RMF steps 4, 5, and 6 - Assess, authorize, and monitor

Release version: Australia

Updated March 12, 2026

2 minutes to read

After you have implemented controls, you can assess internal and external controls, generate Plans of Action and Milestones (POA&M), and manage change requests and vulnerable items.

Before you begin

Role required:

sn_irm_cont_auth.system_owner
sn_irm_cont_auth.info_system_sec_officer
sn_irm_cont_auth.authorization_official
sn_irm_cont_auth.info_system_sec_manager
sn_irm_cont_auth.admin

About this task

The Assess process is generally performed by a user other than the system owner or the personnel who implemented the controls.

The Assess state adds Control Assessments and Risk Summary related lists, as well as POA&M, Change Requests, Security Incidents, and Vulnerable Items tabs to the Authorization Package form.

Note:

CAM performance may slow when a high volume of Change Request, Incident records, or both is related to a single authorization package. If you experience long transaction response times, consider performing the procedures detailed in KB0861865.

Procedure

For an authorization package in the Implement state, select Assess.

Note:
An Audit Engagement is automatically created.

To send the package back to the Implement state, select Back to previous step. The state of the engagement becomes Closed Incomplete. On selecting Assess, an engagement is created.
Select the Control Assessments related list to view the Audit engagement.

Note:
The Audit Engagement is automatically assigned to the SCA.
Select the engagement number to open it.

Notice that the Entities tab is displaying the authorization boundary for the package.
Select the Controls tab to view all the controls that your team implemented.
Select the Test plans tab.
Test plans are automatically created for the control. For more information on test plans, see Generate assessment procedure plans for a test plan.
Select the Control tests tab to view the tasks for assessing the controls.

Note:
The Audit tasks tab in the Default view is renamed as Control tests tab in the CAM view. The names of the related list labels vary and are specific to the Default view or CAM view. You can change the view by selecting the Additional actions icon ().
For more information on test plans, see Determine control effectiveness of a control test.
1. Select a control test.
2. From the Assessment procedures list, select a record.
3. Select the Attach File link to attach an evidence document as a proof of the test.
4. Select the Notes field to enter additional assessment details.
In the Default view, select an audit task and perform the Design Test and Operation Test to judge the control's effectiveness.

For details on this process, see Manage engagements.

Note:
Any issues that arise during the Assess phase appear in the POA&M tab. Additionally, any open Change Requests or Vulnerable Items targeting the system elements in the package appear under those tabs.
The system owner must review and document any POA&M issues, change requests, and vulnerable items that potentially threaten your systems.
When the review is complete, select Authorize.

Note:
In the Monitor state, continuous monitoring is achievable if you have indicators. If not, you can manually review the controls. For more information, see Manage control indicators.

You can select Generate Report(s) to generate a FedRAMP System Security Plan (SSP) document for the authorization package in PDF format.

The package transitions to the Authorize state. When you’re satisfied that all is in order, select Request Approval. An approval request is sent to the Authorizing Official, who will access My Approvals from the navigation pane and review the information in the package. When the approval is received, the package transitions to the Monitor state.