FISMA Certification and Accreditation Handbook

Whereas a formal C&A package attempts to assess and document the security of an information system at a fine level of detail, using rigorous verification and validation, a self-assessment is a less rigorous tool used to assess the security of the information system in the years between formal certifications and accreditations. Instead of bringing in outside agents to assess the security of a system, the self-assessment relies on people within the agency to perform the assessment. Self-assessments should be questionnaires that cover a range of the technical, management, and operational controls that should be in place for information systems. The assessment questions do not need to replicate every control you would cover in a formal C&A, but there should be some overlap. This way, you end up with a C&A package that reflects both an outside auditor's assessment of the security of a system and a gut check performed by agency personnel, and comparisons between the two evaluations can then be drawn.