Do you have to have the meaningful use security risk assessment completed before starting the 90 day attestation period?

It is a BEST PRACTICE to get the security risk assessment done before your attestation period. You can provide the evidence of mitigating any risks identified in the assessment during the 90 days attestation period.