In RMF, which party is primarily responsible for conducting a formal security control assessment?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

In RMF, which party is primarily responsible for conducting a formal security control assessment?

Explanation:
In RMF, the formal security control assessment is performed by a qualified independent assessor or assessment team. Independence matters because it guarantees an objective evaluation of how well the security controls are implemented and functioning. The assessor tests the controls, reviews evidence, and documents findings in the Security Assessment Report, which the Authorizing Official uses to make the risk-based authorization decision. The system owner is responsible for implementing the controls and providing evidence, but the actual formal assessment relies on an independent party. Automated self-assessment tools can aid data collection and ongoing monitoring, but they do not replace a formal assessment carried out by an independent assessor. The vendor sales team does not participate in the formal assessment.

