Carry-forward

Most PCI evidence doesn't change every quarter. Your acceptable use policy, your vendor list, your incident response plan — these stay valid until something actually changes. Carry-forward lets you reuse that evidence in your new cycle without re-uploading the same file, while keeping an auditable attestation that someone confirmed it's still valid.

What's eligible

An entry can be carried forward if, in the most recent prior cycle, it was in one of these states:

• in_progress (evidence attached — from a CLI scan or a manual upload)
• carried_forward (carry-forward chains are allowed; the full history is preserved)

Entries in not_started, not_applicable, or needs_attention can't be carried forward.

Two ways to carry forward

Carry-forward works in two flows: a bulk review when you first open a new cycle, and a per-entry hint any time after.

Bulk review (recommended for new cycles)

When a new cycle is created and the previous cycle has eligible entries, the cycle detail page shows a Carry forward available banner near the top:

"N entries from your previous cycle have evidence that can be carried forward. [Review & Carry Forward]"

Clicking it opens a modal listing every eligible entry with a checkbox. Two things to know:

• Automatable entries are pre-unchecked. If an entry is collectable by the CLI scanner (IAM, KMS, CloudTrail, VPC, etc.), Ankos recommends re-scanning instead — fresh evidence is more defensible than a carry-forward attestation for things the CLI can re-collect in seconds.
• Manual-evidence entries are pre-checked. Policies, training, signed attestations — these don't change cycle-to-cycle as often, so they're the natural carry-forward candidates.

Toggle the boxes to match what you actually want to reuse, then confirm. All selected entries advance to carried_forward in one shot.

Per-entry hint

When you open any individual entry in a new cycle that has carry-forward-eligible evidence from the previous cycle, you'll see a Carry forward available hint at the top. It shows:

• The source cycle and upload date
• The original uploader
• The file name and size

Clicking the hint opens the carry-forward dialog for that single entry. Useful when you skipped an entry in the bulk review and want to pick it up later, or when bulk review never ran (e.g. you've been working in the cycle for weeks and the banner is long-dismissed).

Attestation note

Carry-forward requires a written attestation. The prompt asks you to confirm one of:

• The evidence is unchanged and still reflects current practice
• The evidence has been reviewed on [date] with no changes
• A more specific note

This is deliberately a friction point. The attestation is what distinguishes "I still care about this" from "I'm just closing out a ticket." It also gives your QSA the signal they need to trust the reused evidence.

After confirming, the entry advances to carried_forward with the attestation note, the source cycle, and the current user recorded.

What your QSA sees

In the evidence export:

• The file itself is included (identical to the source cycle).
• The category folder contains a carry-forward.txt noting the source cycle, original upload date, and every attestation in the chain.
• The summary PDF lists each carry-forward entry and its attestation note.

This makes the provenance explicit: the QSA can see the evidence hasn't been re-uploaded, it's been reused with an attestation trail.

When carry-forward is the wrong call

• The underlying fact has changed — your vendor list gained a new subprocessor, your org chart changed. Upload fresh evidence.
• You haven't actually reviewed it — attesting without reviewing defeats the purpose. If in doubt, re-upload.
• A QSA flagged it last cycle — don't carry forward something your assessor already had concerns about.

Next steps