Step 6: Assess
The security controls should be assessed to determine whether the controls are
implemented correctly, are operating as intended, and are producing the desired
outcome with respect to meeting the security requirements for the system.
Step 7: Authorize
Upon a determination of the risk to organizational operations, organizational assets,
or individuals resulting from their operation, authorize the information systems.
Step 8: Monitor
Monitor and assess selected security controls in the information system on a
continuous basis, including documenting changes to the system.