Whether the district's IP addressing plan — subnet allocations, VLAN-to-subnet mapping, reserved ranges — is captured in a maintained document. Distinct from MN F8 (the IPAM tool itself); this field is about the SCHEME, that one is about the SOURCE OF TRUTH. The dashboard's existing NET-IPS-01 finding maps here.
Hard finding · No documented IP scheme
Without a documented IP scheme, every troubleshooting incident becomes a discovery exercise and new VLAN/subnet additions inherit drift. A maintained spreadsheet is the floor; an IPAM tool (see MN F8) is the target.
How the network is sliced into broadcast domains. Per-function isolation (staff vs student vs guest vs voice vs IoT vs management) is best practice — it limits the blast radius of misconfiguration, malware, and rogue devices. A flat network is a hard finding.
Whether subnet IDs follow a predictable pattern across campuses. A standardized scheme (e.g. “every site uses 10.<site>.10.0/24 for staff, .20 for students”) makes ACLs, firewall rules, and incident response materially easier. Per-site improvisation isn't a hard finding but is a maturity ceiling.
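One way to check a documented plan against a standardized scheme, as an added example (not part of the assessment tool itself). It assumes the plan is kept as a CSV with `site`, `function` and `subnet` columns and uses the `10.<site>.<function>.0/24` convention quoted above; the guest and voice octets, the function names and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

# Convention from the text: 10.<site>.10.0/24 = staff, .20 = students.
# The guest and voice octets are hypothetical additions for this example.
FUNCTION_OCTET = {"staff": 10, "students": 20, "guest": 30, "voice": 40}

# Constructed sample plan, not real district data.
SAMPLE_PLAN = """site,function,subnet
1,staff,10.1.10.0/24
1,students,10.1.20.0/24
2,staff,10.2.10.0/24
2,students,10.2.25.0/24
3,staff,192.168.3.0/24
3,guest,10.3.30.0/23
4,staff,10.1.10.0/24
"""

def expected_subnet(site, function):
    return ipaddress.ip_network(f"10.{site}.{FUNCTION_OCTET[function]}.0/24")

def audit_plan(plan_csv):
    """Return (site, function, subnet, problem) tuples for rows that drift."""
    findings, seen = [], []
    for row in csv.DictReader(io.StringIO(plan_csv)):
        site, function = int(row["site"]), row["function"].strip().lower()
        raw = row["subnet"].strip()
        try:
            net = ipaddress.ip_network(raw, strict=True)  # rejects host bits set
        except ValueError as exc:
            findings.append((site, function, raw, f"invalid: {exc}"))
            continue
        if function not in FUNCTION_OCTET:
            findings.append((site, function, str(net), "function not in scheme"))
        elif net != expected_subnet(site, function):
            findings.append((site, function, str(net), f"expected {expected_subnet(site, function)}"))
        for other in seen:  # the same range documented twice is drift as well
            if net.overlaps(other):
                findings.append((site, function, str(net), f"overlaps {other}"))
        seen.append(net)
    return findings

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print(finding)
```

Rows that deviate from the pattern are reported rather than rejected, matching the field's treatment of per-site improvisation as a maturity signal and not a hard finding.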
Whether IPv6 is in use anywhere. Genuinely rare in K-12 — the assessment surfaces it for completeness but absence is not a finding. Worth answering for planning purposes (Microsoft, Google, and most vendors are increasingly IPv6-first).
What's actually serving DHCP. Multi-platform is common — Windows Server for staff/student, FortiGate or Meraki for guest. The list isn't a checklist; the “Other” option covers niche vendors. Empty selection is a hard finding.
Whether infrastructure devices (switches, APs, printers, servers) have static DHCP reservations or named static IPs. Without reservations, infrastructure devices can churn IPs through lease cycles, breaking firewall ACLs, monitoring targets, and inter-device trust assumptions.
Whether lease lengths are tuned to each scope's usage pattern. Shorter leases on student/guest (devices come and go) and longer on staff (stable devices) is the standard pattern — uniform lease length works but wastes either capacity or convenience.
What happens if the DHCP server is down. For a district-wide service, a DHCP outage equals network-down for every client trying to get a new lease — students arriving in the morning, devices waking from sleep, anyone who reboots. Single-server is common in K-12 and surfaced as a maturity signal, not a hard finding.
What resolves the district's own internal names. Active Directory-integrated DNS is the typical K-12 pattern (one DC, or multiple DCs each carrying DNS). Cloud-managed and dedicated-server variants exist; cloud-native districts without an internal directory may resolve everything externally.
Where internal DNS sends queries for names it doesn't own. A security DNS provider (Cisco Umbrella, OpenDNS, Quad9, Cloudflare for Families) gives DNS-layer content filtering as a side effect — one half of CIPA compliance. The other half is inline content filtering — see NET-CF.
Whether the internal DNS service survives a single server outage. AD environments typically inherit this for free (every DC runs DNS); standalone DNS deployments need explicit secondary configuration.
Which DNS-specific security features are enabled. K-12 typically runs minimal DNS security (most filtering happens at the forwarder via F10), so empty selection is normal-but-not-mature rather than a hard finding. “Not sure” is valid when the DNS config hasn't been formally audited.