Security Assessment Report/ Plan Of Action And Milestone (POA&M) Q1-2024
The Security Assessment Report (SAR), also called the Final Risk Assessment Report, documents all the findings and is more thorough than the initial Risk Assessment Report.
The SAR contains findings and recommendations; no passed controls are included.
The ST&E report lists both passed and failed controls but contains no recommendations.
Both the SAR and the ST&E report are products of the security assessment.
Annual Assessment / one-third SCA: a subset of the controls is assessed (e.g. 1/3 of the total controls).
Comprehensive SCA: all controls allocated to the system are tested.
Summary
The following artifacts are generated at this phase by the C&A Analyst:
Test Plan / SAP (the controls that need to be tested, the method of testing, the testing procedures, and the evidence required to validate the controls)
SCA / ST&E report (lists both passed and failed controls but contains no recommendations)
Security Assessment Report (SAR) (contains findings and recommendations; no passed controls are included)
Both the SAR and the ST&E report are products of the security assessment.