Reviewing the SAR - Best Practices for 3PAOs, Agencies, and Cloud Service Providers
Cloud Service Providers (CSPs) pursuing a Low, Moderate, or High FedRAMP authorization are required to partner with a Third-Party Assessment Organization (3PAO) to perform an assessment of their cloud service offering. 3PAOs perform comprehensive independent and objective assessments of a CSP’s service offering and document the results of that assessment in the Security Assessment Report (SAR).
The FedRAMP PMO has compiled best practices for 3PAOs, Agencies, and CSPs to leverage when reviewing the SAR.
Best Practices for Reviewing the SAR
- Confirm the FedRAMP SAR template was used
- Check that system risks are listed and accurately described
- Confirm the 3PAO has accurately described mitigating factors and compensating controls for all risk adjustments and operational requirements
- Ensure the following documentation is included with the SAR and FedRAMP templates are used, where applicable:
- Vulnerability scan results are in line with FedRAMP scanning guidance
- Validate that the assessment methodology described in SAR Section 3 aligns with the methodology described in the Security Assessment Plan (SAP)
- Validate that any sampling methodologies used for the purpose of assessment are described (if applicable)
- Check that the SAR includes a 3PAO attestation statement and a recommendation for authorization of the system
Probing Questions for Reviewing the SAR
- Are all documents in FedRAMP templates?
- Are all document artifacts complete?
- Are all ancillary SAR documents included with the SAR?
- Are unique risks individually identified and labelled?
- Are risks described to a level of detail that could be understood by the JAB / Agency Authorizing Official (AO)?
- Are HIGH findings identified and provided along with comments?
- Are downgraded risks listed and described, and do they include a description of the mitigating factor(s)?
- Are the inventory lists in the SAR consistent with the lists provided in the SSP?
- Are the Assessment Results described in Appendix F consistent with the Risk Exposure Table (SAR Section 4 and Appendix A)?
- Are document / system versions consistently stated within the SAR?
Agency Authorization: SAR Debriefs
The PMO recommends a SAR debrief for all CSPs pursuing Agency authorizations (this practice is standard for all CSPs working with the JAB). Designed to inform stakeholders of the results of the assessment, a SAR debrief allows the 3PAO to present its assessment findings to the Agency customer, the FedRAMP PMO, and the JAB, and gives the CSP an opportunity to communicate its remediation plan.