A CCA is reviewing an OSC’s evidence for a CMMC practice and finds that the documentation is in draft form, marked “For Internal Use Only,” and lacks final approval. The OSC insists it is actively used. How should the CCA evaluate this evidence?
A. Accept the draft documentation as sufficient since it is actively used.
B. Document the lack of final approval as an evidence gap and assess based on all available evidence, including usage confirmation.
C. Reject the draft documentation and score the practice as "NOT MET."
D. Request the OSC to finalize the documentation before continuing the assessment.
The CAP requires noting deficiencies like lack of approval as gaps while assessing all evidence (Option B). Options A, C, and D misapply CAP procedures.
Extract from Official Document (CAP v1.0):
Section 2.2 – Conduct Assessment (pg. 25): "Document lack of final approval as an evidence gap and assess based on all available evidence."
References: CMMC Assessment Process (CAP) v1.0, Section 2.2.