
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

The grouping of controls into security capabilities and privacy capabilities necessitates the conduct of root cause analyses to determine if the failure of a particular security or privacy capability can be traced to the failure of one or more security or privacy controls based on the established relationships among controls. The structure of the assessment procedures in this publication, with the token-level decomposition and labelling of assessment objectives linked to the specific content of security and privacy controls, supports such root cause analysis. Thus, assessments of security and privacy controls (defined as part of capabilities) can be tailored, based on the guidance in Section 3.2.3 and Special Publication 800-137, to define the resource expenditures (e.g., frequency and level of effort) associated with such assessments. This additional precision in assessments is essential in supporting the continuous monitoring strategies developed by organizations and the ongoing authorization decisions by senior leaders.

 

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056