What Information Is Included in a FedRAMP System Assessment Report (SAR)?

security assessment report featured

The Federal Risk and Authorization Management Program (FedRAMP) is a security assessment and authorization program for cloud services used by the federal government. It is designed to ensure that cloud services meet the federal government’s security requirements, and that sensitive government data remains protected. A critical component of the FedRAMP security authorization process is the Security Assessment Report (SAR).

In this blog post, we will examine the importance of the SAR in the FedRAMP security authorization process and provide an in-depth overview of the information that should be included in the report. We will also discuss the benefits of preparing a comprehensive SAR and the consequences of failing a FedRAMP security assessment.


What Is the System Assessment Report (SAR)?

A Security Assessment Report (SAR) is documentation that provides information on the security posture of a cloud service. This report is used by the Joint Authorization Board (JAB) as part of their decision-making for FedRAMP Authorization.

The SAR provides a comprehensive overview of the security controls and procedures the cloud service provider has implemented to protect the sensitive information it contains. The report includes information on the security architecture, risk assessment and management, security controls, and incident response procedures. 


What Is the FedRAMP Authorization Process?

There are two paths for FedRAMP (Federal Risk and Authorization Management Program) authorization:

  • Provisional ATO (P-ATO): The FedRAMP JAB P-ATO is the less common path CSPs take. In this path, the cloud service provider and their 3PAO work with JAB to gain a general authorization (following more stringent requirements) that can serve the needs of the broader agency market. Suppose the JAB determines that the cloud service meets the security requirements of the FedRAMP program. In that case, it will authorize the service to handle sensitive government data and issue a P-ATO.
  • Agency Authorization: In this path, a federal agency evaluates and authorizes a cloud service to handle specific sensitive data, using the FedRAMP security requirements as the basis for the security assessment. 

    Both paths will, at some point, require a SAR reviewed by either the sponsoring agency or the JAB.


    Building Towards a SAR

    Regarding report composition, the information contained in the SAR draws specifically from the information provided by the cloud provider in the System Security Plan (SSP) and, following that, a System Assessment Plan (SAP). 

    In the case of the former, the provider performs an inventory of their security controls, specifically those implemented on systems that will fall under FedRAMP assessment because they will handle information on behalf of a federal agency. The cloud provider will use a standardized template to list and describe their security controls. 

    Drawing from the SSP, the 3PAO will then work with the provider to create the SAP or roadmap of the FedRAMP assessment. Finally, the 3PAO will assess the listed controls and their applicability to FedRAMP authorization. This report is submitted for agency review and final authorization if all things go well.


    What Information Is Included in the Security Assessment Report?security assessment report


    The template for the SAR is available on the FedRAMP website. This lengthy document provides tables and charts where a 3PAO may enter the relevant information for an agency or JAB review.

    Some of the key pieces of information included in the SAR include:

    • Service and Scope Description: A brief overview of the cloud service, including its purpose, functionality, and the types of information it handles. This basic section includes a list of controls that have undergone assessment, the impact level of the assessment, and the purpose of the systems and infrastructure. This is otherwise known as the “boundary.”
    • Control Assessment: The 3PAO will also include a detailed breakdown of the controls from the SSP. This breakdown will consist of control names, implementation dates, and how the control addresses FedRAMP requirements. Furthermore, the 3PAO will assess each control based on FedRAMP guidelines, including consideration of potential threats (listed on a table within the SAR template), to demonstrate that these controls protect the confidentiality, integrity, and accessibility of data.
    • Assessment Deviations: If the 3PAO deviates from the SAP or other components of the FedRAMP assessment methodology, it must list those deviations in a list with unique IDs for the purposes of transparency during agency or JAB review.
    • Risk Assessment and Exposure: A description of the cloud service provider’s risk assessment and management process, including the methodology used to identify and prioritize risks. This document will also include a “Risk Exposure Table” template that lists all security weaknesses exposed during the assessment.
    • Corrective Recommendations: The 3PAO will offer disciplinary actions required by the CSP to meet FedRAMP requirements and review them with the provider. 


    What Steps Follow the SAR if the Provider Does Not Pass Their Audit?

    The potential penalties for failing a FedRAMP security assessment can vary depending on the specific circumstances of the failure, but they can include:

    • Denial of Authorization: The cloud service will not be authorized to handle sensitive government data–the basic purpose of pursuing FedRAMP Authorization in the first place. Obviously, this will halt any attempt of the business to work with federal agencies… and if this is your business model, then you’re out of the market completely.
    • Remediation and Re-Assessment: The cloud service provider may be required to implement remediation measures to address the security deficiencies that led to the failure of the security assessment. The cloud service will then need to be re-assessed to determine if it meets the security requirements of the FedRAMP program.
    • Corrective Action: In cases where the provider is already authorized but then fails an annual assessment, they may be required to submit a corrective action plan to address the security deficiencies that led to the failure. The corrective action plan must be approved before the cloud service can be re-assessed.

    There are also some cases where deviations from security requirements may be mild enough that the 3PAO will recommend corrective actions as part of an ongoing plan that still allows the provider to receive authorization. In this case, a Plan of Action and Milestones (POA&M) may be drafted such that the CSP can remediate issues according to a strict timeline, subject to ongoing assessment.


    Get Ready for Your FedRAMP Assessment with Continuum GRC

    Don’t count on manual processes, emails, and data entry to keep you in front of FedRAMP compliance. Trust a cloud platform that combines compliance inventories and risk assessments to ensure that your systems are aligned with FedRAMP. 

    Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

    • FedRAMP
    • StateRAMP
    • NIST 800-53
    • FARS NIST 800-171
    • CMMC
    • SOC 1, SOC 2
    • HIPAA
    • PCI DSS 4.0
    • IRS 1075
    • COSO SOX
    • ISO 27000 Series
    • ISO 9000 Series

    And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

    Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

    Continuum GRC