Security Assessment Report (SAR)

The Security Assessment Report (SAR) Methodology is our process and strategy for evaluating the documented risks and mitigation recommendations reported in:

  • Security Control Assessment (SCA) Test Cases (Interviews / Examinations / Tests)
  • Vulnerability Assessment Tools / Reports
  • Penetration Tests / Reports
  • Contingency Tests / Reports
  • Existing Plan of Action & Milestone (POA&M)

The Independent Assessor / 3PAO must apply the SAR Methodology after completing testing, interviews and examination of Security Authorization Package documentation.

Security Authorization Documentation

  • ISSO Designation
  • Security Assessment Plan (SAP)
  • Security Categorization
  • Privacy Threshold Analysis (PTA)
  • Business Impact Assessment (BIA)
  • System Security Plan (SSP)
  • Privacy Impact Assessment (PIA)
  • Information System Contingency Plan (ISCP)
  • E-Authentication Risk Assessment
  • Incident Response Plan (IRP)
  • Configuration Management Plan (CMP)
  • Penetration Test (PenTest) Report
  • Rules of Engagement (ROE)
  • Risk Assessment Report (RAR)
  • Security Control Assessment (SCA) Test Cases
  • Vulnerability Assessment Report (VAR)
  • Memorandum of Understanding (MOU)
  • Interconnection Security Agreement (ISA)
  • Plan of Action & Milestones (POA&M)
  • Continuous Monitoring Plan
  • Security Assessment Report (SAR)

This methodology adds structure to the 3PAO's review of the Security Authorization Package by ensuring that all security program documents are available, complete, up-to-date and ready for analysis. The 3PAO completing the analysis and developing the SAR must apply the following templates:

  • Document Checklist
  • SSP Control Summary and Risk Evaluation
  • Document Risk Rating Crosswalk
  • Security Assessment Report (SAR)
  • DAA, System Owner & Stakeholder Presentation

The SAR process examines each document in the Security Authorization Package:

  • System Security Plan (SSP)
  • Vulnerability Assessment Report (VAR)
  • Security Risk Assessment (SRA)
  • Plan of Action & Milestones (POA&M)
  • Contingency Plan
  • Security Control Assessment (SCA) Plan and Report
  • Other supporting documentation

The analysis conducted by the 3PAO team is complex, time-consuming and resource intensive. The process involves evaluating each documented weakness in the Assessment Test Cases, Penetration Test Report, VAR, RAR and POA&M, and determining whether the reported risk, its rating (Low, Moderate, High) and the recommended mitigation are accurate. Because these documents are produced by different teams and tools, the same weakness frequently appears in more than one of them with different ratings, and some weaknesses reported by testing are never carried into the POA&M; both cases must be reconciled before the SAR is written.

This evaluation process involves vetting documented weaknesses and recommendations with selected stakeholders and validating their legitimacy. A reported weakness is not treated as valid until it has been confirmed with the stakeholder responsible for managing the affected control. For example, a reported weakness that emergency lighting is not present maps to NIST SP 800-53 control PE-12 (Emergency Lighting); Facility Management must be contacted to validate the legitimacy of that reported risk before it is carried into the SAR.
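The crosswalk step described above (reconciling the same weakness across the SCA test cases, PenTest Report, VAR, RAR and POA&M, and routing each one to the stakeholder who must confirm it) is easy to do inconsistently by hand across several hundred findings. The script below is an added illustration of that step written for this page; it is not a template from the SAR Methodology. The findings, the severity-label normalization table and the control-family-to-stakeholder mapping are all constructed sample data and assumptions, not values taken from any real package; in particular, which stakeholder owns which NIST SP 800-53 control family must come from the system's own SSP.

```python
"""Document Risk Rating Crosswalk: reconcile one weakness across several SAR source documents.

Added example for this page. All sample findings and mappings are constructed.
"""
from collections import defaultdict

# SAR risk scale used across the Security Authorization Package (Low / Moderate / High).
RISK_SCALE = {"Low": 1, "Moderate": 2, "High": 3}

# Assumption: how scanner and pentest severity labels are folded onto the SAR scale.
# Scanners commonly report Critical/High/Medium/Low, which is not the NIST scale.
SEVERITY_TO_RISK = {
    "critical": "High", "high": "High",
    "medium": "Moderate", "moderate": "Moderate",
    "low": "Low", "informational": "Low", "info": "Low",
}

# Assumption: NIST SP 800-53 control family -> stakeholder who must confirm the weakness.
# A real mapping comes from the SSP's control ownership, not from this table.
STAKEHOLDER_BY_FAMILY = {
    "PE": "Facility Management",
    "AC": "ISSO",
    "IA": "ISSO",
    "SI": "System Administrator",
    "CP": "Contingency Planning Coordinator",
}

# Constructed sample findings: each record is one weakness as reported by one source document.
SAMPLE_FINDINGS = [
    {"source": "SCA Test Cases", "control": "PE-12", "severity": "Moderate",
     "weakness": "Emergency lighting not present in the server room"},
    {"source": "PenTest Report", "control": "AC-17", "severity": "High",
     "weakness": "Remote administrative access accepted without MFA"},
    {"source": "RAR", "control": "AC-17", "severity": "Low",
     "weakness": "Remote administrative access accepted without MFA"},
    {"source": "VAR", "control": "SI-2", "severity": "Critical",
     "weakness": "Vendor patches missing on two application servers"},
    {"source": "POA&M", "control": "SI-2", "severity": "Moderate",
     "weakness": "Vendor patches missing on two application servers"},
]


def normalize_rating(severity):
    """Map a document's severity label onto Low/Moderate/High; reject labels we cannot place."""
    key = severity.strip().lower()
    if key not in SEVERITY_TO_RISK:
        raise ValueError(f"unrecognized severity label: {severity!r}")
    return SEVERITY_TO_RISK[key]


def crosswalk(findings):
    """Group findings by control ID and flag rating conflicts, missing POA&M entries and the validator."""
    by_control = defaultdict(list)
    for finding in findings:
        by_control[finding["control"]].append(finding)

    rows = []
    for control in sorted(by_control):
        # One normalized rating per source document that reported this control.
        ratings = {f["source"]: normalize_rating(f["severity"]) for f in by_control[control]}
        distinct = set(ratings.values())
        highest = max(distinct, key=RISK_SCALE.__getitem__)
        family = control.split("-")[0]
        validator = STAKEHOLDER_BY_FAMILY.get(family, "System Owner")

        actions = []
        if len(distinct) > 1:
            detail = ", ".join(f"{src}={r}" for src, r in sorted(ratings.items()))
            actions.append(f"reconcile conflicting ratings ({detail}); SAR carries {highest} until agreed")
        if "POA&M" not in ratings:
            actions.append("not tracked in POA&M: add a POA&M item or document risk acceptance")
        actions.append(f"confirm weakness with {validator} before including it in the SAR")

        rows.append({
            "control": control,
            "sources": sorted(ratings),
            "ratings": ratings,
            "highest_rating": highest,
            "rating_conflict": len(distinct) > 1,
            "in_poam": "POA&M" in ratings,
            "validate_with": validator,
            "actions": actions,
        })
    return rows


if __name__ == "__main__":
    for row in crosswalk(SAMPLE_FINDINGS):
        print(f"{row['control']}: highest={row['highest_rating']} "
              f"conflict={row['rating_conflict']} in_poam={row['in_poam']}")
        for action in row["actions"]:
            print("   -", action)
```

Two design choices matter here. First, an unknown severity label raises rather than silently defaulting, because a VAR row that says "Severe" or "P1" must be mapped by a person, not dropped to Low by a fallback. Second, when sources disagree the crosswalk carries the highest rating forward and records the conflict as an action, so the SAR never understates a risk while the 3PAO is still reconciling the RAR and PenTest figures with the stakeholder.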