v2022.

1 ISO 27002:2022 Cybersecurity Data Protection Program Crosswalk Mapping 3/10/2022

MPA NIAC
ISO ISO ISO AICPA CIS CSA ISO ISO ISO NIST Privacy NIST NIST NIST NIST OWASP US US US - NY
Policy Standard Standard COBIT COSO ENISA Content Security Insurance Data PCIDSS US US US US US US HIPAA - HICP HIPAA - HICP HIPAA - HICP US - CA US - MA US - OR US-TX Secure Controls Framework (SCF)
27001 27002 27002 TSC 2017 CSC CCM 22301 27018 27701 Framework 800-53 800-53 800-218 CSF Top 10 FAR FDA DFS SCF #
Name # Name 2019 v2017 v2.0 Program Security Model v3.2 FACTA FERPA FFIEC FINRA GLBA HIPAA Small Practice Medium Practice Large Practice CCPA 201 CMR 17.00 646A Cybersecurity Act Control Description
v2013 v2013 v2022 (SOC 2) v8.0 v4 v2019 v2014 v2019 v1.0 rev4 rev5 v1.1 v1.1 v2017 52.204-21 21 CFR Part 11 23 NYCRR500
v4.07 Law (MDL-668)
5.3.1 164.306 Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance
EDM01.02
4.3 5.3.2 MS-1.0 Sec 4A 164.306(a) controls.
5.1 APO01.09 5.2 17.03(1)
Security & Privacy 4.4 GRC-05 5.3.3 MS-1.1 Sec 4B GV.PO-P1 12.1 S-P (17 CFR 164.306(b) 8.M.A
GOV-01 5.1.1 5.4 CC1.2 APO04.01 Principle 2 5.2.1 PM-1 PM-1 § 1232h 6801(b)(1) 10.S.A 8.M.A 1798.81.5(b) 17.04 500.02 Sec 10 GOV-01
Governance Program 5.1 GRC-07 5.4 MS-1.2 Sec 4E(1) GV.PO-P6 12.1.1 §248.30) 164.306(c) 10.M.A
5.37 APO13.01 5.2.2 17.03(2)(b)(2)
6.1.1 5.4.1 MS-1.3 Sec 4G 164.306(d)
APO13.02
5.4.1.1 164.306(e)
4.3 Mechanisms exist to coordinate cybersecurity, privacy and business alignment through a
6.2 steering committee or advisory board, comprising of key cybersecurity, privacy and business
GOV-02 Steering Committee 7.4 GOV-01.1 executives, which meets formally and on a regular basis.
9.3
10.2
A&A-01 GV.PO-P1 164.306 Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies,
4.3
AIS-01 MS-1.0 GV.PO-P6 164.308 standards and procedures.
5.2 6.2 17.03(1)
Publishing Security & Privacy 5.1 BCR-01 5.2.1 MS-1.1 GV.MT-P3 12.1 § 11.10 S-P (17 CFR 164.308(a)(1)(i) 4.S.A 4.M.B
GOV-03 7.5.1 5.1.1 CC5.3 APO01.09 SO1 6.2.1 PM-1 PM-1 ID.GV-1 § 1232h D1.G.SP.B.4 6801(b)(1) 4.M.B 1798.81.5(b) 17.04 500.03 Sec 10 GOV-02
Documentation 5.37 CCC-01 5.2.2 MS-1.2 GV.MT-P4 12.1.1 § 11.10(j) §248.30) 164.312 10.S.A 10.M.A
7.5.2 6.2.1.1 17.03(2)(b)(2)
CEK-01 MS-1.3 GV.MT-P5 164.316
7.5.3
DCS-01 GV.MT-P6 164.316(a)
A&A-01 164.306(e) Mechanisms exist to review the cybersecurity and privacy program, including policies, standards
EDM01.01
AIS-01 MS-1.0 164.316(b) and procedures, at planned intervals or if significant changes occur to ensure their continuing
EDM01.03
Periodic Review & Update of 6.1.1 5.1 BCR-01 MS-1.1 Sec 4D(2) 164.316(b)(1) suitability, adequacy and effectiveness.
GOV-04 5.1.2 CC5.3 EDM05.01 SO1 6.2.1.2 GV.MT-P2 PM-1 PM-1 § 1232h 10.S.A 10.M.A 1798.81.5(b) Sec 10 GOV-03
Security & Privacy Program 7.4 5.37 CCC-01 MS-1.2 Sec 4G 164.316(b)(1)(i)
APO02.02
CEK-01 MS-1.3 164.316(b)(1)(ii)
APO13.03
DCS-01 164.316(b)(2)(iii)
12.5 Mechanisms exist to assign a qualified individual with the mission and resources to centrally-
MS-1.0
PL-9 PO.2 12.5.1 manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and
Security & Privacy MS-1.1 ID.IM-P2 PL-9 5.M.B
Assigned Security & Privacy CC1.1 GRC-06 5.1 PM-2 PO.2.1 12.5.2 D1.R.St.B.1 5.S.B 5.M.B privacy program.
Governance GOV-05 5.3 5.2 APO01.05 MS-1.2 Sec 4C(1) GV.PO-P3 PM-2 ID.AM-6 Safeguards Rule 164.308(a)(2) 8.M.A 1798.81.5(b) 17.03(2)(a) 500.04 622(2)(d)(A)(i) Sec 9 GOV-04
Responsibilities CC1.3 STA-04 5.3 PM-6 PO.2.2 12.5.3 D1.TC.Cu.B.1 10.S.A 8.M.A
MS-1.3 CM.PO-P2 PM-6 10.M.A
PM-29 PO.2.3 12.5.4
MS-3.0
12.5.5
EDM01.03 SO11 Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures
AIS-03 of performance.
CC1.2 EDM05.01 Principle 16 S12 GV.MT-P4
SEF-05 MS-1.2 Sec 4D(2) D2.IS.Is.B.1 622(2)(d)(A)(vi) Sec 10
GOV-06 Measures of Performance 9.1 CC1.5 EDM05.03 Principle 19 S13 9.1 PR.PO-P5 PM-6 PM-6 PR.IP-8 10.S.A 10.M.A 17.03(2)(j) GOV-05
TVM-09 MS-1.3 Sec 4E(1) D2.IS.Is.E.2 622(2)(d)(B)(iii) Sec 11
CC2.2 APO02.02 Principle 20 S14 PR.PO-P6
TVM-10
MEA01.04 S15
Mechanisms exist to identify and document appropriate contacts with relevant law enforcement
8.M.A and regulatory bodies.
8.M.A 8.M.C Sec 5
GOV-07 Contacts With Authorities 6.1.3 5.5 CC2.3 6.3.1.3 MS-5.2 Sec 4D(4) IR-6 IR-6 GOV-06
8.M.C 7.L.A Sec 11
8.L.B

