
Security Assessment Report (SAR)

The SAR documents the results of the security assessment for the CSO, including a summary of the risks remaining at the conclusion of the assessment. The purpose of the security assessment is to evaluate the CSO's implementation of, and compliance with, FedRAMP baseline security controls.
3PAOs are responsible for developing the SAR, which is likely to go through several iterations to reflect any risks that are remediated or mitigated by the CSP during the assessment phase. CSPs should carefully review the final SAR for quality and completeness before it is delivered to the AO. We have provided some guidance in this section to help CSPs when performing a review of the SAR.

  • SAR*
  • Appendix A: Risk Exposure Table (RET)*
  • Appendix B: Security Requirements Traceability Matrix (SRTM) Workbook*
  • Appendix C: Vulnerability Scan Results
  • Appendix D: Documentation Review Findings
  • Appendix E: Auxiliary Documents
  • Appendix F: Penetration Test Report
  • Evidence collected during the assessment

* Document must be submitted in the FedRAMP-provided template

Things to Consider

  • Did the 3PAO use the FedRAMP template to prepare the SAR, including the RET and SRTM? Current templates can be found on the FedRAMP Templates webpage.

  • Are all required appendices listed above included with the SAR?

  • Verify that all findings in the SRTM workbook (also known as the "Test Case Workbook") are documented in the SAR.

      • To do this, look at the "Control Summary" tab in the SRTM Workbook. Every control with an assessment result of "Other than Satisfied" should appear as an open risk in the RET, unless the finding was corrected during testing. If the finding was corrected during testing, it should be documented in the "Risks Corrected During Testing" tab in the RET instead.

  • Did the 3PAO adequately describe the mitigating factors for risk adjustments identified in the RET? Federal agency AOs tend to look very closely at the mitigating factors, particularly for risks with an initial rating of High.

  • Did the 3PAO adequately describe the rationale, and mitigating factors, for each operational requirement (OR) identified in the RET? Federal agency AOs also look very closely at the rationale, and mitigating factors, for ORs.

  • Is the high-level summary of risks in Section 2, Executive Summary, consistent with the RET?

  • Are all other appendices completed in accordance with the instructions?

  • Did the 3PAO attest to the accuracy of the SAR and provide an authorization recommendation in Section 2, Executive Summary?
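The SRTM-to-RET reconciliation and the Executive Summary consistency check above are mechanical enough to script. The following is an added example, not part of the FedRAMP page or its templates, that runs those checks over constructed sample rows. The field names (`control`, `result`, `initial_rating`, `adjusted_rating`, `mitigating_factors`) are assumed placeholders rather than the templates' actual column headers; export the relevant workbook tabs into these fields before using it on a real SAR package.

```python
"""Reconcile SRTM "Other than Satisfied" results against the RET and the
Executive Summary risk counts.

Added example; field and tab names are assumed placeholders, not the
FedRAMP template's real headers.
"""
from collections import Counter

# Constructed rows standing in for the SRTM "Control Summary" tab.
SRTM_CONTROL_SUMMARY = [
    {"control": "AC-2",    "result": "Satisfied"},
    {"control": "AC-2(3)", "result": "Other than Satisfied"},
    {"control": "AU-6",    "result": "Other than Satisfied"},
    {"control": "CM-6",    "result": "Other than Satisfied"},
    {"control": "IA-5(1)", "result": "Other than Satisfied"},
    {"control": "SC-7",    "result": "Satisfied"},
    {"control": "SI-2",    "result": "Other than Satisfied"},
]

# Constructed rows standing in for the RET open-risks tab. A rating that
# differs from the initial rating represents a risk adjustment.
RET_OPEN_RISKS = [
    {"control": "AC-2(3)", "initial_rating": "High", "adjusted_rating": "Moderate",
     "mitigating_factors": "MFA enforced on all administrative paths; quarterly access review"},
    {"control": "AU-6", "initial_rating": "Moderate", "adjusted_rating": "Moderate",
     "mitigating_factors": ""},
    {"control": "CM-6", "initial_rating": "High", "adjusted_rating": "Low",
     "mitigating_factors": ""},
    {"control": "SC-7", "initial_rating": "Low", "adjusted_rating": "Low",
     "mitigating_factors": ""},
]

# Constructed rows standing in for the RET "Risks Corrected During Testing" tab.
RET_CORRECTED_DURING_TESTING = [
    {"control": "IA-5(1)"},
]

# Constructed counts as they might be stated in Section 2, Executive Summary.
EXECUTIVE_SUMMARY_COUNTS = {"High": 0, "Moderate": 2, "Low": 1}


def unreconciled_findings(srtm, open_risks, corrected):
    """'Other than Satisfied' controls that appear in neither RET tab."""
    accounted = {r["control"] for r in open_risks} | {r["control"] for r in corrected}
    return sorted(row["control"] for row in srtm
                  if row["result"] == "Other than Satisfied"
                  and row["control"] not in accounted)


def orphaned_ret_entries(srtm, open_risks, corrected):
    """RET entries whose control the SRTM does not mark 'Other than Satisfied'
    (often a mistyped control ID or a stale row from an earlier iteration)."""
    ots = {row["control"] for row in srtm if row["result"] == "Other than Satisfied"}
    return sorted(r["control"] for r in open_risks + corrected
                  if r["control"] not in ots)


def adjustments_missing_justification(open_risks):
    """Risk adjustments (rating changed) with no mitigating factors stated."""
    return sorted(r["control"] for r in open_risks
                  if r["adjusted_rating"] != r["initial_rating"]
                  and not r["mitigating_factors"].strip())


def summary_mismatches(open_risks, summary_counts):
    """Risk levels whose RET count differs from the Executive Summary count.

    Returns {level: (ret_count, summary_count)} for mismatching levels only.
    """
    ret_counts = Counter(r["adjusted_rating"] for r in open_risks)
    levels = set(ret_counts) | set(summary_counts)
    return {lvl: (ret_counts.get(lvl, 0), summary_counts.get(lvl, 0))
            for lvl in sorted(levels)
            if ret_counts.get(lvl, 0) != summary_counts.get(lvl, 0)}


def review_sar(srtm, open_risks, corrected, summary_counts):
    """Run every check and return a dict of findings for the CSP reviewer."""
    return {
        "unreconciled_srtm_findings": unreconciled_findings(srtm, open_risks, corrected),
        "orphaned_ret_entries": orphaned_ret_entries(srtm, open_risks, corrected),
        "unjustified_adjustments": adjustments_missing_justification(open_risks),
        "summary_mismatches": summary_mismatches(open_risks, summary_counts),
    }


if __name__ == "__main__":
    report = review_sar(SRTM_CONTROL_SUMMARY, RET_OPEN_RISKS,
                        RET_CORRECTED_DURING_TESTING, EXECUTIVE_SUMMARY_COUNTS)
    for check, result in report.items():
        print(f"{check}: {result or 'OK'}")
```

Each non-empty result maps back to one of the review questions above: an unreconciled SRTM finding means a control result never made it into the RET, an orphaned RET entry means the RET and SRTM disagree on a control ID, an unjustified adjustment is exactly what an agency AO will challenge, and a summary mismatch means Section 2 no longer reflects the RET after a later iteration.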