Which activity is performed by the ISSP/SCA?

Security control assessments of Classified Information Systems are what ISSP and Security Control Assessor teams focus on. In the RMF framework, these roles are responsible for evaluating the security controls that protect systems handling classified data. They plan, execute, and document assessments to verify that safeguards are properly implemented, functioning, and in line with required standards, supporting the authorization decision and ongoing monitoring. This direct focus on testing and validating the system’s security posture is why this activity is the best match. Other tasks—issuing security policies, managing physical access control, and conducting background investigations—are handled by different roles such as policy owners, physical security personnel, and personnel security investigators.