:1;: I·) pt~\.:.d~.--l!!Oillat«< ('M vf s ll ef 6:: Tl.,"f.a'!'tmo'OI ':• nl'l'.\"rh in u.;.;.,nl.Jncl: , ,..,lh
OM~ r..f::m•r~r.do:m r>:1-10 -L; I;\· 1(•1fl, NIS r ~p~~ial habl..:aliun (SP) $((1.1':'. ilt>j :-JJST SP
&1(.. 1~':'. Til.: v~OOV1 :>dM·:-J 10 p~tf.:-tm '~ ;os~ \\ill h~ lt:lJ'(Ir~it> e lhr IW-:trntn<':'l1rtin~ .'fll
err.~rJ'rh~ "T~I II til)r Umr nl.-.!;l ·n:-:::1 :~ fit\·J:mmer.. ""<JUi:'\:nto.•ul.· a ml i11JLJ:lf'J IAA~l l<'(U;li ;;.;:.
ICL•IIIillll.I.'I.U ..\~·tl f:n •.u.rCm1. Silu£tt.t>:l A"''('l:'~lU:ll~ llt:.·J Rilk S~Niui! {Ci\ESARS~ R:t¢rc:nc~
:'o.~Ql:t«liJ;.">e:•. Tb: cw~nt lm',.::l d.,ttt l<trJtplv~ il t:t .hi:; C\t IVI: l .:. l.'h».~ml~ '!•J. :O:Ull.



n~ :Ql:.,:<Mflltr:lt'5 lr£ 4-+111 &'!J)O:'lS Pf{:N'l1m Ntsd£ll :npr.;:\'Cnl~1l to:'l l:r.~Uf4:
Titn~!-t~nd :\r.phlT!I:'.:do: l>ek~~ian. J~..,,lir,~ . "'1"1 jl.o;.s~Jl\1:~:\ of (.:llllp1!1~,1-'~~l dlv
Jo~i.;!:I:H to lr:lt~'ll3: :'ll}:i 6):(¢1JtiJ.~


oro RL'i:IIIIUI$('tUiatluu G.t Ddl 5}'!1t~:ll3 1C· ~>mt!:.: Wi.lb w £DI.:C,".l'U SJ...". l:?r l~<nl•:int
WZ.:I<"JtJ whl:.ill lht Sl ..,\        ~r~·::iti:-:o' lin..&.:~ .

'\-f11na~rnrnl Re~~pon<t!               OCIO O:•'llo.".u-,: •,t;l!b lhi:; ~O:•••romom:lhli mr. (JC IO I ;\~ lioo:. !Ji ~ ;J :1'"W
c:.i...t :-:!'Cylx-• Opo::•:,,l;~~~~ wlw ~r~•!!&~~a11d crtCJl«$1he EDC£RC.Md th~ lr.citien; J\t$p'na~




r,-....          oon•A'~•w~                      "'-¥ .-a-o .t..,.OKOO '>,....,;.• •::"r""-V'f'~·'le
3t..A -ka;l....:b·.di:).'Jti "O(':tib&lt~;~nrn,.r:K I' , • ..,.d, l• t:..,._., .. ')Ao..ll •
~rul 'ftr~....,,~" k:r..:: i::t!'l ~O:fo...li. • ""' lr.nr-4 ,.,.J•;o.tro.t t:Ao~_ti,Jt.~~..._ OCIOlAS <:\1~"11
e«tl~ :11~·~ b l.lu1 ~II.

01(, :R<OI"tml'Mnl~tfi.., ,,t ne'l ~}'\.,rl'ftll ID1m'11CII" ;:r! m."t<1!1MUliUI ,o;•~~to ~ 11.'1.1 fl ll_.,.
11 ,~~~" l"rJtir~• a Al.lv•..:a• JW,;Mt-l..e:oilka R~.l.: ut ~\.~lN. 1tNt C.M• II (I:;.
Jl•)laJ!\to.lll.l'l r.Jr.t!oa UILCOOI.
~~f'QIN'f RCKporrw:: nrl(')ttfl', _ .__.. , ...,. "'-\JI.Ir'W111....&.. ..... Ju ~ ... (.:~at-~
r.;::rc,.'d.nlil'at. ··,~t_ci•..· P.Vf:....,AJ•-ii.o:y ~ lr~ ~no~ aM tu:.,......r
P'l..(,c,~ (.(o..l: C:tl\ C('!Wfl ~t« L21L~I-, t-                                     unc: ~ h.t.lo~•tHU.-IA~ul
lA '(11,(X:I01l\.< '-~ rt"-"f'l'l-a-to o ..,........_,..~ki:lf~i~dlocta tr: ~' .b
IA.?;MtraJ~•, ;o.::i&c:t r.::\~ trti I:J!0;.1~ !lrf?\irk-&--

          ()('I(, lA.~ o;.iJ ~.dlub W ia.4.11:Jil ~Uj:Of'.ikl ;nft tlol" wtll Cff\.'1ty ,_.Ill" ••• ,.- 1'11111-J
          \et~n-ifk~ f1i1!1oe ~~....rwnl f"'l"'p t:!IL'I lmi.l ~ni......:blf~ lfl r..I..,_IV~JII.Jtl tot li.N
          ~~iJ 1n•mhtn1~.;~1t 111\, tUIII~I .:LI.~•• Uo:Wcut                          br I.'>ttt~r 11 :.•ll.
          OCIO JA:t ',(tit lh:,ta.y tlJII» .:\V o.~ rm"~·         ~              ':oo'"""' ,...,.... .._..
                                                                                t. • --= :JmC.:A' .'£ auJ
          \-"..Tt.,.       r-.ar•
                             ¥t1Vl)('", ~G...·ltn~-1'--""~ tOtttZ• A~\..,. ~ It                                              trN,.,,
          ... l ~ ('ba;W ~illiA tou' •cbi'..c,,..~ ;t .\On. .'\ll 1of'!IU!I ootUl b.; h·J'=!'t4 h
           ~c.                   I, l-)11,

           OUUL\.S•.JJ~~ r~..,.nl~..-l~ !lt,.,._C10~A
           ~~r-+•s:Clpli.N..~M ..lo ...,~~··• x·tu ~ ~--­
          "''' ~ta~uuOb :NtAI1'J' lM"·¥....utb "'r n                                                 hf,,,,u.J '-'
           k».nw1;.,. h) C\t NW 1),1'11,



OIG Rffo••4:fttllltl••• ':'.1 ":llil.t•lll:& ""'1...,."' Oj,cttJI.~ ..ilJU'IUtlty MN'i'.wll.'r •::1:1:""
rnl\ 1 1•11~ i   •, ;   ~.~-.•::..


,,I! IU~m· nt K 1111(11111~CI OClO tOI:o'Jit Wi\l'. tllillle.:ronm..n~·.ll ::r• . l)I.;IU n ~ l ll~n d .n,g 11'1
ACII\'0 rrir:o;•!.:tl)' '•o:"uuro u r "' l'>fl.t;..:t 11oi1M 1 wl.l l tJhl\ ldt I Qo)IJ\J)Io:l' r.rtlr'A.' ••l' l'll'h'I1~UU.I llo.'-'-:O!I
,vi thlu l!nr t:DlJC,'\ J'~ CJI'\Ii!o)UI~Ot

1<\t; c""ott llr 1r ,.jo,~;:.iro~o ~ .id ~ r i;Mli o•i.JtK.I.I wilb tcuwC..lJ) a"ld r-n'1llt'A.'III ;'n.\'.k.fc4 tcCCt!
":4. SIX..'CATE !a:J:>.tr.=:.to <-)'Q\11 !<.t Cll.n'k) Ol1io:a- o' .I:!~J --..U X~ MJI r'wlo t'llh 1i•
.,.~ t-.A::rw-1.)-~·.M)' 'AV ' ~' qnr.n:..v,..~~~ ·'l:f7"'*l tw 1· • ~""'" 'fYl!.






Ol C k()()(;llll111':nftlltim• 'i.l C:o>nl\;•.tlf<' ltr.: :\::liw D i1::~h:ry ;w.;(ll.Ut lliWI~i~ltl(•l)l ~Jt~ll'.t.({'{
'""I~ h! nll!j. J:: ~:lU:IL~ d ~l ha··.: tlfil l"o{'tl) ~ ooJ ~fl.sne 6nt IIU r(.«<•Jr.::; ""' <"•1nli~u~l Wllh
p;1ssv•ot~~ d1J1 bil\~ ilO t:--rit~li<:'ln d.\1,.

