Determine if authorization and assurance documents identify an acceptable level of risk for software applications, systems, and networks