<CSP> FedRAMP Annual SAR Template Date of modification
FedRAMP Annual Security Assessment Report (SAR) Template
<Vendor Name>
<Information System Name>
Version #.#
<Sensitivity Level>
<Date>
Company Sensitive and Proprietary
For Authorized Use Only
Assessment Summary
This document describes the Federal Risk and Authorization Management Program (FedRAMP) Annual Security Assessment Report (SAR) for <Cloud Service Provider>. The primary purpose of this document is to provide a Security Assessment Report for <Information System Name> for the purpose of making risk-based decisions. The FedRAMP website can be found at www.fedramp.gov, and the information included in this document is consistent with the program described on the website. The FedRAMP program supports the U.S. government’s mandate that all U.S. federal information systems comply with the Federal Information Security Management Act of 2002 (FISMA).
The assessment took place between <date> and <date>. The assessment was conducted in accordance with the approved Security Assessment Plan (SAP), dated <date>. The deviations from the approved SAP were <summary info here> as detailed in Table 3-1, List of Assessment Deviations. All assessment activities documented to occur in the SAP <did / did not> take place as described.
The table below represents the aggregate risk identified from the FedRAMP assessment. High risks are <number>% of total risks for the system. Moderate risks are <number>% of total risks for the system. Low risks are <number>% of total risks for the system. There <are / are not> risks identified that are required for continued operation of the system.
Risk Category / Total / % of Total Risks
High / / XX%
Moderate / / XX%
Low / / XX%
Operationally Required / / XX%
Total Risks[1] / / 100%
Table ES-1 – Executive Summary of Risks
Template Revision History
Date / Version / Description / Author
06/06/2014 / 1.0 / Major revision for SP800-53 Revision 4. Includes new template and formatting changes. / FedRAMP PMO
03/09/2017 / 1.1 / Renamed template to FedRAMP Annual Security Assessment Report (SAR) Template and included template version number. Renamed Appendix B to Security Test Case Procedures Template. / FedRAMP PMO
06/06/2017 / 1.1 / Updated logo / FedRAMP PMO
Table of Contents
About this document 8
Who should use this document? 8
How this document is organized 8
How to contact us 8
1. Introduction 9
1.1. Applicable Laws and Regulations 9
1.2. Applicable Standards And Guidance 9
1.3. Purpose 10
1.4. Inclusion of Previous Assessment Results 11
1.5. Scope 11
2. System Overview 12
2.1. Security Categorization 12
2.2. System Description 13
2.3. Purpose of System 13
3. Assessment Methodology 13
3.1. Perform Tests 13
3.1.1. Assessment Deviations 13
3.2. Identification of Vulnerabilities 14
3.3. Consideration of Threats 14
3.4. Perform Risk Analysis 21
3.5. Document Results 22
4. Security Assessment Results 22
4.1. Security Assessment Summary 24
5. Non-Conforming Controls 25
5.1. Risks Corrected During Testing 25
5.2. Risks With Mitigating Factors 25
5.3. Risks Remaining Due to Operational Requirements 26
6. Risks Known For Interconnected Systems 27
7. Continued Authorization Recommendation 28
Appendix A – Acronyms and Glossary 29
Appendix B – Security Test Case Procedures Template 31
Appendix C – Infrastructure Scan Results 32
Infrastructure Scans: Inventory of Items Scanned 32
Infrastructure Scans: Raw Scan Results 33
Infrastructure Scans: False Positive Reports 33
Appendix D – Database Scan Results 35
Database Scans: Raw Scan Results 35
Database Scans: Inventory of Databases Scanned 35
Database Scans: False Positive Reports 36
Appendix E – Web Application Scan Results 38
Web Applications Scans: Raw Scan Results 38
Web Applications Scans: False Positive Reports 39
Appendix F – Assessments Results 40
Other Automated & Misc Tool Results: Tools Used 43
Other Automated & Misc Tool Results: Inventory of Items Scanned 43
Other Automated & Misc Tool Results: Raw Scan Results 44
Other Automated & Other Misc Tool Results: False Positive Reports 44
Unauthenticated Scans 46
Unauthenticated Scans: False Positive Reports 46
Appendix G – Manual Test Results 47
Appendix H – Auxiliary Documents 48
Appendix I – Penetration Test Report 49
List of Tables
Table ES-1 – Executive Summary of Risks 2
Table 1-1 – Identified Security Controls to be assessed during the Annual Assessment 11
