When testing a site, we are either testing with the intent of writing an initial security assessment report, or doing final testing to complete a DIACAP package. For one of my first engagements, we were testing for an initial assessment, so we grabbed data from a representative sample of like machines. However, just this week, most likely due to external politics that I am not privy to, the decision was made to create a final DIACAP package from the data collected. Obviously, the customer is not going to get the best picture of their security posture. And there are highly important issues that will get reported, instead of fixed, as they would have been with an initial security report.
It's been highly frustrating for me, to say the least.
However, the lesson learned is that from now on, I will test every system as if I were testing for a final DIACAP package, even if the outcome is an initial report.