| 127 |
1.1.64.C.01. |
All Classifications |
Must |
System owners seeking a dispensation for non-compliance with any baseline controls in this manual MUST be granted a dispensation by their Accreditation Authority. Where High GradAssurance Cryptographic Systems (HACS) are implemented, the Accreditation Authority will be the Director-General GCS) are implemented, the Accreditation Authority will be the Director-General GCSB or a formal delegate. |
| 255 |
2.3.27.C.01. |
All Classifications |
Must |
Agencies intending to adopt cloud technologies or services MUST conduct a comprehensive risk assessment, in accordance with the guidance provided by the Government CIhief Digital Officer (GCDO) before implementation or adoption. |
| 283 |
3.1.8.C.02. |
All Classifications |
Should |
When the agency head devolvegates their authority, the delegate SHOULD be a senior executive who understands the CISOconsequences and potential impact to the business of the acceptance of residual risk. |
| 311 |
3.2.8.C.05. |
All Classifications |
Should |
Where multhiple roles ofare held by the CISO is outsourced,any potential conflicts of interest in availability, response times or working with vendors SHOULD be identified and carefully managed. |
| 322 |
3.2.11.C.01. |
All Classifications |
Should |
The CISO SHOULD be responsible for establishing mechanisms and programs to ensuringe compliance with the information security policies and standards within the agency. |
| 323 |
3.2.11.C.02. |
All Classifications |
Should |
The CISO SHOULD be responsible for ensuring agency compliance with the NZISM through facilitating a continuous program of certification and accreditation bof asedll on security risk managency systements. |
| 334 |
3.2.13.C.02. |
All Classifications |
Should |
The CISO SHOULD liaise with agency technology architecture teams to ensure alignment between security and agency architectures. |
| 391 |
3.3.8.C.01. |
All Classifications |
Must |
ITSMs MUST be responsible for ensuring the development, maintenance, updating and implementation of Security Risk Management Plans (SRMPs), Systems Security Plans (SecPlanSP) and any Standard Operating Procedures (SOPs) for all agency systems. |
| 569 |
4.3.18.C.01. |
All Classifications |
Must |
The SecPol, SRMP, SecSPlan, SOPs and IRP documentation MUST be reviewed by the auditor to ensure that it is comprehensive and appropriate for the environment the system is to operate within. |
| 634 |
4.4.12.C.03. |
All Classifications |
Must |
Agencies MUST notify the Government CIhief Digital Officer (GCDO) where All-of-Government systems are connected to agency systems operating with expired accreditations. |
| 675 |
4.5.18.C.03. |
All Classifications |
Must |
The Accreditation Authority MUST advise the GCIDO where the accreditation decision may affect any All-of-Government systems. |
| 702 |
5.1.10.C.01. |
All Classifications |
Must |
Agencies MUST ensure that every system is covered by a SecSPlan. |
| 718 |
5.1.15.C.01. |
All Classifications |
Should |
Agencies SHOULD ensure that their SRMP, Systems Architecture, SecSPlan, SOPs and IRP are logically connected and consistent for each system, other agency systems and with the agency’s SecPol. |
| 729 |
5.1.18.C.01. |
All Classifications |
Must |
Agencies MUST ensure that their SecPol, SRMP, SecSPlan, SOPs and IRP are appropriately classified. |
| 781 |
5.2.3.C.02. |
All Classifications |
Should |
The Information Security Policy (SecPol) SHOULD include topics such as:
accreditation processes;
personnel responsibilities;
configuration control;
access control;
networking and connections with other systems;
physical security and media control;
emergency procedures and information security incident management;
vulnerability disclosure;
change management; and
information security awareness and training.
|
| 828 |
5.4.5.C.01. |
All Classifications |
Must |
Agencies MUST select controls from this manual to be included in the SecSPlan based on the scope of the system with additional system specific controls being included as a result of the associated SRMP. Encryption Key Management requires specific consideration; refer to Chapter 17 – Cryptography. |
| 829 |
5.4.5.C.02. |
All Classifications |
Should |
Agencies SHOULD use the latest baseline of this manual when developing, and updating, their SecSPlans as part of the certification, accreditation and reaccreditation of their systems. |
| 831 |
5.4.5.C.03. |
All Classifications |
Should |
Agencies SHOULD include a Key Management Plan in the SecSPlan. |
| 1048 |
6.1.9.C.01. |
All Classifications |
Should |
Agencies SHOULD review the components detailed in the table below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.
