My organization hired a consultant to conduct a NIST assessment for us. He is new and this will be his first time leading an assessment.

We provided him with our SSP, but he also wants to schedule interviews with various staff members. In some cases, he’s requesting 3-4 hours of peoples time.

Are interviews a standard part of the assessment process? I know it’s a time-intensive process, but I have the feeling it’s being made more complicated than it actually should be.