Mechanisms exist to establish contact with selected groups and associations within the
8.M.A cybersecurity & privacy communities to:
Contacts With Groups & 5.1.2 8.M.A Sec 5 ▪ Facilitate ongoing cybersecurity and privacy education and training for organizational
GOV-08 6.1.4 5.6 GRC-08 6.3.1.4 Sec 4D(4) PM-15 PM-15 8.M.C GOV-07
Associations 6.1 8.M.C Sec 11 personnel;
9.L.D
▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and
technologies; and
EDM05.01 Mechanisms exist to define the context of its business model and document the mission of the
EDM05.02 4.1 ID.IM-P5 organization.
Defining Business Context & 4.1 EDM05.03 4.2 ID.BE-P1 ID.BE-1
GOV-09 GOV-08
Mission 4.2 APO01.01 4.2.1 ID.BE-P2 ID.BE-2
APO01.02 4.2.2 GV.RM-P3
APO01.03
DS-11.6 Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and
BAI09.01
1 DS-11.6.1 manage asset management controls.
5.30 BAI09.02 12.3.3
1.3 DS-11.6.2 5.M.A
AST-01 Asset Governance 11.2.6 5.31 BAI09.03 DCS-05 SO15 PR.DS-P3 PM-5 PM-5 12.3.4 5.S.A 5.M.A 1798.81.5(b) AST-01
2.1 PS-12.0 2.L.A
7.9 BAI09.04 12.3.7
2.2 PS-13.0
BAI09.05
PS-14.0
Mechanisms exist to identify and assess the security of technology assets that support more
APO09.01 than one critical business function.
5.9 APO09.02
AST-02 Asset-Service Dependencies ID.IM-P8 AST-01.1
5.30 BAI09.01
BAI09.02

Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications
EDM05.01 and services to support the ongoing secure management of those assets.
Stakeholder Identification & EDM05.02 ID.IM-P2
AST-03 4.2 5.9 AST-01.2
involvement EDM05.03 ID.IM-P8
DSS06.02

1 DS-6.11 Mechanisms exist to perform inventories of technology assets that:

1.1 DCS-05 PS-12.0 ▪ Accurately reflects the current systems, applications and services in use;
6.5 ID.AM-1 D1.G.IT.B.1 5.M.A
2.1 DSP-03 PS-12.3 CM-8 CM-8 1.1.2 5.M.A ▪ Is at the level of granularity deemed necessary for tracking and reporting;
AST-04 Asset Inventories 8.1.1 5.9 BAI09.01 SO15 6.5.1 ID.IM-P1 ID.AM-2 D4.RM.Dd.B.2 164.310(d)(2)(iii) 5.S.A 9.M.D AST-02
2.2 STA-07 PS-13.0 PM-5 PM-5 2.4 9.M.D ▪ Includes organization-defined information deemed necessary to achieve effective property
6.5.1.1 ID.AM-4 D4.C.Co.B.3 2.L.E
2.4 UEM-04 PS-8.3 accountability; and
6.6 PS-8.4 ▪ Is available for review and audit by designated organizational personnel.
Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.

Software Licensing 5.32

AST-05 18.1.2 2.2 BAI09.05 6.15.1.2 SC-18(2) SC-18(2) AST-02.7
Restrictions 6.2

Mechanisms exist to create and maintain a map of technology assets where sensitive data is
MS-8.0 ID.IM-P1 stored, transmitted or processed.
DS-6.12 ID.IM-P4
AST-06 Data Action Mapping 5.9 CM-13 AST-02.8
DS-12.0 ID.IM-P5
DS-12.1 ID.IM-P8

Mechanisms exist to assign asset ownership responsibilities to a department, team or individual

to establish a common understanding of requirements for asset protection.
Assigning Ownership of PS-12.0
AST-07 8.1.2 5.9 APO01.06 6.5.1.2 ID.IM-P2 SA-4(12) 2.5 AST-03
Assets PS-21.3

Mechanisms exist to include capturing the name, position and/or role of individuals
EDM05.01 responsible/accountable for administering assets as part of the technology asset inventory
EDM05.02 process.
AST-08 Accountability Information 5.9 ID.IM-P2 CM-8(4) CM-8(4) AST-03.1
EDM05.03
APO01.06

Mechanisms exist to track the origin, development, ownership, location and changes to systems,
SR-4 system components and associated data.
AST-09 Provenance 5.21 SR-4(1) AST-03.2
SR-4(2)

PL-2 Mechanisms exist to maintain network architecture diagrams that:

SA-5(1) PL-2 ▪ Contain sufficient detail to assess the security of the network's architecture;
Asset Management Network Diagrams & Data 3.8 DSP-05 MS-8.0 1.1.2 D4.C.Co.B.4 4.L.B ▪ Reflect the current architecture of the network environment; and
AST-10 5.9 CC2.1 ID.IM-P1 SA-5(2) SA-4(1) ID.AM-3 AST-04
Flow Diagrams (DFDs) 12.4 IVS-08 DS-6.12 1.1.3 D4.C.Co.Int.1 8.L.D ▪ Document all sensitive data flows.
SA-5(3) SA-4(2)
SA-5(4)
Mechanisms exist to maintain strict control over the internal or external distribution of any kind
9.6 of sensitive/regulated media.
9.6.1
AST-11 Security of Assets & Media 11.2.6 7.9 6.8.2.6 DS-6.6 AST-05
9.6.2
9.6.3

Mechanisms exist to implement enhanced protection measures for unattended systems to

protect against tampering and unauthorized access.
Unattended End-User 11.2.6 7.9
AST-12 6.8.2.8 DS-6.6 AST-06
Equipment 11.2.8 8.1

Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via
9.9 direct physical interaction from tampering and substitution.
Kiosks & Point of Sale (PoS) 9.9.1
AST-13 11.2.8 8.1 AST-07
Devices 9.9.2
9.9.3

PS-11.5 Mechanisms exist to inspect mobile devices for evidence of tampering upon return from
PS-20.1 geographic regions of concern or other known hostile environments that could lead to device
AST-14 Tamper Detection 11.2.6 7.9 PS-20.2 AST-08 compromise.
PS-21.2
DS-6.6.1
Mechanisms exist to securely dispose of, destroy or repurpose system components using
9.8 5.M.D organization-defined techniques and methods to prevent information being recovered from
Secure Disposal, Destruction 7.14 6.8.2.7 164.310(d)(2)(i) these components.
AST-15 11.2.7 CC6.5 3.5 DSP-02 Sec 4D(2) SA-19(3) SR-12 9.8.1 52.204-21(b)(1)(vii) 5.S.C 5.M.D 5.L.A AST-09
or Re-Use of Equipment 8.10 7.4.8 164.310(d)(2)(ii)
9.8.2 9.L.C

Mechanisms exist to ensure that employees and third-party users return all organizational assets
in their possession upon termination of employment, contract or agreement.
AST-16 Return of Assets 8.1.4 5.11 HRS-05 6.5.1.4 AST-10

**Copyrighted Material** - It is prohibited to disclose this document to third-parties without an executed Non-Disclosure Agreement (NDA) to protect this Intellectual Property (IP). 1 of 13
v2022.1 ISO 27002:2022 Cybersecurity Data Protection Program Crosswalk Mapping 3/10/2022

Mechanisms exist to authorize, control and track technology assets entering and exiting
PS-17.0 organizational facilities.
D1.G.IT.E.3 164.310(d)(1) 5.M.D
AST-17 Removal of Assets 11.2.5 7.10 6.8.2.5 PS-17.1 PR.DS-3 5.S.C 5.M.D 622(2)(d)(C)(ii) AST-11
D1.G.IT.E.2 164.310(d)(2) 5.L.A
PS-17.3

Mechanisms exist to restrict the possession and usage of personally-owned technology devices
within organization-controlled facilities.
AST-18 Use of Personal Devices 7.10 AST-12

Mechanisms exist to verify logical configuration settings and the physical integrity of critical
technology assets throughout their lifecycle.
SR-9
AST-19 Tamper Protection 11.2.6 7.9 PS-21.2 SA-18 AST-15
SR-9(1)

DSS04.01 BCR-01 4.3 Mechanisms exist to facilitate the implementation of contingency planning controls to help
CP-1 CP-1
DSS04.02 BCR-03 4.3.1 ensure resilient assets and services.
CP-2 CP-2 ID.BE-5 164.308(a)(7)(ii)(B)
Business Continuity 17.1.1 5.29 CC7.5 DSS04.03 BCR-04 SO19 4.3.2
BCD-01 11.0 6.14.1.2 MS-6.0 PR.PO-P7 IR-4(3) IR-4(3) PR.IP-9 D5.IR.Pl.B.6 164.308(a)(7)(ii)(C) 1798.81.5(b) BCD-01
Management System (BCMS) 17.1.2 5.30 CC9.1 DSS04.04 BCR-05 SO20 4.4
PM-8 PM-8 RC.RP-1 164.310(b)
DSS04.05 BCR-07 5.1
CP-10 CP-10
DSS04.06 BCR-09 5.2
Mechanisms exist to coordinate contingency plan development with internal and external
Business Continuity & elements responsible for related plans.
Disaster Recovery - 5.29
BCD-02 BCR-06 CP-2(1) CP-2(1) BCD-01.1
Coordinate with Related 5.30
Plans

Mechanisms exist to coordinate internal contingency plans with the contingency plans of
external service providers to ensure that contingency requirements can be satisfied.
Coordinate With External 5.29
BCD-03 BCR-06 CP-2(7) CP-2(7) BCD-01.2
Service Providers 5.30

Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's
effectiveness and the organization’s readiness to execute the plan.
Contingency Plan Testing & 5.29 CC7.5 BCR-06 8.5
BCD-04 17.1.3 DSS04.04 SO22 6.14.1.3 PR.PO-P8 CP-4 CP-4 164.308(a)(7)(ii)(D) BCD-04
Exercises 5.30 A1.3 BCR-10 8.6

Mechanisms exist to establish an alternate storage site that includes both the assets and
6.14.1.3 necessary agreements to permit the storage and recovery of system backup information.
CP-6
BCD-05 Alternate Storage Site 17.2.1 8.14 A1.2 6.14.2 CP-6 164.310(a)(2)(i) BCD-08
PE-23
6.14.2.1

Mechanisms exist to establish an alternate processing site that provides security measures
6.14 equivalent to that of the primary site.
Business Continuity & CP-7
Disaster Recovery BCD-06 Alternate Processing Site 17.2.1 8.14 A1.2 6.14.1 CP-7 164.310(a)(2)(i) BCD-09
PE-23
6.14.1.1

Mechanisms exist to create recurring backups of data, software and/or system images, as well as
MS-6.2 verify the integrity of these backups, to ensure the availability of the data to satisfying Recovery
CC7.5 APO14.10 6.9.3 CP-9 CP-9 164.308(a)(7)(ii)(A) Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
BCD-07 Data Backups 12.3.1 8.13 11.2 BCR-08 DS-1.7 PR.PO-P3 PR.IP-4 4.M.D 4.M.D BCD-11
A1.2 DSS04.07 6.9.3.1 SC-28(2) SC-28(2) 164.310(d)(2)(iv)
DS-3.10

Mechanisms exist to routinely test backups that verifies the reliability of the backup process, as
well as the integrity and availability of the data.
Testing for Reliability & CC7.5 11.3 BCR-06
BCD-08 12.3.1 8.13 SO22 PR.DS-P6 CP-9(1) CP-9(1) PR.IP-4 BCD-11.1
Integrity A1.2 11.5 BCR-08

Mechanisms exist to store backup copies of critical software and other security-related
information in a separate facility or in a fire-rated container that is not collocated with the
Separate Storage for Critical system being backed up.
BCD-09 12.3.1 8.13 A1.2 DS-3.10 CP-9(3) CP-9(3) BCD-11.2
Information

Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of

backup information.
BCD-10 Cryptographic Protection 12.3.1 8.13 A1.2 11.3 DS-3.10 CP-9(8) BCD-11.4

Mechanisms exist to maintain a failover system, that is not collocated with the primary system,
application and/or service, which can be activated with little-to-no loss of information or
Redundant Secondary BCR-03 disruption to operations.
BCD-11 17.2.1 8.14 CP-9(6) CP-9(6) BCD-11.7
System BCR-11

Mechanisms exist to facilitate the implementation of capacity management controls to ensure

D5.IR.Pl.B.5 optimal system performance to meet expected and anticipated future capacity requirements.
Capacity & Performance SC-5 SC-5 D5.IR.Pl.B.6
CAP-01 12.1.3 8.6 A1.1 IVS-02 6.9.1.3 PR.DS-P4 PR.DS-4 CAP-01
Management SC-5(3) SC-5(3) D5.IR.Pl.E.3
D3.PC.Im.E.4
Capacity & Performance
Planning Mechanisms exist to conduct capacity planning so that necessary capacity for information
SC-5 SC-5 processing, telecommunications and environmental support will exist during contingency
CAP-02 Capacity Planning 12.1.3 8.6 A1.1 PR.DS-P4 SC-5(2) SC-5(2) PR.DS-4 CAP-03 operations.
CP-2(2) CP-2(2)

Mechanisms exist to facilitate the implementation of change management controls.

