CCI-001226

Implementation Guidance

The organization being inspected/assessed reports information system flaws according to DoD Cybersecurity policy and organizational roles and responsibilities. The organization must report information system flaws in their POA&M.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the authorization package, verifies the POA&M is up to date and includes recently identified information system flaws, and verifies that the organization has notified appropriate personnel as defined by DoD Cybersecurity policy and organizational roles and responsibilities.

Compelling Evidence

1.) Signed and dated System security plan (SSP) with a reference to the section that pertains to how (and to whom) information system flaws are reported.