Just a quick question on steps 3 and 4: why don't we assess the situation before we implement? If we implement first and then find out the situation is on a different level, we can't assess it. Just asking.
Risk assessments are done even prior to step 1, during step 1, and after step 1. Doing this sets things up prior to the selection of security controls. Also, during step 3 (Implementation), the information system isn't "live" yet. It's still undergoing testing/evaluation. The system doesn't go live until after the Authorizing Official approves the system for operation. In any case, for the sake of this discussion, the system stays relatively safe until it becomes operational.
There are also two types of assessments: security control assessments (what you're talking about) and risk assessments. They're both different but related to each other.
It's important to understand that the controls are recommended, not mandatory. But a contingency plan, counter process, or POAM is needed in its place.
You mentioned artifacts at 8:30 when going through an audit. Would you please list some examples of an artifact? Would an artifact include screenshots that controls have been met?