During a CMMC assessment, you review the OSC’s documented procedures for access control.These procedures detail a user access request and approval process for the organization’s Human Resources (HR) information system. You then interview IT personnel responsible for access control, who confirm the documented procedures accurately reflect how access is managed for the HR system. However, the OSC’s network diagram reveals the presence of other in-scope systems critical to their operations, such as their Engineering Design Database and Manufacturing Control System. Neither the documented procedures nor the interview addressed access control practices for these additional systems. Based on the CMMC Assessment Process guidelines on evidence sufficiency, how would you characterize the evidence collected so far regarding access control?
Submit