Cybersecurity: Complying with Federal Regulations for Research and by Research Institutions

M310 October 16, 2017; 2:00 p.m. – 3:00 p.m. Cybersecurity: Complying with Federal Regulations for Research and by Research Institutions J. Michael Slocum, Esquire; Slocum & Boddie, P.C. Alexandria, VA USA

Upload: lelien

Post on 04-Apr-2018


TRANSCRIPT

Page 1: Cybersecurity: Complying with Federal … • New Executive Order mandates NIST Cybersecurity Framework • Three parts: – Framework core – Framework profile – Framework implementation

M310 October 16, 2017; 2:00 p.m. – 3:00 p.m.

Cybersecurity: Complying with Federal Regulations for Research and by Research Institutions

J. Michael Slocum, Esquire; Slocum & Boddie, P.C., Alexandria, VA USA

Page 2

Summary

• Introduction

• Security issues in information security and “cyber”

• Federal initiatives

Page 3

What is the Cloud?

• “Cloud computing is a model for enabling convenient, on‐demand network access to a shared pool of configurable computing resources” (NIST)

• Rapid deployment, low startup costs/capital investments, costs based on utilization or subscription, multi‐tenant sharing of services/resources

• Characteristics:  On demand service, ubiquitous network access, location independent resource pooling, rapid elasticity 

Page 4

In Most Ways, “Cloud Computing Security” Is No Different Than “Regular Security”

• Many applications interface with end users

– All of the vulnerabilities in those apps are just as relevant to applications running on the cloud as they are to applications running on conventional hosts

(continued)

Page 5

In Most Ways, “Cloud Computing Security” Is No Different Than “Regular Security” (2)

• Data center supporting cloud computing is internally and externally indistinguishable from a data center full of "regular" servers

– In each case, it will be important for the data center to be physically secure against unauthorized access or potential natural disasters, but there are no special new physical security requirements which suddenly appear simply because one of those facilities is supporting cloud computing

Page 6

C-I-A (No, Not the Spies)

• Confidentiality, Integrity and Availability

• Security incident – NIST 800‐61

– A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices

• Cyber incident – DFARS 252.204‐7012

– “Cyber incident” means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein

Page 7

Security Issues

• Threats include:

– Data breaches, data loss, account or service traffic hijacking, insecure interfaces and APIs, denial of service

– Malicious insiders, abuse of cloud services, insufficient due diligence, shared technology vulnerabilities

• Most security problems stem from: loss of control, weak trust relationships and multi‐tenancy

• Problems exist mainly with 3rd party management models

Page 8

Security and Privacy Issues

• Confidentiality:  Questions about whether the sensitive/private data stored (on a cloud, for instance) remain confidential and about leaking of confidential customer information

• Integrity:  Questions about how the cloud provider correctly performs integrity computations and how the cloud provider really stores user data without altering it

• Availability:  Questions about what happens for customer critical systems/data, if the provider is attacked or when it goes out of business

(continued)

Page 9

Security and Privacy Issues (2)

• Massive data mining:  Providers store data from a large number of customers and run data mining algorithms to retrieve large amounts of information

• New classes of harmful attacks: Attackers can target the communication link between provider and customer, and provider employees can be phished

• Digital forensics:  Audit data  and forensics are hard to perform since customers don’t maintain data locally

• Legal and transitive trust issues:  Who is responsible for complying with regulations

Page 10

Security Solutions

• Minimize loss of control

– Activity monitoring (e.g., payment, delegation, usage and storage control)

– Access control and inter‐operation management

• Minimize the weakness of trust relationships

– Security policy (description language, policy validation and conflict management)

– Certification infrastructure (integrity and authentication)

• Identity management, coordination and inter‐operation of multi‐tenancy

Page 11

Cloud Challenges

• Security breaches will be constant

• Password‐based security will become essentially useless

– Most services should offer a multi‐factor authentication capability

• Mobile (smartphones) are used by people with minimal technical skill, virtually no attention to security

• Cloud failures will result in substantial data loss

• Security‐as‐a‐service becomes a new cloud market

• Nation‐state cyber‐war escalates

– Rogue nations use cybercrime

Page 12

Litigation Prevention/Mitigation


• Preventative end‐user measures to include:

– Data encryption before data sent to cloud

– Sophisticated and often‐changed passwords (including dual log‐ins, “multi‐factor” authentication)

– Notify staff/clients/students that data is stored in this fashion as part of contracts governing basic relationship

– Be aware of industry‐specific rules with additional restrictions on electronic data storage (e.g., FERPA or HIPAA)

– Address cloud storage issues (and leak response plan) in formal compliance plan
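The first preventative measure above (encrypt data before it is sent to the cloud) also answers the integrity question raised earlier under Security and Privacy Issues (whether the provider really stores user data without altering it). The following Go program is an added example written for this page; it is not code from the presentation or from any of the cited agencies. It seals a constructed sample record with AES-256-GCM under a key that never leaves the data owner, stores only the opaque blob, and shows that a blob altered on the storage side, or presented under a different object name, fails authentication on download. The key, the object name and the record are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealForUpload encrypts plaintext with AES-256-GCM under a key held only by the
// data owner. The object name is bound as associated data, so a blob cannot be
// quietly swapped for another object's blob by whoever operates the store.
// Output layout: nonce || ciphertext || GCM authentication tag.
func sealForUpload(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per object
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openFromDownload reverses sealForUpload. Any change to the stored bytes, or
// presenting the blob under a different object name, makes Open return an error.
func openFromDownload(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(objectName))
}

// roundTrip models the full path: seal locally, hand the blob to the provider,
// download it, open it. When tamper is true one stored byte is flipped to
// model alteration on the provider side; the owner's key is never shared.
func roundTrip(tamper bool) ([]byte, error) {
	key := make([]byte, 32) // constructed key; in practice from an institutional KMS/HSM
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	// Constructed sample record standing in for a restricted research dataset.
	plaintext := []byte("constructed sample: participant 0042, CUI-marked dataset")
	objectName := "study/participants.csv" // constructed object name

	blob, err := sealForUpload(key, objectName, plaintext)
	if err != nil {
		return nil, err
	}
	stored := append([]byte(nil), blob...) // what the provider actually holds
	if tamper {
		stored[len(stored)-1] ^= 0x01 // flip a bit in the stored blob
	}
	return openFromDownload(key, objectName, stored)
}

func main() {
	out, err := roundTrip(false)
	fmt.Printf("intact blob:   %q (err=%v)\n", out, err)
	out, err = roundTrip(true)
	fmt.Printf("altered blob:  %q (err=%v)\n", out, err)
}
```

The design point is that the provider only ever sees ciphertext plus an authentication tag: confidentiality no longer depends on the provider's access controls, and any alteration, truncation or substitution of the stored object is detected by the owner on read rather than trusted on faith. Key custody (rotation, escrow for departing staff, backup) becomes the institution's problem and belongs in the compliance plan mentioned above.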

Page 13

Security Lapse Response


• Immediate internal investigation

– Retain outside counsel – privilege/work product issues

– Interview key personnel

– Document measures taken

• Immediately and fully notify affected parties

– No cover up, minimization or delayed reporting

– Include plan/potential compensation offer

– Hotline for those affected

Page 14

Federal Cybersecurity Initiatives


• President issues Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013

• New Executive Order: May 11, 2017, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Page 15

Agency Actions


• New Executive Order mandates NIST Cybersecurity Framework

• Three parts:

– Framework core

– Framework profile

– Framework implementation tiers

Page 16

Framework


• Organizations formally

– Describe their current cybersecurity posture

– Describe their target state for cybersecurity

– Identify and prioritize opportunities for improvement within the context of a continuous and repeated process

– Assess progress toward the target state

– Communicate among internal and external stakeholders about cybersecurity risk

Page 17

Framework Core


• Set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors

• Five concurrent and continuous functions

– Identify

– Protect

– Detect

– Respond

– Recover

Page 18

Framework Implementation Tiers


• How an organization views cybersecurity risk and the processes in place to manage that risk

• A progression from informal, reactive responses to approaches that are agile and risk‐informed

• Push to Tier 4 – risk and threat aware, repeatable and adaptive

Page 19

Government Requirements for Non-Governmental Organizations

• Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST Special Publication 800‐171)

– Recommended requirements for nonfederal information systems and organizations (where there are no specific safeguarding requirements prescribed)

– The requirements apply to all components of nonfederal information systems and organizations that process, store or transmit information, or provide security protection for such components

– The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations

Page 20

Controlled Unclassified Information (CUI) 32 CFR 2002.4(h)

• Information

– The Government creates or possesses,

– Or that an entity creates or possesses for or on behalf of the Government,

that a law, regulation or Government‐wide policy requires or permits an agency to handle using safeguarding or dissemination controls

(continued)

Page 21

Controlled Unclassified Information (CUI) 32 CFR 2002.4(h) (2)

• Law, regulation or Government‐wide policy may require or permit safeguarding or dissemination controls in three ways:

– Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic

– Requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified

– Or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify

Page 22

The Requirements

• Access control

• Awareness and training

• Audit and accountability

• Configuration management

• Identification and authentication

• Incident response

• Maintenance

(continued)

Page 23

The Requirements (2)

• Media protection

• Personnel security

• Physical protection

• Risk assessment

• Security assessment

• System and communications protection

• System and information integrity

Page 24

CUI and Research – Further References

• Applying FISMA & NIST to Academic Research

– https://sites.nationalacademies.org/cs/groups/pgasite/documents/webpage/pga_169604.pdf

• Controlled Unclassified Information (CUI) and FISMA: an update, May 12, 2017, Sweet, Lewis, Park, Gray, & Turner

– http://sites.nationalacademies.org/cs/groups/pgasite/documents/webpage/pga_179221.pdf

• Presentation for FDP

• High Performance Computing Environment for Research on Restricted Data, Deumens, Adams & Dobra

– https://meetings.internet2.edu/media/medialibrary/2016/09/27/20160928‐deumens‐infosec.pdf

Page 25

Each Agency Adds More

• NEW Controlled Unclassified Information (CUI) Program

– 32 CFR 2002, effective November 14, 2016

• FAR

– 52.204‐21, Basic Safeguarding of Covered Contractor Information Systems, June 2016

• DFARS

– Major change just effective

• DFARS Part 239‐76

• Subpart 204‐73 – Safeguarding Covered Defense Information and Cyber Incident Reporting

Page 26

FAR Subpart 4.19 – Basic Safeguarding of Covered Contractor Information Systems

• … insert the clause 52.204‐21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system

• “Federal contract information” means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government …

Page 27

FAR Clause 52.204-21(B)(1) NIST 800-171 Crosswalk

(continued)

FAR CLAUSE | NIST

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) | 3.1.1

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute | 3.1.2

Page 28

FAR Clause 52.204-21(B)(1) NIST 800-171 Crosswalk (2)

(continued)

FAR CLAUSE | NIST

(iii) Verify and control/limit connections to, and use of, external information systems | 3.1.20

(iv) Control information posted or processed on publicly accessible information systems | 3.1.22

Page 29

FAR Clause 52.204-21(B)(1) NIST 800-171 Crosswalk (3)

(continued)

FAR CLAUSE | NIST

(v) Identify information system users, processes acting on behalf of users, or devices | 3.5.1

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems | 3.5.2

(vii) Sanitize or destroy information | 3.8.3

Page 30

FAR Clause 52.204-21(B)(1) NIST 800-171 Crosswalk (4)

(continued)

FAR CLAUSE | NIST

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals | 3.10.1

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices | 3.10.3, 3.10.4, 3.10.5

Page 31

FAR Clause 52.204-21(B)(1) NIST 800-171 Crosswalk (5)

(continued)

FAR CLAUSE | NIST

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries | 3.13.1

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks | 3.13.5

(xii) Identify, report and correct information and information system flaws in a timely manner | 3.14.1

Page 32

FAR Clause 52.204-21(B)(1) NIST 800-171 Crosswalk (6)

FAR CLAUSE | NIST

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems | 3.14.3

(xiv) Update malicious code protection mechanisms when new | 3.14.4

(xv) Perform periodic scans of the information system and real‐time scans of files from external sources as files are downloaded, opened, or executed | 3.14.5

Page 33

Subcontracts Under FAR

(c)   Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off‐the‐shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.

Page 34

DFARS Overview

“Cloud computing” means a model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on‐demand self‐service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software‐as‐a‐service, infrastructure‐as‐a‐service, and platform‐as‐a‐service.

Page 35

If a Contractor is Using Cloud Computing “in the Performance” to Provide Information Technology Services

• 252.239‐7010 Cloud Computing Services (Oct 2016)

– Cloud computing security requirements

– Limitations on access to, and use and disclosure of Government data and Government‐related data

– Cloud computing services cyber incident reporting

– Submitting malicious software

– Media preservation and protection

– Access to additional information or equipment necessary for forensic analysis

– Cyber incident damage assessment activities

– Notification of third party access requests

– Spillage (transfer to another system not “accredited”)

– Flowdown to subcontracts

Page 36

Contracts and Subcontracts with Covered Defense Information


• “Covered defense information” means unclassified controlled technical information or other information that requires safeguarding or dissemination controls

• And is:

– Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

– Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Page 37

Controlled Technical Information

• “Controlled Technical Information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure or dissemination

• The term does not include information that is lawfully publicly available “without restrictions”

– Query: Is “without restrictions” defined the same as for the new proposed ITAR rule for “Technical Data arising during, or resulting from, fundamental research?”

– See also: Proposed Rule – 81 FR 75352, 10/31/2016 Withholding of Unclassified Technical Data and Technology From Public Disclosure 

Page 38

DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting

• 204.7304

– (c) Use the clause at 252.204‐7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in all solicitations and contracts, …

Page 39

Each Agency Adds More

• See, for example:

– DoD Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, September 2015 (v. 1.0)

– NIH Security Best Practices for Controlled‐Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy, updated: 09 MAR 2015 (See also: NOT‐OD‐15‐086)

– NIH Policy Manual, 6307‐3 – Special Clearance and Other Acquisition Procedures

• Issuing Office:  OD/OM/OALM/OAMP/DSAPS – (301) 435‐3927, Release Date 8/7/2014

(continued)

Page 40

Each Agency Adds More (2)

• See, for example:

– Enhanced Cyber Risk Management Standards

• Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation – proposed rule 10/26/2016

– Standards for Safeguarding Customer Information

• Federal Trade Commission – proposed rule 09/07/2016

Page 41

FDA

• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; Guidance for Industry and Food and Drug Administration Staff; Availability (See https://www.federalregister.gov/articles/2014/10/02/2014‐23457/content‐of‐premarket‐submissions‐for‐management‐of‐cybersecurity‐in‐medical‐devices‐guidance‐for)

• Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (See https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm)

(continued)

Page 42

FDA (2)

• Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off‐the‐Shelf (OTS) Software” (See http://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm)

• Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off‐the‐Shelf (OTS) Software (See http://www.fda.gov/RegulatoryInformation/Guidances/ucm077812.htm)

• January 22, 2016, Postmarket Management of Cybersecurity in Medical Devices Draft Guidance

Page 43

Crosswalk: NIST Cybersecurity Framework to HIPAA Security Rule

• Entities regulated by the Health Insurance Portability and Privacy Act (HIPAA) must comply with the HIPAA Security Rule

– National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC) crosswalk document identifies “mappings” between the Cybersecurity Framework and the HIPAA Security Rule

• Additional resources on the HIPAA Security Rule at http://www.hhs.gov/hipaa/for‐professionals/security/guidance/index.html 

Page 44

Crosswalk: NIST Cybersecurity Framework to HIPAA Security Rule (2)

Page 45

Additional Crosswalks

• Cyber Resilience Review (CRR): NIST Cybersecurity Framework Crosswalks, February 2016

– https://www.us‐cert.gov/sites/default/files/c3vp/csc‐crr‐nist‐framework‐crosswalk.pdf

• Comparison of IT Security Standards

– FISMA security standards and guidelines and the ISO 27001 Information Security Management System (ISMS)

• http://www.federalcybersecurity.org/CourseFiles/WhitePapers/ISOvNIST.pdf

• FAR‐NIST “Final Rule Implements New Baseline Cybersecurity Requirements for Federal Contractors” – Hogan Lovells

– https://www.hoganlovells.com/en/blogs/focus‐on‐regulation/final‐rule‐implements‐new‐baseline‐cybersecurity‐requirements‐for‐federal‐contractors (included in Blog post)

(continued)

Page 46

Additional Crosswalks (2)

• NIST SP 800‐171 Compliance Template

– https://library.educause.edu/resources/2016/9/nist‐sp‐800‐171‐compliance‐template

– The NIST SP 800‐171 Compliance Template was prepared through collaboration of Common Solutions Group (http://stonesoup.org/) members. Its purpose is to provide a starting point for NIST SP 800‐171 compliance. Published by EDUCAUSE with the permission of the Common Solutions Group Steering Committee.

Page 47

So What About Grants?

• No centralized requirement – YET

• Examples can be found in individual agreements:

– CYBER SECURITY PLAN. The Recipient is required to submit to the DOE Technical Project Officer, a plan for how it will address cyber security requirements. Failure to submit an acceptable cyber security plan within a reasonable time frame may result in termination of the award. In addition, failure to effectively implement the DOE approved cyber security plan may result in termination of the award. The cyber security plan shall describe the Recipient's approach to detect, prevent, communicate with regard to, respond to, or recover from system security incidents. The plan shall address the following areas from both a technical and a management (organizational) perspective: …

Page 48

Federal Risk and Authorization Management Program (FedRAMP)

• Standardized approach for the adoption and use of cloud services:

– Standardized security requirements

– A conformity assessment program for Cloud Service Providers (CSPs)

– Authorization packages of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the Department of Homeland Security (DHS), Department of Defense (DoD) and General Services Administration (GSA)

– Standardized contract language

– A repository of authorization packages for cloud services that can be leveraged government‐wide

Page 49

FedRAMP

• Result of collaboration – GSA, NIST, DHS, DoD, NSA, OMB and the Federal CIO Council

• Risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services

Page 50

FedRAMP Provides “Standardized” Solution

• FedRAMP process:

– CSPs must meet FedRAMP requirements to be acceptable to Government agencies

– CSPs provide the actual cloud service to an Agency (and to their contractors/grantees), and must meet all FedRAMP requirements before they implement their services

– 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an on‐going role in ensuring CSPs meet requirements

Page 51

Examples of Institutional Response

• Secure Compute Research Environment – Security Controls, UC Santa Barbara

– http://www.ets.ucsb.edu/services/secure‐compute‐research‐environment/secure‐compute‐research‐environment‐security‐controls

• Stanford Medicine – Server Security

– https://med.stanford.edu/irt/security/servers.html

• See: Can Campus Networks Ever Be Secure?

– The Atlantic, Josephine Wolff, Oct 11, 2015

– https://www.theatlantic.com/technology/archive/2015/10/can‐campus‐networks‐ever‐be‐secure/409813/


Page 52:

Additional References and Materials

• CMS Information Security Contract Clause/Provision

– https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS-Information-Security-Contract-Clause-Provision.html?DLPage=2&DLEntries=10&DLSort=0&DLSortDir=ascending

• Controlled Unclassified Information (CUI)

– https://www.archives.gov/cui/about

• Cybersecurity For Dummies®, Palo Alto Networks, 2nd Edition (free download)

– https://get.info.paloaltonetworks.com/webApp/cybersecurity-for-dummies-en

(continued)


Page 53:

Additional References and Materials (2)

• FedRAMP

– https://www.fedramp.gov/

• An Introduction to NIST Special Publication 800-171 for Higher Education Institutions – Higher Education Information Security Council, Oct. 2016 (EDUCAUSE)

– https://library.educause.edu/resources/2016/4/an-introduction-to-nist-special-publication-800-171-for-higher-education-institutions

– Part of the EDUCAUSE Library: https://library.educause.edu/topics/cybersecurity/cloud-security

(continued)


Page 54:

Additional References and Materials (3)

• CMS Information Security – https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/

• “A Guide to Complying with DoD’s New Cybersecurity Rules,” Law360 – http://www.law360.com/articles/705295/a-guide-to-complying-with-dod-s-new-cybersecurity-rules

• CUI FAQs – https://www.archives.gov/cui/faqs.html

• CUI Registry – Categories and Subcategories – https://www.archives.gov/cui/category-list.html

(continued)


Page 55:

Additional References and Materials (4)

• Congressional Research Service, “Cybersecurity: Selected Legal Issues” – http://fas.org/sgp/crs/misc/R42409.pdf

• “Cybersecurity for Dummies” – https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/education/cybersecurity-for-dummies.pdf

• FAR Cybersecurity Clause Table (beginning on Slide 27)

(continued)


Page 56:

Additional References and Materials (5)

• FedRAMP Online Training – https://www.fedramp.gov/resources/training

– “Continuous Monitoring (ConMon) Overview,” 3/15/2015

– “How to Write a Control,” 3/15/2016

– “Security Assessment Plan (SAP) Overview,” 12/9/2015

– “Security Assessment Report (SAR) Overview,” 12/9/2015

– “FedRAMP System Security Plan (SSP) Required Documents,” 6/15/2015

(continued)


Page 57:

Additional References and Materials (6)

• Hogan Lovells, “Final Rule Implements New Baseline Cybersecurity Requirements for Federal Contractors” – https://www.hoganlovells.com/en/blogs/focus-on-regulations/final-rule-implements-new-baseline-cybersecurity-requirements-for-federal-contractors

• Covington & Burling, LLP, “Final FAR Cyber Rule Issued on Safeguarding of Contractor Systems” – https://www.cov.com/en/news-and-insights/insights/2016/05/final-far-cyber-rule-issued-on-safeguarding-of-contractor-systems

(continued)


Page 58:

Additional References and Materials (7)

• 2016 HIMSS Cybersecurity Survey – http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf

• International Institute for Analytics, “Stronger Cybersecurity Starts With Data Management” – http://iianalytics.com/research/stronger-cybersecurity-starts-with-data-management

• “An Introduction to NIST Special Publication 800-171 for Higher Education Institutions,” Higher Education Information Security Council, October 2016 (PDF) – https://library.educause.edu/~/media/files/library/2016/4/nist800.pdf

(continued)


Page 59:

Additional References and Materials (8)

• Key Elements of the CUI Program – https://www.archives.gov/cui/key-elements.html

• NIH National Heart, Lung & Blood Institute, “Information Technology Security Plan (IT-SP) for Moderate Impact Level Nonfederal Information Systems and Organizations” – www.nhlbi.nih.gov/sites/www.nhlbi.nih.gov/files/IT%20Security%20Plan%20%20(IT-SP)%20Template.docx

• “NIST SP 800-171 and CUI” with Ron Ross, EDUCAUSE (slides) – https://library.educause.edu/~/media/files/library/2016/9/nistcoffeechatslidesfinal.pdf

(continued)


Page 60:

Additional References and Materials (9)

• HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework – https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf

• “NIST SP 800-171 and CUI” with Ron Ross, EDUCAUSE Cybersecurity Initiative (webinar transcript) – https://library.educause.edu/~/media/files/library/2016/9/nistwebinartranscript.pdf

• “Understanding Cyber Security and How It Affects Federal Grant Writing,” by Stephen R. Galati – http://www.trcsolutions.com/writable/images/Understanding-Cyber-Security-Federal-Grant-Writing.pdf

• “Federal Actions to Enable Contractors to Protect ‘Covered Defense Information’ and ‘Controlled Unclassified Information’,” a White Paper published in conjunction with the IT Alliance for Public Sector, March 27, 2017 – https://www.itic.org/dotAsset/cea3083e-dc0c-434c-b5a9-db5c796aa3c.pdf


Page 61:

Thank you!

J. Michael Slocum, Esquire
SLOCUM & BODDIE, P.C.

5400 Shawnee Road, Suite 300
Alexandria, VA 22312

Tel: (703) 451-9001
Fax: (703) 451-8557

[email protected]
