A security engineer is a new member to a configuration board at the request of management. The company has two new major IT projects starting this year and
wants to plan security into the application deployment. The board is primarily concerned with the applications’ compliance with federal assessment and
authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend
subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system
authorization has the security engineer omitted?

A.
Establish the security control baseline

B.
Build the application according to software development security standards

C.
Review the results of user acceptance testing

D.
Consult with the stakeholders to determine which standards can be omitted