ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

3.2.6   Finalize assessment plan and obtain approval to execute plan.

After selecting the assessment procedures (including developing necessary procedures not contained in the Special Publication 800-53A catalog of procedures), tailoring the procedures for information system/platform-specific and organization-specific conditions, optimizing the procedures for efficiency, and addressing the potential for unexpected events impacting the assessment, the assessment plan is finalized and the schedule is established, including key milestones for the assessment process. Once the security assessment plan or privacy assessment plan is completed, the plan is reviewed and approved by appropriate organizational officials to ensure that the plan is: (i) complete; (ii) consistent with the security or privacy objectives of the organization, as appropriate, and the organization’s assessment of risk; and (iii) cost-effective with regard to the resources allocated for the assessment.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056