 \T:tn ot~:"mrnl RC1:pl>tt<iol'.! OC!() o:unwn: with !loill lto:umi!I('I)Jati•) lllll)j Ju:i Jt:iti3:t<f ')C;'IWJi1Jo'
:u.:ti,.,L Un ;\ususl l . l:Jll. ~1. ~}'$:tt11S irupk mtult'(l ln :1111or.l:md pn:r:n, h -..,.l:idoa v,'\.·d.l;
l't\)~ft h ~r:rtN.I il.' id~tri t~· v•<'" ::b;"":t:-: 1:,, n:rll;r,-d II· ~t..,.o:ro: u o~.:li •'.: i1.•1 1:'>-.l~,·t thtlu 90 <lay~
wilt in 1111: EIJIJCA ,·1·~ 1·:.. HiOV Af> O.!Uit.in ;}ll\'lii>lii~{'U1.
Or. :\It!? I\" l K, :O:: r 1, 1h~ ll~:ll'\m<:nt i ~·•.x:d n••ti G ;;:~Ii::11 t1: I:A:Il SyH~111S U.at f.)l(' 272 n.,.'tj•;e
Ji:w:my W"J":•~mt:l iJtd ifi,;;J t1:.lnwiil~ _l.V.:swotJ miut$ C>f"Do- Nc,t l;,"'(pi~~ be :I:.:..,J:hi

b ad j.lk•ll. I)(J(I ,•,iiJ ·,.,w k wit::a J){>U $y~trms 1;, impl<'l7n::I1J :1J :ti1i••n:ll ::n·~\.vJuu:l' lo.! o;.;,~uw dl
'":•h~ Di~o:~<:ry ::o.\.'<tt.m.~ N·i.: ~IH:~pi r.tli.:;.;l J ~to.· ·..i1~l1 ~ll~ll~wjth tl~ ~~-'!Oit :lt'* Pc*sw·m.i
'Sv~Ul.:ty G'11:4tliJ~J:~ 'Wli~:~ q;oe~if~nlly 6J~t:~··'0.1               t;,r .:.n ~co!pli:m •::-.1 :a R.I.Jo'. tho:     p:Ot{'d\1~ "'~L
.~t 111tpk   r.tt:-.lo:d   b~· L,A:.::..;or.-lbn   :.;.:;., :!': :I I .

Ol(i l{tttonloo~:coJ"'tit••• ~ .3 R~... is-: tl!C st,; t o) jll¢)udc <l p.~n·<·:Jt.ilr.te i,M(::.tti\·e N p¢lt.~ h)· ''.:1u::r.
to tot;,l'tt. OC.JO iiUQ1.11\t lT.;."I'l1<1~ti'Jl(1ll r;<:~litiC'. ~ :<l .~h ~· cl· ·~!hhro~ tr.:.::ll•·c: :ttl:,•U!Ih :::.m:
!oll""''ir l!!iul$ :t::tl>ll, l:< •1i ~O:f"'~r:tt;:.l t;lf!F!•J:O'~:t..'<.

M•~tu~''tn<:<11 Rc~!l'(liiXt.' : (loCI~) .::::t1::~1~ "':th tllll· l~~:xl .:l t:.'lloJIIU(•II. OL'JO '•\'i.l ~'<0!) »~
1 .:•i::i~n::   w Sl:\ HD-1 ..Di.;..3)k r_.·s:cr Accort.U>... t•) ~'C'qttirt :he dislll:lli n;: ol nrrcoo:n1• tlvll h:t\•::
1:«11 irwth'(' ti)• ll'"'' 9:: .:J;::.•!;.

OClO will (.(',Cc-1:lte wit.Jt Ddl Sy.:I!IU~ ro :.n.t~~ -~·::~i~.Xtr; t.., Ill> 1
                                                                               tl• ir.o:,U/Jc "'p:;,alt.'· d :tils: t:>
t J: tUn:c UCJO attvu11. l)•a.'lfl~''"l~t:.l_colcic; ·.·.1tk b t'((jUltt tenroml"ll,; nc(ll\:111.\ <::f <~e~vn:ttt.d
!!npl•'Y""" v.-i'hin !Vl<' ·-.o>lrr :>f r.•tl ili::~l itln fr<t m lh:: !)q:.,.r!I!!Uil, ()(.'((> !.o\.~ will s.tb.llli•. li!C
~up:~~.::i Sl.-\ tc•·hic~:. W :11.~ EDt '('AT£ COR by Dctcm'ttr 1, ·¥ Jl I.



 r..n !:<':\TI' N~.v.xd.. tu(.,unaai,•l1 S•rl>km (t OWS; 'WM:il,)' }>la·· ar J UJ)jjill' PucpiwN Nrrth d
.t ..:: Be R.N .is.<J f(oi:.Mu ·c full .o,e£Ct.!Jl!!jbjljt-· M' jrltmn! :trrl l '~lt'lll'll r:,,nnl';:lio>r:< ;1,1: h• l':.IJ~I."~;:
:\I Co' l1M::I'I» ~\'<; .llm.< All.'i :.:Tp hnj \'>jth lo'o;;~,J::nd !r!f1: .'11 :~f.1•:1 hv.;u.-ity l<-.>:juiW.:.I.~


OIC R<I~UJQIIIt:O\Illli<IG S.J O;:vdtov~m.l i •ttp!tllll! :!l~ll'ccth~ t~.>~l1.wJ:; hi ot•l!ll.l..<t< LUl t:t~ J:::l.>:-J!S.
1'1);..1,'\SS, C:UtS, :·.ltol ~IJSVt: ~·~·f.t{'llt .;, •,>,'I~S in ..:C.:tlj'.ll).'1i:>'J 'Ni1b (:~II Sys:t'O\S i:J~ :)-· nl'
ir.umal nlll ¢Xit'to."tl ~ul):):-,liMt$ •::- "~'.t' \)'\ll'nw.

Jritulfi~CIIl\':lll Rt3J)009C:             OCJO ~OI:.CIIl":> v:i:lt 1l:li ~ m:~r.ll'ol<ruUtii:n. l:k-111.ili~alivr. <:fioto:m31
:.o.rul t-:f.o::rr.O:•.Io;..~l~ll:i:·::o)0$13: P,'lll t>f('l{' l<.isJ.: :'otan~;{'UU'ut FrMlt',o,'():i: 1."R.MF'; '"'ni!l ir.tn ~1ST
~().). i? :n:: Nl~T Rr.r. •         .s:: .... •hi::l', tll~: O:rnur~• .i-ll:lwll. Tl.;: C!l'iO l1:a> .::ll:ililil>l..:d :a
o.o. rtifh:lllivl ~ :.oil.! ato.:.:\."\liit.t~~) (C&A'I Titc"~· Tro.n l•) cm:.J11~ il PJ'V!;Iillll r~·.ie·,.: r>f lflll wn-l'rol
('/..'..'- ru::-e wm .m.-i N:;:ke -e-.:·::rr';l¥.!1!d;llioon~ 11• irn£lt1"<0: !{i~l. \i::tl!lli!.~lllo.;:lt bu."~i :1t~~ JII-O.·..V:..'I~!- ~1
tl~ r.a•x·>tk :wd $.pptit'!'ltiot. lavn~.




A·j.:liti·>•Jnlty. f:!rN•e,lt tl.l~ 1">-:nfnn(lll ~ rMril::t"n;:.: rr~:r:rum 1:.11.; t:n: in~.:•l~n ..:111atiu1: ~1' 1~ Y..t d*:.l
•-::nl, f1: F.r.ORC will l';, .,.o:: .,.i:;,bUI.;, (!!';.l u :..l'.i'l.l!l.'J a.'l(: ~:<tttll!ll ~tu>~ctiNtS, A6{1fll\ i1>11111y
S~·.1t~- t11c R.:>JSC$] :~)i i; ¢ \l ttttlf.ly iJI ) :l(lt •.\; lh llli'i.~>l ( lr!!:uolir~ CtpMiU.n ;I( X:' :.>.J1.:.duld .
 fur :' r~r '(":'"~ FY E .

