Question on NIST 800-53 Control SA-11

old.reddit.com / @/u/FLCala55, https://old.reddit.com/user/FLCala55

What type of Artifacts/Evidence would suffice for this control? The control appears to cover custom software development as well as integration of new systems and services. With Cloud systems/services, wouldn't FedRAMP reqs cover this? CSPs need to have an assessment from a third party, which would require an assessment plan, vulnerability scans, remediation/mitigation, etc.? For Software development, would developer testing using automated tools, DevOps, etc. be applicable? This would be in addition to web application and device vulnerability scanning prior to deployment to production. Also, wouldn't ongoing assessments be incorporated into the organization's standard security control assessment/RMF process? Thanks for the feedback.

submitted by /u/FLCala55

published 10 months ago
