This methodology adds structure to the 3PAO's review of Security Authorization Package documentation by ensuring that all security program documents are available, complete, up to date and ready for analysis. The 3PAO completing the analysis and developing the SAR must apply the following templates:
- Document Checklist
- SSP Control Summary and Risk Evaluation
- Document Risk Rating Crosswalk
- Security Assessment Report (SAR)
- DAA, System Owner & Stakeholder Presentation
The SAR process examines each document in the Security Authorization Package:
- System Security Plan (SSP),
- Vulnerability Assessment Report (VAR),
- Security Risk Assessment (SRA),
- Plan of Action & Milestone (POA&M),
- Contingency Plan,
- Security Control Assessment (SCA) Plan and Report and
- Other supporting documentation.
The analysis conducted by the 3PAO team is complex, time-consuming and resource intensive. The process involves evaluating each weakness documented in the Assessment Test Cases, Penetration Test Report, VAR, RAR and POA&M, and determining whether the risk, its rating (Low, Moderate or High) and the recommendation are accurate.
This evaluation involves vetting documented weaknesses and recommendations with the relevant stakeholders and validating that each is legitimate. A reported weakness should not be treated as confirmed until the stakeholder responsible for managing the affected control has verified it. For example, a reported weakness that emergency lighting is not present maps to NIST SP 800-53 control PE-12 (Emergency Lighting); Facility Management must be contacted to confirm that the reported risk is legitimate.
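The crosswalk step described above can be mechanized. The following is an added illustration, not part of this methodology or any FedRAMP template: it indexes findings from several package documents by control and weakness, then reports the discrepancies a reviewer would have to resolve (ratings off the Low/Moderate/High scale, ratings that disagree between documents, findings absent from the POA&M, and findings with no stakeholder confirmation). The `Finding` schema, the `validated_by` field, the document names and the sample findings are all constructed assumptions; the PE-12 entry mirrors the emergency-lighting example in the text.

```python
"""Added example: a risk-rating crosswalk across Security Authorization
Package documents.  Schema, document names and sample findings are
constructed for illustration; they are not from any real package."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RATINGS = ("Low", "Moderate", "High")  # the rating scale named in the text


@dataclass
class Finding:
    control: str                        # NIST SP 800-53 control id, e.g. "PE-12"
    weakness: str                       # short weakness identifier (assumed field)
    rating: str                         # Low / Moderate / High
    recommendation: str = ""
    validated_by: Optional[str] = None  # stakeholder who confirmed it (assumed field)


Key = Tuple[str, str]


def build_crosswalk(documents: Dict[str, List[Finding]]) -> Dict[Key, Dict[str, Finding]]:
    """Index every finding by (control, weakness) and record which document
    carries it, so the same weakness can be compared across documents."""
    crosswalk: Dict[Key, Dict[str, Finding]] = {}
    for doc_name, findings in documents.items():
        for f in findings:
            crosswalk.setdefault((f.control, f.weakness), {})[doc_name] = f
    return crosswalk


def reconcile(documents: Dict[str, List[Finding]],
              required_in: Tuple[str, ...] = ("POA&M",)) -> List[dict]:
    """Return the discrepancies a 3PAO reviewer would need to resolve:
    ratings off the Low/Moderate/High scale, ratings that disagree
    between documents, findings absent from a document that must carry
    them (by default the POA&M), and findings nobody has validated."""
    issues: List[dict] = []
    for key, per_doc in sorted(build_crosswalk(documents).items()):
        for doc_name, f in sorted(per_doc.items()):
            if f.rating not in RATINGS:
                issues.append({"finding": key, "issue": "invalid_rating",
                               "detail": {doc_name: f.rating}})
        # Compare only on-scale ratings; off-scale ones were reported above.
        ratings = {d: f.rating for d, f in per_doc.items() if f.rating in RATINGS}
        if len(set(ratings.values())) > 1:
            issues.append({"finding": key, "issue": "rating_mismatch",
                           "detail": dict(sorted(ratings.items()))})
        for doc_name in required_in:
            if doc_name not in per_doc:
                issues.append({"finding": key, "issue": "missing_from",
                               "detail": doc_name})
        if not any(f.validated_by for f in per_doc.values()):
            issues.append({"finding": key, "issue": "unvalidated",
                           "detail": "no stakeholder confirmation recorded"})
    return issues


# Constructed sample package: the PE-12 case from the text plus two others.
SAMPLE_PACKAGE: Dict[str, List[Finding]] = {
    "VAR": [
        Finding("PE-12", "emergency-lighting-absent", "Moderate",
                "Install emergency lighting in the server room"),
        Finding("AC-2", "stale-accounts", "High",
                "Disable accounts inactive > 90 days", validated_by="ISSO"),
        Finding("SC-7", "open-mgmt-port", "High",
                "Restrict management port to the admin VLAN"),
    ],
    "POA&M": [
        Finding("PE-12", "emergency-lighting-absent", "Low",
                "Install emergency lighting in the server room"),
        Finding("AC-2", "stale-accounts", "High",
                "Disable accounts inactive > 90 days", validated_by="ISSO"),
    ],
    "SCA Report": [
        Finding("SC-7", "open-mgmt-port", "Critical",   # off-scale rating
                "Restrict management port to the admin VLAN"),
    ],
}


if __name__ == "__main__":
    for issue in reconcile(SAMPLE_PACKAGE):
        print(f"{issue['finding'][0]:6} {issue['issue']:16} {issue['detail']}")
```

Run against the sample package, the PE-12 finding is flagged for a rating mismatch (Moderate in the VAR, Low in the POA&M) and for lacking stakeholder validation, which is exactly the point at which Facility Management would be contacted; the SC-7 finding is flagged for an off-scale rating, for being absent from the POA&M, and for lacking validation; the AC-2 finding, consistent and confirmed by the ISSO, produces no issues.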