Security Assessment Report/ Plan Of Action And Milestone (POA&M)

• Security Assessment Report also called the Final Risk Assessment Report documents all the findings and is more thorough than the initial Risk Assessment Report.
• The SAR has findings and recommendations and no pass controls are included
• ST&E has both pass and fail controls but no
• recommendations
• Both SAR and ST&E are products of the security Assessment
• Annual Assessment/one third SCA: subset of the controls are assessed (e.g. 1/3 of the total controls)
• Comprehensive SCA: all controls allocated to the system are tested

Summary

• The following artifacts are generated at this Phase by the C&A Analyst:
  • Test Plan/SAP (controls that need to be tested, the method of testing, testing procedures and evidence to validate the controls)

• SCA/ST&E report (has both pass and fail controls but no recommendations)
• Security Assessment Report (SAR)- (The SAR has findings and recommendations no pass controls are included)
• Both SAR and ST&E are products of the security Assessment

• Method of testing
  • Examination
    • Review existing documents (policies, procedures, previous assessment, etc…)
    • Observation-Observe the implementation of controls
    • Walkthrough-Take tour of a building to take note of security control implementation
  • Interview – System Owner, System Administrators, developer etc…..
  • Testing – Test existing control (Test fail login attempt)/ scans and penetration results