The security assessment strategy incorporates the steps of the Risk Management Framework (i.e., security categorization, the security control selection process of FIPS 200, and the identification of common (inherited) security controls) to maximize cost savings. Building an effective assurance case for security control effectiveness involves: (i) compiling evidence that the controls employed in the system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system; and (ii) presenting this evidence in a manner that decision makers are able to use effectively in making credible, risk-based decisions about the operation (or continued operation) of the system.
As stated in NIST Special Publication (SP) 800-53A, security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits; rather, security control assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives.
The assessors will obtain the evidence needed during the assessment process to allow the Authorizing Official (AO) to make objective determinations about the effectiveness of the security controls and the security of the system.