A security engineer is a new member to a configuration board at the request of management. The company
has two new major IT projects starting this year and wants to plan security into the application deployment. The
board is primarily concerned with the applications’ compliance with federal assessment and authorization
standards. The security engineer asks for a timeline to determine when a security assessment of both
applications should occur and does not attend subsequent configuration board meetings. If the security
engineer is only going to perform a security assessment, which of the following steps in system authorization
has the security engineer omitted?

A.
Establish the security control baseline

B.
Build the application according to software development security standards

C.
Review the results of user acceptance testing

D.
Consult with the stakeholders to determine which standards can be omitted