The Security Assessment Report (SAR) contains the results of the comprehensive security assessment of a CSP’s cloud service offering, including a summary of the risks associated with vulnerabilities of the system identified during testing. The purpose of a SAR is to evaluate the system’s implementation of, and compliance with, the FedRAMP baseline security controls, and thus the system’s compliance with FISMA security mandates.
A CSP’s Independent Assessor (IA) Third Party Assessment Organization (3PAO) is responsible for generating the SAR following the assessment, and the document must align with the assessment methodology described in the Security Assessment Plan (SAP) and address the control detail described in the System Security Plan (SSP). An effective SAR should inform a CSP’s Plan of Action & Milestones (POA&M) and reflect the true risk posture of the system.
As with SSPs, Agency AOs or their designees are responsible for reviewing and approving SARs, ensuring that the appropriate level of testing was performed and that the risk posture associated with the system is acceptable to that Agency, both at the time of assessment and during ConMon.
In addition to a completed SAR template, 3PAOs should complete and append the following materials to their assessment report.
- FedRAMP Security Assessment Report
- Risk Exposure Table
- FedRAMP Security Test Case Workbook
- Infrastructure Scan Results
- Database Scan Results
- Web Application Scan Results
- Assessment Results
- Manual Test Results
- Documentation Review Findings
- SAR Auxiliary Documents
- Penetration Test Report