After you have completed the implementation process, you can assess internal and external controls, generate Plans of Action and Milestones, and manage change requests and vulnerable items.

1. For an Authorization Package in the Implement state, click Assess.

   

   Note: An Audit Engagement is automatically created.
2. Click the Control Assessments related list to view the Audit engagement.

   

   Note: The Audit Engagement is automatically assigned to the SCA.
3. Click the engagement number to open it. Notice that the Entities tab is displaying the authorization boundary for the package.

   

4. Click the Controls tab to view all of the controls your team implemented.

   

5. Next, click the Audit Tasks tab to view tasks you can use for assessing the controls.
6. Click an audit task and perform the Design Test and Operation Test to judge the control's effectiveness. For details on this process, see Manage engagements.
   Note: Any issues that arise during the Assess phase appear in the POA&M tab. Additionally, any open Change Requests or Vulnerable Items targeting the system elements in the package appear under those tabs.
7. The system owner must review and document any Plan of Action and Milestones (POA&M) issues, change requests, and vulnerable items that potentially threaten your systems.
8. When this is complete, click Authorize. The package transitions to the Authorize state. When you are satisfied that all is in order, click Request Approval. An approval request is sent to the Authorizing Official, who will access My Approvals from the navigation pane and review the information in the package. When the approval is received, the package transitions to the Monitor state.
   Note: In the Monitor state, continuous monitoring is achievable if you have indicators. If not, you can manually review the controls. For more information, see Manage control indicators.