Pre-Assessment Verification Workflow

Your documents are built. Now confirm your environment matches — item by item. Complete this workflow to activate your Assessment-Ready Guarantee.

Your SSP, policies, and supporting documents describe your security environment based on what you told us during intake. This workflow walks you through verifying that every claim in those documents matches what's actually deployed. Your C3PAO assessor will check these same things — this is your dress rehearsal.

Before You Start: The Evidence Clock

Your C3PAO assessor will want to see that your controls have been running for at least 90 days before the assessment. This checklist confirms your environment matches your documentation right now — but you also need time to build an evidence trail.

Audit Logs 90+ days of continuous log collection from all CUI systems

Access Reviews At least one documented quarterly review of user access rights

Vulnerability Scans At least one monthly scan with documented remediation of findings

Training Records Security awareness training completed by all employees within the last 12 months

Incident Response Test At least one documented tabletop exercise

Policy Reviews All policies signed by management with dates within the last 12 months

Recommendation: Complete this checklist now. Then start your evidence clock. Schedule your C3PAO assessment at least 90 days out to give yourself time to build the evidence trail.

Section 1: Identity & Access Control

0 of 8 verified

Verify every employee has a unique login account — no shared accounts exist on any CUI system Confirm your directory service [the one named in your SSP] is the authoritative source for all user accounts Pull a current user list and compare it to your employee roster — deactivate any accounts for people who no longer work here Verify MFA is enabled on EVERY account (not just admin accounts) — log into your MFA admin panel and confirm enrollment count matches headcount Confirm privileged/admin accounts are limited to IT personnel only — screenshot the admin group membership Verify role-based access is configured — no standard users have admin rights on their workstations Confirm session timeout/lock is set to 15 minutes of inactivity on all workstations Verify your login banner / acceptable use notice appears on all CUI systems at login

Section 2: Network & Boundary Protection

0 of 6 verified

Confirm your firewall [named in SSP] is powered on, firmware is current, and rules match what's documented Verify your VPN [named in SSP] requires MFA for all remote connections Confirm CUI systems are on a separate network segment/VLAN from non-CUI systems (if applicable per your SSP) Verify wireless networks use WPA2-Enterprise or WPA3 — not WPA2-Personal/PSK Confirm no unauthorized devices are connected to your CUI network — run a network scan and compare to your asset inventory Verify your network diagram (in the CUI Data Flow document) accurately shows your current topology

Section 3: Endpoint Protection

0 of 6 verified

Confirm your EDR/antivirus [named in SSP] is installed and running on ALL in-scope workstations and servers — check the management console for any missing endpoints Verify automatic updates are enabled and definitions are current (within 24 hours) Confirm disk encryption [named in SSP] is enabled on every CUI system — for BitLocker, run manage-bde -status on each machine If using BitLocker with FIPS mode (as stated in SSP), verify FIPS is actually enabled:

gpedit.msc → Computer Config → Windows Settings → Security Settings → Local Policies → Security Options → "System cryptography: Use FIPS compliant algorithms"

Verify USB/removable media restrictions are enforced per your Media Protection Policy Confirm all operating systems and applications are patched within the timeframes stated in your SSP (14 days for critical, 30 days for standard)

Section 4: Audit & Monitoring

0 of 5 verified

Confirm your SIEM/log management [named in SSP] is collecting logs from all CUI systems Verify you have at least 90 days of audit logs available for assessor review Confirm failed login attempts are being logged and reviewed Verify log integrity — logs cannot be modified or deleted by standard users Confirm someone is actually reviewing security alerts on the schedule stated in your SSP (weekly, or as documented)

Section 5: Personnel & Training

0 of 4 verified

Confirm all employees have completed security awareness training within the last 12 months — have completion certificates/records ready Verify background checks have been completed for all personnel with CUI access Confirm you have a signed Acceptable Use Policy from every employee Verify terminated employees' accounts were deactivated within 24 hours of separation — check your last 3 terminations

Section 6: Physical Security

0 of 4 verified

Confirm server room / IT closet is locked and access is restricted to authorized IT personnel Verify visitor log is being maintained at your facility Confirm security cameras (if documented in SSP) are operational and recording Verify CUI paper documents are stored in locked cabinets when not in use

Section 7: Incident Response & Continuity

0 of 4 verified

Confirm your incident response plan is printed and accessible to key personnel Verify your backup solution [named in SSP] ran successfully within the last 7 days — screenshot the last backup status Confirm you can actually restore from backup — test a file recovery Verify key personnel know who to call if a security incident occurs (the contacts listed in your IR plan)

Section 8: Documentation Final Check

0 of 5 verified

Confirm your SSP has been signed and dated by the Authorized Representative Verify all 14 policy documents have been signed by management with dates within the last 12 months Confirm your POA&M is current and all items have assigned owners and target dates Verify your asset inventory matches what's actually deployed — walk the floor and compare Confirm your CUI Data Flow description matches how CUI actually moves through your organization today

Assessment-Ready Guarantee

What happens when you finish

If you've checked every box above and your environment genuinely matches what's in your documents, you're ready for your C3PAO assessment. Your Assessment-Ready Guarantee is active — if any document we generated is rejected by your assessor, we remediate it at no cost.

The most common reason assessments fail isn't bad documentation — it's documentation that doesn't match reality. This workflow exists to prevent that. If you found items above that DON'T match your documents, contact us before your assessment so we can update your package.

Questions before your assessment? Contact us →