OlC R~:~~AH11I:Od~tiva S.10c•~lvp J                 puM<:>il w j(,o,;~JitjJY aJ ~~·~:~1.1\S in:Nflldr;J with
l:iUUt:.'\'1'.1: 3!l:J J.>:"O'ltd~ tl!·' Wo.ru,,•.ion to t'!l(h ,,f Ill~ .<;'.<l!!:n •)'A,I<'r:l l h o.«m•;"l:-1: t:DUC.~TE
t\' ~r*l)!t: f \I'm u• t>~1;1h 1-~ n:q11;,rt: ::..u:o.~om:n!111i1•r. 1<1 :ocu.;:!AIIt ll1c vu:(JJ~ lft(li\'i·JtJill ~~~:~JU
•O:O:Uiit:• J~ ::1::-c.

t.~' Dfl ,tC!It':tU U.t \poll3t : (•( )0 ('<)I'A:'<It'S .,.:ilh   lhi:: 'W>,rnlll<!1l:f:ti:n. ( )(;I() 1.\:\ i:: •,•.~orl:iu~ ....; CI
I":'S ,mrl n :-:n ~y.-1::1'0111 t•: dl't'll!!<::t a ~urit:: 11...-q•.li M I.o:'JII.;. 'ft*.ooal>lllcy M.."t1fj:( (SRTII:Jj ((>
t'a~:ili 1:'11·~ ~\·:octtlll .:WIJ.'tiWi lSSO visi bili.ty tt"~-.r;l in.~ ::t'r,nri·'J 1:.:a1tu 1·: \• nkh a111 l:o;. inl!..:.:itvJ
:i:o:n) I':.Ol!(';\Th ;,<; tho: :!1''11:1:11 •:urr:•' ll '~."11\l;rll ~~~J wind n..k:~ ~~~ ~ ·!'l~iJ1;: 3tOOtt~J b;· tllt (ier.er:.l
:\Of:t'lr.': S:-~:~n'l {GSS)to lil';pt>;; t~ b :tl<v.in;.: :nJ:)r.m<'.,; J:::li;ctu •rJ r.:.l. ..h:o;.:.k..:l:<. A ) .fl$1('
S~TM willl:.• .;~rnp1<:k•l h~ .l:.~:•u:11; 1(1, 11)12. but,L'A'I ti'l•:ill ~c ~o.ill~ llwltGh ib~ l]irn ri;,l
(;l;,'.. p!:oo;~:,; dJi iJib t 't 1:: o.t•:Ud: WlU OO:'Ibk Jlt$(~l ( ~t" il to'l hl! ::·1:11:-:-.fil ;en.! :!:lo." JI"Iti!II.J .

OIG Recommendation 8.3 Develop procedures to ensure that system owners annually review
the ISA and MOU with each system interface and update system security plans as necessary.


)1wtllgl' lll"lt Krlpo•~t: OC::O t Olt('lll$ •Ailil ·I- ill n:co>mr m·..la.i<!l'l. OC:O 1.'\S v:ill 1.:·, j;.~
$«1il'ln ').... ·· ~~m'il y Aut'1t'filr.>~O:I 1)-'..:·W IIW hf.ivll•· (•(fht. So:'l.""l!t'i-:,• !\llti:a(>ti?...-il'lr· ( i~lkl:!!ll:t: 1::
irdJ:k ptuc~d•J&ts Y:h.itl:. to~·.lrt S::SI~~n (h,.,.ner<;("O} wn1:.dlf rc·,'1t '.\o'f.1h: lmcr-A~:r.c;.·
S;r.i~: :\jf'«lr.en\ ( ISA)® ;\Utt.X.l;l.t 'JC:n ·~: uoo~~.,.,~n <iint~ (MCJT r:. •:..i lh ~h :-y> .~r:l
i!'ltu&.oo :~r.d te> 'l?fflt( ;y~rn >'l't'llri 1;: r lun' .., ttco:~lN:.t)'. J'lw ·~·, 1!1>.'\J ~uWau~~ wi.JI t~
tinnli;;~.., t>y ,.o\·.:rnhll!r 1, :!•~I l l. Tl•i~ I C(JU·:r.l~li: wil: 1:1e comr.11r1.,-:>~l<'>.i ::• Dq.an.lfotl\1 1 ::;..~0:. at
t!•t · h l Qu;c:t~ FY l1 :SEO n:~~lir~:

Ul(i ftf'CflfiU,ttudsrlo~a S.i D~'.'Cli.YC ;IIII :KJ~;ull. L·~:lil ~ yi! O.' is-:s to> t~lll't'! lb:'lf · ~·~.:n •own~n;
jXtrt:-;m~ l<:.:ll:l:r::: il at i•'" c oW :~: w• t.tio.t'll.():l 3.11C(j\dt~( ~'~l'Y tbr~t' yl!:orx.

 :\I:m:JS$lU~I)t RQ~p~rt w:: ( ; (: !( ) ro::n•::t'tlo:uo ,....111d :i:< Ctm.lill~ Tlto:> D,~~~Ul.(tlf: n~t5
O~· · i(•r.:l Vuln ~r:il•i .i•.;, r.·ia.1~~~~oou: Solutior. ;QVMS) ..., tr.l :' k <:erll lk:tU~JIS ao~
tX:O.'t'!:ifkol.ie>JI$, (X(t) 1,'\S i:; ~~o;,rl:fn g vti'. b 0 \· ,\,fri dC,ott.>p~r; 1(1 ('1\'<llC<!'·lhlrn.'Xm::r.t--. whi..-'·1
will :>1:1><.,. Jlllll•~ ~u·.c·JU:'I~ :n1ddll(: (l( f:q:mrr.t~:nt <y<r<:'lfl" r::lll.'to:Ji!•tiuh n1.J :o.-.>.'J i i(to.~l•)l).
This ~rh:.n..-~ l:r· io; •d 1.:ob:h:tl t(• ho; o.t•n•;•k!::i. loy >,fudl 3:. 2(·1 ~.

OCJO :::\ iS :;1:1'\'t<mll;: ~ninl:,ln~ i    C.i!~oiJ..Utcl t:. fl'.<l~•i tc·r lhc C'&-'\ ;illiiJ~   ..-r
                                                                                                      ;~U t:;:,t~m~ w.tbir1T,b.'
l tepa.1mt'r.t Th.is ;!~ •'11).,111\'1 'n.::lt~:i<"".< u :<t-::plilhl d~.111 :u pw ··iJt J.:.J .~.-.tJ(IJIS :11:1;! wr,\ine<; t1•
 J.',S .ttll~ !!'S0.1\~hc-ot lh~ :.·.~t ~I'J'l Jil ~tlL\1'! ~lo!» ft) 01 ~O::llt ~f('~lllll"li:tnc.:. l1tis da.~h::1..wJ           :.u
.:toly 1».•11 •JI.il.i.zoJ :nttt:lill1o L~S btll i~ -:;~:r\'cl :tt 1h.: tn::-ut:ll )· lSS.O 11iCtli1l~ ati.d cp; Mer)>· L')
 lk~ni (lfl)ir.:.:·::-1:< ·ne:t1r:-,.




      Ol: ln 1.\'\ tw, h11l~:,.:u:ll i11 I-'V: 2 ;~nJ f)' 13 1(.. i..upt¢1U¢ni o''.lt<;rr::ll'o1.:.mlinu::u:- ·1:1:.uoi.r
A:'$>) ,
:m!t~or'·.-.:~t!•:• .u .:t~.'(~~t·.l:mcc w:tb :->1ST nOO Drt:wtoYco.nJ 1•1'1 l<•noo:.!::tr•J :;·.:.:l.:it:r ·:TJY.St ~C.;.n~c.

01(~ ~f:l.urnm ti'MIUti.,ll N.~ '" t:Mjr.n«ion               ...-;lit DcUt-}· ~.~.:m:;, ~l:ll).bh aud ..:~li•it>.'-: pt·:ccdureo
t~ ~b1~ir.;.n $.«-m~:<: jrM'nt<•~· t>f ~:;r~:krr< il oW!'Ii~o:iq.;. will bllL'l'.'\TI.

:\fllm·•a.:·eiJelill R~potw~: OC!O (Mt('ur.: wioh !hi.~ n:l:l'lllr:l.:led<t~:.J.o. (;(.10 lAS is d;..~k·J!'ng
~ nl'l irr·i~ti n;:. rr.-::o.:o.••.hm::- 1,, vb,a;.n llll f •..X.'U:&~~ lll\'~11!01)' .yf.•::suwm' :n to:dlwir:~ \•,11b
bOUC..:.. J'F: ·.,}i'A tl~ R~JSteJ Uet\"\"rk nnr-rinb w..-.1,~ltd Jls~Co\'U}' t~lll ::~m-:o:r1l ~· ir. f'\1<11.


F-::do:r;:·. I):,J..t.or Cu1.: C\.o.:.aigl'.roi t•l .~oonin• Cnrti;nmni<1n r..•1:1~t~tr.<:1t. i>No~~il:. Nroj.;t
LllJ.';yy~~.0'.; ru

OJG Uff'Otllii1UHh ri1)!'1 ?'.1         nc:o..~· •:ro n n•l i rr;:k~nn• · l"':..;o:.l>J•e~ II) ¢toS\I.'¢ tit(l'e i$ l"/J('.III~n!:ll io .n
'>uppm' n;~ rn:niiJ-pn ~r.f~ J~d . r.:tl tf, ~:ldt 4:-\-i rrtk             ns t•'   :t¢ S1arwl.nd Ill)('.('. I h 1 ~
ok~u.. o:ot'.:.l iu u st.::uld ':c t~!li~ tOr ,;u(lit, :(' :ft~fl'.<n» r:•l ~ no:uu!>llll l':ltl'~ J ..;;i&i<lll e~oWnc.
t)l~<tsS 10 ilt~du 1h!: l:t:·ti:uit~r:< J) !Ut:f: NoJ b.• ~fl~l$111?..1~ :u )~r:Ormn•:~~ ofkt-)'
m•lr.ll<•rn&r.:~~tl'•ll~i :-: :l!tks 3Ud. :l);n]:!i~me..:     \~ilt O).Ul ur,:! NIS'I       :<l::.!l..!:tuh ,'. lid ~C(JIIllt(l(':.liS.

