This methodology adds structure for the team reviewing Certification and Accreditation (C&A) packages, to ensure that all security program documents are available, complete, up to date and ready for analysis. Completing the Security Assessment Report (SAR) requires the following templates:
- C&A Document Checklist
- SSP Control Summary and Risk Evaluation
- C&A Document Risk Rating Crosswalk
- Security Assessment Report (SAR)
- DAA, System Owner & Stakeholder Presentation
The SAR process examines each document in the C&A Package:
- System Security Plan (SSP),
- Vulnerability Assessment Report (VAR),
- Security Risk Assessment (SRA),
- Plan of Action & Milestone (POA&M),
- Contingency Plan,
- Security Test & Evaluation (ST&E) Plan and Report, and
- Other supporting documentation.
The analysis conducted by the C&A Package review team is complex, time-consuming and resource intensive. The process involves evaluating each documented weakness reported in the VAR, SRA and POA&M and determining whether the stated risk, its rating (Low, Moderate, High) and the associated recommendation are accurate.
This evaluation process involves vetting documented weaknesses and recommendations with selected stakeholders and confirming that each is legitimate. A reported weakness should not be treated as valid until it has been confirmed by the stakeholder responsible for managing the affected control. For example, a reported weakness that emergency lighting is not present maps to NIST SP 800-53 control PE-12, Emergency Lighting; Facility Management must be contacted to confirm that the reported weakness is real before the associated risk is accepted into the SAR.