ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: CHAPTER THREE: THE REQUIREMENTS > 3.2   Developing security and privacy assessment plans

3.2.1   Determine which security or privacy controls are to be assessed.

The security plan and privacy plan provide an overview of the security and privacy requirements, respectively, for the information system and organization and describe the security controls and privacy controls in place or planned for meeting those requirements. The assessor starts with the security or privacy controls described in the security or privacy plan and considers the purpose of the assessment. A security or privacy control assessment can be a complete assessment of all controls in the information system or inherited by the system (e.g., during an initial security or privacy authorization process) or a partial assessment of the controls in the information system or inherited by the system (e.g., during system development as part of a targeted assessment resulting from changes affecting specific controls, or where controls were previously assessed and the results accepted in the reciprocity process).

For partial assessments, information system owners and common control providers collaborate with organizational officials having an interest in the assessment (e.g., senior information security officers, senior agency officials for privacy/chief privacy officers, mission/information owners, Inspectors General, and authorizing officials) to determine which security or privacy controls are to be assessed. The determination of the controls to be assessed depends on the purpose of the assessment. For example, during the initial phases of the system development life cycle, specific controls may be selected for assessment to promote early detection of weaknesses and deficiencies and a more cost-effective approach to risk mitigation. After the initial authorization to operate has been granted, targeted assessments may need to be conducted when changes are made to the system, to specific security or privacy controls, or to the environment of operation. In such cases, the focus of the assessment is on the security or privacy controls that may have been affected by the change.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056