M"lllli(l:lllo:tiii{~I*VD>'t: (J('j() COilC'!It'$ 'o\•irh thi>' '\"<.:<onmwu~~o:l. (>('fl) ....,U N\'i.iC :~ Pltln
z)::-~cticms flllli ~1i ~~lome-:< ( I'\M&rv1J \ iuiJ:.r.v.; I·; i!!~llW¢ j:~'O¢Cth«ll f(or ..:,:,pJTit~!1 ·.~ :lptlt>Vt~J
d' l•'('!(h:,..~! l N·kt..or Cv,,; (\)fll~l:id~O>.l •.FDCC) dc•·i.d (!ru.. :Jel l ~~·S1ctl':.1 v.:.t 00 n:q11ir:::: 11'1
>'.1t1o:it t'\ls.i~S ; ustj fi:-;!ri~;<n fhr :.IJ :•liL'(.' .:le•:J:ttiOJts tC·lh ¢ 'RARI\ il'l llf'PT<I'':!I. If a :k~i:.d:•)fl i.~
~ror,e<J te-"'"i!tl< a K.\J>' wiU be wt-.nitt.,;l rQ           ono       J.\~ r,,, i.mtl a1tl-".::'·ol. Th~sc p:·ow.tw\":1 ·,•,•ill
I:I::OI'JC l:l~ dOO'.Jinel'lt<'lf.<:n ('~l" •dr:t <k•·i:t.i<tt• apJ:;'I.I·ialS !II¢ ·)(Or « : :.- Jt:'f,'lime1: 1m l.tu,.;; l!O.tilx. :o:-
( em:,u\<HI¢ mlr. ~ ~·"'..:nl' l' :lv~islo~ 1~kiui! t'i'(l~(''i$ :,, '11:11-\(:,tl: h : d·:'t::~tivna u , FOCC nnd ~
~·.. ~::m .• uk it:- _  p:.tfu;tt::l!tCe ;;f l:ey lll.,11il:t:"!r ~rwrtY.~~ibili~i.:::: a.'td c~vmrli.m~~ •;.it:• OMtl a.K
);(Sf au.nclmC;; .nc. n:•ll'.1n:nldlll H.c fin.'ltiw.'l pr-:;udo:r~ wi'll,.,. pvbJJ,:m. b}• l :tllil3t}' t(l,
2::1:!.

OlG R ttOllllllttt(lnlon 9.'2 R~1uh• 1 ~11 S)-.~to.·:u.. b.• jw!li:} op~·~Ltit ,j(".iollj("l:l that may boo<
:'«at~i~.i !,;: ::~"'i lk h:mi.,..t.:-.: f)! ~·J!U'f.·.i.;,~ S)'$!C!.'I\~O!h~ <or ol·,:pli:;:!li~lllil'!l:.l~ti·)l'l;

 \t~ttllj:;:l:•tt•ot Rt':ltcvcu ~: Ot'Kl 001>:11 n ·,•.ilb tt.i:< ·~n•mo:-.tl.:.th to:l . u :ti1.111 ..-:!l:up!c:«<. Ti.J~
 L.lt?ll.l .:n¢.:~1'~ ( ~I) l!; :< i!><U!:l; II rnnr~mu-.d.uu ll> Od : s)~l~JI.)' I~Qill.rille lhl'm Ito ::lllllni! ;: l{,o\1-'
 f:·t'<'.~ ~h III)CCdo;··i.dr.:il ii...:m:i.fi~<'. l•:; rrs. Th~' R_:,i '!; '•\1U ~ V.l~,.l~~r 1•) ;b Ovjlll'ltnlcn!'::
 CfSO <)j:}I()WII.




 OIC R.ooommtn!lntiort 111.1 1)1?-\'C!..,r r•·::C~·jurN to co:ta:: l.b:.l. I:JI S:)l'l: !\•ll~.o•... {J.Mtl ~uid;ll:.ve
 an:l NISI' I!':Jl)-IS.l<~i,ior: l. t~•'d,•li nt~• i1r u1:J:Jtit•!; tl.: SSf 10 ir.c.-..je. 1b~ S~P~ ~w('t,!',.IS,
 :f.(NI~, FOM:\1'.~, a.·•c. !z.DC :·.l~.







:\Jnn.t::tMtf'lt Rl'. l)(tft'llll or:tf • 1'1'0111!'~"'     WI!"
                                                             ' hl!l rt:O:I'fl>lll,.'n.latfuu. s..viJ.: II :~.S.I . "<.lt:ultt:y
 ll::....:uucn!.U. or. IU:v..:w*' " : OCJO ~ ~itt AW~ iu-JOG C·o~i.S•m::, t'-hicll wa-: pllbl:.:hf.d. Cl3
.lt.nr 9, ::61 !. ~i."~~• lhc ;.~tbJI.."ilf liJr ~~llf.al U."pp..ttnrut !:i)t•:o ~--wt.~· Plw-" ~
 \oto~ ~.1111~1}' AOJf(if 'A'JKu:~"U dll:\.""t if • ~t,Pf\r.JII"I c,'~ lt11lt.e f7 >.n~:m ._. \.:: 1h:
irtiM'tl't'\.-.:ri:-., n.!~ ..qa J'#Q';A to-loll be: ''-....-:ii·illl..-..\1 "'~tiXU1 ISSO'\dl.willf. fw .1•
W...~to· l:l: ~ a.«e,;au .._..., l)l("f.JN ~ f_.. lA Jlt-w! ::1' l)irntcn b)- 1bt 1.:. ~-M<:r t Y I:_


Ott; lt~totbn•• 10.1 :·,.... ., (l('lt\.1~ "' .,..,.._ ~~...· t ..n-.1! O).fB ~ao).o
Ol-1" tpi.io-11*" h lqot:r..-.ir~ .-.1 ~« !I.a.• EDt.:CAt! tn1 C.'\)tS PI '--

Mlte<a~ltntMtUI': f)CIIt~&thlln-c~....-....JA.it... V.fdn::lrn"~,;t.JI,IIM­
(,"flirf' A'" \~-I"'CC''l(_(J\1) r.bNkilcd '~-d v,.-;.Ji,ticd rg;;IJf)JIIPQI K 'UIJ "'ud.ll!~
t::Wlpti):UCIRCiirto['Cp~l~.~ n« ..... ~~- ona..k:n~~.~~
 . ~5v; ~Mln'llf«<l r..ctw.ot~~nN ttti-.r~·IIJ£ OM8 ttl..'OIOI!IDtll!l o:;:;,. "'<O..Ii..t.-" (roe:-
h;*.n:A.l~"' ll.: J\.~y PJMi:J.o.»frt:w l"-(;tr.~- ""-'•111                                    -;oo:-·.
                                                                                            lr.;t•.:.uliulilltl~ ~
:t:e O~l. OCIO 10'\..'i ""ill ~II':"'• f'l"'"t:Mo. •l"i" ·" UC•.O.I S .A. iw:.bW.J.)l•tm: ('o;r..n-S~icdcn
"d~lr.r• ,_,.. (~ C!H'"'tJ')) lk _:•• ~._ FY                                  :l.
()I(; Hel.:utlltlll'll(bll!ill 11,., 1;~-w, IYfn.. f ~ I"
~·ltmn
                                                                        hf,..    iL   nl!> "'v""''·.;:li~t \\. ,ib ~l;.J lo1(o,-'01,
              :.\, A"~l(h) :"1!"1.. PI ·1. !I.... III'!&,.V n ....uq. Poli~~r.nd f'm."I'U""<.

P.(u~~ llttlU Rnpo'fl.t~ t )(: l() ~•<cNrl wi"JI.lbiJ l"«OOm(NI; tK!n, lr :::-..mliu:.~.l.lv•~ .....ttl OM.
OCtO J.\~ will 11.1111.•~ lh:! t::aletm11tlon \yrt-..,. "•~:•.rl'> •«.l"n vr 0Cl().l5 tt iu;bc-e t!at
~~il!IJLAII:' ~ i(C';tfi.t;.• (11..111,1111~ f'«IO:(..I.--.:.t. l'tu: 1\:lli~o.ttl.'l 0) :lab ( it"~X.:iYt ~-..i ll h:: fimdi;;,.,\,( :Oi
~"\~11-l~ft' ' · ' 01 '2.

OJC Rtt(Uwtfl•ell rlutltofl 1!1.4 I)Jvd;:(l t'f!:ccd\'.101 1\) ~Y.JR 1bo1.t \11<' l:i::iO 111::1W Sllff~irnt
dU~ I&fiiO:OI3:io)~ 1.;1 I'Jf~ll; :I'a rl'l' ,Iilli!! lllllh' ll!l ''" lh~C..:.\:-.1.!! ~.,?

