Security control assessments are conducted before the system is put into production and annually thereafter.

In addition, common events should trigger administrators to recheck controls. For example:

– NIST SP 800-53 is updated periodically based on comments from the IT security community to ensure the document reflects the most current controls used in practice. System administrators should verify they are using the most recent list of NIST controls and test the system against any new controls.

– Routine changes in the immediate environment, such as:

 New or modified hardware;

 New or modified software (including applications and operating systems); and

 New threats introduced to the environment.