Component
Review
Information security documentation
The SecPol, Systems Architecture, SRMPs, SecSPlans, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports.
Dispensations
Prior to the identified expiry date.
Operating environment
When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment.
Procedures
After an information security incident or test exercise.
System security
Items that could affect the security of the system on a regular basis.
Threats
Changes in threat environment and risk profile.
NZISM
Changes to baseline or other controls, any new controls and guidance.
|
| 1095 |
6.3.7.C.03. |
All Classifications |
Should |
Agencies SHOULD follow this change management process outline:
produce a written change request;
submit the change request to all stakeholders for approval;
document the changes to be implemented;
test the approved changes;
notification to user of the change schedule and likely effect or outage;
implement the approved changes after successful testing;
update the relevant information security documentation including the SRMP, SecSPlan and SOPs
notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied; and
continually educate system users in regards to changes.
|
| 1237 |
7.2.25.C.01. |
All Classifications |
Must |
Agencies MUST urgently notify GCSB of any suspected loss or compromise of keying material associated with HGACE. |
| 1409 |
8.4.11.C.01. |
All Classifications |
Should |
Agencies choosing to prevent the storage of classified information on non-volatile media and enforcing scrubbing of temporary data at logoff or shutdown SHOULD:
assess the security risks associated with such a decision; and
specify the processes and conditions for their application within the system’s SecSPlan.
|
| 1412 |
8.4.12.C.01. |
All Classifications |
Should |
Agencies securing volatile media for IT equipment during non-operational hours SHOULD:
disconnect power from the equipment the media resides within;
assess the security risks if not sanitising the media; and
specify any additional processes and controls that will be applied within the system’s SecSPlan.
|
| 1480 |
9.2.10.C.01. |
All Classifications |
Must |
Agencies MUST specify in the System Security Plan (SecSPlan) any authorisations, security clearances and briefings necessary for system access. |
| 1484 |
9.2.11.C.02. |
All Classifications |
Should |
Agencies SHOULD:
limit system access on a need-to-know/need-to-access basis;
provide system users with the least amount of privileges needed to undertake their duties; and
have any requests for access to a system authorised by the supervisor or manager of the system user; and
ensure a formal acknowledgement of the security briefing is obtained and recorded.
|
| 1487 |
9.2.12.C.01. |
All Classifications |
Should |
Agencies SHOULD:
maintain a secure record of:
all authorised system users;
their user identification;
why access is required;
role and privilege level,
who provided the authorisation to access the system;
when the authorisation was granted; and
keep a copy of the acknowledgement signed by the individual granted a clearance; and
maintain the record, for the life of the system or information to which access is granted, or the length of employment, whichever is the longer, to which access is granted.
|
| 1508 |
9.2.18.C.01. |
All Classifications |
Must |
Agencies granting limited higher access to a system MUST ensure that:
effectithe approve controls are in place to restrict access to onlyal for access is formally acknowledged and recorded; and either
effective controls are in place to restrict access only to classified information that is necessary to undertake the system user’s duties; or
the system user is continually supervised by another system user who has the appropriate security clearances to access the system.
|
| 2412 |
10.5.11.C.01. |
All Classifications |
Should |
Agencies SHOULD inspect cables for inconsistencies with the cable register in accordance with the frequency defined in the SecSPlan. |
| 5626 |
10.6.29.C.01. |
Confidential, Secret, Top Secret |
Must |
Cabinet rails MUST be installed to:
provide adequate room for patch cables and wire managers;
provide adequate space for cable management at front, sides, and rear; and
arrange switches and patch panels to minimize patching between cabinets & racks.
