Performing Security Testing
The Performing Security Testing step involves the tasks and deliverables below. Please refer to the FedRAMP Concept of Operations document for more detailed information.
- CSP contracts with an accredited 3PAO and submits a 3PAO Designation Form to the FedRAMP PMO.
- FedRAMP ISSO holds a meeting with CSP and 3PAO to discuss expectations and set timeframes for deliverables.
- 3PAO creates and the FedRAMP ISSO approves a testing plan that ensures the assessment will cover the state authorization boundary and controls.
- 3PAO performs and independently tests the CSP's system and generates a Security Assessment Report (SAR) that documents findings and provides and analysis of the test results to determine the risk exposure.
- CSP develops a Plan of Action & Milestones (POA&M) that addresses the specific tasks, resources, and schedule for correcting each of the weaknesses and residual risks identified.
- CSP submits the SAR and POA&M to the FedRAMP ISSO for a completeness and overall risk posture review.
- The Joint Authorization Board (JAB) makes a risk-based decision on whether to accept the vulnerabilities and planned fixes.
- If JAB determines the risk level is too high it recommends remediation steps that the FedRAMP ISSO shares with the CSP.
- CSP corrects control implementations, retests affected controls, and resubmits revised documentation
- If JAB accepts the risks associated with the system, the FedRAMP ISSO notifies the CSP that they are ready to finalize the security assessment.
|3PAO Designation Form||The CSP submits this form to FedRAMP in order to designate the FedRAMP accredited 3PAO that will perform an independent assessment of the CSP's system.|
|Security Assessment Plan (SAP)||Describes the scope of the assessment.|
|Security Assessment Report (SAR)||The SAR is used to document the overall status and deficiencies in the security controls.|
|Plan of Action and Milestones (PO&M)||Describes the CSP's specific tasks and timeline for remediating or changing system or control specific information.|