The question we need to ask is not whether this was actually good cybersecurity. The question we need to ask is whether this resulted in an Authority to Operate under DOD instruction and NIST policy. We Followed the Process™ so whatever comes out of it must be good... right?