|
| 2662 |
11.3.12.C.02. |
Confidential, Secret, Top Secret |
Must |
Agencies MUSHOULDT use push-to-talk mechandisetms to meet the requirement for off-hook audio protection. PTT activation MUST be clearly labelled. |
| 3455 |
12.4.5.C.01. |
All Classifications |
Should |
Where known vulnerabilities cannot be patched, or security patches are not available, agencies SHOULD implement:
controls to resolve the vulnerability such as:
disable the functionality associated with the vulnerability though product configuration;
ask the vendor for an alternative method of managing the vulnerability;
install a version of the product that does not have the identified vulnerability;
install a different product with a more responsive vendor; or
engage a software developer to correct the software.
controls to prevent exploitation of the vulnerability including:
apply external input sanitisation (if an input triggers the exploit);
apply filtering or verification on the software output (if the exploit relates to an information disclosure);
apply additional access controls that prevent access to the vulnerability; or
configure firewall rules to limit access to the vulnerable software.
controls to contain the exploit including:
apply firewall rules limiting outward traffic that is likely in the event of an exploitation;
apply mandatory access control preventing the execution of exploitation code; or
set file system permissions preventing exploitation code from being written to disk;
allowhite and black and deny listing to prevent code execution; and
controls to detect attacks including:
deploy an IDS;
monitor logging alerts; or
use other mechanisms as appropriate for the detection of exploits using the known vulnerability.
controls to prevent attacks including:
deploy an IPS or HIPS; or
use other mechanisms as appropriate for the diversion of exploits using the known vulnerability, such as honey pots and Null routers.
|
| 3537 |
12.6.4.C.01. |
All Classifications |
Must |
Agencies MUST sanitise or destroy, then declassify, IT equipment containing any media before disposal. |
| 3566 |
12.6.8.C.01. |
All Classifications |
Must |
Agencies MUST visually inspect video screens by turning up the brightness to the maximum level to determine if any classified information has been burnt into or persists on the screen, before redeployment or disposal. |
| 3572 |
12.6.9.C.01. |
All Classifications |
Must |
Agencies MUST attempt to sanitise video screens with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time. If burn-in cannot be corrected the screen MUST be processed through an approved destruction facility. |
| 4302 |
13.5.24.C.01. |
All Classifications |
Must |
Agencies MUST employ approved equipment for the purpose of media and IT Eequipment destruction MUST be performed using approved destruction equipment, facilities and methods. |
| 4304 |
13.5.24.C.02. |
All Classifications |
Must |
Where agencyies do not own thedir approvedwn destruction equipment is not available, agencies MUST use an approved destruction facility for media and IT Eequipment destruction. |
| 4343 |
13.5.25.C.01. |
All Classifications |
Must |
Agencies MUST, at minimum, store and handle the resulting waste for all methods, as forin accordance with the classification given in the table below.
Initial media or IT Equipment classification
Screen aperture size particles can pass through
Less than or equal to 3mm
Treat as
Less than or equal to 6mm
Treat as
TOP SECRET
UNCLASSIFIED
RESTRICTED
SECRET
UNCLASSIFIED
RESTRICTED
CONFIDENTIAL
UNCLASSIFIED
RESTRICTED
RESTRICTED
UNCLASSIFIED
UNCLASSIFIED
Particle size: measured in any direction, should not exceed stated measurement. |
| 4359 |
13.5.27.C.03. |
All Classifications |
Should |
The Destruction Register SHOULD record:
Date oestruction facility used;
Destruction method used;
Date of destruction;
Operator and witnesses;
Media or and IT Eequipment classification; and
Media or and IT Eequipment type, characteristics and serial number.
