OCIO management should develop and implement an effective review process to ensure the required security controls are assessed in accordance with the information system's security baseline categorization (e.g., High, Moderate, or Low) and designation as a HVA, as applicable.