ML22080A042

Issue date: 10/01/2018
From: Jonathan Feibus NRC/OCIO
To: Dabbs B
Shared Package: ML22077A369
References: CSO-PROS-2102
Download: ML22080A042 (17)
Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Process

Office Instruction: CSO-PROS-2102
Title: System Cybersecurity Assessment Process
Revision Number: 2.0
Effective Date: October 1, 2018
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO

Description:
CSO-PROS-2102, System Cybersecurity Assessment Process, defines the authorized process that must be followed to perform a cybersecurity assessment of an NRC system.

Office Owner: OCIO/CSO
Primary Agency Official: Jonathan Feibus, Chief Information Security Officer (CISO)
CSO-PROS-2102 Page i

TABLE OF CONTENTS
1 PURPOSE 1
2 GENERAL REQUIREMENTS 1
2.1 PREREQUISITES 1
3 SPECIFIC REQUIREMENTS 2
3.1 SCA PROCESS PHASES 2
3.1.1 Phase I: Planning and Coordination 2
3.1.1.1 Scope Assessment Activities 3
3.1.1.2 SCA Project Schedule Development 3
3.1.1.3 SCA Project Kickoff Meeting 4
3.1.1.4 System Documentation Review 4
3.1.1.5 Develop SCA Test Plan 4
3.1.2 Phase II: System Testing 5
3.1.2.1 Examine Assessment Objects 5
3.1.2.2 Test Security Controls 5
3.1.2.3 Vulnerability Scans and Configuration Checks 6
3.1.2.4 Conducting Interviews 6
3.1.3 Phase III: Summarizing Test Results 6
3.1.3.1 Consolidate Vulnerability Scans and Configuration Checks 7
3.1.3.2 Remediate Vulnerabilities 7
3.1.3.3 Assign Assessment Findings 7
3.1.4 Phase IV: Draft SCA Report Package Preparation and Review 8
3.1.4.1 Prepare the SCA Report Package 8
3.1.4.2 Deliver Draft SCA Report Package for Review 9
3.1.4.3 Conduct Draft SCA Results Meeting 9
3.1.5 Phase V: Final SCA Report Package Preparation and Delivery 9
APPENDIX A. ACRONYMS 11
APPENDIX B. REFERENCES 12
APPENDIX C. ROLES AND RESPONSIBILITIES 13

List of Tables
Table 3-1: Assessment Findings 7
Table C-1: SCA Process Roles and Responsibilities 13
1 PURPOSE
CSO-PROS-2102, System Cybersecurity Assessment Process, provides the process that must be followed to conduct a system cybersecurity assessment (SCA) of a Nuclear Regulatory Commission (NRC) system that stores, transmits, receives, or processes information up to, and including, the Safeguards Information (SGI) level.
Note to Information System Security Officers (ISSOs): New technologies must be approved through intake prior to requesting an SCA unless specifically requested by the CISO for compelling business needs.
The information contained in this document is intended to be used by system owners, ISSOs, NRC information technology (IT) project managers, system administrators, independent assessment teams, and other stakeholders responsible for ensuring that cybersecurity controls protect information that is stored, processed, or transmitted by NRC IT systems.
2 GENERAL REQUIREMENTS
An SCA is conducted to determine the extent to which cybersecurity controls are implemented correctly, operating as intended, and producing the desired result. This is a critical aspect of continuous monitoring: assessing a system's compliance with defined cybersecurity requirements, which is accomplished by testing the correctness and effectiveness of the cybersecurity controls implemented to meet those requirements.
The assessment results (documented in an SCA report) give stakeholders insight into the current security state of a system. The Authorizing Official (AO) uses the SCA report together with other relevant documents to determine the level of risk the system poses to the NRC and approves authorization and monitoring for the system.
2.1 Prerequisites
The following activities are required prior to conducting the SCA process on an NRC system:
The independent assessment team must:
- Possess the baseline skillsets for review, target identification, and analysis techniques established in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-115, Technical Guide to Information Security Testing and Assessment.
- Be independent [1] and not serve in a support role for the system being assessed (i.e., as an ISSO, system administrator, or system documentation developer).
- Be knowledgeable of NRC cybersecurity policies, standards, and procedures.
- Be experienced with NRC-approved vulnerability scanning tools and with methods for testing the security configurations of system network devices, servers, and workstations in order to determine whether they are compliant with NRC configuration standards.
- Be authorized by the Office of the Chief Information Officer (OCIO) (or by the system ISSO for assessments of systems hosted in non-NRC facilities) to conduct configuration checks and vulnerability scans.
In addition:
- The system security categorization must be reviewed and approved by the Chief Information Security Officer (CISO).
- The system ISSO and system administrator(s) must be identified.
- The system ISSO must ensure all applicable system security documentation and artifacts are up-to-date and made available to the independent assessment team and the Computer Security Office (CSO) points of contact (POCs).
3 SPECIFIC REQUIREMENTS
This section provides the actions required to complete the SCA process.
3.1 SCA Process Phases
The SCA process consists of the following five phases:
- Phase I: Planning and Coordination
- Phase II: System Testing
- Phase III: Summarizing Test Results
- Phase IV: Draft Report Package Preparation and Review
- Phase V: Final Report Package Preparation and Delivery
3.1.1 Phase I: Planning and Coordination
Phase I, Planning and Coordination, begins after all required activities in Section 2.1, Prerequisites, are met. The goal of Phase I is to ensure that the appropriate resources required to conduct an SCA are made available and that the assessment can be completed in a timely manner, meeting budgetary allocations.
[1] Per NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, an independent assessor is any individual or group capable of conducting an impartial (no vested interest in the outcome) assessment of security controls employed within or inherited by a system.
Phase I of the SCA process consists of the following steps:
- 1. Scope Assessment Activities
- 2. SCA Project Schedule Development
- 3. SCA Project Kickoff Meeting
- 4. System Documentation Review
- 5. Develop SCA Test Plan
3.1.1.1 Scope Assessment Activities
The following activities should be considered when determining the scope of an SCA project:
- Current continuous monitoring activities;
- System authorization status;
- System categorization;
- Current state of related security artifacts;
- System location, accessibility, and availability;
- Resourcing; and
- System security control baseline.
The scope of assessment-related activities must be finalized prior to continuing to the next step in Section 3.1.1.2, SCA Project Schedule Development. These activities are agreed upon at the conclusion of any discussions between the system ISSO, CSO POCs, and the independent assessment team on the current state of the system, which could include the system's authorization status and the current status of all system continuous monitoring related activities.
The SCA will not interfere with any system level continuous monitoring activities.
The independent assessment team will verify the security categorization of the system prior to any SCA project schedule planning. This applies to both Periodic System Cybersecurity Assessments (PSCAs) and Authorization System Cybersecurity Assessments (ASCAs).
The system ISSO must ensure that system artifacts are up-to-date and accurately reflect the as-built and security state of the system. Any issues concerning the security related artifacts of the system must be reported by the system ISSO to the CSO POCs and the independent assessment team.
3.1.1.2 SCA Project Schedule Development
The independent assessment team will work with the system ISSO to develop the project schedule for the SCA. The SCA project schedule is the artifact that drives the SCA effort from beginning to completion.
The schedule is designed to meet the needs of the continuous monitoring metrics applied to the system (i.e., the SCA due date). The independent assessment team will ensure the project schedule has been developed and is ready for distribution at the SCA project kickoff meeting.
3.1.1.3 SCA Project Kickoff Meeting
The independent assessment team will facilitate an SCA Project Kickoff meeting and deliver the SCA project schedule to all meeting participants.
The goal of the SCA Project Kickoff meeting is to enable all stakeholders participating in the SCA effort to:
- Exchange key information (e.g., POC information);
- Discuss the SCA scope;
- Discuss the SCA project schedule; and
- Identify, discuss, and resolve issues or concerns.
At the conclusion of the SCA Project Kickoff meeting, all stakeholders (e.g., system ISSO, CSO POCs) should agree on and approve the project schedule and understand their roles and responsibilities accordingly.
3.1.1.4 System Documentation Review
With an agreement on the SCA project schedule from all stakeholders, the system ISSO must deliver all applicable system security related documentation and artifacts to both the independent assessment team and CSO POCs for review. This review enables the independent assessment team and CSO POCs to determine if the system artifacts are up-to-date and accurately reflect the current state of the system. If the system artifacts are not adequate for the purpose of conducting the SCA, the system owner will be responsible for the impact that re-scheduling of the assessment has on resources and the delays that may affect the project.
3.1.1.5 Develop SCA Test Plan
A test plan for the SCA effort will be developed at the conclusion of the documentation review.
The independent assessment team will develop the SCA test plan using CSO-TEMP-2108, Authorization/Periodic System Cybersecurity Assessment Plan Template. Items documented within the SCA test plan include, but are not limited to:
- System impact levels for confidentiality, integrity, and availability as stated in the security categorization;
- System security requirements;
- System assessment environment;
- SCA approach and schedule; and
- System component and control selection.
The SCA test plan will be delivered to the system ISSO and CSO POCs as a draft.
The system ISSO and CSO POCs must conduct a review of the SCA test plan for the purpose of providing comments and raising any issues and concerns. All feedback must be provided to the independent assessment team at the conclusion of the review period.
The independent assessment team will incorporate the comments and applicable feedback that were provided into the draft SCA test plan. If no feedback is received prior to the conclusion of the review period, the SCA test plan will be considered accepted by all stakeholders.
At the conclusion of the SCA test plan draft review period and incorporation of all feedback, the independent assessment team will finalize the SCA test plan and deliver it to the CSO POCs for the final approval prior to continuing onto Section 3.1.2, Phase II: System Testing.
3.1.2 Phase II: System Testing
Phase II, System Testing, begins after the completion of all activities in Phase I and the approval of the SCA test plan. The goal of Phase II is to conduct system testing consistent with NRC and federal guidance (e.g., NIST SP 800-53A [as amended], Assessing Security and Privacy Controls in Federal Information Systems and Organizations).
Phase II of the SCA process consists of the following activities:
- Examine Assessment Objects
- Test Security Controls
- Vulnerability Scans and Configuration Checks
- Conduct Interviews
These activities are the main objectives to be completed during the system testing phase of the SCA process. There is no required order or precedence among them. All activities conducted during Phase II must align with the control testing dates documented in the SCA project schedule.
3.1.2.1 Examine Assessment Objects
Assessment objects (test cases) must be evaluated based on NRC cybersecurity guidance and the NRC-defined values within CSO-STD-0020, Organization Defined Values for System Security and Privacy Controls, and CSO-STD-0021, Common and Hybrid Security Control Standard. The independent assessment team must:
Examine each test case and determine whether it complies with federal and NRC requirements. The artifacts examined in order to make such a determination may consist of:
- System security-related documents;
- System-specific procedures; or
- System files (e.g., audit logs, rule sets).
Cite all evidence supporting the status of each test case in the SCA report and SCA test cases documents described in Section 3.1.4, Phase IV: Draft SCA Report Package Preparation and Review.
3.1.2.2 Test Security Controls
The independent assessment team must test each security control in order to determine if the control is in place, operating as intended, and producing the desired outcome with respect to meeting security requirements.
Throughout the testing phase of the SCA process, the independent assessment team must preserve detailed notes that apply to each test case. In addition to retaining SCA notes, a repository of supplemental forms of evidence (e.g., screenshots, system files, and audit logs) must be collected and saved to serve as cited evidence.
3.1.2.3 Vulnerability Scans and Configuration Checks
The independent assessment team must conduct vulnerability scanning and security configuration (hardening) checks in order to determine whether the components selected in the SCA testing sample are configured, operating, and maintained per federal and NRC requirements. The independent assessment team and the system ISSO are responsible for coordinating these activities in accordance with the SCA project schedule and NRC CSO-PROS-1401, Periodic System Scanning Process, in order to minimize possible disruptions to the organization's mission, the system, and the NRC.
The independent assessment team will:
- Conduct vulnerability scanning and hardening checks on the system components selected for testing in accordance with CSO-PROS-1401.
- Perform scans and hardening checks only on components that have been approved by the CSO within the SCA test plan.
- Perform the vulnerability scans using an NRC-approved scanning tool.
- Conduct configuration checks to determine if system component configurations are compliant with NRC requirements and applicable federal requirements. All system owners are responsible for implementing the system configuration standards to be used in the protection of any system that stores, transmits/receives, or processes NRC information.
System component and device configuration settings must be examined and compared to the applicable OCIO configuration standards. The current effective standards page can be found at http://fusion.nrc.gov/OCIO/team/CSO/isd/SitePages/Standards.aspx.
3.1.2.4 Conducting Interviews
The independent assessment team must conduct interviews to support security control testing, vulnerability scanning, and hardening check activities. Interviews enable the independent assessment team to obtain a complete understanding of the system, determine where to find specific information needed for the assessment, and obtain clarification concerning specific test cases. Statements provided during the interview process must not be used as the sole evidence of the implementation of a security control.
3.1.3 Phase III: Summarizing Test Results
Phase III, Summarizing Test Results, begins after the completion of all the testing activities outlined in Phase II. The goal of Phase III is for the independent assessment team to consolidate all of the testing results and assessment findings and to complete any applicable remediation activities.
Phase III of the SCA process consists of the following steps:
- 1. Consolidate Vulnerability Scans and Configuration Checks
- 2. Remediate Vulnerabilities
- 3. Assign Assessment Findings
3.1.3.1 Consolidate Vulnerability Scans and Configuration Checks
The independent assessment team must review and analyze the raw scan results for the purpose of identifying any false positives derived from the vulnerability scanning and configuration check activities conducted during Section 3.1.2, Phase II: System Testing.
The independent assessment team must review the remediation recommendations for accuracy and ensure that sufficient information is provided to the system ISSO for the purpose of implementing any remediation recommendations. If the default recommendation provided by the scanning tool is not sufficient, the assessment team must augment the recommendation to ensure that it is useful and actionable by the system ISSO.
The independent assessment team must consolidate raw scan results into a Findings Tracking Sheet (FTS). The FTS must then be submitted to the system ISSO and CSO POCs via NRC email.
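As an added illustration of the consolidation step, not part of CSO-PROS-2102 and not an NRC tool: the following Python script takes constructed raw scanner findings from several sampled hosts, drops the entries the assessment team has reviewed and recorded as false positives, merges the per-host rows so each vulnerability appears once in the tracking sheet with every affected component listed, flags scanner recommendations that are too terse for the ISSO to act on, and tallies severity counts as the VAR reports them. The record layout, field names, severity scale, word-count threshold, and false-positive list are assumptions for this example; the process does not prescribe an FTS format.

```python
"""Added example: consolidate raw vulnerability scan results into a findings
tracking sheet (FTS). The record layout, field names, and false-positive list
are assumptions for illustration; CSO-PROS-2102 does not prescribe an FTS format
and this is not an NRC tool."""
from collections import Counter
from dataclasses import dataclass, field

# Severity ranking used to roll up the worst severity seen for a finding.
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Recommendations shorter than this are flagged for the assessor to augment
# (the threshold is an arbitrary example value).
MIN_RECOMMENDATION_WORDS = 3


@dataclass
class RawFinding:
    """One row of raw scanner output for one host (assumed layout)."""
    host: str
    plugin_id: str
    title: str
    severity: str
    recommendation: str


@dataclass
class TrackedFinding:
    """One FTS entry: a vulnerability and every sampled component it affects."""
    plugin_id: str
    title: str
    severity: str
    recommendation: str
    hosts: list = field(default_factory=list)


# Constructed sample scan results; not real data from any NRC system.
RAW_RESULTS = [
    RawFinding("web01", "P-100", "TLS 1.0 enabled", "Medium",
               "Disable TLS 1.0 in the server configuration and restart the service."),
    RawFinding("web02", "P-100", "TLS 1.0 enabled", "Medium",
               "Disable TLS 1.0 in the server configuration and restart the service."),
    RawFinding("db01", "P-200", "Unsupported database version", "High", "Upgrade."),
    RawFinding("db01", "P-300", "Default SNMP community string", "High",
               "Change the community string."),
    RawFinding("web01", "P-400", "Web server version disclosure", "Low",
               "Suppress the server version banner."),
]

# False positives confirmed by the assessors during analysis, keyed by
# (host, plugin_id), with the reason recorded so the decision is auditable.
FALSE_POSITIVES = {
    ("db01", "P-300"): "SNMP service disabled; scanner matched a closed-port banner",
}


def consolidate(raw, false_positives):
    """Drop confirmed false positives and merge per-host rows into one FTS
    entry per finding, keeping the highest severity observed for it."""
    tracked = {}
    for f in raw:
        if (f.host, f.plugin_id) in false_positives:
            continue
        entry = tracked.setdefault(
            f.plugin_id,
            TrackedFinding(f.plugin_id, f.title, f.severity, f.recommendation),
        )
        if SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[entry.severity]:
            entry.severity = f.severity
        if f.host not in entry.hosts:
            entry.hosts.append(f.host)
    # Most severe first, then by finding ID so the sheet order is deterministic.
    return sorted(tracked.values(),
                  key=lambda t: (-SEVERITY_ORDER[t.severity], t.plugin_id))


def needs_augmented_recommendation(entry):
    """True when the scanner's default recommendation is too terse for the
    ISSO to act on and the assessment team must expand it."""
    return len(entry.recommendation.split()) < MIN_RECOMMENDATION_WORDS


def severity_summary(tracked):
    """Count of FTS entries per severity, as totalled in the VAR."""
    return dict(Counter(t.severity for t in tracked))


if __name__ == "__main__":
    fts = consolidate(RAW_RESULTS, FALSE_POSITIVES)
    for t in fts:
        flag = " [augment recommendation]" if needs_augmented_recommendation(t) else ""
        print(f"{t.plugin_id} {t.severity:8} {t.title}: {', '.join(t.hosts)}{flag}")
    print("VAR severity totals:", severity_summary(fts))
```

Keying false positives by host and finding rather than by finding alone matters: the same plugin can be a genuine hit on one component and a false positive on another, and suppressing it globally would hide a real weakness from the ISSO.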
3.1.3.2 Remediate Vulnerabilities
The remediation period must allow the system ISSO the opportunity to analyze the FTS and determine if any of the vulnerabilities identified can be remediated prior to the completion of the SCA process.
The independent assessment team must follow CSO-PROS-1401 when conducting follow-up scans and configuration checks to verify any remediation activities completed by the system ISSO.
The system ISSO must use CSO-PROS-1401 when providing the independent assessment team with evidence of completing remediation activities.
3.1.3.3 Assign Assessment Findings
Once remediation activities are complete, the independent assessment team must assign one of six possible assessment findings to each portion of the security control. Table 3-1, Assessment Findings, describes each of the six possible findings.

Table 3-1: Assessment Findings

Satisfied
Indicates that for the portion of the security control addressed by a determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control has been met, producing a fully acceptable result.

Other than Satisfied
Indicates that for the portion of the security control addressed by the determination statement, the assessment information obtained indicates potential anomalies in the operation or implementation of the control that may need to be addressed by the organization.

Risk Based Decision
Indicates that the NRC AO has accepted the risk associated with a deficient portion of a security control due to compensating controls and mitigating factors documented per CSO-PROS-1324, Deviation/Waiver Request Process. A signed deviation or waiver approval memo that the assessors determine is still valid constitutes evidence that the NRC AO has accepted the risk associated with the deficient assessment objective.

Provided at Agency Level
Indicates that for the portion of the security control addressed by a determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control is provided by the NRC for the system. CSO-STD-0021 and the supporting system security plan (SSP) constitute evidence that the assessment objective is provided by the NRC to the assessed system.

Provided by <XYZ System>
Indicates that for the portion of the security control addressed by a determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control is provided by system XYZ for the assessed system. A signed, currently effective service level agreement (SLA) between the organizations providing and inheriting the assessment objective constitutes evidence that the assessment objective is provided as a service to the assessed system. Systems owned by the same organization are not required to have an SLA.

Not Applicable
Indicates that for the portion of the security control addressed by the determination statement, the assessment information obtained indicates that the assessment objective is not applicable to the assessed system per the scoping guidance provided in NIST SP 800-53. For example, a security control that refers to a specific technology (e.g., wireless) is applicable only if wireless is employed within the assessed system; likewise, an agency common control is not applicable when it is outside the scope of the system and/or is not providing the control function.
3.1.4 Phase IV: Draft SCA Report Package Preparation and Review
Phase IV, Draft SCA Report Package Preparation and Review, begins after the completion of all activities outlined in Phase III. The goal of Phase IV is to prepare the draft SCA report package and conduct a review of the package with the system ISSO and CSO POCs.
There are three steps in Phase IV of the SCA process:
- 1. Prepare the SCA Report Package
- 2. Deliver Draft SCA Report Package for Review
- 3. Conduct Draft SCA Results Meeting
3.1.4.1 Prepare the SCA Report Package
After the security controls have been assessed, the independent assessment team must prepare an SCA report package. During this step of Phase IV, the independent assessment team compiles, analyzes, and documents all of the data derived from the testing phase of the assessment process. All of this information is documented within the SCA report package. The SCA report package consists of the following:
SCA Report: Documents the results of the SCA process (i.e., testing and assessing) and is delivered to all of the SCA stakeholders. It must document a risk analysis conducted on the system by the independent assessment team.
SCA Test Cases: Compiles the results of the test cases derived from the testing activities conducted by the independent assessment team. The overall security control status must be provided within the SCA Test Cases document, along with the independent assessment team's notes that support the findings documented within.
Vulnerability Assessment Report (VAR): Summarizes the results of vulnerability scanning and configuration checks compiled by the independent assessment team. The total number of vulnerabilities and their severity determined by the independent assessment team must be provided within the VAR.
FTS: Presents the final version of the FTS.
3.1.4.2 Deliver Draft SCA Report Package for Review
The assessment team must deliver the draft SCA report package to both the system ISSO and CSO POCs.
The draft SCA report must be delivered in Portable Document Format (PDF) and via NRC email.
All POCs will be granted a period to review the contents of the SCA report package prior to attending the results meeting that is scheduled by the independent assessment team.
3.1.4.3 Conduct Draft SCA Results Meeting
The independent assessment team must schedule and conduct a review meeting with both the system ISSO and CSO POCs. The purpose of this meeting is to brief and discuss the results and findings that were identified during the SCA and documented within the SCA report package. Any questions or concerns will be addressed during this meeting. In addition, the system ISSO will be given the opportunity to provide evidence to the independent assessment team that specific assessment objectives are satisfied.
It is recommended that the system ISSO bring to the meeting any technical staff needed to address the findings.
The independent assessment team will apply any feedback derived from the SCA results meeting to the contents of the draft SCA report package prior to delivering the package in its final form.
3.1.5 Phase V: Final SCA Report Package Preparation and Delivery
Phase V, Final SCA Report Package Preparation and Delivery, begins after the completion of all activities in Phase IV. The goal of Phase V is to deliver the SCA report package to the system ISSO and CSO POCs as a final document.
The independent assessment team must deliver the final report package in PDF format and via NRC email only.
In addition to delivering the final SCA report package, the independent assessment team must provide a Plan of Action and Milestones (POA&M) spreadsheet to the system ISSO to be used for updating the system POA&M.
APPENDIX A. ACRONYMS
AO: Authorizing Official
ASCA: Authorization System Cybersecurity Assessment
ATO: Authorization to Operate
CSO: Computer Security Office
CISO: Chief Information Security Officer
FIPS: Federal Information Processing Standards
FISMA: Federal Information Security Management Act
FTS: Findings Tracking Sheet
FY: Fiscal Year
ISSO: Information System Security Officer
IT: Information Technology
NIST: National Institute of Standards and Technology
NRC: Nuclear Regulatory Commission
OCIO: Office of the Chief Information Officer
PDF: Portable Document Format
POA&M: Plan of Action and Milestones
POC: Point of Contact
PROS: Process
PSCA: Periodic System Cybersecurity Assessment
PUB: Publication
SCA: System Cybersecurity Assessment
SGI: Safeguards Information
SLA: Service Level Agreement
SP: Special Publication
SSP: System Security Plan
TEMP: Template
VAR: Vulnerability Assessment Report
APPENDIX B. REFERENCES
Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347, December 2002
Federal Information Processing Standard (FIPS) Publication (PUB) 200, Minimum Security Requirements for Federal Information and Information Systems
NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
NRC Management Directive 12.5, "NRC Cyber Security Program"
CSO-PROS-1323, U.S. Nuclear Regulatory Commission Agencywide Continuous Monitoring Program
CSO-PROS-1324, Deviation/Waiver Request Process
CSO-PROS-1401, Periodic System Scanning Process
CSO-PROS-2016, Plan of Action and Milestones Process
CSO-STD-0020, Organization Defined Values for System Security and Privacy Controls
CSO-STD-0021, Common and Hybrid Security Control Standard
CSO-TEMP-2108, Authorization/Periodic System Cybersecurity Assessment Plan Template
FY13 NRC IT Security Risk Management Activities Memo
APPENDIX C. ROLES AND RESPONSIBILITIES
Table C-1 provides the high-level roles and responsibilities associated with the SCA process.

Table C-1: SCA Process Roles and Responsibilities

AO
- Executive that issues an authorization and approves all risks related to the use of an information system.

CSO POC
- Serves as the primary contact for NRC policy, guidance, direction, and resources through the course of the SCA.
- Reviews and approves the SCA test plan.

System ISSO
- Ensures the security state of the system meets NRC requirements.
- Ensures the independent assessment team receives required system artifacts and access to the system and personnel as required.
- Conducts remediation activities.
- Provides assistance to the independent assessment team during system testing activities.
- Participates in interviews conducted by the independent assessment team.

System Administrator
- Assists the independent assessment team with access to the system and its resources through the course of the SCA process.
- Conducts remediation activities.
- Provides assistance to the independent assessment team during system testing activities.
- Participates in interviews conducted by the independent assessment team.

Independent Assessment Team
- Analyzes system security documentation (e.g., SSP, ATO, SLAs) to detect notable security concerns that could affect the security state of NRC data or the NRC operating environment.
- Conducts the independent SCA in accordance with CSO-PROS-2102 on the NRC security control baseline.
- Validates the effectiveness of the system's NRC security control baseline.
- Performs the periodic SCA (PSCA) annually as required by CSO-PROS-1323 and the FY13 NRC IT Security Risk Management Activities Memo.
- Analyzes external IT service POA&M information to validate that the system owner is remediating/mitigating weaknesses, and to determine if any new notable security concerns are present that could affect the security state of NRC data or the NRC operating environment.
- Develops and delivers the SCA report package.
CSO-PROS-2102 Change History

| Date | Version | Description of Change | Method Used to Announce & Distribute | Training |
|---|---|---|---|---|
| 21-Feb-14 | 1.0 | Initial release | Posting to CSO web page and notification to ISSO forum. | As needed |
| 06-Jul-18 | 2.0 | Update | OCIO/CSO website | As needed |
| 10-June-21 | | This document is going through major revision and will be completed end of FY22 Q1 | OCIO/CSO website | As needed |