Table 1-2 – Information System Unique Identifier, Name and 12
Table 1-3 – Site Names and Addresses 12
Table 3-1 – List of Assessment Deviations 14
Table 3-2 – Threat Categories and Type Identifiers 15
Table 3-3 – Potential Threats 20
Table 3-4 – Likelihood Definitions 21
Table 3-5 – Impact Definitions 21
Table 3-6 – Risk Exposure Ratings 22
Table 4-1 – Risk Exposure 24
Table 5-1 – Summary of Risks Corrected During Testing 25
Table 5-2 – Summary of Risks with Mitigating Factors 26
Table 5-3 – Summary of Risks Remaining Due to Operational Requirements 26
Table 6-1 – Risks from Interconnected Systems 27
Table 7-1 – Risk Mitigation Priorities 28
Table C-1 – Inventory of Items Scanned 33
Table C-2 – Infrastructure Scans: False Positive Reports 34
Table D-1 – Inventory of Databases Scanned 36
Table D-2 – Database Scans: False Positive Reports 37
Table E-1 – Inventory of Web Applications Scanned 38
Table E-2 – Web Application Scans: False Positive Reports 39
Table F-1 – Summary of System Security Risks from FedRAMP Testing 40
Table F-2 – Final Summary of System Security Risks 40
Table F-3 – Open POA&Ms 41
Table F-4 – Summary of Existing POA&Ms 42
Table F-5 – Summary of Vulnerabilities to be Carried Forward 43
Table F-6 – Summary of Unauthenticated Scans 43
Table F-7 – Other Automated & Misc. Tool Results 44
Table F-8 – Other Automated & Misc. Tool Results: False Positive Reports 45
Table F-9 – Unauthenticated Scans 46
Table F-10 – Infrastructure Scans: False Positive Reports 46
Table G-1 – Manual Test Results 47
Table I-1 – In-Scope Systems 49
About this document
This document template is developed for Third-Party Independent Assessors (3PAOs) to report security assessment findings for Cloud Service Providers (CSP). IAs must edit this template to create a Security Assessment Report (SAR).
Who should use this document?
This document is intended to be used by IAs to record vulnerabilities and risks to CSP systems. U.S. government authorization officials may use the completed version of this document to make risk-based decisions.
How this document is organized
This document is divided into eight sections and eight appendices.
Section 1 / Provides information on the scope of the assessment.
Section 2 / Describes the system and its purpose.
Section 3 / Describes the assessment methodology.
Section 4 / Describes the security assessment results.
Section 5 / Describes acceptable non-conforming controls.
Section 6 / Provides risks known for interconnected systems.
Section 7 / Provides a re-authorization recommendation.
Section 8 / Provides additional references and resources.
Appendix A / Acronyms and Glossary
Appendix B / Security test procedure workbooks that were used during the testing.
Appendix C / Provide reports and files from automated testing tools.
Appendix D / Provide reports and files from automated testing tools.
Appendix E / Provide reports and files from automated testing tools.
Appendix F / Provide reports and files from automated testing tools.
Appendix G / Provides results of manual tests.
Appendix H / Describes auxiliary documents reviewed
Appendix I / Provides penetration testing results
How to contact us
Questions about FedRAMP or this document may be directed to .
For more information about FedRAMP, visit the website at http://www.fedramp.gov.
1. Introduction
This document consists of a Security Assessment Report (SAR) for <Information System Name> as required by FedRAMP. This SAR contains the results of the comprehensive security test and evaluation of the <Information System Name> system. This assessment report, and the results documented herein, is provided in support of <CSP name> Security Authorization program goals, efforts, and activities necessary to achieve compliance with FedRAMP security requirements. The SAR describes the risks associated with the vulnerabilities identified during the <CSP name> security assessment and also serves as the risk summary report as referenced in NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems.
All assessment results have been analyzed to provide both the information system owner, <CSP name>, and the authorizing officials with an assessment of the controls that safeguard the confidentiality, integrity, and availability of data hosted by the system as described in the <system name> System Security Plan.