OC'IO i'llt!hfl tl! lll'l<h• Jt: thhc ~!f!llt!lt! tl~ lillll tu:              0~\clO) urC'te\lurt:: t.: ~::tN tMt l :t~
h"lliYm' "';~tl S,''",(l'l S~!oilitj' l) fl'itt~ N1ll:l~ dOC'II ~~WJtiCI \,~1 \t ~a:.p .~ ('rh•t~o:y il'li':U:I
All...:llo.lld ll i .

lt.l110tt 3J~; '!1.l~ ft\·!~r~ ..,.,., ll'ollll\"111!"1:~1 lifli.VI.1C!ill)' ~~~~".'~ ~ ll'le t'.l~no:t o l'lh 1: ,;,;fi..:.i~• .vy
ntuffl ir !l'r. 111.1l1t r<:tM•I••vH.;i. I!JIL'\IU~J j:,i._,.C.) '

M.tU!lj!UII~!I! It~t'~'fllll! ot..IU O:ll NJt wl.lh 1h 1" '!\'l.'l:trn •l'loo'ln!l~t.l•ll. ()L'Il ' J.'\~ will l¢'11~
:<."(.li!ln :!11, ··S:cwlt)' Awllt~•1 ,.,,_,,..,. n,,llMI'"'''"'"::I" vl'd:.o s~~uity A\t•) Ni>·.v:i:.:• i om:h:.t•..:t .:>
incht& rv-nl'l!l~ll '\' • \~I d.:'•• o::1 ~111V S)ill.'lll Scc.t.ul:)' t)ttit r •!lll!!:fln • h..1 d.u.:t.n:•tul.ll.ti·.•llll>Cd N
tl)llop .:w !Lo:t f'1i~1'~;.· Lnrtt.l /\i'it'<N'r''""', '1'111 N\'tu,:••' lv l11i11 P. ·-•i.JIIU..~ .,.,iJI ~ th:d i;;..:d by
~:wmN>v 1, ~·:•11 .




OIG Recommendation 11.1 Develop a BIA process and conduct a BIA on the EDUCATE
infrastructure.

Mllllitt;!:ti•<'t~t R~!j)t)!~: OC:O et'.ll~~.:un< wil11·.hill I I:~Wullll:l)(b:.ivo. OCJO ITS 113.'0 J~..X'lC.j:td
a ll u~i1m;; lriiP>I::t :\.nl(~~;$ :.Gl:\~· Mouilef'~tr...n.t Y.M M<l DL\ t c:.np!.;.IC' b.:::Jed to;1 NISI ~J(I.~.f,
··t:..or.tin~i::- l'!..~:.in~ Cuick fm F.:..J ~rJ.I :r.lit:uti.\li::n Sy:.ter.•::". '~hrcll will boo< C.nalizo:d bj
SC')fntb~r 15, ::!i~ J I The l't<l.k<T plllU'" tor.\ltt..'1 rut ~n:~tpli~··Ai~ BJA wi.ll b¢ i.niti!lf.:.:! OR
S<"::t< miu:r 16, ! !: I I. OCIO will            ::!mo:1 r.:~. '\JIST IW0.1.! h'~' l         iliA ..:o::nli nt: 1:111\lm.t.a.tm~nl J:>IIJ
pst'jM p:tu:sJ;t it:.~Ji:l.<VJ!l(d. OC:IO ITS w:t ~;,:dill·~ pro<'cdr.:cs :" t~DJit~ a BlAt~ ~ :"(•dum :i o)j)
:tn :mn•n l .~:•::i::   1:~r :dl   rt.il'1rnl lr.lhmrat •n S~ri t:-· fv1:1f>.~~....-.m• ·\::1 (r!S''I'' j n-(1Nilthle
S~'4t:C:U;;.


OJG RcCOli)JllCO<IMOOI) 11.2 Devtk9 toO Jl);!i,n(,lb (liu sttr ~\·~r:' til)~ ¢;~'!f:i ..grot;; rhrl ti'lr
I·:IJUC..o, l 'l ~ · ~ lk1~~. Hur~•rl S;d·.:ll'l:l: !·:I>MAH5,                  I·:IJNI~t   C.:A \I ~. a.:11.1 !·.DHOC.

Mai\I!Jl'mt at Kii'1'J!CI0:51!: OCJO              n~'1H:Un.:-Jr.': ·.dlh       this rti:Un\Uii::'lt.&::().'l. L)LlU lras efla~li!ht~l
oom:.npnt.~· pl.lltS, t'C:fe tr<d w          u   D\ISii)~SS (onl:,r.lity PI,J;.1S l!iCP:•. ;rOO fi.~:.t~ ~t(ll'.~\' f'l:!n~
(TfU")    l~~t   r ON I~, r..O'AAS~. (':\\-1~, :.r d f OS(I(' .

OlC R<<OilUUt nclacion 11.!- Rcq,;ia'C" Dd l S}'St¢lt.; 1(' perf:.J~.m fi:I'ICti\lr.:l e-.:o:rd~· .::n~ full
f:Ji.I>Vt:r an:l. lbi :b.·,,:b o.m ;,r.   :tl'. ll'••:tl t:di.~   fvr {•.l <:f lh(' J.(LJUC:\ :·~JI:ft.l::'.tl',¢1\U~.

