3.2.5 Optimize selected assessment procedures to ensure maximum efficiency.
Assessors have a great deal of flexibility in organizing assessment plans that meet the needs of the organization and that provide the best opportunity for obtaining the necessary evidence to determine security or privacy control effectiveness, while reducing overall assessment costs. Combining and consolidating assessment procedures is one area where this flexibility can be applied. During the assessment of an information system, assessment methods are applied numerous times to a variety of assessment objects within a particular family of security or privacy controls. To save time, reduce assessment costs, and maximize the usefulness of assessment results, assessors review the selected assessment procedures for the security or privacy control families and combine or consolidate the procedures (or parts of procedures) whenever possible or practicable. For example, assessors may wish to consolidate interviews with key organizational officials dealing with a variety of security- or privacy-related topics. Assessors may have other opportunities for significant consolidations and cost savings by examining all policies and procedures from the families of security controls and privacy controls at the same time or by organizing groups of related policies and procedures that could be examined as a unified entity. Obtaining and examining configuration settings from similar hardware and software components within the information system is another example that can provide significant assessment efficiencies.
An additional area for consideration in optimizing the assessment process is the sequence in which security or privacy controls are assessed. The assessment of some security controls and privacy controls before others may provide useful information that facilitates understanding and more efficient assessments of other controls. For example, security controls such as CM-2 (Baseline Configuration), CM-8 (Information System Component Inventory), PL-2 (System Security Plan), RA-2 (Security Categorization), and RA-3 (Risk Assessment) produce general descriptions of the information system. Assessing these security controls early in the assessment process may provide a basic understanding of the information system that can aid in assessing other security controls. The supplemental guidance for many security controls and privacy controls also identifies related controls that can provide useful information in organizing the assessment procedures. For example, AC-19 (Access Control for Portable and Mobile Devices) lists security controls MP-4 (Media Storage) and MP-5 (Media Transport) as being related to AC-19. Since AC-19 is related to MP-4 and MP-5, the sequence in which assessments are conducted for AC-19, MP-4, and MP-5 may facilitate the reuse of assessment information from one control in assessing other related controls.
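The two optimizations described above, consolidating procedures that apply the same method to the same object and sequencing controls so that related controls are assessed after the controls whose results they reuse, can be worked out mechanically from an assessment plan. The following is an added example, not text or code from NIST SP 800-53A: the foundation controls (CM-2, CM-8, PL-2, RA-2, RA-3) and the AC-19 to MP-4/MP-5 relationship are taken from the text, while the other related-control edges, the control list and the procedure list are constructed for illustration. Related controls are treated as a dependency graph and ordered with a topological sort that prefers foundation controls whenever several are ready; a cycle in the graph is reported rather than silently dropped.

```python
"""Consolidate assessment procedures and sequence controls for reuse.

Added example, not from NIST SP 800-53A. Control names named in the text are
real 800-53 identifiers; the edges other than AC-19 -> MP-4/MP-5, the control
list and the procedures are constructed sample data.
"""
import heapq
from collections import defaultdict

# Controls that describe the system broadly; assess them first when ready.
FOUNDATION = ["CM-2", "CM-8", "PL-2", "RA-2", "RA-3"]

# RELATED[control] = controls whose assessment results it can reuse.
# AC-19 -> MP-4, MP-5 is from the text; the remaining edges are constructed.
RELATED = {
    "AC-19": ["MP-4", "MP-5"],
    "MP-5": ["MP-4"],
    "CM-6": ["CM-2", "CM-8"],
    "AC-2": ["PL-2"],
}

# Constructed control set for the plan.
CONTROLS = ["AC-2", "AC-19", "CM-2", "CM-6", "CM-8",
            "MP-4", "MP-5", "PL-2", "RA-2", "RA-3"]

# Constructed procedures: (control, method, assessment object).
PROCEDURES = [
    ("AC-1", "interview", "information system security officer"),
    ("MP-1", "interview", "information system security officer"),
    ("CM-2", "examine", "baseline configuration records"),
    ("CM-6", "examine", "baseline configuration records"),
    ("CM-6", "test", "web server configuration settings"),
    ("CM-6", "test", "database server configuration settings"),
]


def consolidate(procedures):
    """Group procedures applying the same method to the same object.

    Returns {(method, object): [controls]} for groups that cover two or more
    controls, i.e. one interview, document review or configuration pull that
    can serve several controls at once.
    """
    groups = defaultdict(list)
    for control, method, obj in procedures:
        groups[(method, obj)].append(control)
    return {key: ctrls for key, ctrls in groups.items() if len(ctrls) > 1}


def assessment_order(controls, related, foundation):
    """Return an assessment sequence in which every control follows the
    controls it is related to (Kahn's algorithm). Among controls that are
    ready, foundation controls go first and ties are broken alphabetically so
    the schedule is reproducible. Raises ValueError on a dependency cycle.
    """
    controls = set(controls)
    foundation = set(foundation)
    indegree = {c: 0 for c in controls}
    dependents = defaultdict(list)
    for control, deps in related.items():
        if control not in controls:
            continue
        for dep in deps:
            if dep in controls:          # edges to controls outside the plan are ignored
                indegree[control] += 1
                dependents[dep].append(control)

    def rank(c):
        return (0 if c in foundation else 1, c)

    ready = [rank(c) for c in controls if indegree[c] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, control = heapq.heappop(ready)
        order.append(control)
        for nxt in dependents[control]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                heapq.heappush(ready, rank(nxt))
    if len(order) != len(controls):
        unresolved = sorted(controls - set(order))
        raise ValueError("cycle in related-controls graph: %s" % unresolved)
    return order


if __name__ == "__main__":
    for (method, obj), ctrls in consolidate(PROCEDURES).items():
        print("one %s of %r covers %s" % (method, obj, ", ".join(ctrls)))
    print("assessment order:", " -> ".join(
        assessment_order(CONTROLS, RELATED, FOUNDATION)))
```

With the sample data the plan collapses the two ISSO interviews and the two reviews of baseline configuration records into one session each, and schedules CM-2, CM-8, PL-2, RA-2 and RA-3 before the controls that reuse them, with MP-4 and MP-5 assessed before AC-19. The two configuration tests are left separate because they target different objects; an assessor who knows the web and database servers share a build could still merge them by giving both procedures the same object label.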