In the coming weeks I will be traveling to a base in order to help them prepare for a Command Cyber Readiness Inspection. I have never participated in one of these; typically I am auditing a system for certification efforts.
As far as I understand, DISA picks the unit/system that is undergoing the inspection. There are a series of checklists that they will use and that must be completely filled out. It also appears that they will Retina scan the entire system. In addition to helping the unit prepare by running a "pre-audit", we will be ensuring that documentation is complete and up-to-date. Our only "true" deliverable will be a POAM so that the unit knows what they need to fix or update before the actual inspection takes place.
I would be interested in hearing more about the mechanics of a CCRI: who gets selected, why, etc.