
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance


3.4 Analyzing assessment report results


The results of security control assessments and privacy control assessments ultimately influence control implementations, the content of security plans and privacy plans, and the respective plans of action and milestones. Accordingly, information system owners and common control providers review the security assessment reports, the privacy assessment reports, and the updated risk assessment and, with the concurrence of designated organizational officials (e.g., authorizing officials, chief information officer, senior information security officer, senior agency officials for privacy/chief privacy officers, mission/information owners), determine the appropriate steps required to respond to the weaknesses and deficiencies identified during the assessment. By using the labels of satisfied and other than satisfied, the reporting format for the assessment findings gives organizational officials visibility into specific weaknesses and deficiencies in security or privacy controls within the information system or inherited by the system, and facilitates a disciplined and structured approach to responding to risks in accordance with organizational priorities. For example, information system owners or common control providers, in consultation with designated organizational officials, may decide that certain assessment findings marked as other than satisfied are of an inconsequential nature and present no significant risk to the organization. Conversely, system owners or common control providers may decide that certain findings marked as other than satisfied are significant and require immediate remediation actions. In all cases, the organization reviews each assessor finding of other than satisfied and applies its judgment with regard to the severity or seriousness of the finding and whether the finding is significant enough to warrant further investigation or remedial action.

Senior leadership involvement in the mitigation process may be necessary to ensure that the organization's resources are allocated effectively in accordance with organizational priorities, providing resources first to the information systems that support the most critical and sensitive missions of the organization or correcting the deficiencies that pose the greatest degree of risk. Ultimately, the assessment findings and any subsequent mitigation actions (informed by the updated risk assessment) initiated by information system owners or common control providers in collaboration with designated organizational officials trigger updates to the key documents used by authorizing officials to determine the security or privacy status of the information system and its suitability for authorization to operate. These documents include security plans and privacy plans, security assessment reports and privacy assessment reports, and the respective plans of action and milestones.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056