The SAP contains the test plan to assess the security controls of a system. The test plan functions as a detailed roadmap of the approach and methodology for the assessment of a CSP’s cloud service. Included in a SAP are the Penetration Test Plan - aligned to FedRAMP’s Penetration Test Guidance - and an Inventory Worksheet that coincides with the inventory provided in the SSP. The SAP also serves as a Rules of Engagement (RoE), once signed by the CSP and 3PAO, as it includes all applicable rules of engagement for the assessment. The joint responsibility of the CSP and the 3PAO, the SAP is a customized account of the security assessment methodology and indicates that both the CSP and 3PAO are in full concurrence as to the scope of security assessment testing. Authorizing Officials (AOs) are responsible for reviewing and approving the SAPs (making sure of appropriate scope and methodologies are used) at both the time of the assessment and during ConMon.
A completed SAP includes the following documentation:
- FedRAMP Security Assessment Plan
- FedRAMP Security Test Case Workbook
- Penetration Testing Plan and Methodology
- 3PAO Supplied Deliverables
- Penetration Test Rules of Engagement
- Sampling Methodology