ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

CHAPTER THREE: THE REQUIREMENTS

3.2 Developing security and privacy assessment plans

The security assessment plan and privacy assessment plan provide the objectives for the security and privacy control assessments, respectively, and a detailed roadmap of how to conduct such assessments. These plans may be developed as one integrated plan or as distinct plans, depending upon organizational needs. The following steps are considered by assessors in developing plans to assess the security or privacy controls in organizational information systems or inherited by those systems:

Determine which security and privacy controls/control enhancements are to be included in assessments based upon the contents of the security plan and privacy plan and the purpose and scope of the assessments;

Select the appropriate assessment procedures to be used during assessments based on the security or privacy controls and control enhancements to be included in the assessments;

Tailor the selected assessment procedures (e.g., select appropriate assessment methods and objects, assign depth and coverage attribute values);

Develop additional assessment procedures to address any security requirements or privacy requirements or controls that are not sufficiently covered by Special Publication 800-53;

Optimize the assessment procedures to reduce duplication of effort (e.g., sequencing and consolidating assessment procedures) and provide cost-effective assessment solutions; and

Finalize assessment plans and obtain the necessary approvals to execute the plans.