|
| 4367 |
13.5.29.C.01. |
Top Secret |
Must Not |
Agencies MUST NOT outsource the supervision and oversight of the destruction of TOP SECRET or NZEO media and IT Eequipment or other accountable material to a non-government entity or organisation. |
| 1234 |
14.2.4.C.01. |
All Classifications |
Should |
Agencies SHOULD implement application allowhite listing as part of the SOE for workstations, servers and any other network device. |
| 1242 |
14.2.5.C.01. |
All Classifications |
Must |
Agencies MUST ensure that a system user cannot disable the application allowhite listing mechanism. |
| 898 |
14.2.5.C.04. |
All Classifications |
Should |
Agencies SHOULD ensure that application allowhite listing does not replace the antivirus and anti-malware software within a system. |
| 907 |
14.2.6.C.01. |
All Classifications |
Should |
Agencies SHOULD ensure that system administrators are not automatically exempt from application allowhite listing policy. |
| 936 |
14.2.7.C.02. |
All Classifications |
Should |
Agencies SHOULD ensure that application allowhite listing is used in addition to a strong access control list model and the use of limited privilege accounts. |
| 940 |
14.2.7.C.03. |
All Classifications |
Should |
Agencies SHOULD plan and test application allowhite listing mechanisms and processes thoroughly prior to implementation. |
| 945 |
14.2.7.C.05. |
All Classifications |
Should |
Agencies SHOULD restrict the process creation permissions of any executables which are permitted to run by the application allowhite listing controls. |
| 947 |
14.2.7.C.07. |
All Classifications |
Should |
Logs from the application allowhite listing implementation SHOULD include all relevant information. |
| 1602 |
14.3.8.C.01. |
All Classifications |
Should |
Agencies permitting TLS through their gateways SHOULD implement:
a solution that decrypts and inspects the TLS traffic as per content filtering requirements; or
a n allowhite list specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked.
|
| 1609 |
14.3.10.C.01. |
All Classifications |
Should |
Agencies SHOULD implement allowhite listing for all HTTP traffic being communicated through their gateways. |
| 1608 |
14.3.10.C.02. |
All Classifications |
Should |
Agencies using an allowhite list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allowhite list addresses by domain name or IP address. |
| 1610 |
14.3.10.C.03. |
All Classifications |
Should |
If agencies do not allowhite list websites they SHOULD blackdeny list websites to prevent access to known malicious websites. |
| 1611 |
14.3.10.C.04. |
All Classifications |
Should |
Agencies blackdeny listing websites SHOULD update the blackdeny list on a frequent basis to ensure that it remains effective. |
| 1621 |
14.3.13.C.01. |
All Classifications |
Must Not |
Users MUST NOT use agency useridID and login passwords as credentials for external websites. |
| 1745 |
15.2.21.C.01. |
All Classifications |
Should |
Agencies SHOULD configure the following gateway filters:
inbound and outbound email, including any attachments, that contain:
malicious code;
content in conflict with the agency’s email policy;
content that cannot be identified;
deny listed or unauthorised filetypes; and
encrypted content, when that content cannot blacklisted or unauthorised filetye inspescted for malicious code or authenticated as originating from a trusted source; and
encrypted content,
emails addressed to internal email aliases when that content cannot be inspected for malicious code or authenticated as originating from a trusted sourceith source addresses located from outside the domain;
emails addressed to internal email aliases and
all emails arriving via an external connection with source addresses located from outside the domain; and
all emails arriving via an external connection where the source address uses an internal agency domain name.
|
| 2070 |
17.1.51.C.01. |
All Classifications |
Must |
Agencies using cryptographic functionality within a product for the protection of classifiedto protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. |
| 2080 |
17.1.53.C.02. |
Confidential, Secret, Top Secret |
Must |
If an agency wishes to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they MUST encrypt the classified information using High GradAssurance Cryptographic Equipment (HGACE). It is important to note that the classification of the information itself remains unchanged. |
| 2081 |
17.1.53.C.03. |
Confidential, Secret, Top Secret |
Must |
If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use:
full disk encryption; or
partial disk encryption where the access control will allow writing onlyONLY to the encrypted partition holding the classified information.
