After initial security authorization, approval, certification, or accreditation, subsequent security reviews shall normally be conducted no more frequently than annually.

Additionally, such reviews shall be aperiodic or random, and be based upon risk management principles. Security reviews may be conducted “for cause”, to follow up on previous findings, or to accomplish close-out actions. Visits may be made to a facility to conduct security support actions, administrative inquiries, program reviews, and approvals as deemed appropriate by the cognizant security authority or agency.