Evaluations are requested for many reasons to help organizations meet their security goals. This includes consideration for laws and regulations within the industry or industries in which the organization functions, concerns about being attacked, concerns about market position from a security perspective, or insurance requirements. The reason the evaluation is requested drives some of the considerations and content of the engagement agreement and, ultimately, the final evaluation report. The engagement request validation process is critical to ensure that a common understanding is reached with the customer and to avoid missing some of the fine detail needed to properly scope the level of effort for the evaluation. The primary source of validation is through the customer, but publicly available information can also be used to further validate the information. The formal engagement agreement is the contract between the evaluation team and the customer. It outlines the activities that will occur and identifies the estimated cost to conduct the evaluation.