|
| 2082 |
17.1.53.C.04. |
All Classifications |
Should |
If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use:
full disk encryption; or
partial disk encryption where the access control will only allow writing ONLY to the encrypted partition holding the classified information.
|
| 2089 |
17.1.55.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST use HGACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. |
| 2090 |
17.1.55.C.02. |
Restricted/Sensitive |
Must |
Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an aApproved encryption alCryptogorithm and praphic Algorithm and Protocol if information is transmitted or systems are communicating over any insecure or unprotected network such as the Internets, such as the Internet, public infrastructurenetworks or non-agency controlled networks. |
| 2091 |
17.1.55.C.03. |
All Classifications |
Must |
Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol when data is transmitted over insecure or unprotected networks such as the Internet, pubetween data centres over insecure or unprotectlic infrastructure or non-agency controlled networks such as the Internet, public inwhen the compromise ofrastructure or non-agency controlled networks the aggregated data would present a significant impact to the agency. |
| 2092 |
17.1.55.C.04. |
All Classifications |
Should |
Agencies SHOULD useencrypt agency data using an approved encryption productalgorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. |
| 2105 |
17.1.58.C.03. |
All Classifications |
Must |
Agencies using HACE MUST consult with the GCSB for the key management requirements for HGCE. |
| 2128 |
17.2.17.C.01. |
All Classifications |
Must |
Agencies using an unevaluated product that implements an Approved Cryptographic Algorithm MUST ensure that only Approved Cryptographic Algorithms can be used when using an unevaluated product that implements a combination of approved and non-approved Cryptographic Algorithms. |
| 2134 |
17.2.19.C.01. |
All Classifications |
Must |
Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least 4309672 bits. |
| 2137 |
17.2.20.C.01. |
All Classifications |
Must |
Legacy dDevices which are NOT capable of implementing required key lengths MUST be reconfigured with the longest feasible key length as a matter of urgency. |
| 2138 |
17.2.20.C.02. |
All Classifications |
Must |
Legacy dDevices which are NOT capable of implementing required key lengths MUST be scheduled for replacement as a matter of urgency. |
| 2151 |
17.2.24.C.01. |
All Classifications |
Must |
Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, MUST use a modulus of at least 3072048 bits. |
| 2155 |
17.2.26.C.01. |
All Classifications |
Must |
Agencies MUST use the SHA-2 family befor new systems. Use usingof SHA-1 is permitted ONLY for legacy systems. |
| 5905 |
17.2.26.C.02. |
All Classifications |
Must |
Agencies MUSHOULDT use a minimum of SHA-384 when using hashing algorithms to provide integrity protection for information classified as RESTRICTED/SENSITIVE or above. |
| 2158 |
17.2.28.C.01. |
All Classifications |
Should Not |
Agencies using approved symmetric encryption algorithms (e.g. AES or 3DES) SHOULD NOT use Electronic Code Book Mode (ECB) mode. |
| 3021 |
17.9.25.C.01. |
All Classifications |
Should |
The table below describes the minimum contents which SHOULD be documented in the KMP.
Topic
Content
Objectives
Objectives of the cryptographic system and KMP, including organisational aims.
Refer to relevant NZCSIs.
System description
The environment.
Maximum classification of information protected.
Topology Diagram(s) and description of the cryptographic system topology including data flows.
The use of keys.
Key algorithm.
Key length.
Key lifetime.
Roles and administrative responsibilities.
Documents roles and responsibilities, including the:
COMSEC Custodian;
Cryptographic systems administrator;
Record keeper; and
Auditor.
Accounting
How accounting will be undertaken for the cryptographic system.
What records will be maintained.
How records will be audited.
Classification
Classification of the cryptographic system hardware.
Classification of cryptographic system software.