M "o~<:1!1t:l'll  ltt:,)IUil:tK: 0 -:":'ll) ..x:ucur. ,·. ido l11!, t...>.x:uu• ,~uJULk'-11. !ltlivu<'t-J't:p~. 0:1 :~it>•
14·l5, OCK• lTS COl:Jl1~(eJ ll e fi.tll ftlllt1kl'li'll ;~ruw; l :t'Si <"~r'th•. n t:rwono:r. Tr.o:hrnl•teyt)e~tc::r
rT rq. 'I ~ ......~. II::IU ,L~ wcr.: lb :!lito;U :ud ;:p(J...::l. ll.•lh; b OUCA l'B C&A p:l~·kk~c •.)U lull~ !<i.
l OU.
01(,; lh'C',l)n'HWit:nCIIItiol!\ 11.4 Ul'\'::lcor ;lr.d inrkm.:trl rn•ccoJUI.:- .sT!I.l pH:<.\':>:1'.:,. blll-:11:11.1<.: lllt
l.:'l.ui.N.•,.;;r.,.,,.f 11..: T<'lv.>e:I:JilWli~;:li::-JI S..V'::.x Pa'.,·:~· (I'S?I Pro>;:rllll\t~: Ue £DIJC:'. n : a·~
i:m n!-.1i01klyru:t Md <'MC.:'e t:Qn'.r !i.;.ncc ....ih Dt'pi'l'lm«ol d'll..,r.1ch n..J S«u..--lty \ Llll:>)
~~~\IUI.~Jn.'n:~ ~•ld <x· 1'-'· u . ··. 1ruto.1l..,oJ: t,,r 1'ct~~c.:.1wt:ni¢1ii.o-~-'. ·· ~oo \'otb;:r uPrli~'eb
l, lkbn:)!l.

)olnu~tllt Rt'J)Oll$<::          •'X' iO ~<·ncms w:rh this rw:Jnnm;.inri(ar , OCIO ITS h:1!o "'elio:: l~ l
p'lic.: (luoWJ l(•r T~il' Rt:·l..,r:ltivn Stn it.:t:il :'1» b ULtC.o\:r.::: ~pp~rt~d ¢ir.:Jits. f'SA Jwsd>m:tt~:l
J>HS r l'(ovj.ja t TSP 'R~!('.K"ft :F""l\$-1(' 11\f Sec1rri·) ~~i~l'~ olh•it>ic1n fN (Ul '•.:l:~·!ib!l,. (Y.' IO ITS
pla~l> J •l¥1\'t .b:' l ~tuil ~d f'l\:o:-.Jut.:,; ;mJ ;tm.-.:~N !.mpl ~un;u\W iJ} M~ttb f, 2012.








th.: U..1>~~•l:n.:nt ~.:6.-J tv 1-::0bbCi:O u (:Jio~w:nt w... wt..k:- K!'d. \lJrtt.l'(ntor.:'ll
0 1(; RfrOJrJDH'IId,.{tofliU ()..•,:eJo;: f-.\( ixp~mtlll }tOC'<'d',lr~ wo:ud'\1(~ ut• tt~SIIli:Jt:~.ll
,hr.: lr.ll'l/lll;l<n,tl ,1(\~l in :~ol:!ili•'r. It> lh: ::l:r\'TIII~· ~f:'nll'"'l ,"!'l"h:lllit'¥11 lhk !IS<tlt.\lr~!.\,

,\11&11•~..an.t     t«·Jrc.• lle: O CIC) C(')r.c;-.a·;'!l ·.-lith ltli$ "CCOIYifllf'l~~ Ctl, 'J'h• Direct\K' QfiN:i hill:i
d:O\'>liOJ!('d 110 JA $ •1:11\}$:" l•b otMt b-uJid3 itt-!1:. !IU Ill..,'\:' p:-npoecth·e, e ll be JCJJi:. M!llll~.rt'let:.l
trrO;n.._.,,,.,k \ ltMf) .._-..tttM!~Iml in NlST ~(lo1 •.1? Rt:'li\il., I, ..(j"l,to: 1:,r •'J~1~ i"J'. Ihe! 1\',.1.
Management Framework to Federal Information Systems: A Security Life Cycle Approach".
{ 11'1:.1Or-: aedrc~~o~ ~l'h\rnitn::l.' ;md (i(:l! •, • .-...,.,,, :m:l 'l\ua: l!tlltNI~ I'll: I' t-.u:lnf!•:• .nr
lnfl'("'ll,t"lf1r, "Y"n'""' ;;,\:,, The p:.t111 i t};,<f")NtJtu 11 Etf:tlr.J'Ord' tlo l'r.tJIII; tll'lrot t~;,r~ with 11
l'l!.ki'W.ll. tl'\t'lpri:;: ~pvt :t•ao;~ :;t:vo:lll"'t" 1•1cfl•.on: lh,. '" '''' ::ril-:u! rh.ll• .til tl"'i!ll'l.\ tll., a..-..Y::I<d,
M~ U111ir.tr.Wd 11P$fOJ-'Jia:tl:o' tbr1i::~ D-~1-~111nrot's dsk ttrlertn.·~. Thi.o1·~b tho lA ).n~1.<'&.it ?b~:
1111 m.1 u.,,_... h:~el'l.,.;ill <::'11,;!1,.e ''' ,t;:~ rnrn1t 'Yil'>.,.;t

Tit~ : 's t('llll .il tQ ~JL.m ca cif~~"C mruc.j ;o cMdl:n !J~ t~tcWJtut u tb: «~;llsOlll.
kvd. Kill. \l.ollfalo.~l••mt boon¥< ~ ...~l io!'to:-.:l..w lt..b                          t-•
                                                                    U.....,.,. '"~uv ...._;~lWI.
~~:-!A fuoc··....         -wt ~)QI!izi~ tU .~die au h.. otca t ..~ of }'1('11.'1~ !l!f'E
kl ~.~'d and r.u~..- ,,., =.1 fldiro'l:

     lhtd,:;r* ~ G'lieffrS~S~:ie<~ (), liecf iCIS.OJ w~cnu :biA
     1\~JC\ uc ~ f~~ pi.j1:1Wf' f;)r ~-"n Wl;lr!lnOr:, f~ --~ . ...,-if<
     r\111'~.-:-.:nL
     (a.,._'Jf.(:."'!itip wr.t key Da>lltlr.:t~.: S<:Ji.M Lttekrs,. nrul'lll.,lwrl d:' II\
     ll<Nnhr 2JJ1•1. r~~oeo r•11o:til<n dhi~ ellart...,. .'1. !i"t\4'1111",::: ~ h 10 S"JUc orA d~~ die
                                                                                                        '"'l"d   e-'flite.."W•, n

     A,scr>evw.i.-tr ri,t; ~r r,r fl,'!f'T'ent 'lim' :!!':>': rn";::.: ri.<ll n•ilipJtli:·n ~~:ulc!uw•. 1and ~Ubr: ri:;l
     ~:d~:r.mo:r: 1\!r !ht l) ~fl'l>ll:l)<'!tl. lln: lA J:!.•:.n. L>fUia~:o!ll).'i 11:.."1-"''S tJW..ourtl!,;y, It .;>C'N.ill'JC$ ( ~
     "'>JW i.1••~\uit;· 11s f.lt U... Stn.I~Qc Pl3u ~ iu1pl«r.cr.ned t~~~tl "" Mol :tn•' tiiMt• ' ""'~:a""!!I
      l'llrnoto: :1r.:l hn>~a~hl b' II:~ hn:ll~tr.t .
     l ln>(-1:)(.) ' 'WI uJtiut·N.·· Tkj.'<Ub.l!Uil_-.,:.·:d~ S,}CU:itv Au:J.h~CI'IIfO \Volld,ll). Vt~,l~' wi.J.ic]l
     ntlctlef cut<rnni~ ~(Oir:ry c"J:..:.-ili1:~. Th)t. ~·<~ckii11J v->Cfi' " ~''IMt~i "lF 1,11.: Utp:ttcn.·:.nt
     VI ~~~.\bC1.i t:utt!pll!c s:~rJlt:t At'clli:w:u:c

l"wwo: l •hw.'l iu ..·ul•a•h.tiur. ':"1t1 I 0 •¥,:11:.a.tiu.na.l R.isl: ~1l'J•tl!l~l .ltl•1 l1WI'J (,} (\,-vok~i.n,z
01\~!l{lll\111 Jttlritll t>.) ;m:IVJI'e r it,;l: .1'l!d J'f:f~t I~ tl'.t- 1:\ lliU'1':1 :o l' D:rt·~•:-•, il'llpl..'m': ntbS :-or.
''•toi!'IJ :~ J<.it.k *Nio~ ~~·stnn. sut::. 93 rhc [l(pllror~'" (I(SIIllt~'- IPM · 1.,..,1, ·,dtHr.lho:
l'r(\OII'trn!ll!'ll Th• D.!p:r.l11!11':11 .,.i'l intfll~,...nl :an a>..b.••t•ulo:J lli:~l Sl••,.-iu,utMall.lf U)' F<i'l:waa~
J. ~OJ : .

OJC RtrQIIUilcoda.c:MJa u.l A>t~:ll: a:: f'OI.OI.iul ir~t.:.o .:m:b lll'l': k.Jil'• "' .nr
'"l ""'..t¥Llllll ..w.. !~«.'Ufit} rM:...
l!fJol'~~· .,.,,~ O(](l MI"'r$ '64th ••• '\U....-onr..dta'• Jn ~ ... lk

~~~--• ~..;tr u.t:-U>Il.c:a. ~ lkp.L-IIxot is d."'"-lt...,.-. -..-J •l.fll~-..:."'-., aO(




u ptl'k) ...., \O WI.,..,..,t-.: a r110a.· ~,:-.,~ - •.: ~"li'.} to as:;c:n (~ cD)..,~'C~ •..d fi~
at ......,.,,...u
             IUJ:dc-.1 J«W~ ~..-.J.:·h.tttli¥ r ""'~ ~ -.... ,,..... ftdl .... a C'aV
ti:;naew tw,;,. ,...tirh ·.-:ill ·~tn ~ u ,b--r.: .t..: ~_:~'!'ol;.:m'• ~,~~aal, IIQI."';(jty ~e The
l >l;ptll:n.:tK will fi::ul:i;zc. (1.: ictplar..:ot;Jtj(.!1 •):· d'..c t'J~oft. fliUtlb•...t ;,, 1'\ISI' !I(It;.-3'7 t-~
r.tll•u·, 11, i.lr 1.
O U.; U~:r-llmmM;Iutio)n 12-ll•flh,rno;e~IUTI.":Il ri.d1. :.~,o;~utur~ f,l."\10:\.lllllllit 11111.1 1)1 ..\.\.\lut~!             :o
11<,),1' t:Vr:rt-. llr.: '"l'!il'\.:;r:~r~:s t-fl\1ST SP S()J. )9,

,l11u111"'"1lt~ll l         .K"pouu: I)(:{I) ~C'.lWrs 1.1.iT)      ''*n:~:rrnm~r. t:ul•'" . ()(:to 1>\:-o ,.,111 ro;•llll.· ar;
o"'lrt~"11 MI1tl'1 ••.\il~ ri.•~ m;: mre::r· otrrl ~lralo;~)' kl l.tllluro; tl mt \1\11 ll.:sk AJkfJJI) ~r.~ ')1(<'.¢N~!o \lfe
 t,~ll) '.la.fll to.'.\1 ~~.:r C iu:pk r:u::rtuJ h D..'\.-.:m~r ~·), Z.lll

UIU llw!i61l11!h'edalktll l!.oJ Al~ J~f.tC.nBibiJif}' t·fltlo; rl\\: ~'~''' ll l ~·:r Iii -'II ln:t.'rhJ1111- tol ~,tut:
~(+. teord it:.tlc wi.lh t.~ri(l'f :<:ntk!ni'.ijl.-.:· • h~ fkt!unm~r 1 .h. •i ~k w.ct.:r:.l-.o r ~uiJ\~JrWllt <1.1ll:.0( (1
It "~1' S I' KOI~39.

