June 2026

NSGP Vulnerability Assessment: A Practical Checklist

The NSGP vulnerability assessment is the document the Investment Justification (IJ) is scored against. Reviewers do not visit the facility. They read what the assessment documents, then check whether each funded line in the budget closes a gap the assessment named. If the assessment is thin, the IJ has nothing to point back to and the application drops below the funded line.

This checklist covers what the assessment must contain, how to walk a facility so the documentation holds up to a reviewer, and the three patterns that cause the most score loss.

What an NSGP Vulnerability Assessment Is

A vulnerability assessment under the Nonprofit Security Grant Program is a written, photo-documented evaluation of a single facility that identifies access points, current security measures, gaps, and recommended mitigations. One facility, one assessment. Multi-site applicants submit a separate assessment per facility, paired with a separate IJ.

The Federal Emergency Management Agency (FEMA) publishes the NSGP Notice of Funding Opportunity (NOFO) at https://www.fema.gov/grants/preparedness/nonprofit-security ahead of each cycle. The NOFO does not prescribe a single assessment template at the federal level. It does require that the IJ vulnerability section reference an assessment, and that every funded equipment line trace back to a documented gap.

Reviewers score the IJ against four criteria: risk, vulnerability, consequences, and effect of funding. The vulnerability criterion is scored most directly against the assessment. The risk criterion draws on FBI Hate Crime Statistics at https://www.fbi.gov/services/cjis/ucr/hate-crime and local police reports. Weak assessments produce weak vulnerability sections, which break the chain from risk through funded mitigation.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (https://www.dhs.gov/), publishes physical security guidance at https://www.cisa.gov/topics/physical-security that informs how assessments are conducted.

What the Vulnerability Assessment Must Document

The assessment is not a narrative. It is a structured document organized by access point or zone, with each finding tied to a photograph and a recommended mitigation. Reviewers need to read it in twenty minutes and locate any finding by section number.

What every NSGP-grade assessment contains:

  • Facility identification. Legal name, address, year built, square footage, public access points, peak occupancy, hours, recurring high-attendance events.
  • Walkthrough date and assessor identity. Who walked the facility, when, and (for professional assessments) credentials.
  • Access point inventory. Every door, gate, opening, and pathway an attacker could use, not only the doors members use.
  • Current security measures per access point. Existing locks, cameras, alarms, lighting, barriers, staffing, procedures.
  • Identified gaps per access point. Specific, measurable, photographed.
  • Recommended mitigations per gap. Tied to NSGP allowable cost categories.
  • Photographs. One or more per access point, dated, with the gap visible in frame.
  • Numbered findings. Each gap gets a finding number the IJ and budget can cite.

The assessment is the evidence file. The IJ is the argument. The budget is the price tag. All three reference the same finding numbers.

Self-Assessment vs Professional Assessment

Federal NSGP accepts self-assessments. The NOFO does not require a credentialed assessor at the federal level. Several state programs differ. New Jersey, for example, requires photographs, and reviewers there pay close attention to documentation quality. Other states require or strongly prefer assessments completed by certified security professionals.

An internal team can produce an NSGP-acceptable assessment. Whether that assessment scores well is a different question.

Internal walkthroughs consistently miss the same categories of gaps. The pattern shows up across denied IJs read after the fact:

  • Back-of-house access. Staff entrances, kitchen doors, custodial entries, delivery doors that members never see and that internal walkthroughs treat as secured because they are locked. A locked door is not the same as a hardened door. Reviewers want to see whether the door is solid core, frame reinforced, lock rated, hinges protected, camera mounted.
  • Mechanical rooms. HVAC, electrical, water shutoffs, gas shutoffs. Attack surfaces for service disruption. The assessment documents key control and door rating.
  • Roof access. Exterior ladders, parapet walls low enough to scale, adjacent buildings that allow lateral entry, mechanical penthouses with doors. Roofs rarely appear in self-assessments.
  • Blind corners and sight lines. Property areas the front desk cannot see, areas existing cameras do not cover, landscape features that conceal approach. Sight lines require a walk of the exterior, not just an inventory of doors.
  • Lighting at peak service hours. Lighting at noon on Tuesday is not lighting at 8 p.m. on Friday in December. The assessment needs lighting data at the actual peak attendance window.
  • Glass and glazing. Window film, laminated glass, ballistic glazing on sanctuary windows, sidelights next to main doors, lobby curtain walls. Glass is the most common entry point in forced-entry attacks and the most under-documented in internal assessments.

A credentialed assessor adds three things internal teams rarely have. First, Crime Prevention Through Environmental Design (CPTED) methodology applied systematically. Second, alignment with ASIS International standards reviewers recognize as the professional baseline. Third, photo-documented findings written in language reviewers cite back in the IJ.

The honest framing: an internal team can produce an assessment that passes. A professional assessment produces a document that scores. The gap between passing and scoring is the gap between eligibility and funding.

The Access-Point Checklist

Every facility has more access points than the internal team expects. Walk the property with this list and document each one. If an item does not apply, say so. Silence on a category reads as oversight.

Front entrances. Door material, frame, lock type, hinge protection, vestibule, camera coverage, intercom, screening protocol at peak, glazing rating of sidelights, interior panic bar status.

Side entrances. Member entries that are not the main door, ADA-accessible doors, courtyard doors. Same items plus whether the door is staffed and how it is unlocked during services.

Rear entrances. Staff doors, alley doors, doors opening onto less visible exterior areas. The highest-frequency forced-entry point. Document lighting, camera coverage, sight lines from the street, lock rating, frame reinforcement.

Loading docks. Roll-up doors, dock-leveler bays, pedestrian doors. Whether the dock is left open during deliveries, independent locking on the pedestrian door, camera coverage, visibility from a staffed area.

Kitchen entries. Catering doors, garbage doors, vendor doors. Often propped open during events. Document the propping behavior honestly, because the reviewer can imagine it.

Mechanical rooms. HVAC, electrical, water, gas, sprinkler riser, server room, fire panel. Door rating, key control, alarm status, whether utilities can be shut off from outside.

Fire exits. Every code-required exit, from the inside (panic hardware functional) and outside (no exterior pull, alarmed on opening, camera coverage). Fire exits disabled from the inside are a code violation; flag them for correction.

Roof access. Interior and exterior ladders, adjacent structures allowing lateral roof access, parapet height, penthouse doors, skylights, roof hatches.

Parking. Lot lighting, fencing, vehicle approach paths, distance from the nearest paved approach to the building wall, presence of bollards or planters, visibility from a staffed area.

Perimeter. Fence type and height, gates, gaps under fences, landscaping that conceals approach, neighboring property access.

Glass and glazing. Sanctuary windows, lobby curtain walls, sidelights, transoms, stained glass with no protective film, ground-floor windows on the rear and side, basement windows.

Sight lines, lighting, alarms, cameras, access control. Walk the exterior and stop at every point you cannot see a door, window, or vehicle approach. Return after sunset on a peak day and photograph every dark area. Document intrusion system age, monitoring, panic buttons. Document camera count, type, resolution, recording duration, coverage map. Document the key system, key holders, badge system, visitor log, and screening at peak events.

Photographing the Walkthrough

Photos are evidence. A reviewer who can see the gap in the photograph scores the vulnerability section higher than one who has to imagine it from prose.

What every photograph must show:

  • The access point or feature being documented
  • Enough context to identify the location (a wall sign, a known reference point)
  • The specific gap (the unprotected hinge, the missing camera angle, the dark zone)
  • The date in the file metadata (do not strip EXIF when exporting)

File naming convention that holds up under SAA review:

[FacilityShortName]_[ZoneCode]_[FindingNumber]_[ShortDescription].jpg

Example: BethShalom_REAR_F12_unprotected_hinge_pin.jpg

The finding number ties the photograph to the assessment text and to the IJ. When the reviewer reads finding 12 in the IJ, they can locate the photograph in seconds.

Photo-to-gap mapping table inside the assessment:

Finding # | Zone  | Gap                                                      | Photo file                                | Recommended mitigation
F01       | Front | No vehicle barrier between curb and main door, 14 feet   | BethShalom_FRONT_F01_no_barrier.jpg       | ASTM F2656 M30 bollards
F12       | Rear  | Hinge pins exposed on staff door, removable from outside | BethShalom_REAR_F12_unprotected_hinge.jpg | Non-removable hinge pins or hinge guard
F18       | Roof  | Exterior ladder reaches roof, no anti-climb              | BethShalom_ROOF_F18_exterior_ladder.jpg   | Anti-climb cage with locking gate

This table is the most valuable artifact in the assessment. The IJ writer pulls from it. The budget builds from it. The reviewer scans it.

Mapping Gaps to Allowable NSGP Costs

Every gap the assessment names should map to an allowable cost category in the current NOFO at https://www.fema.gov/grants/preparedness/nonprofit-security. Procurement of those items, once funded, follows the federal Uniform Guidance at 2 CFR Part 200 (https://www.ecfr.gov/current/title-2/subtitle-A/chapter-II/part-200). Items outside the allowable categories cannot be funded, regardless of how well the assessment documents the gap.

The standard mapping pattern:

  • Unhardened door, glass and glazing, vehicle approach, roof access, lighting, perimeter: target hardening (door, frame, lock, hinge, security film, bollards, anti-climb hardware, exterior lighting, fencing).
  • Camera blind spots: additional cameras and recording capacity under surveillance.
  • Access control gaps: electronic access control, badge readers, key management.
  • Alarm gaps: intrusion detection, panic buttons.
  • Training gaps: security training and active threat response training (capped per the NOFO).
  • Contracted security: contract security personnel (capped per the NOFO).

If a gap does not map to an allowable category, it still belongs in the document for the operational record, but the IJ cannot fund it. Surface those items in the assessment narrative and address them through other funding sources.

CPTED Principles Reviewers Recognize

Crime Prevention Through Environmental Design is the framework most professional assessors apply. Reviewers recognize the language because it appears in federal and state security guidance. An assessment organized around CPTED principles reads as professional even when the assessor is internal.

The four CPTED principles:

Natural surveillance. Trimmed shrubs below window height, clear sight lines from staffed areas to entrances, lighting at peak hours, windows oriented toward parking and approach paths. The assessment documents where surveillance is strong and where it is obstructed.

Access control. Physical and procedural measures that channel people through intended entries and restrict unintended ones. Fencing, gates, door hardware, key control, visitor procedures.

Territoriality. Visible markers that the property is owned, maintained, and watched. Signage, landscaping, defined property edges. The assessment notes territorial weaknesses (faded signage, neglected edges, unclear property boundaries).

Maintenance. Broken windows, burned-out lights, graffiti not removed, fences not repaired. The maintenance condition communicates whether anyone is paying attention.

CPTED is a way of reading the property, not a checklist of products. An assessment that opens with a CPTED frame produces better gap documentation than one that jumps directly into a door-by-door inventory.

Three Assessment Gaps That Lower IJ Scores Most Often

Reading denied IJs after the fact, three patterns repeat in the assessments that backed them:

Undocumented access points. The IJ lists the front and side doors. The assessment never inventories loading docks, kitchen entries, mechanical room doors, fire exits, or roof access. Reviewers cannot score a vulnerability they cannot see. If an attacker would use the door, the assessment names the door.

Equipment without an underlying gap. The budget proposes $40,000 in fencing. The assessment never mentions perimeter as a gap. Reviewers cannot connect the line item to a documented vulnerability. The fix is to walk the perimeter, document the gap, photograph it, and number it as a finding the IJ can cite.

Vague gap language. “Improve perimeter security” is not a gap. “Six-foot chain-link fence on the east property line is sagging and breached at the corner near the alley, photograph F23” is a gap. Reviewers reward specificity. Adjectives lose points.
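The two cross-checks that this section and the photo-to-gap mapping table earlier describe, photo file names that carry the finding number and zone of the row they support, and budget lines that cite a numbered finding, can be run mechanically before the package is submitted. The Python script below is an added example, not part of the original checklist and not a Security Grant Advisors tool. It reuses the three mapping-table rows from this page; finding F23, the evidence folder listing, the budget lines and the facility short name "BethShalom" are constructed sample data, and F23 is deliberately given a photo name with the wrong zone code so the checks have something to report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Photo naming convention from the checklist:
# [FacilityShortName]_[ZoneCode]_[FindingNumber]_[ShortDescription].jpg
PHOTO_NAME = re.compile(
    r"^(?P<facility>[A-Za-z0-9]+)_(?P<zone>[A-Z]+)_(?P<finding>F\d{2,})"
    r"_(?P<desc>[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*)\.jpe?g$"
)


@dataclass(frozen=True)
class Finding:
    number: str       # finding number the IJ and budget cite, e.g. "F12"
    zone: str         # zone as written in the mapping table, e.g. "Rear"
    gap: str
    photo: str        # photo file name from the mapping table
    mitigation: str


@dataclass(frozen=True)
class BudgetLine:
    item: str
    amount: int
    finding: Optional[str]   # finding number the line cites; None if it cites nothing


# Three rows from the mapping table on the page plus one constructed row (F23)
# whose photo name carries the wrong zone code and is absent from the folder.
FINDINGS = [
    Finding("F01", "Front", "No vehicle barrier between curb and main door, 14 feet",
            "BethShalom_FRONT_F01_no_barrier.jpg", "ASTM F2656 M30 bollards"),
    Finding("F12", "Rear", "Hinge pins exposed on staff door, removable from outside",
            "BethShalom_REAR_F12_unprotected_hinge.jpg", "Non-removable hinge pins or hinge guard"),
    Finding("F18", "Roof", "Exterior ladder reaches roof, no anti-climb",
            "BethShalom_ROOF_F18_exterior_ladder.jpg", "Anti-climb cage with locking gate"),
    Finding("F23", "Perimeter", "Chain-link fence sagging and breached at the alley corner",
            "BethShalom_REAR_F23_fence_breach.jpg", "Repair and re-tension fence line"),
]

# Constructed listing of the evidence folder that ships with the assessment.
PHOTO_FILES = {
    "BethShalom_FRONT_F01_no_barrier.jpg",
    "BethShalom_REAR_F12_unprotected_hinge.jpg",
    "BethShalom_ROOF_F18_exterior_ladder.jpg",
}

# Constructed budget: the fencing line cites no finding, mirroring the
# "equipment without an underlying gap" pattern described in the text.
BUDGET = [
    BudgetLine("ASTM F2656 M30 bollards, main entrance", 85000, "F01"),
    BudgetLine("Hinge guards, rear staff door", 1200, "F12"),
    BudgetLine("Perimeter fencing, east property line", 40000, None),
]


def parse_photo_name(filename):
    """Split a photo file name into its convention fields, or None if it does not conform."""
    m = PHOTO_NAME.match(filename)
    return m.groupdict() if m else None


def check_findings(findings, photo_files, facility):
    """Return problem strings for rows whose photo does not match the row or is missing."""
    problems = []
    seen = set()
    for f in findings:
        if f.number in seen:
            problems.append(f"{f.number}: duplicate finding number")
        seen.add(f.number)
        parsed = parse_photo_name(f.photo)
        if parsed is None:
            problems.append(f"{f.number}: photo name {f.photo!r} does not follow the convention")
            continue
        if parsed["facility"] != facility:
            problems.append(f"{f.number}: photo facility {parsed['facility']} is not {facility}")
        if parsed["zone"] != f.zone.upper():
            problems.append(f"{f.number}: photo zone {parsed['zone']} does not match table zone {f.zone}")
        if parsed["finding"] != f.number:
            problems.append(f"{f.number}: photo is numbered {parsed['finding']}")
        if f.photo not in photo_files:
            problems.append(f"{f.number}: photo file {f.photo} is not in the evidence folder")
    return problems


def check_budget(findings, budget):
    """Return (budget lines citing no documented finding, findings no budget line funds)."""
    numbers = {f.number for f in findings}
    orphan_lines = [b.item for b in budget if b.finding not in numbers]
    funded = {b.finding for b in budget}
    unfunded = sorted(n for n in numbers if n not in funded)
    return orphan_lines, unfunded


if __name__ == "__main__":
    for p in check_findings(FINDINGS, PHOTO_FILES, "BethShalom"):
        print("PHOTO :", p)
    orphans, unfunded = check_budget(FINDINGS, BUDGET)
    for item in orphans:
        print("BUDGET: no finding cited for", item)
    for n in unfunded:
        print("BUDGET: finding", n, "has no budget line")
```

Run against a real package, the findings list would come from the mapping table, PHOTO_FILES from a directory listing of the evidence folder, and the budget lines from the IJ budget worksheet. An orphan budget line is the $40,000 fencing case from the text; a finding with no budget line is not an error by itself, since not every gap is funded in one cycle, but it should be a deliberate choice rather than an oversight. The script does not inspect EXIF dates, so the "do not strip EXIF" check remains a manual step.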

How Often to Refresh the Assessment

The working rule is 12 to 18 months. An assessment older than 18 months should be refreshed before a new NSGP cycle. The refresh updates photographs, re-walks the access points, and incorporates changes to the facility, staffing, or threat picture.

Triggers for a full redo rather than a refresh:

  • Major renovation or addition
  • Change of primary use (residential wing added, school program added)
  • New construction on the adjacent property that affects sight lines or approach
  • Significant change in occupancy patterns or operating hours
  • A documented incident at the facility
  • A change in the NOFO that affects the documentation standard

Reviewers downgrade IJs that cite assessments from prior cycles without updates. Citing a 2022 assessment in a 2026 application without a refresh note signals that the documentation has not kept pace.

An internal refresh of an internal original tends to inherit the gaps the original missed. The first professional assessment, even when the prior internal documents passed federally, usually surfaces three to five access points the internal team had not treated as access points.

Frequently Asked Questions

Can we do the assessment ourselves?

At the federal NSGP level, yes. The NOFO does not require a credentialed assessor. State programs vary. New Jersey requires photographs and several states require or strongly prefer professional assessments. The real question is whether a self-assessment scores. Internal walkthroughs consistently miss back-of-house access, mechanical rooms, roof points, blind corners, lighting at peak hours, and glazing. A professional assessor applying CPTED and ASIS standards typically surfaces three to five gaps a self-walkthrough does not. Each missed gap is a finding the IJ cannot cite and a budget line that cannot be defended.

Does the assessment need to be done by a former law enforcement officer?

No. There is no federal requirement that the assessor be sworn or former law enforcement. Board Certified Protection Professional (CPP) through ASIS International is the most commonly recognized credential. Local law enforcement crime prevention units will often perform a walkthrough at no cost, but those walkthroughs are typically not detailed enough to stand as the NSGP assessment.

How long should the assessment document be?

Long enough to inventory every access point, document every gap, and tie every recommendation to a finding number. For a small single-building facility, that is typically 25 to 40 pages including photographs. For a larger campus, 60 to 100 pages is common. Coverage is the metric, not page count.

Can one assessment cover multiple buildings?

No. NSGP is facility-by-facility. One IJ per facility, one assessment per facility, one budget per facility.

Does the assessment get submitted with the IJ?

Yes. The assessment is part of the federal NSGP submission package and is typically required by state SAA portals. Submitting an IJ without the underlying assessment, or with an assessment too thin to support the IJ claims, is one of the most common reasons applications are returned at the administrative review stage.

What if our facility has had no incidents?

Vulnerability is not contingent on prior incidents. The vulnerability section documents the gaps an attacker could exploit, independent of attack history. Prior incidents belong in the risk section of the IJ. An assessment of a facility with no incident history is the same document as one with five incidents.

What We Do

Security Grant Advisors conducts NSGP vulnerability assessments for nonprofits applying to federal NSGP and state programs. The work covers facility walkthrough, photo documentation, CPTED-based gap analysis, finding numbering aligned to NSGP allowable cost categories, and integration with the IJ draft.

For organizations with a prior internal assessment, we re-walk the facility, surface the missed access points, and produce a refreshed document the IJ can cite. For first-time applicants, the assessment is the starting point of the full submission package.

If you are planning a 2026 or 2027 application and want an assessment built to current NOFO standards, contact us or call (855) 674-7946.

Official Sources

Every claim in this checklist traces back to a primary federal source. Confirm the current cycle requirements at the official URLs below before submission.

  • FEMA Nonprofit Security Grant Program (NSGP): https://www.fema.gov/grants/preparedness/nonprofit-security
  • CISA Physical Security: https://www.cisa.gov/topics/physical-security
  • U.S. Department of Homeland Security: https://www.dhs.gov/
  • FBI Hate Crime Statistics: https://www.fbi.gov/services/cjis/ucr/hate-crime
  • 2 CFR Part 200 (Uniform Guidance for federal awards): https://www.ecfr.gov/current/title-2/subtitle-A/chapter-II/part-200

State Administrative Agencies publish state-specific NOFOs and assessment requirements. Confirm the current SAA contact for your state through the FEMA grants portal above.