§ 11.10
CCC-01 DS-7.1
Change Management 8.19 CC3.4 § 11.10(k)
CHG-01 12.1.2 Principle 15 CEK-06 SO14 6.9.1.2 DS-15.10 Sec 4D(2) PR.PO-P2 CM-3 CM-3 1798.81.5(b) CHG-01
Program 8.32 CC8.1 § 11.10(k)(1)
CEK-06 MS-7.0
§ 11.10(k)(2)

6.4 Mechanisms exist to govern the technical configuration change control processes.
6.4.1 § 11.10
CCC-02
Change Management Configuration Change 12.1.2 8.19 CC3.4 CM-3 6.4.2 § 11.10(k)
CHG-02 CCC-05 SO14 6.11.2.2 DS-15.10 PR.PO-P2 CM-3 PR.IP-3 D1.G.IT.B.4 CHG-02
Control 14.2.2 8.32 CC8.1 SA-8(31) 6.4.3 § 11.10(k)(1)
CEK-05
6.4.4 § 11.10(k)(2)
6.4.5
Mechanisms exist to appropriately test and document proposed changes in a non-production
CM-3(2) environment before changes are implemented in a production environment.
Test, Validate & Document 8.19 CC3.4 CM-3(2)
CHG-03 14.2.3 CCC-02 6.11.2.3 CM-3(7) CHG-02.2
Changes 8.32 CC8.1 CM-5(2)
SA-8(31)

IPY-01 Mechanisms exist to facilitate the implementation of cloud management controls to ensure
IPY-04 cloud instances are secure and in-line with industry practices.
IVS-06 2.6
CLD-01 Cloud Services 5.23 52.204-21(b)(1)(iv) 4.L.A 1798.81.5(b) CLD-01
IVS-07 12.8.1
IVS-08
STA-05
Mechanisms exist to ensure the cloud security architecture supports the organization's
IVS-06 technology strategy to securely design, configure and maintain cloud employments.
CLD-02 Cloud Security Architecture 5.23 IVS-07 52.204-21(b)(1)(iv) 4.L.A CLD-02
IVS-08

Mechanisms exist to ensure support for secure interoperability between components.

IPY-01
Application & Program
CLD-03 8.26 IPY-02 52.204-21(b)(1)(iv) 4.L.A CLD-04
Interface (API) Security
IPY-03

Cloud Security
Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are
designed and governed such that provider and customer (tenant) user access is appropriately
CLD-04 Multi-Tenant Environments 5.23 IVS-06 DS-15.2 52.204-21(b)(1)(iv) 4.L.A CLD-06 segmented from other tenant users.

Mechanisms exist to document a Customer Responsibility Matrix (CRM) to delineate the

PO.2 assigned responsibilities for controls between the Cloud Service Provider (CSP) and its
Customer Responsibility PO.2.1 customers.
CLD-05 5.23 CLD-06.1
Matrix (CRM) PO.2.2
PO.2.3

7.5 Mechanisms exist to control the location of cloud processing/storage based on business
Geolocation Requirements DSP-19 7.5.1 requirements that includes statutory, regulatory and contractual obligations.
SA-9(5)
CLD-06 for Processing, Storage and 5.23 UEM-12 7.5.2 SA-9(5) 52.204-21(b)(1)(iv) 4.L.A CLD-09
SA-9(8)
Service Locations UEM-12 8.5.1
8.5.2
MEA02.01 A&A-01 Sec 4I § 11.10 164.302 Mechanisms exist to facilitate the identification and implementation of relevant statutory,
MEA02.02 A&A-04 Sec 6E(1) § 11.10(a) 164.318 regulatory and contractual controls.
6.15 MS-4.0 ID.GV-3
Statutory, Regulatory & 5.31 CC2.2 MEA03.01 GRC-07 Sec 6E(2) GV.PO-P5 PL-1 PL-1 52.204-21(b)(2) § 11.10(b) D1.G.Ov.E.2 164.318(a)
CPL-01 18.1.1 SO25 4.2.2 6.15.1 MS-4.1 PR.IP-5 12.1 6801(b)(3) 1798.145 500.19 CPL-01
Contractual Compliance 8.34 CC2.3 MEA03.02 STA-06 Sec 6F GV.MT-P3 PM-8 PM-8 52.204-21(c) § 11.10(c) D3.PC.Am.B.11 164.318(a)(1)
6.15.1.1 MS-4.2 DE.DP-2
MEA03.03 STA-09 Sec 7A § 11.10(d) 164.318(a)(2)
MEA03.04 UEM-14 Sec 7B § 11.10(e) 164.318(b)

**Copyrighted Material** - It is prohibited to disclose this document to third-parties without an executed Non-Disclosure Agreement (NDA) to protect this Intellectual Property (IP). 2 of 13