Which RMF artifact documents the assessment findings and rationale for authorization decisions?

This question tests where the assessment findings and the rationale for an authorization decision are documented. In RMF, the Security Assessment Report collects the results of testing and evaluating security controls, including identified vulnerabilities, evidence gathered, and the risk conclusions. It explains how those findings support the authorization decision and describes the residual risk. The authorization decision itself is recorded in a separate Authorization to Operate memo, while other artifacts like the System Security Plan describe how controls are implemented and the Plan of Actions and Milestones tracks remediation. So, the document that specifically captures the assessment findings and the rationale used to decide authorization is the Security Assessment Report.