Assessment Day

Assessment day is where preparation meets reality. The difference between a smooth assessment and a painful one is almost entirely determined by how well you’ve prepared — not how good your security is.

SSP is current and accurate. The assessment team has already read it. If they arrive and the environment doesn’t match the SSP, trust evaporates immediately. Review the SSP one final time the week before: are recent changes reflected? Does the network diagram match reality? Are all asset categories documented?

Operational plan of action is up to date. Active temporary deficiencies show evidence of progress, no stale items sit past their deadlines, and monthly status updates are visible. The assessor will check whether this is a managed document or a dust-collecting artifact.

Asset inventory is complete. Every asset categorized per the Scoping Guide. The assessor may pick a random system in the office and ask to see it in the inventory. If it’s not there, that’s a finding — and it raises questions about everything else.

Network diagram matches reality. The diagram shows CUI Assets, SPAs, CRMAs, Out-of-Scope assets, boundary enforcement points, and data flows. The assessor will compare the diagram to what they see on the network. A diagram that shows segmentation but a port scan that reveals CUI systems reachable from the corporate zone is a very bad start.

Evidence binder is organized. Policies, configurations, logs, records — accessible in under a minute for any requirement. Organized by family. See Evidence Binder.


Don’t pull people into the assessment cold. Brief them beforehand on what to expect and what they’ll be asked about.

System/network administrators — they’ll demonstrate configurations, walk through processes, run queries, show live system states. They should know where every relevant configuration is and be able to navigate to it quickly.

Security officer/lead — they’ll answer questions about policies, risk decisions, incident response, logging, monitoring, and security governance. They should be able to explain any control without referencing a script.

Account/identity management — they’ll show how onboarding and offboarding work, how access reviews are conducted, and how accounts are managed across their lifecycle.

Management/executive — they may be asked about risk acceptance, resource allocation, security investment decisions, and organizational commitment to security. The senior official who signed the affirmation should understand what they attested to.


The assessment team works through requirements systematically — typically family by family. For each requirement:

  1. They review the relevant documentation (policy, configuration evidence, logs)
  2. They interview the responsible person (describe the process, explain how it works)
  3. They test the mechanism (demonstrate it working, show it handles edge cases)

The pace varies. Simple requirements with clear evidence take minutes. Complex requirements with multiple objectives take longer. The assessor may circle back to earlier requirements if later evidence raises questions.


Mistakes That Create Findings Before the First Control Is Tested

The SSP doesn’t match the environment. The SSP describes a VPN that was replaced six months ago. The network diagram shows a firewall that’s been decommissioned. The assessor notices and now questions the accuracy of everything in the SSP.

Evidence isn’t findable. The assessor asks for the last quarterly access review and it takes 15 minutes of searching. That’s 15 minutes of the assessor watching you scramble — and it signals that the review may not have actually happened on schedule.

The wrong people are available. The system administrator who manages the SIEM is on vacation. The person substituting can’t run a Sentinel query or explain the correlation rules. Put the assessment on the calendar first, then schedule vacations around it.

Policies are unsigned or expired. A policy document without a signature, approval date, or review date is a draft — and drafts aren’t evidence. Sign and date every policy before the assessment.

Controls don’t work when demonstrated. The policy says screen lock at 15 minutes, but the assessor watches a workstation sit idle for 20 minutes without locking. The policy says USB is blocked, but a USB drive mounts. Test your own controls the week before.
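The two controls cited above are exactly the kind of thing to verify before the assessor does. The following PowerShell is an added example, not part of the original page, for running that self-check on a Windows endpoint; it assumes settings are delivered by Group Policy or Intune, that the required lock timeout is 15 minutes (900 seconds), and that USB mass storage is meant to be denied entirely.

```powershell
# Added pre-assessment self-check for two controls: screen lock at 15 minutes and USB
# mass storage blocked. Assumes Windows 10/11 with policy-delivered settings and that
# the policy requires a 900-second limit and a full USB storage deny.
$RequiredTimeoutSeconds = 900

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ScreenLock {
    # Machine-wide limit ("Interactive logon: Machine inactivity limit"); 0 means disabled.
    $machine = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    # Per-user screen saver policy: must be active, password-protected, and within the limit.
    $desk    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $active  = Get-PolicyValue $desk 'ScreenSaveActive'
    $secure  = Get-PolicyValue $desk 'ScreenSaverIsSecure'
    $timeout = Get-PolicyValue $desk 'ScreenSaveTimeOut'

    $machineOk = ($null -ne $machine) -and ([int]$machine -gt 0) -and ([int]$machine -le $RequiredTimeoutSeconds)
    $userOk    = ($active -eq '1') -and ($secure -eq '1') -and ($null -ne $timeout) -and ([int]$timeout -le $RequiredTimeoutSeconds)
    [pscustomobject]@{
        Control = 'Screen lock <= 15 min'
        Pass    = ($machineOk -or $userOk)
        Detail  = "InactivityTimeoutSecs=$machine; ScreenSaveActive=$active; ScreenSaverIsSecure=$secure; ScreenSaveTimeOut=$timeout"
    }
}

function Test-UsbStorageBlocked {
    # Pass if the USBSTOR driver is disabled (Start=4) or Removable Disks policy denies all access.
    $start   = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $denyAll = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' 'Deny_All'
    [pscustomobject]@{
        Control = 'USB mass storage blocked'
        Pass    = ($start -eq 4) -or ($denyAll -eq 1)
        Detail  = "USBSTOR Start=$start; RemovableStorageDevices Deny_All=$denyAll"
    }
}

$results = @(Test-ScreenLock; Test-UsbStorageBlocked)
$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled pre-assessment sweep flag the host for follow-up.
if ($results.Pass -contains $false) { exit 1 }
```

A passing result here is necessary but not sufficient: still let a workstation sit idle and plug in a test drive, because the assessor will observe behaviour, not registry values.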