Attack surface documentation SHALL be maintained and updated with each system change.

Compliance is evaluated through inspection of documentary evidence including architecture documents, configuration artifacts, and operational records.

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.