2.1 Describe the system 

• 2.1.1 System name and scope documented 
• 2.1.2 System purpose and functionality 

2.2 Determine security compliance required 

• 2.2.1 Information types processed, stored, or transmitted 
• 2.2.2 Security objectives outlined for each information type based on national and international security and privacy compliance requirements (e.g., Federal Information Processing Standards (FIPS), International Organization for Standardization/International 

Electrotechnical Commission (ISO/IEC), data protection impact assessment) 

• 2.2.3 Risk impact level determined for system based on the selected framework 

3.1 Identify and document baseline and inherited controls 

3.2 Select and tailor controls 

• 3.2.1 Determination of applicable baseline and/or inherited controls 
• 3.2.2 Determination of appropriate control enhancements (e.g., security practices, overlays, mitigating controls) 
• 3.2.3 Specific data handling/marking requirements identified 
• 3.2.4 Control selection documentation 
• 3.2.5 Continued compliance strategy (e.g., continuous monitoring, vulnerability management) 
• 3.2.6 Control allocation and stakeholder agreement 

4.1 Develop implementation strategy (e.g., resourcing, funding, timeline, effectiveness) 

• 4.1.1 Control implementation aligned with organizational expectations, national or international requirements, and compliance for 
• security and privacy controls 
• 4.1.2 Identification of control types (e.g., management, technical, common, operational control) 
• 4.1.3 Frequency established for compliance documentation reviews and training 

4.2 Implement selected controls 

• 4.2.1 Control implementation consistent with compliance requirements 

• 4.2.2 Compensating or alternate security controls implemented 

4.3 Document control implementation 

• 4.3.1 Residual security risk or planned implementations documented (e.g., Plan of Action and Milestones (POA&M), risk register) 
• 4.3.2 Implemented controls documented consistent with the organization’s purpose, scope, and risk profile (e.g., policies, procedures, 
• plans) 

5.1 Prepare for assessment/audit 

• 5.1.1 Stakeholder roles and responsibilities established 
• 5.1.2 Objectives, scope, resources, schedule, deliverables, and logistics outlined 
• 5.1.3 Assets, methods, and level of effort scoped 
• 5.1.4 Evidence for demonstration of compliance audited (e.g., previous assessments/audits, system documentation, policies) 
• 5.1.5 Assessment/audit plan finalized 

5.2 Conduct assessment/audit 

• 5.2.1 Compliance capabilities verified using appropriate assessment methods: interview, examine, test (e.g., penetration, control, 
• vulnerability scanning) 
• 5.2.2 Evidence verified and validated 

5.3 Prepare the initial assessment/audit report 

• 5.3.1 Risks identified during the assessment/audit provided 

• 5.3.2 Risk mitigation summaries outlined 
• 5.3.3 Preliminary findings recorded 

5.4 Review initial assessment/audit report and plan risk response actions 

• 5.4.1 Risk response assigned (e.g., avoid, accept, share, mitigate, transfer) based on identified vulnerabilities or deficiencies 
• 5.4.2 Risk response collaborated with stakeholders 
• 5.4.3 Non-compliant findings with newly applied corrective actions reassessed and validated 

5.5 Develop final assessment/audit report 

• 5.5.1 Final compliance documented (e.g., compliant, non-compliant, not applicable) 
• 5.5.2 Recommendations documented when appropriate 
• 5.5.3 Assessment report finalized 

5.6 Develop risk response plan 

• 5.6.1 Residual risks and deficiencies identified 
• 5.6.2 Risk prioritized 
• 5.6.3 Required resources identified (e.g., financial, personnel, and technical) to determine time required to mitigate risk 

6.1 Review and submit security/privacy documents 

• 6.1.1 Security and privacy documentation required to support a compliance decision by the appropriate party (e.g., authorizing 
• official, third-party assessment organizations, agency) compiled, reviewed, and submitted 

6.2 Determine system risk posture 

• 6.2.1 System risk acceptance criteria 
• 6.2.2 Residual risk determination 
• 6.2.3 Stakeholder concurrence for risk treatment options 
• 6.2.4 Residual risks defined in formal documentation 
• 6.3 Document system compliance 
• 6.3.1 Formal notification of compliance decision 
• 6.3.2 Formal notification shared with stakeholders 

7.1 Perform system change management 

• 7.1.1 Changes weigh the impact to organizational risk, operations, and/or compliance requirements (e.g., revisions to baselines) 
• 7.1.2 Proposed changes documented and approved by authorized personnel (e.g., Change Control Board (CCB), technical review board) 
• 7.1.3 Deploy to the environment (e.g., test, development, production) with rollback plan 
• 7.1.4 Changes to the system tracked and compliance enforced 

7.2 Perform ongoing compliance activities based on requirements 

• 7.2.1 Frequency established for ongoing compliance activities review with stakeholders 
• 7.2.2 System and assets monitored (e.g., physical and logical assets, personnel, change control) 
• 7.2.3 Incident response and contingency activities performed 

• 7.2.4 Security updates performed and risks remediated/tracked 
• 7.2.5 Evidence collected, testing performed, documentation updated (e.g., service level agreements, third party contracts, policies, 
• procedures), and submission/communication to stakeholders when applicable 
• 7.2.6 Awareness and training performed, documented, and retained (e.g., contingency, incident response, annual security and privacy) 
• 7.2.7 Revising monitoring strategies based on updates to legal, regulatory, supplier, security and privacy requirements 

7.3 Engage in audits activities based on compliance requirements 

• 7.3.1 Required testing and vulnerability scanning performed 
• 7.3.2 Personnel interviews conducted 
• 7.3.3 Documentation reviewed and updated 
• 7.4 Decommission system when applicable 
• 7.4.1 Requirements for system decommissioning reviewed with stakeholders 
• 7.4.2 System removed from operations and decommissioned 
• 7.4.3 Documentation of the decommissioned system retained and shared with stakeholders