LLMResponse AC.L2-3.1.3.c: Difference between revisions

From CMMC Toolkit Wiki

Latest revision as of 02:16, 30 April 2025

Ranking Evidence Types for Designated Sources and Destinations

For assessment objective [c] "designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified," here's my ranking of evidence types based on the CMMC assessment objects:

Evidence Type Ranking

1. **Documentation (Highest Priority)**

  - Network diagrams showing CUI flow paths
  - System design documentation identifying CUI sources and destinations
  - System security plan sections mapping CUI flows
  - List of information flow authorizations with source/destination details
  - System baseline configuration documents showing network segmentation

2. **Technical Testing Evidence (Medium-High Priority)**

  - Configuration files showing allowed/denied paths between sources and destinations
  - Firewall/router/switch configurations with rules for specific sources and destinations
  - Access control lists identifying permitted connection paths

3. **Interview Evidence (Supporting Priority)**

  - Explanations from system/network administrators about how sources and destinations are identified
  - Information from security personnel on how CUI boundaries are defined

Assessment Approach Prioritization

For this objective, I recommend prioritizing assessment approaches as follows:

1. **Examine (First)**: Documentation review should be your first approach since identifying sources and destinations is primarily documented through network diagrams, data flow diagrams, and other system documentation that maps where CUI resides and flows.

2. **Test (Second)**: Technical validation provides concrete evidence that the identified sources and destinations are actually implemented in the system. This helps verify that documentation accurately reflects the actual system state.

3. **Interview (Third)**: Use interviews to clarify how the organization identifies and tracks CUI sources and destinations, particularly for any areas not clearly documented.

This objective is particularly focused on having clearly identified and documented locations where CUI is stored, processed, and transmitted. Strong documentation that maps these sources and destinations is the most critical evidence type, supported by technical validation that the system is configured according to these specifications.
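One way to carry out the Test step described above is to reconcile the documented list of information flow authorizations against the allow rules exported from a boundary device. This is an added example, not part of the original page or of any CMMC tooling; the flow list, rule set, field names, and addresses are all constructed for illustration.

```python
import ipaddress

# Constructed sample: documented CUI flow authorizations (e.g., from an SSP appendix).
AUTHORIZED_FLOWS = [
    {"id": "FLOW-01", "src": "10.10.20.0/24", "dst": "10.10.30.5/32", "port": 443},
    {"id": "FLOW-02", "src": "10.10.20.0/24", "dst": "10.10.40.8/32", "port": 22},
]

# Constructed sample: allow rules exported from the enclave firewall.
FIREWALL_ALLOW_RULES = [
    {"name": "r1", "src": "10.10.20.0/24", "dst": "10.10.30.5/32", "port": 443},
    {"name": "r2", "src": "10.10.0.0/16", "dst": "10.10.30.5/32", "port": 443},
    {"name": "r3", "src": "10.10.20.0/24", "dst": "192.0.2.10/32", "port": 445},
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def rule_within_flow(rule, flow):
    """True if the rule permits nothing beyond the documented source, destination and port."""
    return (
        rule["port"] == flow["port"]
        and _net(rule["src"]).subnet_of(_net(flow["src"]))
        and _net(rule["dst"]).subnet_of(_net(flow["dst"]))
    )


def reconcile(flows, rules):
    """Compare documentation with configuration in both directions."""
    # Rules that allow traffic no documented flow designates (too broad or unknown endpoint).
    undocumented = [r["name"] for r in rules
                    if not any(rule_within_flow(r, f) for f in flows)]
    # Documented flows with no matching rule (stale documentation or missing config).
    unimplemented = [f["id"] for f in flows
                     if not any(rule_within_flow(r, f) for r in rules)]
    return {"undocumented_rules": undocumented, "unimplemented_flows": unimplemented}


if __name__ == "__main__":
    for finding, items in reconcile(AUTHORIZED_FLOWS, FIREWALL_ALLOW_RULES).items():
        print(f"{finding}: {items}")
```

Each finding is a question to take into the Interview step: either the documentation or the configuration does not reflect the designated sources and destinations.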