Engaging with FedRAMP - PART 3, The SAR Debrief
FedRAMP often receives requests for information and guidance regarding the Agency Authorization process. In response, the FedRAMP Program Management Office (PMO) is releasing a three-part blog series that explores the formal touchpoints with stakeholders as they pursue a FedRAMP Authorization. Throughout this series, we will explore the What, Who, Why, and When of the following touchpoints:
This final edition in the series takes a look at Security Assessment Report (SAR) Debriefs. The SAR debrief is typically the last time all stakeholders will meet before an agency’s authorization decision is made.
What is a SAR Debrief?
SAR Debriefs are 70-minute meetings where the Third Party Assessment Organization (3PAO) presents the results from the Cloud Service Offering's (CSO's) security assessment and highlights vulnerabilities uncovered during testing. This is followed by a presentation of the Cloud Service Provider's (CSP's) remediation plan for those findings. This meeting is also often used to discuss Continuous Monitoring responsibilities.
Who is involved?
SAR Debriefs are attended by the PMO, members of the agency review team, and those from the CSP and 3PAO teams involved in the system’s security assessment.
Why are SAR Debriefs important?
The SAR Debrief aims to ensure the agency understands the system's risk posture prior to conducting its full, final review and making an Authority to Operate (ATO) decision. It serves as the last touchpoint for agencies to ask questions on 3PAO findings and/or a CSP's remediation plan before developing their risk recommendation.
When should a meeting be scheduled?
SAR Debriefs are scheduled at the conclusion of the 3PAO assessment and after the agency has had time to review the final SAR.
- The PMO has prepared a SAR Debrief presentation template which must be used when developing the 3PAO and CSP presentations.
- NOTE: The CSP must upload a draft presentation to the PMO via its repository on OMB Max or an alternative secure repository for review and feedback before the PMO will confirm a SAR debrief date.
After the meeting, what can I expect?
Following the SAR Debrief, agencies should be comfortable enough with the information presented to begin developing the risk recommendation required for an ATO letter to be issued for a CSO by their Authorizing Official (AO). Once an ATO letter is issued, it should be sent to the PMO via email@example.com to begin the review required for full FedRAMP authorization.
We look forward to continuing our engagement with industry and we hope you found this information helpful! Please reach out to firstname.lastname@example.org with any questions or for assistance with starting your FedRAMP Authorization journey or visit the Agency Authorization page for more resources on the FedRAMP Authorization process.
The PMO recognizes that not every CSP’s authorization journey will follow steps as outlined here, and specific steps of the process can vary depending on many factors. In addition, it is important to note that these are not the ONLY touchpoints you may have with the PMO, and that you are encouraged to request meetings at any point where we may be of some assistance in your authorization journey.