
Performing Security Testing


FedRAMP Process Flow

The Performing Security Testing step involves the tasks and deliverables below. Please refer to the FedRAMP Concept of Operations document for more detailed information.

  1. CSP contracts with an accredited 3PAO and submits a 3PAO Designation Form to the FedRAMP PMO.
  2. FedRAMP ISSO holds a meeting with CSP and 3PAO to discuss expectations and set timeframes for deliverables.
  3. 3PAO creates, and the FedRAMP ISSO approves, a testing plan (the Security Assessment Plan) that ensures the assessment will cover the stated authorization boundary and the controls within it.
  4. 3PAO independently tests the CSP's system and generates a Security Assessment Report (SAR) that documents the findings and provides an analysis of the test results to determine the system's risk exposure.
  5. CSP develops a Plan of Action & Milestones (POA&M) that addresses the specific tasks, resources, and schedule for correcting each of the weaknesses and residual risks identified.
  6. CSP submits the SAR and POA&M to the FedRAMP ISSO for a completeness and overall risk posture review.
  7. The Joint Authorization Board (JAB) makes a risk-based decision on whether to accept the vulnerabilities and planned fixes.
  8. If JAB determines the risk level is too high it recommends remediation steps that the FedRAMP ISSO shares with the CSP.
  9. CSP corrects the control implementations, retests the affected controls, and resubmits the revised documentation.
  10. If JAB accepts the risks associated with the system, the FedRAMP ISSO notifies the CSP that they are ready to finalize the security assessment.


Deliverable                              Description
3PAO Designation Form                    The CSP submits this form to FedRAMP to designate the FedRAMP-accredited 3PAO that will perform the independent assessment of the CSP's system.
Security Assessment Plan (SAP)           Describes the scope of the assessment: the authorization boundary, the controls to be tested, and the test methods and schedule.
Security Assessment Report (SAR)         Documents the overall status of the security controls and the deficiencies found during testing, with an analysis of the resulting risk exposure.
Plan of Action and Milestones (POA&M)    Describes the CSP's specific tasks, resources, and timeline for remediating each weakness and residual risk identified in the SAR.