In addition to selecting appropriate assessment methods and objects, each assessment method (i.e., examine, interview, and test) is associated with depth and coverage attributes that are described in Appendix D. The attribute values identify the rigor and scope of the assessment procedures executed by the assessor. The values selected by the organization are based on the characteristics of the information system being assessed (including assurance requirements) and the specific determinations to be made. The depth and coverage attribute values are associated with the assurance requirements specified by the organization (i.e., the rigor and scope of the assessment increases in direct relationship to the assurance requirements). For security controls, SCAP checklists provide a profile-based mechanism that enables tailoring of attribute values and selection of specific control requirements based on the desired level of assurance required for an information system. These checklists enable customizable, automated assessment using SCAP-validated products.