MW!Uttr.m..-nt llrnJMUIIIt: U\.;1\) liQII~•I-4\11.-"'4 .,....j·,l:. l~i : r<:O)I!IIi'.O.l( lli1NI V/i1bitl th<'
Oo')DMD"An.. the- R.b;l;. E..~~Jti,·:, ~ de:2~ .,1 NISl' SP MIO )'it, Y.llll.l.til-•1¥ KJ!l.I.IJOU•
l11lltm•lllh<Jr SY'-1at~••'\pr lV::~ Js O:$Cl\J :.:lid Ore futx1:tU it ne:..l"nl t-)• 11-.e \1~. Tire
UC)'JIIIIAXIn 1n-opltt!. t~ $i,..'"t-if~.:lr4 ~.t t.":r.-.;-a .:t.~~ ~c~"'h.- Ch!UI· _,.. d.a.· •~v ~.
~· al l'oo.:~r.f:~no:pt.~ tt.~~d:c..-. ~Ni:ka toe cc·•~irl ~~
;a,A.w..ww a:.:uiQ' Qd b
                   :JUt~~ ~.,._:a fC...149J AWl~ tlJtt

-n.e.Hlbllb:O. ~~I,...._,.-t\K\tllur;hJ~.!:t:(hW.:Ib~~':M:rd'-r
~II:UU Ulf.t,) L'<.ktf.J irif.:t<~03~~ 11'-~~tJ"¥) •k llfll!Jk-.. &.~n •~'au• t.rt.:..·.. .t.'tl:.!'
t'IW:;11111:1'Ct:lll, ~'lll•••11r', ..1eal •d~ >K • i .y I:U!'.t••~ \ '-) i:;~lt.~ ·?:l'W ~~~ nf rUo:
lill:l.ril711l.ll.tr\•.' .taf.-r:•:.li;;.r• "}~t~l:lS t.ll.\1.;\0"J"
                                                                   ~ tnt. •l't~tt:.f\ rl'll!:rt~~~"ci.J tlklnll.l:. ,.,.
JL'""~; 1100 (iii) r«t"idbr; :'...<.-nt:ll h llm:!:sllf.'•n J • :...!IIlii' h,llli:,, W G,U:i1ilt.: ~<Ni;O~?I:Ii
"'~an~ltlt .~ lll:t;q~Wmo:t.. ~~r ri01:k wur~r.:.!atio::sl o'"'ttdQI.UC.IId IIIS,•tu. frd.'.'o1:1.\\0U... l)tt.•r
ou:;r.n~t<Y.U. IIO~ ttw Yllli!;!ll uri:,;i n:~ fn·•n lh~<lpt:laliull .u.J '"( .JI IJ(CIIAWJ0118}'$fer 1\ ,.

Tb(o r )lft\!\(1\' fl r 14 :0:: h.M olt:'><'k•,..,.:l .-rr , _., Slnll.q~io; t•b.:• (f',,w l • thill b·,til(h t'w . n 11U :I'Jftl
J:I;I'!IJ:~r:.i ...::o, Oz.~11 I •.Jo.llc,;e:s ~1>\'ClUillt.ee 111:.,1 G eo.1l!l), 11M \ .1/l.tl'll~ hull'. l-11!dtl(!1~ ~lie
 i lll':t\ll~!oc :l)':r.em:; ·hl:::. 111.:-pt.:.:n irr.~.:rpO::lt.l~·' a SIJ~tl~ fOIT{.)IIO l'tlf n~:~:•rno:nr l<f.jlflll\0.1~, v.-ilh 11
 (~'4~11-tCC ~r.(tlj.'ti ,_. ~'''':'J'IIII)..,"\: Sl'11olt,l'\' !ol 1!r.<'Jrll lh· rnr~·l 1:1 i1,..:11! • il·l~ 111~ 1 \I ~I~~C(., $CC.C}t~.1•
.tm<t mn\m llintllllf'f.I"P'hrld y f.tr tl1~· ().·J.n llliCUI'S 1':s): tC.)tfM~,




[Figure: three-column diagram headed Goal 1, Goal 2 and Goal 3; diagram text illegible]

-n.~--...-.~..:~.:-cn
 ii!E;:;;:;i;;:;;:;;;~~A:~~"'"""""'llt.ili!!E.J:!iiOi!i:ji;;p;;;:.,!        ' ~;--!'"-'"''"'"" ....... -
                      t.fS.X ...b. A'S'......., DtitiT t bln: h fll•<.... tti!Uil                                                              ' ...
 CJH; H""cll!l.rmt¢.timt tJ.l Or¢~k)o C\~CR;.~ to rn.~ l.'l(f', :1!1 ;<rtMC:l (II~~ tn
 r :o'\iG\1 fu;!.:Jt.<:ft.IJtiOJit kl ,t., 1~::«) vl \1~ artcuJM :m:!: M t'MIIR                            .h.: KJ:t:~" "''Ute
 lr..ir,ifl~ .Jl:'-'w.no::lli.be-!1

 M.u n:~Jttfru:o( RtlltJUII~:                 OC!O 1\'ltlbUy<;.;'n•:ur"' v.•lll tl'i!lt.!t~nlmct·:l:.doo.               N IST $(~1.~.)
 E\c··iaiol! ) , AT-4, dN • ·,11'11 txr,tl..,. ,ll>' •~q~••C ~~''b.~ts t·, "'~t11in <l:t('!i...,. •t 'tn&!um4 O:.lh£iet:.!' !IS
 51lP)X'rtirr'.'! d::wn•<·:'IISiil>.:l. (hJtlnJ ~I:¢ C('lii'\U: l'l' lh.- ~u.JL, OCIO v,.:til 9(1«J:'...~I)y nU:e" 1(1
 t\1 ~\'id: COJ·i~S >){1h t' lttl' nii\J' ~\\1!1\"'1~~~ -.>.:!IIJ'l.;:~t~; J0.. tllt C.1)J•)(')'(~ llei.-,(:1\'•J I;,, II.:U,IIl )'
 nw'1tr.lll<'.<" lr.~inin~ :.rJ lll).).:ilLli.ocd IIJt-1 U(Ji.n:.nt; l~!dnt. I b•··"'w.:r, dn: Ucl'!nL'll>l-llt1SloJ:u1
 \1~1ll¥,•:.n:·..:.lll. s ~·s:tC.l m-il);) n:l d ~!'rlti l'l · ··lll,...h ·~• r.iut;. J.{{ll!a~W'.C.lt S)'UCI\'I r.ULir. li";UI'.llli
 COI:lplrlinn :1:1!~. tr "'hlth n::p:'lrU f~r. ~ ltC'nmtC~ tliiWI ~.jU.O'-L t•n).~j\I:U lht~ dtf'1.o1r 1'1:"\~·
 ,jo-,.."'1JI)'I('Uit:ioc 1A;·1'he tclt:vu:l       ""'Ill'!, liA I~ "~ Slid i:upkmnt~..._1 'I')· ..,::l:l:flllt::f .111. 2(11 ) •

 OIC J«ro-.,..M•iMI I.U • .~~~~-•sso~tool to ir.C..wtr CMII~dw ""-~ ad
 ,, ~._.11£ Jtf:'A.. uf"-"'«.,.i..-:.o:. ~ c:.l 1lf.n$.




Ma.~~~~· .a~:a l        nuv'•ILM.': ocro ;:4-1id :~ ·.•.:tt~.·ur. ,·,i•b liC.l'-l._..._,~:JI}:J!JoUo.J.. OCJO l~.s ·•·:U
i ~1 :e z nl::r 1r>r,m.i1ml r~ the n o:(\' nrr~v•., Prino;ifll I ( ~11-i.:.-:: (10.: )!;) n:o11:irinf .:·~ntr:t.:• l:7l< to ttl<t:
lii!II'J:tl ~\HIJU'I:.:~ ln~.u~ill',l. u.,i.;lb lite J~<.IL-li._. f:~:.:i.a;,. S~.:.:.ui'.) :'v•..:;l, lt~.1:tq:: tl:.(.'l0~~~~lCU1 ·,·,tb
ttpp~kt:Ci{lll l~r tle FYl ~ ln;jnbl! :.:~·~:)1:. Se~.:wi.)' 1 \,..._:.1 .,..ill a:1., .... CCIO J.\S '"' ' ';,d·. :~•t..J ~11.•1 ~
plt.:~f or ~().:up~~tk•ll t~.}t' ~LI '.J:}:t;;,        l:l i.:tstuccs ·,o.·hc.·¢vc.:a:!)t'S me •~L· ~w.l IT S<'<urjtY ;tainins
P'J.:!:I:ml (If (U:xli;C.-1$ \(: ft'Air tb~ir co·np!Qy~~:'>, 1/Cfl) .,,ill ::•Y'1!1 ;, (~'l' tiu lhVl W.tll'r                     lil:tl'll tr-=:
tl<lllpi!.ll)"~ <r.uLit,,rl;..o,;:J (I ffiti ::.:1 !t1 ~ '1.'1:·!!1~ill:- th.: .i~tir.~ ,,:   u n;:k)'.:l:~ '•' !tv tV1 :1piV.~d. l11C II !liiliJt~
dc-tll!. w) b o...ics~ipti~ '.flhc lt'Cklu.~ $fO'<itoJ.




