Develops a security assessment plan that describes the scope of the assessment including:
Security controls and control enhancements under assessment;
Assessment procedures to be used to determine security control effectiveness; and
Assessment environment, assessment team, and assessment roles and responsibilities;
Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
Produces a security assessment report that documents the results of the assessment; and
Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].