How do you ensure that security assessments are aligned with JSIG/RMF continuous monitoring tools and processes?