Classification of the cryptographic system documentation.
Information security incidents
A description of the conditions under which compromise of key material should be declared.
References to procedures to be followed when reporting and dealing with information security incidents.
Key management
Who generates keys.
How keys are delivered.
How keys are received.
Key distribution, including local, remote and central.
How keys are installed.
How keys are transferred.
How keys are stored.
How keys are recovered.
How keys are revoked.
How keys are destroyed.
Maintenance
Maintaining the cryptographic system software and hardware.
Destroying equipment and media.
References
Vendor documentation.
Related policies.
|
| 3043 |
17.9.31.C.01. |
All Classifications |
Must |
Agencies MUST comply with NZCSI when using HGCP or HGACE. |
| 3053 |
17.9.32.C.03. |
All Classifications |
Should Not |
Agencies SHOULD NOT transport commercial grade cryptographic equipment or products in a keyed state. |
| 3290 |
18.2.6.C.01. |
All Classifications |
Must |
Agencies deploying a wireless network for public access MUST segparegate it from any other agency networks; including BYOD networks. |
| 3621 |
18.2.34.C.01. |
All Classifications |
Should |
Wireless networks SHOULD be sufficiently segregated through the use of channel separation. |
| 3740 |
18.3.12.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST:
configure VTC and VoIP devices to authenticate themselves to the call controller upon registration;
disable phone auto-registration and only allow a n allowhite list of authorised devices to access the network;
block unauthorised devices by default;
disable all unused and prohibited functionality; and
use individual logins for IP phones.
|
| 3741 |
18.3.12.C.02. |
All Classifications |
Should |
Agencies SHOULD:
configure VoIP phones to authenticate themselves to the call controller upon registration;
disable phone auto-registration and onlyuse an allow a whitelist of authorised devices to access the network;
block unauthorised devices by default;
disable all unused and prohibited functionality; and
use individual logins for IP phones.
|
| 4015 |
19.4.4.C.01. |
All Classifications |
Must |
Agencies MUST use devices as shown in the following table for controlling the data flow of one-way gateways between networks of different classifications.
High networrk
Low network
You require
RESTRICTED
UNCLASSIFIED
EAL2 or PP diode
RESTRICTED
EAL2 or PP diode
CONFIDENTIAL
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
high assurance diode
TOP SECRET
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
high assurance diode
TOP SECRET
high assurance diode
|
| 4742 |
19.5.27.C.06. |
All Classifications |
Should |
Event logs covering all VoIP and UC services SHOULD be maintained in accordance with the requirements of the NZISM. See sections 16.56 - Event lLogging and Auditing and 13.1.12 - Archiving. |
| 4752 |
19.5.28.C.05. |
All Classifications |
Should |
Agencies SHOULD consider the use of balacklistingow and whitdeny listing to manage fraudulent calls to known fraudulent call destinations. |
| 4406 |
20.3.12.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST create and enforce an allowhite list of permitted content types based on business requirements and the results of a security risk assessment. |
| 4407 |
20.3.12.C.02. |
All Classifications |
Should |
Agencies SHOULD create and enforce an allowhite list of permitted content types based on business requirements and the results of a security risk assessment. |
| 4660 |
21.4.11.C.06. |
All Classifications |
Must |
Wireless accesses points used for access to agency networks MUST be implemented and secured in accordance with the directions in this manual (See Section 18.2 – Wireless Local Area Networks). |
| 4812 |
22.1.21.C.05. |
All Classifications |
Must |
Agencies MUST consult with the GCIDO to ensure the strategic and other cloud risks are comprehensively assessed. |
| 4814 |
22.1.21.C.07. |
All Classifications |
Must |
Agencies using cloud services MUST ensure they have conducted a documented risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO. |
| 4822 |
22.1.22.C.03. |
All Classifications |
Must |
Agencies using cloud services hosted offshore and connected to All-of-Government systems MUST ensure they have conducted a risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO. |