A security engineer is a new member to a configuration board at the request of management. The
company has two new major IT projects starting this year and wants to plan security into the
application deployment. The board is primarily concerned with the applications’ compliance with
federal assessment and authorization standards. The security engineer asks for a timeline to
determine when a security assessment of both applications should occur and does not attend
subsequent configuration board meetings. If the security engineer is only going to perform a
security assessment, which of the following steps in system authorization has the security
engineer omitted? (Select TWO).

A.
Establish the security control baseline to be assessed

B.
Build the application according to software development security standards

C.
Write the systems functionality requirements into the security requirements traceability matrix

D.
Review the results of user acceptance testing

E.
Categorize the applications according to use

F.
Consult with the stakeholders to determine which standards can be omitted