()I(;     lt<'.:<)m""l'l'l rl4fim• 14.1 ll:!\<'lll'f. r:n>~:l'ihtn<:'l !<: e!lilu n.> I 1111 l'le l'!fm{ 1'1' :\o,";li:ln an:t
Mil::;:.ro~3 tPOA&.\.{) J'l'~fl'lln i'                                           :t
                                              tMJnlll:n-.:1 d\st <IWil'r'$ l'~fl::c · ; li'IC rurrrm ~ffl'.l\1 r.f~:1::r
::.11\J t!,t:lt:'(l P0:\&1":1::.

)'.{l'I'!UI~~W~t kUp (ltl,C: (!(:1 (1 OOI).)U:'.O ·,•,i tb thi! ~'((l}UUI".¢'.1( ~tiNI ( J(:(t) •.t·iJI Ii;lly l~lil17o: 11'<':
1)~(\l!IITII<::ll'.~ !'(h\& 1'.•1 x:p.1sh1::::. i )',.'M S . lo.l nt:tirL'1in tt.:: turt.:t'l :tl::tus :~f :>,:t::ro a.J.I dt~tJ
I'OA&M ~           CoCIO C'.l ue'"IJf         ~'J!)(ll»..~~ t. ""-~}'J:; owtU!f,l•t ebn:t lll<"'rt ~o-.::at,,b, tlll OIX'!l PO..;&M
it.:ru~ \\bi'h nrc ~tilt l<' t~;.·; h Prin,ir:~Jl Ot'lic.¢ lbilt 1-~ OCJi' l."::~:o V0:\&~1 o;>r. ;a l'>i ·,~tcl: ly 1:-l<:.u.
'l't'm :e Mpt>1U ...:Ill ~oolim¥-1.0 b: !ttl(>raw.J fr!'ll:'n (J\'1\•JS:.:, tn~ure :b~ :::aru ~iJl~ t~portd i1
i'JC~II t'il:<" m:..i up tV-:It;e. ~ .JQ.(.:)-9() J;~t• (•V>{~ fOAl.:;){ 1\"{~S ~i'l                                be': :li~us•M ':"::r a :}'
~t lh:: IS~O ne~ti n! an:J tntl'i~~ v,oi:ll~ ~l'tn..tJ to lk 1:\ Bu:Jt~ t>fl ) irtt.t)l'l> '-(l.l:lttl.rl}.

OJ(: R H.c:>mn•c:rulntiol"- 1.(.1 llr\'::lnr f"'tl>:...-tl :r~< II' ruv,, ,...,, ' I'C'I tl:r,ltoli.l' i<ln 1•1' a!l .,.;:\·<n•;
·,\ilh' n tb11 (J()/.,,\:\1 f<ll'nt lllrinn


                    Ro:~pun~r. CX:IO ::::411:~11> w.ll1tl.i:: tl!::lllhiii!I:Jal.ivll. (X'IO JAS tt'~>'kwS
.'-ltttll1!,<:'1TU:nJ
?0,\<\:M $1;11\IS>:n l'l \\~y 00$i:; (~l( (V~(ioc.('-.,;,; Wtle,d y Jl(l;11i~h ! rh.m thm o:ovt!llli n:: all "1"!'1
. '(M.tM 11(.m.. 'Ill..: J\'&V '!o.:.Jm ~~~..J~ i:1o:i,·iJu.d ~t·.•pl.~;.o·!t d ;u b 1,1,_:;,.·II (''.) 1l1a1. Lfk &.:1}' tjitt:.
?•)AaM ·.Ill !l \>i ·\~-.:..1:1¥ l <tiiE. Til<: POA&M .!:tli<l~ .-:i:ll:cllpdo.tcd t~ b~lud~ dt(' ~ ~m t::.r
~J•ilk.~J ;;l<Jf'li\VII d~rl!; uut! rr(!.:C'..lu~~ ) l(l r illl':)r:u in~; 11\..m~stl t•'-'1'11 w:·1o:1o 1'\):\,&;t.~ !oui~WI)<;>:.
me a:t t:RCt. T.li> !)tO..'¢~ wJJ )~ l\1U;· itr.J.>:Jil~Cicd to)• l>Cttlrt';~r ·~ l. 2C·J I.

0 "!(0 l<NIIIlfll!~lldll.liom U_t fJt\'d<lp pK!\'1.'\Ju.-..:... lv l.:~(tuali' auJ :\'.X'SJ r.J.;- l:.'tC',tn'C
l:.:(ultvou.:n::~ ii:r i :np:::ontntir.~ JIIVJ>.•~U \'!m;o;l.i•:t wtbu i~1 U'-">-·Jan.:: v;id1 OMS E:d 1iiY.b ~)
un:l .i l>:l.

 \ll!n;;.~mtnf l tot~p!>~U.-: O CIO t 1•11.:ur.1 h11h <.hll\ rtl:a.•mmzr.:lilti(lr.. (ICii J \'t111 u;~ till ,;;).;.;till~
,,,,,,. tidd ' "' ()VM:\ ''' o::r·~tun~ w"''n:::l~ ltuot lilt: I'I'O'Jdrnol t>y OVfR ,\. II F.x11it. ~l \0::•.m•l .r'l.
()(.'JU w: ll ;,:::...0 tl I:IJ IO: :1 ~:tl JIJI~:->0~ :ttl$ ...Ju:.:3t\\l o.!ll iAiw to:l Jli Vp}.'l}' ~(:It/ f('W~\1'~~S 1~\l',liJOO
whc:.:. l"tUl«lin~ 3 PO..:..i.:..'\1. Thi'5 prvc~s 'A'ill bt" f .tll;: i·n~::-nl:'l'lt,.,i hy ~~~n1~ 11, '.'(•I ·.




ore 'Rtevouu~l!(blfiihl }.l,,f D:-<di'Jp<ut-i'.Ul.OOtatef. p!Vtes ~ 10 :.Jc.llify. :afld(, !l:.itimdo. !ltlJ
l <'l;(oJI ~~tl.ll i'.j' •,w i:.I.Jm:>IX'; ~sdli:IS !'f ~u: t he !l ~~~lll.:ll y   \'\llf:~b.llt:t iC3.l~.


P.fna;: ~m~nc Rt;.pon.'!t: 0(.10 C:»l:t:.r.; v.:ib i1:; rc~)Ul~¢ndiltion. OCIO lAS i:: ¢Unto(:·
•.>oorf.:in_;• •.:: im:-oiMr.<m. l:n <:'lN!OI.'!em::r •. ir nvr.,.1S \~l'li~h 'o': ill ~ II''~ lhr h:: UUI<.1110uli..:. injtt~-.i,!ll r>r
t'·.: ... ..J~t.·Ju.: -.u.Jwr.·.t».l.ty ~tau Iii~. T J•i• ~•tti•~·•~nl. wi.l ,'1\ltc•.Ul~au:· ~J~.1ct'D.4.&Ms
for ...; ( ,h.tlr, f ~it!'lCY Ii;.'to'(l il) n •:1:ln~'·'l:i' iry '~~"~" 'I hi:: ll!:W '•Y7 !!m       "·'P:'
                                                                                                        ~i hly vti II :.l!o>'.~ OC 10
1·.• ,,l~i 11 1111 at~Uillk iu-.·o:nJJij' ~·f tk : nwl::;o;r ,{ l!O:O:•.ni(;r -.:;.'fll:d ,j ,k~ i..Jt.:Jili,.J fN-:1 !lLVlltbh•
o,.\ lb ctnN\icy .iCC)tl$ Tbis «ltutce-;nenr ;....;cb!-.iut«< ~ t<- e~·mp:ct«J h~· Ma:<th :1.1, ~.;~ :~ .

O<'t() lAS ' ' cul'1\:"llly w:1rk:ll ~·. •·on ll;t;!:f J:U::~ u: O VM:-1 a:~ ,.,.::Il l!." i•uplo; rr.~·ll •.i:ls. :t C :·,l ~)'...t ~1 :1
.,...hi.~)~ wilt IJtcl:. r.l!li.lltl'li.l. :md :ccW1 ~ooui.::";.~VJ) ~~ts. ,..,, ? tl[ 0r<".J;"Ii..CUil\ Cnp., t ilft)• ' •
....; 1::1?:1 ;•.~·:itn R'l'!"'Yl·:ihili t~· :.n:l1:1:~kine ll•lhi: ~pl"l· lbh: ;!:lrt;l.

Th11n\: }'I"·' 1;,r 1t c-; r:.~r:•"U tnil y !I) mm-mr.n. t or. Ihi,; "1lml ln lilin ~ wJr o;,.ns: ...unl •UtJFV•I ( tt J..-
f>.:l~'''ttl!. 11a:l i·.:~-.:.-i ti::~l oui..:~i,ou. 1f ~'·~ lt<>:.•:t any (lJcn.e:u •.:snrdit:S this :lll.tt-:'!, p~t
COJt:i1:1 ~ Ot (202:• ~ tS ·625! N D..\lw,y fu r"jg;'if,td C•W.



