Managed Entity Results (MERs) form the basis of an automated control activity’s (CA) score. A managed entity result is either a test result generated automatically using Desired Configuration Manager or a manually attested result of Compliant, Non-Compliant, Unknown, or Error. A control activity’s score is calculated at report time using the current scope and applicability group and any approved Scope or Process exceptions. When the subset of applicable MERs is determined, the CA score is calculated in the following order:
- If the number of Compliant MERs is greater than or equal to the CA’s threshold percentage of the applicable MERs, the CA receives a score of Meets Expectations.
- Next, if the number of Non-Compliant MERs is greater than 100% minus the CA’s threshold, taken as a percentage of the applicable MERs, the CA receives a score of Fails
- If neither of the above conditions is true, the CA receives a score of Unknown.
Example Calculation 1
Assume the CA has a threshold set to 60% and 90 MERs comprised of 54 Compliant results, 14 Non-Compliant results, 4 Error results, and 18 Unknown results.
- In this case, a CA Score of “Meets Expectations” is assigned as 54 Compliant MERs are ≥ 54, 60% of the
Example Calculation 2
Assume the same threshold of 60% and a new set of MERs comprised of 40 Compliant MERs, 40 Non-Compliant MERs, 2 Error MERs, and 8 Unknown MERs.
- In this case, a CA Score of “Fails Expectations” is assigned as 40 Compliant MERs are not ≥ 54 (60% of the applicable results) and 40 Non-Compliant MERs are > 36 (90 total MERs x (100% – threshold%)).
Example Calculation 3
Assume the same threshold of 60% and a new set of MERs comprised of 4 Compliant MERs, 36 Non-Compliant MERs, 14 Error MERs, and 36 Unknown MERs.
- In this case, a CA Score of “Unknown” is assigned as 4 Compliant MERs are not ≥ 54 (60% of the applicable results) and 36 Non-Compliant MERs are not > 36 (90 total MERs x (100% – threshold%)).
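The scoring order above can be reproduced when auditing a report. The following Python sketch is an added example, not code from the product: the names `ca_score`, `mers` and `EXAMPLES` are hypothetical, the input is assumed to be the MER results already filtered for scope, applicability and approved exceptions, and returning Unknown for an empty set is an assumption the page does not cover. It compares integers rather than floating-point percentages so the boundary cases in Example Calculations 1 and 3 (exactly 54 and exactly 36) are evaluated exactly.

```python
from collections import Counter

VALID_RESULTS = {"Compliant", "Non-Compliant", "Unknown", "Error"}


def ca_score(mer_results, threshold_pct):
    """Score a control activity (CA) from its applicable MER results.

    mer_results   -- iterable of result strings for the MERs already in scope
    threshold_pct -- the CA threshold as an integer percentage (0-100)
    """
    if not 0 <= threshold_pct <= 100:
        raise ValueError("threshold must be between 0 and 100")
    counts = Counter(mer_results)
    unexpected = set(counts) - VALID_RESULTS
    if unexpected:
        raise ValueError(f"unexpected MER result(s): {sorted(unexpected)}")
    total = sum(counts.values())
    if total == 0:
        # Assumption: the page does not say how an empty set is scored.
        return "Unknown"
    # Multiply through by 100 instead of dividing, so no rounding occurs.
    if counts["Compliant"] * 100 >= threshold_pct * total:
        return "Meets Expectations"
    # Checked second, matching the order given in the text.
    if counts["Non-Compliant"] * 100 > (100 - threshold_pct) * total:
        return "Fails Expectations"
    return "Unknown"


def mers(compliant, non_compliant, error, unknown):
    """Build a constructed list of MER results from per-result counts."""
    return (["Compliant"] * compliant + ["Non-Compliant"] * non_compliant
            + ["Error"] * error + ["Unknown"] * unknown)


# Constructed inputs matching Example Calculations 1-3 (threshold 60%).
EXAMPLES = {
    1: mers(54, 14, 4, 18),
    2: mers(40, 40, 2, 8),
    3: mers(4, 36, 14, 36),
}

if __name__ == "__main__":
    for number, results in EXAMPLES.items():
        print(f"Example Calculation {number}: {ca_score(results, 60)}")
```

Error and Unknown results count toward the total but toward neither condition, which is why a CA with many untested entities scores Unknown rather than Fails Expectations.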