How do you prepare a system for an assessment and authorization (A&A) process under the Risk Management Framework (RMF)?