Security Assessment Plan (SAP)
The SAP is developed and delivered by the 3PAO that performs the assessment. It describes the scope, methodology, test plan, and rules of engagement for the assessment of a CSO. The CSP and 3PAO are required to sign the SAP, which indicates acknowledgement of, and agreement with, the SAP and its rules of engagement. At a minimum, the SAP must align testing to FedRAMP guidance and requirements. CSPs should carefully review the SAP for quality and completeness and work with the 3PAO to make adjustments as needed before the assessment begins. Additional guidance is provided in this section to help CSPs review the SAP.
- SAP*
- Appendix A: Security Controls Selection Worksheet*
- Appendix B: Sampling Methodology
- Appendix C: Penetration Testing Plan and Methodology
- Appendix D: Significant Change Request Documentation
* Document must be submitted in the FedRAMP-provided template
Things to Consider
- Did the 3PAO use the FedRAMP template to prepare the SAP? The current SAP template can be found on the FedRAMP Templates webpage.
- Are all applicable artifacts listed above included with the SAP?
- Does the scope accurately reflect all system services, components, and devices that comprise the authorization boundary for the system?
- Does the 3PAO intend to use a sampling methodology? If so, was the methodology included as an appendix to the SAP? For vulnerability scans, the 3PAO's sampling methodology must align with FedRAMP's vulnerability scanning sampling requirements.
- Does the test schedule reflect the agreed-upon schedule?
- Is the penetration test plan and methodology document consistent with the FedRAMP Penetration Test Guidance?