Now that we have all security controls applicable to the system selected and documented in the security control baseline and, also the system owner taking the appropriate steps to implement the select controls, it is the turn of the C&A Analyst to evaluate the adequacy of the security control implemented and give recommendations.
The following artifacts are generated at this Phase by the C&A Analyst:
Test Plan/Security Assessment Plan (SAP)
Security Control Assessment (SCA)/Security Test and evaluation (ST&E) report