During a CMMC assessment of an OSC, you discover that they rely heavily on a reputable CSP for their email services. As you delve deeper into the assessment, you suspect the OSC is incorrectly assuming that the CSP’s security measures are sufficient to meet all the CMMC requirements related to email security. Given the critical nature of email communications and the potential exposure of sensitive information, you recognize the importance of clearly understanding the division of responsibilities between the OSC and the CSP for email security controls. To effectively assess how email security responsibilities are divided between the OSC and the CSP, which document should you prioritize reviewing?
Submit