1.1. Applicable Laws and Regulations
· Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
· E-Authentication Guidance for Federal Agencies [OMB M-04-04]
· Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
· Freedom of Information Act As Amended in 2002 [PL 104-232, 5 USC 552]
· Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-05]
· Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization and Protection [HSPD-7]
· Internal Control Systems [OMB Circular A-123]
· Management of Federal Information Resources [OMB Circular A-130]
· Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
· Privacy Act of 1974 as amended [5 USC 552a]
· Protection of Sensitive Agency Information [OMB M-06-16]
· Records Management by Federal Agencies [44 USC 31]
· Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]
· Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
1.2. Applicable Standards And Guidance
· A NIST Definition of Cloud Computing [NIST SP 800-145]
· Computer Security Incident Handling Guide [NIST SP 800-61, Revision 2]
· Contingency Planning Guide for Federal Information Systems [NIST SP 800-34, Revision 1]
· Engineering Principles for Information Technology Security (A Baseline for Achieving Security) [NIST SP 800-27, Revision A]
· Guide for Assessing the Security Controls in Federal Information Systems [NIST SP 800-53A, Revision 1]
· Guide for Developing Security Plans for Federal Information Systems [NIST SP 800-18, Revision 1]
· Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [NIST SP 800-37, Revision 1]
· Guide for Mapping Types of Information and Information Systems to Security Categories [NIST SP 800-60, Revision 1]
· Guide for Security-Focused Configuration Management of Information Systems [NIST SP 800-128]
· Information Security Continuous Monitoring for Federal Information Systems and Organizations [NIST SP 800-137]
· Managing Information Security Risk: Organization, Mission, and Information System View [NIST SP 800-39]
· Minimum Security Requirements for Federal Information and Information Systems [FIPS Publication 200]
· Personal Identity Verification (PIV) of Federal Employees and Contractors [FIPS Publication 201-2]
· Recommended Security Controls for Federal Information Systems [NIST SP 800-53, Revision 4]
· Guide for Conducting Risk Assessments [NIST SP 800-30, Revision 1]
· Security Considerations in the System Development Life Cycle [NIST SP 800-64, Revision 2]
· Security Requirements for Cryptographic Modules [FIPS Publication 140-2]
· Standards for Security Categorization of Federal Information and Information Systems [FIPS Publication 199]
· Technical Guide to Information Security Testing and Assessment [NIST SP 800-115]
1.3. Purpose
The purpose of this document is to provide the system owner, <CSP name>, and the FedRAMP Authorizing Official (AO) with a Security Assessment Report (SAR) for the <system name> annual assessment. A security assessment has been performed on <system name> to evaluate the system’s implementation of, and compliance with, the FedRAMP baseline security controls. The implementation of security controls is described in the System Security Plan and is required by FedRAMP to meet the Federal Information Security Management Act (FISMA) compliance mandate.
FedRAMP requires CSPs to use FedRAMP Accepted Third Party Assessment Organizations (IA) to perform independent security assessment testing and development of the SAR. Security testing for the <system name> annual assessment was performed by <3PAO>. <3PAO> also performed the assessment completed for the Provisional ATO granted on <date>.
Note: delete the statement regarding previous assessments if a different IA was used.
1.4. Inclusion of Previous Assessment Results
A subset of security controls listed in Section 1.5 below were assessed, as the remaining security controls were previously assessed under the security assessment performed as part of the JAB provisional authorization determination or agency ATO. The subset of controls is selected every year in accordance with guidance provided in the FedRAMP Continuous Monitoring Strategy and Guide, which includes a table summarizing the frequencies required for each continuous monitoring activity.
1.5. Scope
This SAR applies to the <Information System Name> annual assessment, which included a security control assessment of the following controls, as identified and approved by the AO:
Family / Control
Table 1-1 – Identified Security Controls to be assessed during the Annual Assessment
The <system name> has a unique identifier which is noted in Table 1-2.
Unique Identifier / Information System Name / Information System Abbreviation
Table 1-2 – Information System Unique Identifier, Name and
Documentation used by the IA to perform the assessment of <system name> includes the following:
· <system name> System Security Plan
· <system name> Contingency Plan & Test Results
· <system name> Incident Response Plan & Test Results
· <system name> Configuration Management Plan
· <system name> Security Assessment Plan
· <system name> Vulnerability Scan Reports