In a similar manner to how the security controls and privacy controls from Special Publication 800-53 are tailored for the organization’s mission, business functions, characteristics of the information system, and operating environment, organizations tailor the assessment procedures listed in Appendices F and J to meet specific organizational needs. Organizations have the flexibility to perform the tailoring process at the organization level for all information systems, at the individual information-system level, or using a combination of organization-level and system-specific approaches. Security control assessors and privacy control assessors determine if the organization provides additional tailoring guidance prior to initiating the tailoring process. Assessment procedures are tailored by:
• Selecting the appropriate assessment methods and objects needed to satisfy the stated assessment objectives;
• Selecting the appropriate depth and coverage attribute values to define the rigor and scope of the assessment;
• Identifying common controls that have been assessed by a separately documented security assessment plan or privacy assessment plan, and do not require the repeated execution of the assessment procedures;
• Developing information system/platform-specific and organization-specific assessment procedures (which may be adaptations to those procedures in Appendices F and J);
• Incorporating assessment results from previous assessments where the results are deemed applicable; and
• Making appropriate adjustments in assessment procedures to be able to obtain the requisite assessment evidence from external providers.